PROTECTING CORPORATE ASSETS IN THE AGE OF SPYWARE
Yanki Margalit,
Chairman and CEO
Aladdin Knowledge Systems, Ltd. (Nasdaq:ALDN)

It damages productivity, drains help-desk resources, and creates security holes which enable the uncontrolled flow of data out of an organization.

Virus? Trojan Horse? No, it's spyware, and it's raking in billions of dollars a year for unscrupulous enterprises worldwide. The statistics cited in recent reports are alarming:

• 90% of home PCs are infected with spyware (Dell Survey)
• 80% of all PCs are infected with spyware (National Cyber Security Alliance and AOL Survey)
• 67% of all PCs are infected with spyware (IDC estimate) 

But in order to fully understand the threat, we must first understand what spyware is. According to most accepted definitions, spyware is software installed without the full knowledge of the user. It is often covertly transferred to a user's computer during the downloading of file sharing programs, or when surfing certain websites. (Adware, though objectionable, does not transmit information to a third-party and is not included in our definition as spyware.) Computer users and web surfers should note that spyware (and adware) components such as Gator, Cydoor, eZoola and others are found in most "free" applications.

As if installation without consent isn't bad enough, spyware poses a security threat by transmitting the user's private information back to a third-party.  Using spyware, its creators can:

Gather a user's private/personal information Steal copyrighted or confidential information Create irreparable system instability Damage or interfere with legitimate application operations Open a backdoor on infected systems Take over an infected system

How bad can it really be? At Aladdin, our Content Security Research Team recently completed a thorough analysis of the top 2,000 spyware in the wild in the first half of 2005. They classified spyware into three threat categories, based on the nature of, and actions taken, by the spyware program:

• Severe Threat -- Fifteen percent of spyware threats send private information gathered from the end user currently logged on to the infected system: logging the user’s keystrokes, logged-on user name, hash of administrator passwords, email addresses, contacts, instant messengers login and usage, and more.
   
• Moderate Threat -- Twenty Five percent of spyware sends information gathered from the victim’s operating system, including the computer (host) name, domain name, logs of all processes running in memory, installed programs, security applications, client’s internal IP address, OS version, the existence and versions of service packs and security updates, TCP ports the spyware is listening to, Computer Security Identifier (SID) ,default browser’s homepage, browser plug-ins, etc.
   
• Minor Threat -- Sixty percent of spyware transmits gathered commercial-value information about the end user’s browsing habits. This includes keywords used in search engines, browsing habits and ratings of frequently visited websites, shopping reports etc.

These statistics demonstrate the seriousness of the threats of corporate espionage and computer crime which companies face from spyware.

Skirting the Legal Line

Part of the difficulty in fighting spyware is that it is often installed with the user's consent (usually as a component of a seemingly benign software program), though not necessarily his or her full understanding – thus making it a tough legal question.  Many spyware vendors argue that their applications are not spyware, but simply smart marketing.

Groups such as the recently formed Anti-Spyware Coalition (which includes industry leaders such as America Online, Computer Associates International, Hewlett-Packard, Microsoft, and Yahoo) are pushing for common definitions in spyware, and for the establishment of accepted practices in the fight against spyware. They note that the spyware phenomenon is expanding from the consumer arena, becoming a bigger enterprise issue.    

So, what is an enterprise to do? Take their computers offline? Go back to back to the days of typewriters and locked file cabinets?

Part of protecting your organization’s sensitive corporate and employee information is a matter of staying informed and keeping your computer security solutions up-to-date. An educated computer user is a safer computer user, and though there are no 100% guarantees against spyware infection, recognizing the signs of infection is an important step in securing your interests. These signs include:

1. Significant increase in network activity
2. Significant decrease in PC performance
3. Strange, dialog boxes, asking suspicious questions
4. New modem dialup connections
5. System instability
6. Excessive pop-up windows
7. Website re-direction
8. New toolbars, menus or buttons
9. Persistent homepage address changes
10. Default search engine change
11. New taskbar icons
12. New items in Favorites
13. Excessive hyperlinks added to webpages

Desktop Solutions are Not Enough

To truly protect your company against spyware, you need more than just a desktop anti-spyware solution. Desktop solutions are also not always effective against ‘driveby’ spyware applications (i.e., those downloaded automatically from a web page without the user’s knowledge or permission). And smart users can circumvent desktop policy, but not gateway enforcement. Finally, while desktop solutions are effective for cleaning, some spyware can create damage beyond repair.

As with anti-virus solutions, a first layer of defense at the gateway is clearly the best security practice.

Gateway Security Critical to Protecting Your Assets

When evaluating a corporate or enterprise-wide anti-spyware solution, make sure that it stops spyware at the Internet gateway, before it has the opportunity to compromise your organizational defenses. If it doesn’t cover the following layers of protection, you're not implementing a complete solution:

Layer 1 - Spyware download blocking - proactively blocking web content exploits which allow automatic spyware download and installation; preventing unintended spyware download by unsuspecting users after being exposed to tricky or misleading dialog boxes.

Layer 2 - Spyware ID Blocking -- blocking access to spyware servers and auto-updated lists; blocking spyware by ActiveX identification and prevents existing ActiveX from being exploited.

Layer 3 - Spyware signature blocking – using traditional signatures similar to those used in anti-virus products, as well as Smart Signatures enabling the proactive blocking of new variants of known spyware families.

Layer 4: Spyware communication blocking -- preventing existing spyware from communicating with their servers; providing protection even when spyware has already been installed on the desktop.

Layer 5: Centralized spyware remediation – giving IT and security administrators the ability to identify and remove functioning spyware components from desktops, using a centralized server instead of spending hours at each desktop on individual cleanup.

In 1998, Aladdin’s security experts recognized the dangers posed by malicious code delivered through on web pages -- which today we call spyware -- and began developing solutions to protect organizations from these threats.  Through a significant investment in R&D and product innovation, Aladdin today is at the forefront of helping organizations stay safe from spyware and other malware.
 

>>Aladdin Archive
 

Yanki Margalit is the founder, chairman and chief executive officer of Aladdin Knowledge Systems, Ltd. In 1984, he developed a handwriting-analysis software application, founding Aladdin to market it.

Mr. Margalit then developed HASP, a system offering software security without inconveniencing legitimate users. In 1993, Mr. Margalit took Aladdin public on the NASDAQ stock exchange.

Today, Aladdin is a global leader in the software and Internet security market, living up to its mission of "Securing the Global Village." Visit the Aladdin website at http://www.Aladdin.com to learn about Aladdin security solutions.