Spyware used to be software that was secretly installed on your computer to track your click habits and send this information to advertisers. It then morphed into malicious software (malware) capable of deploying rootkits and other forms of attack that capture and export user IDs and passwords. This blog will explore the extent of the spyware problem for enterprises.
Why should you worry about spyware? How big a threat is it? What kind of defenses can you use?
Out in the non-enterprise world, it was recently estimated that 89% of computers are infected with spyware. The study referenced here estimates that 31% of computers are infected with Trojan viruses. Bottom line, outside the enterprise firewall there is a huge problem with spyware. So what about within the enterprise?
An eWeek article from November 13, 2006, "Spyware threat marches on", quotes a recent report by the Ponemon Institute. Here is the grim news from their interviews with 500 North American IT professionals:
* 47% of respondents indicated that their companies were incapable of removing spyware from their networks once detected
* 40% believed their enterprises were able to ward off spyware attacks with frequent success
* 83% had full-time anti-spyware initiatives in place
* "Of the technologies being used to fight spyware, 48 percent of respondents said they are only using software that seeks out the attacks at the desktop level, while another 18 percent are using only network-based defenses. Only 21 percent of the companies involved in the research said they are using both types of applications, with 13 percent using no spyware-specific protections at all."
* 98% indicated their firewall is the primary line of defense
My summary of the above is that while 83% have anti-spyware in place, I think they are all living in a state of denial. Why?
Take a look at the latest test from malware-test.com. IT INDICATES THAT THE ANTI-SPYWARE SOLUTIONS FROM VENDORS DO NOT WORK. The best success rate against a suite of spyware taken from a honeypot is 49.64%. This means that even the top vendor is missing 50% of the attacks! Worse, this trend has been more or less the same since September.
Since many spyware attacks are rootkit attacks, let's look at the state of rootkit detection. A study released by Symantec this fall examined the ability of Symantec and its competitors first to detect rootkits and then to successfully remove them.
The test was against 20 rootkit attacks. Symantec could detect all 20, McAfee 17, Webroot and F-Secure 15, Sunbelt 12, Trend 10 and Microsoft 5. All the vendors except for one missed 3 or more rootkit attacks. Then there was the cleanup. Symantec could only clean up 16, Webroot and F-Secure 8, McAfee 7, Sunbelt 5, Microsoft and Trend 3. In other words, from one vendor comes the admission that they cannot even remove three of the attacks.
Here is some more anecdotal evidence that supports the above. In this blog, it reports Steve Ballmer, head of Microsoft, trying to fix a friend's computer. He couldn't do it so he took it into Microsoft. There a team of engineers found the computer was infected with more than 100 pieces of spyware. They were unable to successfully remove all of it.
What does this mean to your enterprise?
1. You are highly likely to be successfully breached by spyware.
2. There is an excellent chance you will not be able to know you've been breached.
3. The malware will then commence to trap user uids and passwords.
4. This information will be passed out through the firewall.
5. You are therefore at risk of some serious internal attacks.
6. Even when you find the spyware, there is a strong chance you will be unable to remove it.
Bottom line: HIGH CONTINUING RISK.
What more evidence does an enterprise need that it is under continuous attack, and that its firewall defenses will not withstand that attack?