Spyware Protection Strategies

An Interview with Tony Alagna, CTO, SVP and Founder, WholeSecurity
by Dana Hendrickson, Publisher of SSL VPN Central

Interview Focus:

Although spyware is not new, the attention paid to it has grown to unprecedented levels in the past year. Spurred by both waves of colorfully named attacks and the vulnerabilities afforded by extended corporate networks, security vendors have introduced a steady stream of new products designed to either destroy, block or quarantine spyware before it can inflict its damage. While IT managers now enjoy a huge number of options, this can be a mixed blessing. So what should they do?

In this interview with SSL VPN Central, Tony Alagna discusses why spyware has become such a big problem for enterprises. He then describes alternative strategies for defending against these constantly changing threats.

If you have any questions or comments about this interview, please send them to SSL VPN Central. We will publish those with broad appeal - along with our responses.

Q1 - Spyware Threats

Dana: Tony, before we dive into how organizations should deal with spyware, can you give us some idea as to the magnitude of the spyware problem, that is, why has this topic drawn so much attention?

Tony: Before describing the magnitude of the spyware problem, it is important to distinguish between the two major types of spyware. First, there is the most visible spyware in the form of adware and browser hijacking. While this type of spyware consumes system resources and reduces productivity, it does not pose an immediate threat to SSL VPN sessions. The second type of spyware is malicious and is significantly more dangerous as it intends to control and steal from users’ machines. Malicious spyware includes Trojan horses, keystroke loggers and zombies; these are the types of threats that businesses really need to be concerned about when securing remote access from potentially unmanaged PCs. If a machine is infected, keystrokes can be logged, files can be stolen and sessions can be controlled – all of which can compromise sensitive or confidential data, enable theft, and result in major losses.

It is also important to note that malicious spyware is becoming more and more prevalent. A recent Network World report indicates that more than 78% of today’s worms have backdoor payloads involving some type of malicious spyware. Additionally, WholeSecurity’s experience with phishing indicates that more than 10% of today’s phishing attacks deliver malicious spyware and we anticipate a dramatic rise in this trend over the next few months. Companies offering anytime, anywhere access need to be particularly concerned about protecting endpoint PCs against malicious eavesdropping and remote control threats.

Q2 – SSL VPNs + Anti-Spyware

Dana: The adoption of SSL VPNs for remote access would appear to greatly amplify the potential damage from spyware on private, shared and public computing devices. Could you briefly explain what the major risks are?

Tony: By their very nature, SSL VPNs provide anytime, anywhere access, which means that both managed and unmanaged PCs can access the network. Unmanaged PCs are particularly vulnerable to infection from worms and malicious spyware, as an organization has little control over how the machine is configured and what types of security measures have been taken. Infection by Trojan horses, keystroke loggers, or worms represents a major risk for an organization. Trojan horses are malicious programs that allow a hacker to fully monitor and control an infected machine. This means that they can transfer any file that a user accesses, control their machine while they are logged into a company, see real-time screenshots of the user's system, and control their overall session. Keystroke loggers are a subcomponent of Trojans, but can be a serious problem as well. Keystroke loggers try to capture user information such as user IDs and passwords, personal information, and potentially sensitive information entered in an online session. Hackers often restrict these searches to certain targeted companies so that they only have to look at data from the companies they are targeting.

Q3 - Traditional Desktop Security

Dana: Tony, much has been written about the general nature of spyware and how it can end up on almost anyone's personal computer. Please briefly describe why the traditional security products like anti-virus software and personal firewalls cannot afford sufficient protection for any organization. What's missing?

Tony: I’d emphasize several points here:

Many threats are now specifically designed to bypass both anti-virus and personal firewalls, with customization kits readily available to do so. For example, the program file of a well-known Trojan horse program can be slightly modified either manually or using an automated modification toolkit, such as a “packer.” After modification, the program will function just like before, but its anti-virus signature will be different. Since it is a new signature, it will not be included in the current signature database. That is the reason why anti-virus vendors often have a signature for NewWorm.A and then have to add a signature later for NewWorm.B, which is essentially the same code but slightly different. Obviously, given the readily available instructions and automated modification toolkits, it is practically impossible to create signatures for every possible variation.

Also, "zero-day" exploits are an unavoidable reality. The same day vulnerabilities are announced, threats are released to exploit them. There is no time to patch, no time to develop signatures, and no time for companies to install them. These threats come too quickly with too many variants for signature-based solutions, like anti-virus software, to keep up. Additionally, threats that are customized to target a specific organization will never have a signature, as the distribution will be limited and will never be prevalent enough to appear on the radar of an anti-virus company.

Although patching or updating any system - once a vulnerability is found and a fix is available - remains a good idea, it is important to remember that most malicious code, including spyware, does not need vulnerabilities to do damage. Mydoom.a was one of the most widespread worms of 2004, yet it did not require taking advantage of any vulnerability to both infect and spread. Because of the flexibility of the Operating System, actions like logging keystrokes are allowed and actually can have legitimate uses, thus most types of spyware simply do not need vulnerabilities to run their course.

Preventative solutions, like personal firewalls, cannot identify and mitigate a threat that has already infected a PC. Furthermore, these solutions do not protect against user behavior, such as opening an infected email, installing peer-to-peer networking software like Kazaa, or being tricked into loading malicious programs on their system.

Finally, anti-virus and personal firewall solutions cannot be delivered on-demand to unmanaged PCs, which is a concern in the SSL VPN environment.

So what’s missing is a software solution that can recognize and detect new and unknown threats, without relying on signatures or the user, and that can be delivered on-demand to all PCs logging into an SSL VPN.

Q4 - Spyware Security Policy

Dana: Based on your experience, how do organizations develop effective anti-spyware security policies, i.e., what advice can you share on how they should start and proceed?

Tony: The first step in developing an effective anti-spyware policy is realizing the difference between the types of spyware and deciding which type is most threatening to the organization. The approach for preventing infection by programs designed to steal differs from cleaning up adware and other productivity-reducing spyware. If stopping theft and protecting information is the priority, then it is important to choose a solution that can recognize these threats on both managed and completely unmanaged machines in the SSL VPN environment and can recognize threats based on their nature, rather than relying on a signature.

Q5 – Anti-Spyware Product Categories

Dana: There are many spyware-fighting products in the marketplace. Would you please classify them in a way organizations will understand the important trade-offs they should weigh?

Tony: Most of today’s anti-spyware solutions are consumer-based solutions designed to combat adware and browser hijacking. The most important thing for an organization to understand is the type of protection these solutions offer against the two types of spyware – malicious spyware and adware. Consumer-based solutions can be highly effective against the most rampant forms of adware, but may not deliver adequate protection against the more malicious threats that can enable theft. They have no ability to detect threats based on their behavior, and generally speaking, their signature databases for these types of threats are not as extensive as anti-virus solutions. Organizations should also evaluate the enterprise management capabilities of the anti-spyware solutions they are considering. Many anti-spyware products were designed with the consumer in mind, both from the threat perspective and the management perspective, and are now being retrofitted and repackaged as enterprise-grade solutions.

Q6 - Future Anti-Spyware Requirements

Dana: How do you see anti-spyware requirements changing over the next few years. What is driving this evolution? How will solutions likely differ from today?

Tony: Anti-spyware solutions will evolve based on customer requirements for improved detection of malicious spyware and demand for improved management capabilities. Most solutions are simply not there yet on either front. Additionally, WholeSecurity sees targeted attacks as another key concern for companies in the future; targeted attacks inherently require solutions to move away from dependency upon signature databases in order to be effective, so we will likely see changes to anti-spyware solutions, as a result.

(Note: Targeted attacks are designed to infiltrate one particular organization. Often, the tools used for the attack, such as remote access Trojans, are custom built and may or may not have been used before. Therefore, by definition, no signatures exist for these threats. Only after the attack has been launched is there a slight chance that the anti-virus companies might create signatures. Because such a threat is normally not highly proliferated, anti-virus companies usually have no urgency in adding these signatures quickly. We have had customers who complained that it took the large anti-virus vendors weeks or months to add signatures to their databases for well-known Trojans; you can imagine if the attack is largely unknown how long it might take for a signature to be developed.)

Q7 – Anti-Spyware + SSL VPN Gateways

Dana: In 2004, most SSL VPN gateway vendors acknowledged the importance of endpoint security (EPS) by adding new "network-based" features and building new partnerships with EPS vendors. How do you see these types of relationships evolving in 2005?

Tony: These relationships will continue to strengthen in 2005 as endpoint security becomes a requirement and not just an option. Expect out-of-the-box integrations to solve the endpoint security and split tunneling concerns customers have with SSL VPNs.

Q8 – Microsoft, Cisco and Check Point EPS Initiatives

Dana: In 2004 the leading PC software, networking, and network security companies have all announced endpoint compliance initiatives and made related acquisitions. What role do you expect them to play in anti-spyware? And how will WholeSecurity work with them to deliver greater customer value?

Tony: Each of these companies has a different approach and motivation for attacking spyware. Microsoft, who recently acquired Giant, has an incentive to provide a solution to spyware, especially for consumers who are fed up with slow computers, pop-ups and browser hijacking. Cisco, on the other hand, is entirely enterprise focused. They have endpoint security solutions, but their most important initiative is their Network Admission Control (NAC) program, which establishes an infrastructure for companies like WholeSecurity and other endpoint security vendors to work in their environment. Finally, Check Point is looking to deliver comprehensive security solutions to their enterprise customers. To date their endpoint initiatives have focused on personal firewalls, but they have a history of partnering well with other vendors and should have the mechanism for integrating with other security solutions.

Q9 - Anti-Spyware Trustworthiness

Dana: Anti-spyware software, like any security product, must be evaluated on how well it performs its services AND how resistant it is to being undermined. What are the measures organizations should use to gauge the trustworthiness of anti-spyware?

Tony: One of the most common evaluation strategies is to simply collect and/or write malicious spyware and then use these examples to test the products’ detection abilities. Checking an anti-spyware solution to see if it can be bypassed by a threat or a variant of a threat is a good test of how robust the software will be.

Unfortunately, there are no standardized tests around spyware products today. However, organizations like ICSA are an authority that can analyze specific products, which can be helpful for companies evaluating the effectiveness of various solutions.
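The following is an added example, not code from the interview or from WholeSecurity, illustrating two points Tony makes: in Q3, that repacking a known Trojan with a "packer" preserves its behaviour but changes its signature (so the vendor ends up shipping NewWorm.A, then NewWorm.B, and so on), and in Q9, that a practical evaluation is to generate variants of a sample and check whether the detector is bypassed. The "Trojan" is a constructed byte string, the packer is a toy XOR packer, and `behaviour_scan` is a hypothetical stand-in for a behavioural engine that judges what the program does once unpacked rather than what its bytes hash to.

```python
"""Hash-signature detection versus a toy packer (added example, constructed data)."""
import hashlib
import random

# Constructed stand-in for a known Trojan's program file. The API names are
# only there so the toy behaviour check has something to look at.
KNOWN_TROJAN = (
    b"MZ\x90\x00"
    + b"SetWindowsHookExA;GetAsyncKeyState;send_to_c2;"
    + b"\x00" * 32
)

STUB_MARKER = b"PACKSTUB:"  # hypothetical unpack-stub header


def signature(blob: bytes) -> str:
    """A byte-exact signature, as a hash-based AV database would store it."""
    return hashlib.sha256(blob).hexdigest()


# The vendor's database: one entry per variant it has already seen.
SIG_DB = {signature(KNOWN_TROJAN): "NewWorm.A"}


def signature_scan(blob: bytes, db=SIG_DB):
    """Return the family name if the exact bytes are known, else None."""
    return db.get(signature(blob))


def pack(payload: bytes, key: bytes) -> bytes:
    """Toy packer: XOR the body with a key and prepend a stub header.

    Layout: STUB_MARKER | key length (1 byte) | key | encoded body.
    """
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))
    return STUB_MARKER + len(key).to_bytes(1, "big") + key + body


def unpack(blob: bytes) -> bytes:
    """Inverse of pack(): what the stub would restore in memory at run time."""
    if not blob.startswith(STUB_MARKER):
        raise ValueError("not a packed image")
    off = len(STUB_MARKER)
    klen = blob[off]
    key = blob[off + 1 : off + 1 + klen]
    body = blob[off + 1 + klen :]
    return bytes(b ^ key[i % klen] for i, b in enumerate(body))


# Hypothetical behavioural rule: flag programs whose run-time image hooks the
# keyboard, regardless of how the on-disk bytes were wrapped.
SUSPICIOUS_APIS = (b"SetWindowsHookExA", b"GetAsyncKeyState")


def behaviour_scan(blob: bytes) -> bool:
    image = unpack(blob) if blob.startswith(STUB_MARKER) else blob
    return any(api in image for api in SUSPICIOUS_APIS)


def make_variants(payload: bytes, count: int, seed: int = 0) -> list:
    """Repack the same payload with fresh random keys; behaviour is unchanged."""
    rng = random.Random(seed)
    return [pack(payload, bytes(rng.randrange(256) for _ in range(8)))
            for _ in range(count)]


def evaluate(variants: list, db=SIG_DB) -> tuple:
    """Q9-style test: (signature hits, behaviour hits) over a variant set."""
    sig_hits = sum(1 for v in variants if signature_scan(v, db) is not None)
    beh_hits = sum(1 for v in variants if behaviour_scan(v))
    return sig_hits, beh_hits


if __name__ == "__main__":
    variants = make_variants(KNOWN_TROJAN, 5, seed=1)
    print("original:", signature_scan(KNOWN_TROJAN))
    print("5 repacked variants (sig hits, behaviour hits):", evaluate(variants))
    # Vendor adds a signature for the first variant it sees ("NewWorm.B")...
    db = dict(SIG_DB)
    db[signature(variants[0])] = "NewWorm.B"
    # ...and the next repack still walks past it.
    print("after adding NewWorm.B:", evaluate(variants, db))
```

Every repacked variant restores byte-for-byte to the original when unpacked, so its behaviour is identical, yet each has a different hash; adding a signature for one variant catches exactly that one. A behavioural check that looks at the run-time image is unaffected by the repacking, which is the property the interview is arguing for. A real packer changes far more than an XOR key, and a real behavioural engine observes actions rather than strings, but the evaluation loop in `evaluate` is the shape of the test Tony describes.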

Q10 - WholeSecurity Solution Strategies

Dana: What are WholeSecurity's primary strategies for dealing with evolving requirements for anti-spyware solutions?

Tony: Our strategy for dealing with these requirements is to continue to produce breakthrough behavioral technology for catching and mitigating malicious spyware, without the need for signatures. Our leading Confidence Online product is built around the four key elements of WholeSecurity’s philosophy: it provides true zero-hour protection against both new and existing threats that is effective and reliable, without requiring reactive updates; it is highly scalable and can be easily integrated with SSL VPN technologies to provide on-demand protection to both managed and unmanaged endpoints; it is highly manageable, provides out-of-the-box value, requires infrequent updates, and is easily installed and maintained; and finally, Confidence Online is completely transparent to the end user – the software downloads and scans in typically less than ten seconds, requires no user decisions or expertise, and has almost no impact on system performance.

Q11 - WholeSecurity Differentiation

Dana: Is the WholeSecurity approach distinct in ways that most organizations can appreciate? Please explain.

Tony: WholeSecurity’s approach is absolutely unique. Our advanced behavioral technology provides us with several key advantages. First, Confidence Online catches more malicious spyware than any other solution because the solution doesn’t rely on having seen the attack before in order to catch it. Our software can provide true zero-hour protection against new, emerging threats that can compromise the security of an organization’s data. Second, because Confidence Online doesn’t need a signature database, the size of the software is extremely compact – around 300K—which enables it to be delivered on-demand during a web session. As a result, it is one of the few security technologies that can be seamlessly integrated into the login sequence for an SSL VPN session. Third, Confidence Online has an extremely low total cost of ownership since it is pre-configured to provide immediate protection without requiring administrators to conduct profiling or to create rules; additionally, administrators don’t have to worry about reactive updates when new threats are announced.

Q12 - Additional WholeSecurity Info

Dana: Tony, thanks for sharing your thoughts on how organizations can protect themselves from spyware. Where can one go to learn more about the WholeSecurity solution?

Tony: To learn more about WholeSecurity’s endpoint security solutions, please visit us online at www.wholesecurity.com.


As the chief technical officer of WholeSecurity, Tony Alagna is the visionary behind the patent-pending behavioral technology that drives the company’s endpoint security solutions. Tony founded WholeSecurity to address the growing security needs of companies as they moved their operations online. He is considered an expert in information security and specializes in the area of malicious code. In recognition of his contributions to the security industry, Tony was recently named Information Technologist of the Year by the Austin Chapter of the Association of Information Technology Professionals (AITP) and he serves as a member of the InfoWorld CTO Network. As a sought-after public speaker, Tony often addresses executive forums, speaks at security events, and serves on conference panels. He actively advises lawmakers, industry analysts, financial organizations, and corporations on cyber-threats and how to defend against them. Much of his career in the computer security industry is under non-disclosure, but notably, Tony led elite teams of security field personnel in Annapolis, Maryland for an organization which performed attack and penetration testing with the military and federal agencies. He has also designed and implemented secure networks for businesses to conduct commerce over the Internet.

WholeSecurity is the leading provider of behavioral endpoint security solutions that protect users’ PCs from worms, Trojan horses, keystroke loggers, and phishing attacks. WholeSecurity’s products leverage patent-pending behavioral technology to identify and eliminate these threats, whether they are known or unknown, on both managed and unmanaged PCs. Based in Austin, Texas, WholeSecurity’s customers include Deutsche Bank, Comerica, eBay, Raymond James and Cambridge Health Alliance. To learn more, please visit www.wholesecurity.com.