New Public Enemy Number One
With a hectic workday ahead, Diane Coffey tenses as her computer slows to a crawl.
"You always feel under the gun, so any hitch in the system is extremely frustrating," says Coffey, managing director at Peter J. Solomon, a New York-based investment banking firm. "You wait and wait, and you think this is only an aberration. But seconds turn into minutes, and minutes turn into hours."
A scan of Coffey's computer turns up what has become an even bigger virtual pest than spam: spyware. These stealth programs, which download onto the computers of unsuspecting victims and send information back to their creators, can slow computer performance, crash the system and spawn out-of-control pop-up ads.
"Spyware's a huge problem, and it keeps getting worse," says Nick Ferguson, information systems (IS) manager at Peregrine Pharmaceuticals in Tustin, Calif. "We pay the employees to come in to work, and spyware basically makes the computers unusable. It's counterproductive."
Spyware has grown into a $2 billion industry, according to Webroot Software, a Boulder, Colo.-based antispyware software vendor that conducts a quarterly survey of the problem. In the first quarter of this year, 87 percent of corporate PCs contained some form of spyware-type software, according to the survey. But, say experts, even small companies with limited resources can win the war against spyware with the right arsenal of tools. That arsenal includes software, user education, policies and vigilance.
The obvious first step is prevention. As with viruses, however, it's hard to protect against an enemy that is not only ill-defined but also mutating. "Spyware is constantly changing," says Peter Firstbrook, an information technology security analyst with the research firm Gartner. "This is an arms race."
What's more, once downloaded, the programs are hard to remove, warns spyware researcher Eric L. Howes, who analyzes antispyware tools for SpywareWarrior.com.
"They just litter the system with all sorts of files and registry data," he says. If not cleansed entirely, the programs can resuscitate themselves. "You can have 100 files, and you can remove 99, but if you miss that one, it comes back."
Building an Arsenal
Until recently, only a few small vendors offered antispyware programs specifically for the desktop PC. In his two-year fight against spyware, Ferguson has had success using combinations of desktop antispyware products. Although they block some spyware programs, these products' real strength is detecting and erasing spyware on the PC. One product might pick up 75 percent of the spyware on a machine, while a competing product will catch the rest. But desktop antispyware products typically depend on the user or IT administrator to prompt them to run a scan. And with 150 machines on his network, cleaning every infected computer individually is becoming cumbersome, says Ferguson.
In the last several months, however, most antivirus vendors have released enterprise-level spyware products that can be administered centrally. In addition, software giants such as Symantec and Microsoft are getting into the act.
In fact, vulnerabilities in Microsoft's Internet Explorer have been a source of spyware's growth. Ferguson found some relief by using Mozilla Foundation's Firefox Web browser, but many sites will load only in Internet Explorer, so he can't make a complete switch. Spyware also is rare on Apple and Linux operating systems.
Microsoft has taken several steps to correct the problems. Its Windows XP Service Pack 2 fixed many of the flaws, and Microsoft recently released a free beta version of antispyware for Windows.
Creating limited user accounts instead of giving users administrative privileges can go a long way toward fighting spyware, says Howes.
Particularly on a small business network, users want to be able to install software, modify the registry and change settings. However, that may be a freedom the IT manager should limit: If the user is able to download software or modify the registry, spyware can too, he explains.
Firewalls and automatic software updates are other critical security measures, and some businesses may even consider a gateway, which can help filter out unwanted sites. There are dedicated spyware gateway solutions, but they're still fairly crude, says Howes. "No solution is 100 percent. You're always going to need a layered approach."
Educating Your Armed Forces
A strong firewall and security measures on local machines could help Peregrine combat spyware, but because it hosts its own Web site and domain-name server in-house, certain ports must remain open, explains Ferguson. That's where user education and company policies come in. Some employees may be asking for trouble, visiting dubious sites and downloading smiley faces, songs or weather reports. But many spyware victims never knowingly consent to questionable downloads.
Businesses can use Web content filters to keep users away from certain categories of sites, but more important, they should educate end users to download only from reputable vendors, says Firstbrook. They also should read user agreements and contracts carefully, he notes. Some spyware uses misleading language, such as "click no if you want to download this program."
One way to remind employees of the dangers of spyware is to survey them periodically. A federal government agency has developed its own custom program that produces pop-up screens that test employees' knowledge of best practices. They must answer the questions in order for the pop-up to disappear. The results of the survey help the IT manager discover which employees may need more education on how to keep spyware off a PC.
Some small businesses have been lucky. Spyware blockers on every machine and tightly configured firewalls have done the trick for Inner Traditions, a 45-employee book publisher in Rochester, Vt. "Spyware can't get in here," says systems administrator Scott V. Blomquist.
At Peter J. Solomon, Coffey's problematic spyware experience was quickly brought under control by network administrator Robert Mezzone. Once he scanned her machine, found the spyware programs and cleaned them, her computer was back to normal.
"If people call and complain of a slow computer, nine out of 10 times, it's spyware," says Mezzone, who gets those calls about once a month.
As the only dedicated IT employee, however, he knows he needs to take action before it gets worse. He's been looking for an antispyware tool with a high detection rate that can be managed centrally and has high hopes for the new enterprise-level products.
"We want to be proactive because when people can't work at the pace they need to, they get very frustrated," says Coffey. "In a financial business like ours, you know that you have to get your numbers correct, and every delay is exasperating."
Spyware detection rates vary. Some programs achieve high rates but also come with a high number of false positives. Some count cookies as spyware, while others focus on more malicious programs. As a result, there have been industrywide discussions about devising common standards and definitions of spyware.
"I think part of the problem is that it's such a new phenomenon," says Mezzone.
The debate over what constitutes spyware continues, but there are at least four types:
System monitors: This category poses the greatest threat to a company's proprietary information and trade secrets, in that these programs monitor and record a PC's activity. The information recorded can include keystrokes, e-mails, instant messages, Web sites visited, programs run and even user names and passwords.
Trojan horses: As the name implies, these are malicious programs disguised as harmless ones. Trojan horses are spread through e-mail attachments and Web downloads. Once the user opens the file, the Trojan horse installs itself on the PC without the user's knowledge or consent. It may then create, delete, rename, view or transfer files to or from the PC.
Cookies: These are small data files that a Web site places on a PC so the site can recognize that particular PC when it visits again.
Adware: Similar to cookies, these often use cross-domain cookies to track online behavior, then produce pop-up ads on the PC's browser. The goal is to drive visitors to advertisers' Web sites.
Source: Webroot Software's State of Spyware Survey