There is no doubt that malicious software (malware) is on the increase. We have learnt how to deal with the ever-increasing number of viruses, worms and Trojan horses, but spyware is now a major problem too.
Earlier this month, it was widely reported how a joint investigation by law enforcement agencies in Israel and the UK foiled an attempt to use keystroke logging software to gain access codes in order to steal £220 million from the Sumitomo Mitsui bank. This is believed to be the first recorded incident of spyware being used for large scale online theft.
For some time now, IT-savvy users have been checking for spyware with products such as Spybot Search and Destroy or Lavasoft Ad-Aware. Then Microsoft bought Giant Company Software and soon afterwards released its Windows AntiSpyware beta product. According to IT Week, the final release will be free for registered Windows users, but corporates will need to pay for the enterprise version of the product. Now Symantec has joined the spyware market with Symantec Client Security v3.0 and Symantec AntiVirus Corporate Edition 10, both incorporating spyware detection and removal capabilities, whilst McAfee Anti-Spyware Enterprise aims to block malware before it reaches the corporate network. Other vendors, such as Websense, have added malware detection to their products, but there is still a gaping hole in many organisations’ IT strategy: mobile users returning to the network.
Whilst many corporates will specifically ban consultants and other suppliers from connecting non-managed PCs to their network, some don’t, and in any case that is still only half the issue. What about the user who takes their laptop on the train or to the airport and connects to a wireless hotspot, or even to a less-regulated business partner’s network, then returns to the “safe” corporate LAN with who-knows-what malware on their PC? It may sound paranoid, but when I started to use anti-spyware products a couple of years back I was amazed how much rubbish had infected my work PC, and I am just one user on a large network.
According to IT Week, in a survey of 500 European IT Managers commissioned by Websense, 60% said that their company does not have systems in place to guard against internal threats with 35% unable to deal with spyware (and 62% unable to block phishing attacks).
Protecting the network edge is all very well, but the guiding security principle of defence in depth needs to be applied. Networks need to be segregated, with firewalls (or at the very least separate VLANs, bearing in mind that a VLAN on its own only separates the segments and something still has to filter the traffic routed between them) restricting traffic between segments, but the real answer to the mobile user issue is remediation.
The principle behind remediation is that, on returning to the corporate network, users are not granted full access until their device has been checked for missing operating system patches, out-of-date anti-virus and anti-spyware signatures and any application patches required. Only once all of these have been installed is the user granted full access to the network. Bear in mind that such a check relies on the client reporting its own state: it catches neglected machines, not a machine already compromised by something that lies about its patch level. Of course, as Dave Bailey commented in his recent IT Week article “will you pass the access test?”, there will be occasions when patches fail to apply, or when returning users simply have so many updates to apply that it impacts on their legitimate business operations (but not half as much as a full-blown network attack could impact on their business).
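As an added illustration (my own code, not from the original post and not Cisco NAC or Microsoft NAP), here is the quarantine-then-remediate decision described above written out in Python. Every patch name, date and policy threshold in it is constructed. It also handles the failure mode mentioned above, a patch that refuses to apply, by capping the number of remediation rounds so the client ends up parked in quarantine with the outstanding items listed rather than looping indefinitely. A client with no anti-virus or anti-spyware agent reporting at all is treated the same as one with stale signatures, i.e. it fails closed.

```python
"""Admission-control decision for a returning laptop: compare what the
client reports about itself with a corporate baseline, quarantine it until
the gaps are closed, and stop retrying (leaving it quarantined) when a fix
will not apply. Added illustration only: this is not Cisco NAC or Microsoft
NAP code, and every patch name, date and policy value below is constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Callable, List, Optional, Set, Tuple

# A remediation item: ("os_patch", "KB-os-2"), ("app_patch", "..."),
# ("av_sig", None) or ("spyware_sig", None).
Item = Tuple[str, Optional[str]]


@dataclass
class HealthStatement:
    """What the client-side agent reports about itself. A missing or silent
    anti-virus / anti-spyware agent reports None for its signature date."""
    os_patches: Set[str]
    app_patches: Set[str]
    av_sig_date: Optional[date]
    spyware_sig_date: Optional[date]


@dataclass
class Policy:
    required_os_patches: Set[str]
    required_app_patches: Set[str]
    max_sig_age: timedelta          # how stale a signature file may be


@dataclass
class Decision:
    access: str                     # "full" or "quarantine"
    remediation: List[Item] = field(default_factory=list)


def evaluate(health: HealthStatement, policy: Policy, today: date) -> Decision:
    """One health check: list everything that must be fixed before full access."""
    todo: List[Item] = []
    todo += [("os_patch", kb) for kb in sorted(policy.required_os_patches - health.os_patches)]
    todo += [("app_patch", p) for p in sorted(policy.required_app_patches - health.app_patches)]
    for kind, sig in (("av_sig", health.av_sig_date), ("spyware_sig", health.spyware_sig_date)):
        # No agent reporting is treated exactly like stale signatures: fail closed.
        if sig is None or today - sig > policy.max_sig_age:
            todo.append((kind, None))
    return Decision("full" if not todo else "quarantine", todo)


Updater = Callable[[HealthStatement, Item, date], bool]


def admit(health: HealthStatement, policy: Policy, today: date,
          apply_update: Updater, max_rounds: int = 3) -> Tuple[Decision, int]:
    """Quarantine / remediate / re-check loop. Stops after max_rounds so a
    patch that keeps failing cannot hold the client in the loop forever; the
    client then stays quarantined with the unfixed items still listed.
    Returns the final decision and the number of health checks performed."""
    decision = evaluate(health, policy, today)
    rounds = 1
    while decision.access == "quarantine" and rounds < max_rounds:
        for item in decision.remediation:
            apply_update(health, item, today)   # may fail; the re-check decides
        decision = evaluate(health, policy, today)
        rounds += 1
    return decision, rounds


def simulated_updater(failing: Set[str] = frozenset()) -> Updater:
    """Constructed stand-in for a real patch/signature deployment tool: installs
    everything except the names in `failing`, which simulate patches that
    will not apply on this client."""
    def apply(health: HealthStatement, item: Item, today: date) -> bool:
        kind, name = item
        if name in failing:
            return False
        if kind == "os_patch":
            health.os_patches.add(name)
        elif kind == "app_patch":
            health.app_patches.add(name)
        elif kind == "av_sig":
            health.av_sig_date = today
        elif kind == "spyware_sig":
            health.spyware_sig_date = today
        return True
    return apply


TODAY = date(2005, 3, 31)            # constructed
POLICY = Policy(                     # constructed baseline
    required_os_patches={"KB-os-1", "KB-os-2"},
    required_app_patches={"office-hotfix-1"},
    max_sig_age=timedelta(days=3),
)


def returning_laptop() -> HealthStatement:
    """Constructed: two weeks on the road, one OS patch behind, stale AV signatures."""
    return HealthStatement(
        os_patches={"KB-os-1"},
        app_patches={"office-hotfix-1"},
        av_sig_date=TODAY - timedelta(days=14),
        spyware_sig_date=TODAY - timedelta(days=1),
    )


if __name__ == "__main__":
    print("first check:", evaluate(returning_laptop(), POLICY, TODAY))
    ok, n = admit(returning_laptop(), POLICY, TODAY, simulated_updater())
    print(ok, "after", n, "checks")
    stuck, n = admit(returning_laptop(), POLICY, TODAY, simulated_updater(failing={"KB-os-2"}))
    print(stuck, "after", n, "checks: still quarantined, needs manual intervention")
```

The point of the round cap is the trade-off in the paragraph above: a client that cannot be brought up to baseline is left in the restricted segment with a short, specific list of what is wrong, which is the input a helpdesk needs, rather than being waved through or retried until the user gives up.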
Both Microsoft and Cisco are preparing their remediation technology offerings. Cisco has its network admission control (NAC) technology, whilst Microsoft’s approach is network access protection (NAP) (when will they learn to read their acronyms phonetically – first WUS and now NAP). Unfortunately, NAP has been dropped from the forthcoming ISA Server 2004 service/feature packs and will instead be held over for Longhorn (although Windows Server 2003 does offer Network Access Quarantine Control for users connecting via a VPN).