Spyware - how to minimize the spyware threat.
Spyware, adware, and malware have been occupying the headlines of many computer news sites for some time and are becoming a growing threat to the business network.
These threats can be broken up into the following categories:
- Spyware. Software that is often installed without the end user's consent. It logs personal data and sends it to a server where it is used for other purposes. Often this is used for marketing data collection, but it may be used for other things such as identity theft.
- Adware. Often installed without the end user's consent and may also be installed along with other programs. Sometimes software installers present clauses requiring that the adware remains present in order for the software to run. Sometimes shareware or freeware applications are repackaged by a third party, who then includes an adware application in the setup program.
- Malware. This covers anything not covered above and may include things such as key-loggers and, in recent weeks, some dubious copy protection software.
- Backdoor programs. Designed to allow remote control or monitoring of the infected PCs. These programs are often installed by viruses or added to cracked software packages.
With all of these, the actual threat to the end user and the business varies. Many of these programs are simply harmless and will not cause any problems at all. Some may be very badly crafted, causing drops in system performance, and some may even compromise system security. Many of the above are also written in a way that makes them difficult, and sometimes impossible, to detect and remove. It's also not uncommon for these packages to cause system crashes.
In any event, none of these unauthorized applications belong in a business network of any sort. There are applications available that look to be utilities to remove spyware but are in fact nothing more than spyware applications themselves, and this also needs to be something to look out for.
Security-wise, the worst threat is posed by trojan programs. They could be used for collecting passwords and other inside information about the target network.
Because of the sheer number of applications out in the wild now, it's almost impossible to use your firewall to block everything; however, it's possible to mitigate the damage they can do and block some types from infecting machines:
- Using firewall rules to only allow outgoing traffic to ports, services, or applications that are essential is always a good idea.
- Forcing the use of a proxy server on the network is also essential in today's business networks, as a lot of harmful content can be avoided.
However, it should be noted that firewalling has very little to do with preventing spyware. Firewalling is needed to minimise potential threats, but a firewall itself cannot prevent users from installing software on the client PC.
Apart from the firewalling aspects, focus on security policies that prevent installation of unauthorized software. The best defense is to be proactive. Some of the worst culprits are free software packages that perform seemingly useful but unnecessary functions, such as toolbar add-ons or, in some cases, anti-spyware checks. Educate your users about these threats and make sure they know that only company-approved software can be installed on the client PCs. Implement an IT policy in the company that end users must not install any non-approved software. Make a list of approved free software that can be installed and, even better, download the applications and make them available to the users, so they do not have to go to the net themselves.
Using Smoothwall Products to Prevent Spyware
Using Smoothwall firewall rules and Guardian filtering policies can help as the first line of defense, preventing users from accessing known malware sites and downloading unapproved applications. Guardian contains a blocklist category containing many of the popular websites that spyware is downloaded from, and Guardian's file type filtering can prevent downloads of executables, so it will help reduce the chance of spyware being installed in the first place. With Guardian monitoring web traffic, the web logs can be reviewed to check whether spyware-type traffic can be seen, that is, traffic to unusual domains or IP addresses that is not being requested by the user. Guardian can also be set to block all web addresses that are only IP addresses.
You can log rejected traffic through the firewall; this can also serve to indicate possible malware infections on the network. Firewall rules can be used to allow traffic only to the ports you allow, for example, only allowing web traffic and therefore preventing any rogue application from reaching strange ports on the outside. With rejection logging enabled, these logs can be reviewed to check for any attempted activity on ports you haven't allowed.
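The two log reviews described above (web requests to bare IP addresses, blocklisted sites or executable downloads, and repeated rejected outbound connections from internal hosts) as an added example; this is not Smoothwall or Guardian code, and the log layouts, blocklist, file extensions and LAN range are constructed stand-ins, since the real log formats are not on this page.

```python
import ipaddress
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample logs, not Guardian's or Smoothwall's real formats.
# Proxy lines: "time client url"; reject lines: "time REJECT src dst proto dport".
PROXY_LOG = """\
10:01:02 192.168.1.20 http://intranet.example.local/home
10:01:05 192.168.1.20 http://203.0.113.45/update.php?id=7
10:02:40 192.168.1.42 http://downloads.known-bad.example/toolbar.exe
"""
REJECT_LOG = """\
10:03:00 REJECT 192.168.1.20 203.0.113.45 tcp 6667
10:03:04 REJECT 192.168.1.20 203.0.113.45 tcp 6667
10:03:15 REJECT 198.51.100.77 192.168.1.1 tcp 22
"""
BLOCKLIST = {"downloads.known-bad.example"}   # stand-in for a blocklist category
EXECUTABLE_EXT = (".exe", ".msi", ".scr")       # file types the filter would block
LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed internal address range

def is_bare_ip(host):
    # True when the URL host is a literal IP address rather than a name
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True

def review_proxy_log(text):
    """Map each client to (reason, detail) pairs that merit a second look."""
    findings = defaultdict(list)
    for line in text.splitlines():
        _, client, url = line.split()
        parts = urlsplit(url)
        host = parts.hostname or ""
        if is_bare_ip(host):                      # web address that is only an IP
            findings[client].append(("bare-ip", host))
        if host in BLOCKLIST:                     # known spyware download site
            findings[client].append(("blocklist", host))
        if parts.path.lower().endswith(EXECUTABLE_EXT):
            findings[client].append(("executable", parts.path.rsplit("/", 1)[-1]))
    return dict(findings)

def review_reject_log(text):
    """Count rejected outbound attempts from LAN hosts per (src, dst, proto, port)."""
    counts = Counter()
    for line in text.splitlines():
        _, action, src, dst, proto, dport = line.split()
        if action == "REJECT" and ipaddress.ip_address(src) in LAN:
            counts[(src, dst, proto, int(dport))] += 1
    return counts
```

A client that appears repeatedly in either result (the same bare IP over and over, or the same rejected port every few seconds) is the pattern worth checking for an infection.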
You can also use firewall rules to isolate infected devices to prevent any potentially harmful data being sent out.
Various utilities exist to attempt to detect and remove any spyware. Owners of a validated Microsoft Windows operating system can use Windows Defender.