Ezine

This article can also be found in the Premium Editorial Download "Information Security magazine: Why business managers are a breed of security professional."

Download it now to read this article plus other related content.

TECHKNOWLEDGE
Seven ways to leverage your infrastructure against spyware

When

    Requires Free Membership to View

    Login

in doubt, reimage
In many university environments, it's common practice to reimage systems every quarter, deleting the old OS (and any resident spyware and malicious code) and installing a newly upgraded and patched OS.

Some government agencies and financial institutions have taken this practice to the extreme by reimaging their desktops every night. Users are told to store all permanent data on a network file share instead of the local system. That way, user machines act like network terminals—portals by which users can access and edit files stored on protected network servers without storing anything locally. It's the network-centric computing model reborn, this time to fight spyware and malicious code.

Initially, users in these organizations complained that their custom desktop backgrounds and screen savers disappeared every night. But, within a couple of weeks, they accepted the change and appreciated the increased reliability of their nightly reimaged systems.

Reimaging can be accomplished by using customized scripts scheduled to run during off hours, or with specialized software products designed to reimage on a regular basis, such as Symantec's Ghost Solution Suite, ShadowStor's Shadow-User, or similar features built into some backup solutions.

--Ed Skoudis

Spyware is on the tip of every security manager's tongue. During the past 18 months, spyware has exploded from a nuisance of faulty adware to a computing plague that threatens to compromise user privacy, expose proprietary data and destroy IT resources.

In a recent Information Security survey, 87.5 percent of respondents said that controlling spyware was their top priority for 2005. AV and security vendors are racing to convert consumer-centric antispyware applications to centrally manage tools designed to help enterprises counter the threat. But antispyware technology remains rooted in the signature-based framework of its AV cousins, making it only partially effective.

Enterprises can curb spyware by leveraging their existing infrastructure. These seven techniques can help enterprises close the gap on residual spyware risk.

1. DNS Black Holes
By tweaking your internal DNS servers to resolve common spyware domains to internal Web server IP addresses or to a local host (127.0.0.1), you can implement a DNS black hole. Whenever a machine is tricked into looking up a known spyware site, the internal DNS server will respond with an answer configured by the DNS admin.

Even if some spyware still manages to sneak in, manipulating DNS responses can prevent spyware packages from communicating with their home networks, rendering them inert.

Bleeding Edge of Snort's Black Hole DNS Spyware Project catalogs thousands of common spyware domains that should be considered when constructing DNS black holes.

Alternatively, you can include a list of potential spyware sites in each PC's local hosts file, resolving spyware sites to 127.0.0.1 without using DNS at all.

However, the DNS approach is easier to deploy because it doesn't require a configuration change to be pushed to each endpoint. Further, some spyware attacks the host file, changing its configuration to override any blocking via DNS or the hosts files themselves.

This was first published in June 2005

Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.
    Back to top