Seven ways to leverage your infrastructure against spyware
Spyware is on the tip of every security manager's tongue. During the past 18 months, spyware has exploded from a nuisance of faulty adware to a computing plague that threatens to compromise user privacy, expose proprietary data and destroy IT resources.
In a recent Information Security survey, 87.5 percent of respondents said that controlling spyware was their top priority for 2005. AV and security vendors are racing to convert consumer-centric antispyware applications into centrally managed tools designed to help enterprises counter the threat. But antispyware technology remains rooted in the signature-based framework of its AV cousins, so it catches only what has already been catalogued and is therefore only partially effective.
Enterprises can curb spyware by leveraging their existing infrastructure. These seven techniques can help enterprises close the gap on residual spyware risk.
1. DNS Black Holes
By configuring your internal DNS servers to resolve known spyware domains to an internal Web server's IP address or to the loopback address (127.0.0.1), you can implement a DNS black hole. Whenever a machine is tricked into looking up a known spyware site, the internal DNS server answers with the address the DNS admin configured instead of the real one.
Even if some spyware still manages to sneak in, manipulating DNS responses can prevent spyware packages from communicating with their home networks, rendering them inert. Pointing the black hole at an internal Web server rather than 127.0.0.1 has a side benefit: that server's access log becomes a list of infected hosts.
Bleeding Edge of Snort's Black Hole DNS Spyware Project catalogs thousands of common spyware domains that should be considered when constructing DNS black holes.
Alternatively, you can include a list of potential spyware sites in each PC's local hosts file, resolving spyware sites to 127.0.0.1 without using DNS at all.
However, the DNS approach is easier to deploy because it doesn't require a configuration change to be pushed to each endpoint, and a single DNS zone can cover every subdomain of a blocked domain, whereas a hosts file needs an explicit entry for each host name. Be aware that some spyware tampers with the hosts file itself; because the resolver consults the hosts file before it queries DNS, a spyware-written entry can override blocking done either way, so the hosts file on each endpoint should be write-protected and monitored for changes.
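The following script is an added example, not code from the original article or from the Black Hole DNS Spyware Project. It takes a blocklist in the simple one-domain-per-line form such lists are commonly distributed in, normalizes it, and emits both forms of black hole discussed above: BIND 9 zone stanzas sharing one sinkhole zone file, and the per-endpoint hosts-file alternative. The domain names in the sample blocklist and the zone file path are constructed placeholders, and the BIND stanza syntax assumes a BIND 9 named.conf.

```python
"""DNS black hole generator: BIND zone stanzas and hosts-file lines
for a spyware blocklist. Added example; domains below are constructed
placeholders, not a real blocklist."""
import ipaddress

SINKHOLE_IP = "127.0.0.1"  # or an internal web server that logs the hits

# Constructed sample blocklist: comments, blank lines, mixed case,
# a trailing dot, a duplicate and a subdomain of an already listed domain.
SAMPLE_BLOCKLIST = """\
# constructed sample, not a real list
adware.example
Tracker.Example.
adware.example
cdn.adware.example
popups.example.net

"""


def parse_blocklist(text):
    """Return a sorted list of unique, normalized domain names.

    Lowercases, strips a trailing dot, ignores blanks and '#' comments.
    """
    seen = set()
    for line in text.splitlines():
        name = line.split("#", 1)[0].strip().lower().rstrip(".")
        if name:
            seen.add(name)
    return sorted(seen)


def collapse_subdomains(domains):
    """Drop names whose parent domain is already listed.

    A BIND sinkhole zone with a wildcard record covers every label beneath
    it, so cdn.adware.example is redundant once adware.example is a zone.
    Parents are processed first by sorting on label count.
    """
    kept = set()
    for name in sorted(domains, key=lambda d: (d.count("."), d)):
        labels = name.split(".")
        parents = (".".join(labels[i:]) for i in range(1, len(labels)))
        if not any(p in kept for p in parents):
            kept.add(name)
    return sorted(kept)


def bind_zone_stanzas(domains, zone_file="/etc/bind/db.sinkhole"):
    """named.conf stanzas pointing every blocked domain at one zone file.

    zone_file is an assumed path; adjust to the server's layout.
    """
    lines = [
        f'zone "{d}" {{ type master; file "{zone_file}"; }};'
        for d in collapse_subdomains(domains)
    ]
    return "\n".join(lines) + "\n"


def sinkhole_zone_file(sinkhole_ip=SINKHOLE_IP):
    """The shared zone file: apex and wildcard A records hit the sinkhole."""
    ipaddress.IPv4Address(sinkhole_ip)  # fail early on a typo
    return (
        "$TTL 600\n"
        "@ IN SOA localhost. hostmaster.localhost. (1 3600 900 604800 600)\n"
        "@ IN NS localhost.\n"
        f"@ IN A {sinkhole_ip}\n"
        f"* IN A {sinkhole_ip}\n"
    )


def hosts_entries(domains, sinkhole_ip=SINKHOLE_IP):
    """hosts-file alternative: no wildcards, so every host name is listed."""
    return "".join(f"{sinkhole_ip}\t{d}\n" for d in sorted(domains))


if __name__ == "__main__":
    blocked = parse_blocklist(SAMPLE_BLOCKLIST)
    print("# named.conf fragment")
    print(bind_zone_stanzas(blocked))
    print("# db.sinkhole")
    print(sinkhole_zone_file())
    print("# hosts-file lines")
    print(hosts_entries(blocked))
```

After loading the generated stanzas into the internal DNS server, a query such as `dig @<internal-dns> cdn.adware.example` should return the sinkhole address even though only the parent domain appears in named.conf; the hosts-file output, by contrast, has to carry the subdomain explicitly, which is the wildcard advantage noted above.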
This was first published in June 2005