How to detect and prevent keylogger attacks

More on this topic Clean your infected system with this step-by-step guide Test your spyware savvy with this quiz Get the latest spyware news and advice in our resource center

Keyloggers are applications or devices that monitor the physical keystrokes of a computer user. They then either aggregate the information locally for later retrieval or send it off to a spyware server on the Internet. Some businesses use keyloggers, such as with the Spector Pro system, to monitor employee activity, but the vast majority are applications installed without the user's knowledge as part of a software download or system intrusion.

The true danger posed by keyloggers is their ability to bypass encryption controls and gather sensitive data directly from the user. All the encryption in the world will not secure your data if a hacker watches you type your encryption key. He can then simply use that plaintext key to decrypt all of your "protected" communications from that point forward!

Here are five steps you can take to detect existing spyware and prevent future infections on your network:

Security Seven Awards TechTarget's Information Security magazine, SearchSecurity.com and Information Security Decisions have created the Security Seven Awards to recognize the achievements of leading information security practitioners in seven vertical industries. Winners will be chosen from the financial services, telecommunications, manufacturing, energy, government, education and health care industries. To nominate an individual for the Security Seven Awards, please complete the form and return it to securityseven@infosecuritymag.com by Aug. 1, 2005.

1. Install spyware filters at the host level. There are plenty of spyware scanners available on the market. If you're looking for an inexpensive solution, you might consider Microsoft's beta tool, Windows Antispyware, Spybot or AdAware. Many commercial antivirus vendors, such as McAfee, also have spyware filters available that snap in to your enterprise antivirus solution.
   
   
2. Install an application gateway with spyware content filtering. We're just starting to see the emergence of spyware appliance solutions that operate at the network level. One such system is the Blue Coat Spyware Interceptor. If your budget can bear it, you might consider this type of solution.
   
   
3. Place egress filters on your network. It never hurts to have a good set of egress filters on your network. They might assist in blocking spyware attempting to "phone home."
   
   
4. Monitor your intrusion-detection system (IDS) and keep the signatures current. If you're not able to block spyware from phoning home, you might at least be able to detect it with your IDS and use the reports to identify infected systems.
   
   
5. Prevent users from installing downloaded software. Most spyware installations are the result of users installing unauthorized software downloaded from the Internet. If your organization's security policy permits, you should implement technical controls to prevent this type of activity.

About the author
Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles including the CISSP Prep Guide and Information Security Illuminated.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Threat Monitor Windows registry forensics: Investigating system-wide settings Weaponizing Kaminsky's DNS discovery Debian: A niche OS with a not-so-niche security flaw Web advertising exploits: Protecting Web browsers and servers Ransomware: How to deal with advanced encryption algorithms Hidden endpoints: Mitigating the threat of non-traditional network devices Protecting exposed servers from Google hacks (and Google 'dorks') Countermeasures against targeted attacks in the enterprise Windows registry forensics guide: Investigating hacker activities More built-in Windows commands for system analysis Spyware, Adware and Trojans Clickjacking details released after attack proof-of-concept emerges Product Review: Sophos Endpoint Security and Control 8.0 Researchers develop cloud-based antivirus Web advertising exploits: Protecting Web browsers and servers SaaS startups enter Web security gateway market Ransomware: How to deal with advanced encryption algorithms Stolen data ending up in Google cache, say researchers Information security book excerpts and reviews Yahoo, McAfee to warn users of dangerous websites Botnets and ethics Spyware, Adware and Trojans Research Firefox Security and Mozilla Security Clickjacking details released after attack proof-of-concept emerges Data risks take shine off Google Chrome Browser attack technique poses serious threat Mozilla issues update to repair critical Firefox flaws Google Chrome unlikely to attract security-minded users Google Chrome Plug-in opens door for self-signed SSL certs in Firefox 3 Adobe investigates clipboard hijackings Mozilla to release Firefox threat-modeling data Shrewd attackers bypass old security defenses with Web attacks Firefox Security and Mozilla Security Research RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary barnacle  (SearchSecurity.com) botnet  (SearchSecurity.com) browser hijacker  (SearchSecurity.com) crimeware  (SearchSecurity.com) DSO exploit  (SearchSecurity.com) government Trojan  (SearchSecurity.com) I-SPY Act  (SearchSecurity.com) keylogger  (SearchSecurity.com) PUP  (SearchSecurity.com) talking Trojan  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.