It's now standard practice to have antivirus software and desktop firewalls running on networked systems. However,
these defense measures fall short of protecting systems from a key component of spyware -- keyloggers. So, what's a security administrator to do? Fortunately, there are a number of specialized antispyware packages on the market designed to combat these threats.
Keyloggers are applications or devices that monitor the physical keystrokes of a computer user. They then either aggregate the information locally for later retrieval or send it off to a spyware server on the Internet. Some businesses use keyloggers, such as with the Spector Pro system, to monitor employee activity, but the vast majority are applications installed without the user's knowledge as part of a software download or system intrusion.
The true danger posed by keyloggers is their ability to bypass encryption controls and gather sensitive data directly from the user. All the encryption in the world will not secure your data if a hacker watches you type your encryption key. He can then simply use that plaintext key to decrypt all of your "protected" communications from that point forward!
Here are five steps you can take to detect existing spyware and prevent future infections on your network:
- Install spyware filters at the host level. There are plenty of spyware scanners available on the market. If you're looking for an inexpensive solution, you might consider Microsoft's beta tool, Windows Antispyware, Spybot or AdAware. Many commercial antivirus vendors, such as McAfee, also have spyware filters available that snap in to your enterprise antivirus solution.
- Install an application gateway with spyware content filtering. We're just starting to see the emergence of spyware appliance solutions that operate at the network level. One such system is the Blue Coat Spyware Interceptor. If your budget can bear it, you might consider this type of solution.
- Place egress filters on your network. It never hurts to have a good set of egress filters on your network. They might assist in blocking spyware attempting to "phone home."
- Monitor your intrusion-detection system (IDS) and keep the signatures current. If you're not able to block spyware from phoning home, you might at least be able to detect it with your IDS and use the reports to identify infected systems.
- Prevent users from installing downloaded software. Most spyware installations are the result of users installing unauthorized software downloaded from the Internet. If your organization's security policy permits, you should implement technical controls to prevent this type of activity.
Spyware, and the associated crime of identity theft, is one of the most important battles currently facing information security professionals. It's time to ensure that your organization is safe. Following these steps will help bring you closer to that goal.
About the author
Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles including the CISSP Prep Guide and Information Security Illuminated.