We all know the threats posed by spyware to enterprise networks: user ID and password theft, financial loss, productivity drain, intellectual property theft. Security practitioners have two defenses at their disposal: the human
Educating end users about spyware should be part of any comprehensive security awareness training. It should be part of at least a half-day or, preferably, a whole-day training session required of all employees at all levels, from the executive suite down to the receptionists and security guards at the front door. Everybody uses a computer today. Training should be a condition of employment, with mandatory attendance noted as part of annual performance reviews. Because the number of security threats keeps growing every year, the training material should be updated annually and employees should be required to take it once a year.
IT security awareness training conducted in groups of a few dozen at a time will not disrupt daily operations, yet it can still cover the entire staff over the course of a year. Your IT/Information Security staff members should have the background to put together and conduct the training without having to look elsewhere. But if staffing is an issue, consider professional trainers from outside the company.
Awareness training should cover the following:
- Safe Web surfing
- Acceptable uses for the Internet (for those allowed access)
- Policies against downloading software to desktops
- The types of Web sites that are prohibited by policy, especially those likely to breed spyware
- Tips on spotting potentially infected desktops
- When to call the Help Desk
Reinforce training efforts with monthly newsletters that include security awareness tips. Focus on a new topic each month, and make spyware one of those topics. Newsletters can be designed to be colorful and eye-catching. Also, consider a "Security Awareness" award for an outstanding employee who was alert and saved the company from a spyware or other security incident. Put the employee's picture in the newsletter. Internal publicity is a real morale booster.
Policies for preventing spyware are similar to those for protecting a network from other uninvited malware, such as viruses, worms and Trojans. The most effective policy is to prohibit employee access to the Internet altogether. But this may be unrealistic since many employees need Internet access for their work. At the very least, keep Internet access tightly controlled and be sure that those with access do, indeed, have a legitimate business need.
Spyware/malware policies include prohibiting users from downloading software from the Internet, including file-sharing software and toolbars, and prohibiting users from visiting questionable Web sites, the most obvious being pornography and gambling sites. These types of software and Web sites are notorious for harboring spyware.
Here is sample language for an end user policy:
"Employees shall not deliberately download any software from the Internet to their desktops without specific written permission from the Information Security department. Users are warned that all their Internet activity is subject to logging and monitoring at any time and that inappropriate use may subject them to disciplinary action up to and including termination."
A policy targeting spyware prevention specifically might state the following:
"Users are advised to report to the Help Desk suspicious activity on their desktops, such as excessive pop-up windows opening simultaneously, unusually slow desktop performance or their Web browser being redirected to unwanted sites, such as pornographic or gambling sites. They should seek assistance from the Help Desk and advise that they suspect their desktop has been infected with spyware."
Lastly, provide users with something, such as this checklist, which can serve as a constant reminder to be vigilant in the fight against spyware.
About the author
Joel Dubin is an independent computer security consultant based in Chicago. He specializes in web and application security and is the author of the recently released book The Little Black Book of Computer Security available from Amazon.
This was first published in September 2005