 Fight Back Computerworld Spyware Survey: Methodology and Detailed Results Sidebar: Plugging the Windows Hole Spyware's Pyramid Scheme or Anatomy of a Plague |  | | |
Spyware used to be thought of as a consumer problem. Now it has IT's full attention, and it's no wonder: In a Computerworld survey of subscribers with IT security responsibilities that was conducted for this story, 79% of the 577 respondents said they've had problems with spyware in the past 12 months, and 71% said they see it as a threat to their organizations. While spyware's major impact has been on the help desk because of spyware-related system reliability and performance issues, the unwanted programs are also viewed as a growing security threat -- one that 84% of respondents said is increasing.
The good news is that IT organizations are finally starting to get the kinds of tools that are needed to bring the problem under control. The evolution of centrally managed, enterprise-class antispyware tools for the desktop and the emergence of spyware-savvy gateways for the network perimeter are helping IT organizations identify and eliminate spyware programs and block new ones from infecting business PCs. Although the tools are new and still maturing, 41% of our survey respondents said they are already using enterprise-ready antispyware software.
At TelCove, the use of enterprise antispyware software has cut help desk call volumes by about 30%, says Windows server administrator Anthony Waters. The help desk at the Canonsburg, Pa.-based telecommunications company fields calls from 1,500 users in 72 offices. As spyware-related calls to the help desk skyrocketed late last year, the task of cleaning PCs with stand-alone antispyware tools and reimaging badly infected machines became overwhelming. "It was just crazy," Waters says.
Last December, Waters added McAfee Inc.'s AntiSpyware Enterprise to his antivirus software and deployed it to the desktops using McAfee's Policy Orchestrator software. Early on, the software didn't catch all spyware programs, and in some cases, programs it had supposedly removed came back. "But as we got different [updates], that part has improved," Waters says. This spring, he also upgraded all PCs to Windows XP with Service Pack 2, a move that helped eliminate several Windows and Internet Explorer vulnerabilities that spyware programs are known to exploit. Now, Waters says, spyware-related help desk calls have almost been eliminated.
One year ago, few enterprise-ready antispyware tools were available. Today, every major antivirus software vendor has an offering for the problem that Microsoft Corp. says was responsible for one out of every three Windows system crashes last year. Although the tools are still maturing, IT is going ahead with deployments, according to IDC analyst Brian Burke. "It's now the third-most-implemented security software, after antivirus and firewalls," he says.
While IT organizations worry that spyware can potentially be used to steal sensitive data, just 6% of the Computerworld survey respondents who reported spyware problems cited a resulting loss of organizational data or intellectual property. But more than half reported increased help desk activity resulting from spyware infections.
Commercial adware continues to cause reliability and performance issues for business users. Twenty-two percent of respondents reported that the more insidious programs -- Trojans, keyloggers, dialers and remote-control programs -- resulted in break-ins, while 14% experienced destruction of data or programs. The reason those numbers aren't higher is probably because such exploits are increasingly being picked up by other security layers.
At TelCove, for example, desktop antivirus software has caught dialers and Trojans. But information security professionals also worry about data loss through malicious use of the mechanisms and communication channels that adware uses.
"The main issue is the kinds of things that come through Ports 80 and 443, which are the general business ports. It's hard to block those," says Randy Sanovic, general director of information security at General Motors Corp. Antispyware tools address those concerns.
Help desk calls tend to underreport the scope of the spyware problem because users don't complain until their systems have become almost totally unstable. They wait until "they can't tolerate it anymore or you have a complete breakdown of the computer," says Paul Bryan, director of product management for client security at Microsoft.
Peter Wallace knew from help desk call volumes that he had a spyware problem at AAA Reading-Berks, an auto club in Wyomissing, Pa. But the extent of the infection surprised even him. When he ran eTrust PestPatrol across the organization's 90 machines, he found that 70% had problems. Deployment of the antispyware software cut the time he spent addressing spyware issues from 20 hours a week to a few minutes a day reviewing reports, he says.
Sam Curry, vice president of eTrust security management at Computer Associates International Inc., says the company's PestPatrol customers typically find 25 to 90 instances of spyware per PC. Statistics like that are what worry GM's Sanovic and other IT executives who haven't yet deployed antivirus tools enterprisewide. "What you don't know is the problem with spyware. If you don't look, you don't know when you are exposed," Sanovic says.
Gateway appliances on the network are also getting better at blocking spyware activity. At Exchange Bank, an intrusion-prevention appliance from Internet Security Systems Inc. blocks spyware activity, says Bob Gligorea, information security officer at the Santa Rosa, Calif.-based bank. "The ones it doesn't catch [during download], it catches when they try to go to the Internet," he says. His staff then issues a trouble ticket to remove the spyware. Gligorea also plans to add Web filtering software and ISS's Proventia Desktop to detect and block spyware activity.
At Philadelphia Stock Exchange Inc., Gene Peters has been holding off on buying desktop antispyware tools, but he's being proactive at the network perimeter. His Web filtering software, from SurfControl PLC, recently blocked a potentially dangerous spyware download. "We think it would have downloaded a Trojan," says Peters, director of information services at the exchange.
Fortunately, the spyware never got out of the Internet cache, but Peters is far from complacent. "We got lucky that [the Web site disseminating the spyware] was not a legitimate site in our URL list," he says. This fall, he plans to evaluate desktop tools as a complement to his network defenses.
Some 55% of survey respondents said they haven't yet purchased enterprise-class antispyware tools. GM's Sanovic is waiting for enterprise antispyware offerings from the bigger security software vendors to mature before jumping in. "It's difficult at first look to determine if a lot of the products are ready for corporate environments," he says. Peters says the add-on products he's tested from the antivirus vendors do offer centralized management and reporting but haven't been as effective as the single-user versions from smaller vendors.
More than half of the readers surveyed ranked currently available tools as only "somewhat effective" at detecting, removing and preventing the installation of spyware. The tools received their highest marks for detection but were seen as less effective at removal and prevention. "Some [products] do a great job at detecting spyware but a horrible job at removing it. How good is that to me?" Peters says. As a result, some organizations are using multiple tools to help address the problem.
Ricky Stewart uses Spybot Search & Destroy and other stand-alone utilities in addition to eTrust PestPatrol. "Spybot finds things that PestPatrol didn't," says Stewart, who supports 350 users at Cornell University's athletic department. "That's why I've always gone with multiple programs."
At this point, says Sanovic, "everyone is treading water, looking for the best you can get." Fortunately, the products are improving rapidly.
Most IT organizations aren't excited about loading yet another security agent onto the desktop but see no alternatives. "You can't have your help desk involved in trying to resolve hundreds of thousands of user problems," says Sanovic. Antispyware and antivirus software are also beginning to merge into a single client, says Gartner Inc. analyst John Pescatore.
Meanwhile, the same signature-based detection technology is being integrated into gateway products such as Blue Coat Systems Inc.'s Spyware Interceptor and McAfee's Secure Web Gateway. While gateways can help prevent the installation of spyware in the office, they can't prevent users who travel from bringing back spyware, nor can they remove it. Most organizations will require a combination of desktop and gateway tools to get the job done. But gateways won't work in all cases. For Waters, the cost of procuring them for 72 offices is just too high.
Initial enterprise antispyware tools were also budget busters, but that's changing rapidly. "We've seen the pricing of enterprise spyware deals drop very dramatically," says Pescatore, from as much as $40 per seat to as little as $2 per seat.
Waters says his deal worked out to a little under $8 per seat to cover 1,500 users. In the long run, as antispyware becomes just another feature in security software suites, the add-on pricing model could disappear entirely, he says.
Software suites should also offer better integration over time. Peters says he'd like to see Web antispyware tools communicate with his Web content filters so when spyware is detected on the desktop, the source Web site is automatically added to the list of blocked URLs. "That way, you won't have the same process recurring," he says.
Ultimately, even the best antispyware tools can't treat the root cause of the problem. As with antivirus software, vendors must continually update signatures to keep up with professional programmers hired by adware developers. "The financial incentives in spyware are much greater than anything else except direct hacking," says Sanovic.
Wallace is disgusted by the problem. "I would like to see the people responsible for the spyware in a public execution," he says. But he's resigned to the need for antispyware tools for the foreseeable future. "I'm not happy that I have to spend money for licensing to keep my machines clean," he says. "But I have to protect my systems and my users from this stuff."