Feds seek cyber espionage protection

Agencies use anti-spyware software to protect their networks from eavesdroppers.

The rise in spyware programs that can monitor Internet users’ activities and, in some cases, steal information from their computers is forcing military and civilian agency officials to look for ways to stop such software from penetrating their networks.

At its worst, spyware can be used to launch a targeted terrorist or espionage assault aimed at bringing down specific systems or capturing sensitive information. Or it can be annoying adware that targets users with advertising based on their Web browsing habits. One piece of adware creates only minor problems, but large infestations can devastate a network.

Spyware might be even more insidious than viruses. Sam Curry, vice president of product management for Computer Associates’ eTrust solutions, said CA adds about 100 to 200 new virus definitions a week, compared to 400 to 600 spyware updates.

Because of the potential damage spyware can inflict, it should come as no surprise that the Army’s Directorate of Information Management (DOIM) at Fort Hood, Texas, is engaging this enemy on multiple fronts.

“We’re proactively protecting the network from outside attacks, but we’re also identifying and getting rid of spyware that is inadvertently or purposely brought inside the firewall,” said Lt. Col. Edward Morris, DOIM director.

Like the war on terrorism, spyware defies clear-cut definitions. It encompasses a variety of malicious and unwelcome commercial programs ranging from keyloggers, which collect a user’s keystrokes and send the information to an unauthorized person, to pop-up ads that appear based on a user’s browsing behavior. For example, frequent visitors to home remodeling sites might receive pop-up ads selling power tools.

“If it installs on my machine and ships user behavior or analysis of that behavior off-site to a server I don’t own, it’s spyware,” said Chris King, product marketing manager for Blue Coat Systems, which makes ProxySG anti-spyware appliances. Even adware’s theoretically benign activity “can slow a desktop to a crawl, impair business processes, idle users and bring networks to their knees,” King said.

Fort Hood has 30,000 computer systems in 600 buildings and about 40 gateways to the Internet. At each gateway, an Intrusion SpySnare sensor, a dedicated hardware and software system, monitors incoming traffic and prevents known spyware from getting past the firewall.

But this perimeter defense is not foolproof. Spyware is typically installed when users download infected programs intentionally or by clicking on dialog boxes on disreputable but often legitimate-looking Web sites. Although DOIM administrators update their spyware definitions a few times a week, newly created infections still have a brief opportunity to enter undetected.

And spyware has other ways of penetrating systems. “People may have brought their laptops to Iraq, for example,” Morris said. “By the time they get back here and plug it in our network, it may be fully infected with spyware and viruses.”

Therefore, whenever a new device is attached to the network at Fort Hood, the system automatically scans it for spyware. It will try to delete the infected program and notify administrators so they can temporarily remove the computer from the network until the problem has been resolved.

Policy is important, too

A third part of the anti-spyware strategy at Fort Hood has more to do with policy than technology. Users are generally not allowed to connect unauthorized computers to the network. They’re also prohibited from setting up or using peer-to-peer file-sharing networks, because they are an easy source of spyware infections.

Charles Kolodgy, research director for security products at IDC, agreed with Morris’ efforts to enforce a Web policy for internal users. Although employees often resent restrictions on their Web activities, “if users don’t go shopping or download software or visit disreputable sites, a lot of the [spyware] problem is solved,” he said.

Administrators at smaller agencies, where supervisors can see most users’ computer screens, might be able to control Web activity through policy statements. But Kolodgy is a strong proponent of installing filtering software that limits the sites employees can visit.

Of course, some agencies allow employees to connect their home computers to the network and many cannot reasonably restrict Web usage. At the National Center for Missing and Exploited Children (NCMEC), for example, employees have to visit disreputable sites.

“One of our employees’ primary Web jobs is to find and explore child pornography sites,” said Steve Gelfound, the center’s manager of information technology.

The center’s congressionally mandated CyberTipline enables the public to report the sexual exploitation of children, including Web-based child pornography and child prostitution.

“People who go to these kinds of sites aren’t about to complain about spyware,” Gelfound said. “So when we visit them, we’re flooded with problems.”

Decentralized system but centralized control

If Fort Hood can be compared to Baghdad’s heavily barricaded Green Zone, which depends on a strong perimeter defense, NCMEC could be likened to the foot patrols that have to mingle with the population.

So when it came to choosing an approach for blocking spyware, NCMEC officials opted for a detection and eradication approach. They installed CA’s eTrust PestPatrol on the center’s 235 desktop computers. The application detects and removes spyware from individual computers.

But center officials have not given up on a centralized command and control structure. Administrators centrally manage the eTrust PestPatrol application via a console that help-desk personnel also access to control updates and determine when to scan for spyware, among other functions. Settings made on the console remain on individual computers even if the machines are removed from the network.

Before installing anti-spyware software, Gelfound conducted a test of 40 users and found 300 instances of spyware. The five-person help desk was constantly running from machine to machine scanning for problems, and sometimes the only way to resolve them was to rebuild the system.

After the anti-spyware application had been in place for four months, Gelfound said he had not had a single call from users complaining about spyware. In addition, he has recovered more than 15 hours of weekly staff time that was previously spent dealing with spyware infections.

Anti-spyware users often measure their success in improved productivity and not in a reduced espionage threat. According to a study by Webroot Software, which makes a product called Spy Sweeper, 75 percent of companies surveyed consider spyware a problem primarily because it increases desktop support duties. The other 25 percent are mainly worried about keystroke loggers capturing sensitive information.

But Richard Stiennon, Webroot’s vice president for threat research, said that although espionage might be a lower risk simply because it is less likely to happen, “if it does occur, it could be devastating.”

Initially, many organizations opt for a one-vendor solution. But because of the seriousness of the problem, many officials consider using more than one product to protect their networks.

Johannes Ullrich, chief research officer at the SANS Institute, a computer security training organization, said one product from a vendor with a good reputation might be all an organization needs to block spyware. But he added that, in some cases, there could be advantages to using two products — one on the server and another on desktop PCs.

“If you use two separate products, one might [detect] a spyware signature before the other one does,” Ullrich said.

However, he added that although free spyware products might be fine for augmenting enterprise-level tools, agencies should not depend on them.

“It’s extremely hard for agencies to determine before buying how well spyware works unless they have an extensive IT department to test the application,” he said. “So it’s necessary to go by [a vendor’s] reputation.”

He suggests that administrators confine their choices to products by companies well known in the enterprise software or security software markets. Such vendors have the resources to maintain their products for the foreseeable future and keep up with new spyware signatures.

Freeware and shareware makers might have good intentions, but they often lack the ability to combat the problem reliably enough for government work.

Experts also recommend looking for straightforward policy enforcement and administrative control functions. Software and hardware should also offer sufficiently high performance so that the anti-spyware system doesn’t negatively affect users’ productivity.

Spyware, like other cybersecurity issues, is a moving target. The problems and solutions will likely evolve over time. But at this point, enterprise-strength tools are sufficiently robust to keep ahead of any threat. The big issue for IT administrators is finding where and how to apply those tools.

Stevens is a freelance journalist who has written about information technology since 1982.

Anti-spyware checklist

Here are some tips that might help when making purchasing decisions about anti-spyware applications.

  • If users often work outside the firewall, consider a desktop anti-spyware solution that has enterprise-level administration capabilities.
  • Enact policies about Internet usage. Discourage or prohibit users from accessing peer-to-peer networks and disreputable sites, such as ones dedicated to pornography or illegal drugs. Enforce the policy with filtering software.
  • Consider deploying multivendor solutions if you want added protection. However, a good enterprise-level application should protect against most spyware applications.
  • Select products based on ease of use, flexibility and customization features.