Slideshow transcript
Slide 1: Best of Breed vs. Suite Anti-spyware

A couple of months ago, I was called in to assist with a penetration test involving a Supervisory Control and Data Acquisition (SCADA) system. SCADA systems are used by utility companies and government agencies to monitor and control mission-critical processes such as nuclear reactors, which is why access to them has to be tightly protected. While the base team was well aware of the makeup of the SCADA systems and how to compromise them in theory, should they actually get access, I was supposed to figure out a way to get them that access. The next couple of paragraphs illustrate gaining access to such systems and the role spyware plays in gaining access to sensitive systems.

As a first step, we found an attendee list for a user group for those SCADA systems. We then went through the list and pulled the e-mail addresses of the people within the targeted organization. At that point, we assumed that these people would check e-mail on the same systems they used to access the SCADA systems. Next, we had the team create an e-mail that lured company employees to a web site that downloaded spyware onto their systems without their knowledge. The spyware allowed us to control the system, and therefore the SCADA systems that controlled a nuclear reactor.

Needless to say, the plan worked like a charm. If anything, it worked too well: the employees we targeted not only connected to our web site, they also forwarded the e-mail to many other employees throughout the company. This attack took a couple of days to execute. As crafted, the threat bypassed several firewalls and intrusion detection systems, because access was gained through users responding to an outside e-mail request rather than through any inbound connection those controls were watching for. This test clearly demonstrated the need to deploy anti-spyware on endpoint systems. Frankly, it demonstrated the need for organizations to provide the most robust anti-spyware software available.
The anti-spyware industry, however, is going in two separate directions that potential buyers must consider. First, there are the suite products that bundle anti-spyware with a variety of other security applications. Second, there are the best of breed products that are purely focused on detecting and eradicating spyware. You need to choose the right anti-spyware solution for your organization.

Why Suite Products Exist

There is a lot of talk these days in the media about security software vendor consolidation. Every time one vendor acquires another, stories talk about how consolidation is security's future. The reality is that large companies will always acquire little companies in all markets. Large companies want to increase their revenues, and that typically means entering a new market. The easiest way to do this is by acquiring small companies with some penetration into the target market. The benefits for large companies are obvious: the companies appear to have steady growth, there is significantly less risk in entering the target market, and they do not need to invest years in research and development. In many cases, the acquiring companies have to acquire companies, if for no other reason than that they have too much cash on hand. This is especially true in the security software market, where the anti-virus vendors have a steady stream of cash from AV software sales. A related benefit is that they can expand revenues from their current customer base. This is ideal for them, as the sales cycles are very short and they can lock out competition. In many ways this potentially benefits customers as well, in that they have fewer vendors to negotiate and contract with.
Slide 2: –2– June 9, 2006

Issues with Suites

There are problems, though. For example, the acquired companies have different software engineering procedures, and the interfaces of the products being merged are completely different. A common interface is required, which leads to the development of a single interface that cannot take full advantage of the individual products. There can also be a variety of other incompatibilities that end up “dumbing down” the individual software packages.

Consider the analogy of a minivan. The reason minivans proliferated so quickly was that they serve a variety of cross-functional purposes. They can comfortably carry a reasonable number of people, but they cannot carry as many as a passenger van. They ride reasonably comfortably, but they are not a luxury sedan. They go reasonably fast, but they are not a sports car. Basically, a minivan is a little bit of everything, but it only provides a very basic level of everything. Minivans do not necessarily excel on any count, but they are just right for many people.

When we take minivans into the security world, we see the security suites. While ICSA Labs established a certification standard for anti-virus products, there is no equivalent standard for anti-spyware and other security software. These products therefore vary greatly in quality, especially when bundled into security software suites. Again, they do a reasonably good job of everything, but the effectiveness of the individual functions is clearly not the best.

What’s Best for You?

The question then becomes: what is good enough? The answer is, it depends. Anti-spyware is where this causes the greatest concern. Spyware has become insidious in the amount of damage it can do. The effects of spyware can be a nuisance, or they can ruin someone’s life. For organizations, the consequences are similarly varied and devastating. At best, it results in lost productivity.
At worst, it results in your most critical data being provided to your competitors, potentially putting you out of business. In a recent case of corporate espionage, an Israeli couple living in England sold spyware to corporate spies operating against Israeli companies. Confidential data from several companies was stolen, resulting in large financial and intellectual property losses. Spyware has also resulted in personal and corporate bank accounts being cleaned out. In the healthcare sector, the potential results range from embarrassing to devastating. In the introduction, I described how the use of spyware enabled my team to bypass a wide variety of security systems and control a nuclear reactor. Clearly this is a disaster scenario.

Cyberextortion is a growing crime that is completely enabled by spyware. The criminals place spyware on systems and then use those systems to launch denial of service attacks against third parties. Corporate systems that fall victim to spyware become part of the attack, which can make a company liable even as an unwilling participant.

A case of spyware that we will be hearing more about involves a business whose computer was infected with spyware. The spyware stole the corporate bank account information, and the criminal then cleaned out the company’s account. The affected company is now suing Bank of America to recover the stolen money. While Bank of America did attempt to recover the stolen money, it could not recover all of it and would not credit the remainder back to the account. Bank of America maintains that it did everything it could, that the loss was a result of the customer’s poor security habits, and that the customer is therefore responsible for its own loss. For a variety of reasons, this will be a landmark lawsuit.

While the anti-spyware products generally sold in a security suite are considered to be about 50% effective in identifying spyware, standalone anti-spyware is approximately 90% effective.
Standalone anti-spyware tends to use more robust detection algorithms and is not usually dependent on spyware signatures alone. This means it is better suited to identifying not only known spyware but new and custom attacks as well.

Slide 3:

The question is: when do you need a minivan, and when do you need a high-performance vehicle? Where spyware is concerned, the answer is that it depends how much you have to lose. In a corporate environment, there are few cases where the anti-spyware contained in suite products is adequate. The following questions help when considering your anti-spyware strategy.

Guidelines/Process to Determine Best of Breed vs. Suite

1) Does your organization store large amounts of credit card, social security, financial transaction, or other personal identification records of your customers or employees?
2) Do you store intellectual property documents that are critical to your competitive advantage in the market?
3) Do you have compliance requirements under SOX, HIPAA, GLB, or Section 5 of the FTC Act?
4) Would a data leak cause serious consequences to your brand and business?

If you answered yes to any of the questions above, your risk exposure warrants giving a best of breed solution serious consideration.

The arguments against standalone (best of breed) anti-spyware focus on the fact that standalone applications may require more resources in time and cost. The concern is valid, but largely exaggerated. With regard to cost, you are comparing the cost of anti-spyware bundled into a suite product against paying for a separate product. That extra cost is offset by the loss from spyware that the suite product does not detect. In a large organization, a 40% difference in effectiveness translates into a very strong likelihood that such a loss occurs, so the extra cost is more than offset by the loss prevented. With regard to the extra time required to administer best of breed anti-spyware software, we are talking about an hour extra per week.
This extra time is largely due to the fact that the software interface is more robust in its ability to refine reporting criteria and detect spyware incidents. This is a result of the increased functionality provided through a dedicated user interface, and again results in increased protection against highly damaging malware.

Admittedly, there are environments where the anti-spyware software contained in security suites is acceptable. Where users are very computer-illiterate and can barely understand the interface of a suite product, it is probably best not to add any more complexity. Likewise, if you are in a low-tech environment that is not highly computerized, it might be reasonable to go with a suite product.

Security is about the management of risk. It is not about making things perfectly secure, but about balancing potential losses and their likelihood against the cost of mitigating them. The question you have to ask yourself is, “Assuming a worst case spyware infection, what is the potential loss?” Sadly, given everything we are seeing, you have to assume that a spyware infection will target your most critical assets. This is exactly what was demonstrated in the Israeli spyware case. In most business environments, choosing suite-based anti-spyware over best of breed anti-spyware leaves your organization open to a very high likelihood of a critical and embarrassing loss. The cost of best of breed software is trivial when compared to that loss.
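The 40% effectiveness gap and the risk-management argument above can be made concrete with a small expected-loss model. The Python below is an added worked example, not code from this white paper or from any product it discusses. Only the 50% and 90% detection rates and the one extra administration hour per week come from the text; the fleet size, the yearly rate at which spyware reaches an endpoint, the loss per undetected incident, the per-seat licence premium, and the administrator hourly rate are constructed assumptions, and the names `AntiSpywareOption`, `expected_undetected`, `p_any_undetected`, `annual_cost`, and `breakeven_premium_per_seat` are this example's own.

```python
"""Expected-loss model for suite vs. best of breed anti-spyware.

Added example, not from the original white paper. Only the 50% and 90%
detection rates and the one extra admin hour per week come from the text;
every other number is a constructed assumption for illustration.
"""
import math
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class AntiSpywareOption:
    name: str
    detection_rate: float              # fraction of spyware incidents stopped
    extra_cost_per_seat: float         # annual licence premium over the suite (assumed)
    extra_admin_hours_per_week: float  # extra administration time per week


# Suite anti-spyware is the baseline: no licence premium, no extra admin time.
SUITE = AntiSpywareOption("suite anti-spyware", 0.50, 0.0, 0.0)
# Best of breed: 90% detection, an assumed $10/seat/year premium, and the
# one extra hour per week of administration quoted in the paper.
BEST_OF_BREED = AntiSpywareOption("best of breed anti-spyware", 0.90, 10.0, 1.0)


def expected_undetected(endpoints: int, attempts_per_endpoint: float,
                        detection_rate: float) -> float:
    """Expected number of infections per year that slip past the product.

    attempts_per_endpoint is the yearly rate at which spyware reaches one
    endpoint (e.g. a user clicking a lure like the one in the SCADA test)."""
    return endpoints * attempts_per_endpoint * (1.0 - detection_rate)


def p_any_undetected(endpoints: int, attempts_per_endpoint: float,
                     detection_rate: float) -> float:
    """Probability of at least one undetected infection in the year.

    Models infection attempts across the fleet as a Poisson process, so
    P(no undetected infection) = exp(-expected undetected count)."""
    return 1.0 - math.exp(-expected_undetected(endpoints, attempts_per_endpoint,
                                               detection_rate))


def annual_cost(option: AntiSpywareOption, endpoints: int,
                attempts_per_endpoint: float, loss_per_incident: float,
                admin_hourly_rate: float) -> float:
    """Licence premium + extra administration + expected spyware loss per year."""
    licence = endpoints * option.extra_cost_per_seat
    admin = option.extra_admin_hours_per_week * 52 * admin_hourly_rate
    loss = expected_undetected(endpoints, attempts_per_endpoint,
                               option.detection_rate) * loss_per_incident
    return licence + admin + loss


def breakeven_premium_per_seat(suite: AntiSpywareOption, best: AntiSpywareOption,
                               endpoints: int, attempts_per_endpoint: float,
                               loss_per_incident: float,
                               admin_hourly_rate: float) -> float:
    """Largest per-seat premium at which the better product still costs less in
    total than the suite product, after paying for its extra admin time."""
    suite_total = annual_cost(suite, endpoints, attempts_per_endpoint,
                              loss_per_incident, admin_hourly_rate)
    best_no_licence = annual_cost(replace(best, extra_cost_per_seat=0.0),
                                  endpoints, attempts_per_endpoint,
                                  loss_per_incident, admin_hourly_rate)
    return (suite_total - best_no_licence) / endpoints


if __name__ == "__main__":
    # Constructed fleet: 1,000 endpoints, one in five sees a spyware attempt
    # per year, $20,000 average loss per undetected incident, $75/hour admin.
    n, rate, loss, hourly = 1000, 0.2, 20_000.0, 75.0
    for opt in (SUITE, BEST_OF_BREED):
        print(f"{opt.name}: expected undetected infections/year = "
              f"{expected_undetected(n, rate, opt.detection_rate):.1f}, "
              f"P(at least one) = {p_any_undetected(n, rate, opt.detection_rate):.4f}, "
              f"total annual cost = ${annual_cost(opt, n, rate, loss, hourly):,.0f}")
    print("break-even premium per seat: "
          f"${breakeven_premium_per_seat(SUITE, BEST_OF_BREED, n, rate, loss, hourly):,.2f}")
```

With the constructed fleet, both products leave the organization almost certain to see at least one undetected infection in a year; what the model exposes is the difference in expected incident count (100 versus 20), which is what drives the loss figures. The break-even value shows how large a per-seat premium the better detection rate would justify; the argument only reverses when the attempt rate or the loss per incident is very small, which is the low-tech, low-risk environment the text sets aside.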
Slide 4:

Ira Winkler, CISSP, is President of the Internet Security Advisors Group. He is considered one of the world’s most influential security professionals, and has been named a “Modern Day James Bond” by the media. He earned this reputation by identifying common trends in the way information and computer systems are compromised: performing penetration tests in which he physically and technically “broke into” some of the largest companies in the world, investigating crimes against them, and telling them how to cost-effectively protect their information and computer infrastructure. He continues to perform these penetration tests, as well as assisting organizations in developing cost-effective security programs. Ira also won the Hall of Fame award from the Information Systems Security Association. Mr. Winkler has also written the book Corporate Espionage, which has been described as the bible of the information security field, and the bestselling Through the Eyes of the Enemy. Both books address the threats companies face in protecting their information. He has also written over 100 professional and trade articles. He frequently appears on television on every continent, and has been featured in magazines and newspapers including Forbes, USA Today, Wall Street Journal, San Francisco Chronicle, Washington Post, Planet Internet, and Business 2.0.