Copyrighted work of Spyware Doctor
Disclaimer:
This paper may be copied freely so long as it is
not changed. It provides only general information
and is not legal advice for any particular
situation.
"[O]rganizations that
rely on networked computer systems must take
proactive steps to identify and remedy their
vulnerabilities, rather than waiting for an
attacker to be stopped or until alerted of an
impending attack."
--The National Strategy to Secure Cyberspace
Executive Summary
Combating computer pests, which can open back
doors into networks, thus endangering the
integrity of confidential information, is
becoming increasingly important. Corporations
should update their IT security policies to
require that measures be taken against computer
pests, including regular scanning and removal.
Good pest control software will search for a wide
range of malicious non-viral software and help
create evidence documenting the effectiveness of
your computer pest management program.
Introduction
Effective IT security requires that
enterprises be equipped to take action against
computer pests. Management of pests should be an
integral part of all corporate IT security
policies.
Any IT infrastructure system lives or dies by
the implementation of a well-researched and
conscientiously enforced security policy. Such a
policy ensures the enterprise takes a consistent,
logical, and practical approach to information
security issues. It helps avoid panic and error
in the event of a security breach or other
incident. And it contributes to evidence that the
enterprise is complying with its legal and social
obligations by providing a documented audit
trail. This paper explains what corporate
security policies should say about computer
pests.
What are Computer Pests?
Computer pests are a large and growing class
of miscreant computer programs that go beyond
mere viruses. Computer pests include trojan
horses, spyware, hacker tools (such as password
crackers, network sniffers, and keystroke
loggers), remote administration trojans, and
tools used to initiate distributed denial of
service (DDoS) attacks. Pests are generally
uninvited programs that take up residence by
stealth like parasites on an information system.
A computer pest might be the instrument of
hacking, covert data gathering, vandalism,
cyber-terrorism, commercial espionage, or
employee sabotage.
Computer pests are a social menace. Like a
virus, a single type of pest can often infect the
systems of many companies. But unlike a virus, a
pest such as a DDoS zombie on one company's
Internet server has the potential for damaging
the machines of many other companies - with the
added potential for significant loss of business,
legal damages, negative publicity, and many other
unwelcome problems above and beyond purely
technical issues. When a company goes into battle
against a pest, it helps not only itself but also
the larger Internet community.
Higher Expectations
Society is raising its expectations for
computer security within businesses. These higher
expectations are manifest in new laws such as the
data protection provisions of the HIPAA and
Gramm-Leach-Bliley regulations. The
Sarbanes-Oxley Act of 2002 requires management in
public companies to certify its evaluation of
internal control, which embraces information
security.
IT management needs to respond to these higher
expectations with effective tools and policies.
The US government views trojans, DDoS tools
and the like as national security threats because
they can disrupt the economy and critical
infrastructure. Fighting pests is a key component
of the post-September 11 homeland security
effort, which emphasizes voluntary corporate
action.
It is incumbent upon IT management to develop
policies, procedures, and action plans that are
easily implementable within their existing
organizational structures. The key is to find a
way to contribute to the voluntary effort with a
response that is specifically tailored to each
organization's unique requirements.
The Legal Necessity to Quash Pests
Computer pests are a liability. The owner of
an enterprise's Internet resources can be held
accountable in law for damages to others caused
by pests that infiltrate and abuse those
resources.
As litigation like CI Host v. Exodus
Communications has shown, corporations can be
responsible for the malicious acts executed by
others in or through their computer network
facilities. In the CI Host case, a web hosting
service won a temporary restraining order against
another service provider, Exodus Communications,
from which hackers had launched a DDoS attack.
(See an account of the litigation at http://www.cio.com/archive/110101/court.html.)
Under the order, a Texas judge directed that
three of Exodus's servers be shut down until it
could be shown that they were no longer a threat
to the target of the attack, CI Host.
The "Slammer Worm" of January 2003
cost Verizon dearly. The Maine Public Utilities
Commission forced that telecommunications service
provider to give customers rebates in
compensation for poor quality of service. The
Commission found that Verizon had not done enough
to prevent an attack like the Slammer Worm. See
Decision of the State of Maine Public Utilities
Commission, Docket No. 2000-849, April 30, 2003 http://www.state.ma.us/dpu/telecom/03-38/56attcomne.pdf.
Effective July 2003, anyone holding private
electronic data on a California resident is
required to give that person formal notice if the
security of the data is compromised -- or even
suspected to have been compromised. California
Senate Bill 1386 requires an enterprise
processing (unencrypted) computerized personal
data to disclose any breach of security to any
Californian whose data was or might have been
released without authority. See Mitchell,
"Bracing for New Privacy Laws"
Computerworld, June 30, 2003 http://www.computerworld.com/printthis/2003/0,4814,82547,00.html.
What this means from a practical perspective
is that, if personal data (such as name in
combination with social security number,
driver's license number or account number plus
password) is compromised, the enterprise owning
it must promptly notify the data subject.
Logistically speaking, notification can be an
expensive and embarrassing nightmare. Companies
never want to get to the point of notification.
They want to prevent security breaches from ever
happening.
Commit Your Policy to Paper . . . and to Action
When a corporation finds itself in litigation,
courts will accord greater value - or weight
- to evidence that is collected according to a
disciplined routine. Through experience, courts
have learned that when an enterprise conducts the
same procedure time and again, the resulting
records are more reliable than if those records
were created on an ad hoc basis.
A written policy is key to establishing a
routine and sticking to it in a way that will
impress a court. A solid pest control policy,
properly enforced, shows that the enterprise is
thoughtful and deliberate and that its records
are more reliable for liability, audit, insurance
and law enforcement purposes.
Corporate security policies should direct that
IT personnel be vigilant against computer pests.
The policy should educate employees about pests
and lay out the steps to take and the tools that
will be used to evict these unwelcome visitors.
It is critical that both the policy and the
employee education efforts be continually updated
to take into account the latest pests and their
techniques. Criminal coders are constantly
changing and improving their handiwork. A good
provider of pest eradication software will
publish regular news and software updates.
For liability and insurance purposes, it
should be corporate policy to keep logs of pest
elimination efforts; pest control software should
do this automatically. Detailed logs, kept as
part of the normal course of business, can be
valuable evidence that the company was not
negligent and perhaps not even the source of
damage from a given pest incident. Logs should
show when scans for pests were conducted, what
the results were, and what remediation efforts
were taken for any pests that were found. Logs
should also record when updates to pest control
software were installed.
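The paragraph above lists what a pest-control log should record (scan times, results, remediation, update installation) and the earlier section on evidence stresses that records produced by a disciplined routine carry more weight. The following is an added example, not Spyware Doctor's code, of how such a log can be written so that later alteration or deletion of an entry is detectable: each record carries a SHA-256 link to the previous one. The event names, field names, host name and placeholder values are assumptions made for the illustration.

```python
"""Tamper-evident pest-control audit log (added example, not Spyware Doctor code).

Each record holds the fields the policy calls for (scan time, results,
remediation, signature updates) plus a SHA-256 link to the previous record,
so altering or removing an entry after the fact breaks the chain.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Tuple

GENESIS = "0" * 64  # link value for the first record


def _digest(prev_hash: str, record: dict) -> str:
    # Canonical JSON so the hash does not depend on key order or whitespace.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append_event(log: list, event: str, **details) -> dict:
    """Append one event (scan, remediation, signature_update) with a chained hash."""
    record = {
        "seq": len(log),
        "time": details.pop("time", datetime.now(timezone.utc).isoformat()),
        "event": event,
        **details,
    }
    prev_hash = log[-1]["hash"] if log else GENESIS
    entry = {"record": record, "prev_hash": prev_hash, "hash": _digest(prev_hash, record)}
    log.append(entry)
    return entry


def verify_chain(log: list) -> Tuple[bool, int]:
    """Return (ok, index of the first entry that fails the chain, or -1)."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev_hash or _digest(prev_hash, entry["record"]) != entry["hash"]:
            return False, i
        prev_hash = entry["hash"]
    return True, -1


def build_sample_log() -> list:
    """Constructed sample events covering what the policy says logs should show.
    Host name, version and pest name are placeholders, not real data."""
    log = []
    append_event(log, "signature_update", time="2003-06-02T08:00:00+00:00",
                 host="ws-042", version="[placeholder-db-version]")
    append_event(log, "scan", time="2003-06-02T08:05:00+00:00", host="ws-042",
                 files_scanned=48210,
                 findings=[{"name": "[pest name]", "path": "C:\\temp\\x.exe"}])
    append_event(log, "remediation", time="2003-06-02T08:06:30+00:00", host="ws-042",
                 action="quarantine", path="C:\\temp\\x.exe", operator="it-oncall")
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("chain intact:", verify_chain(sample))
    sample[1]["record"]["findings"] = []  # simulate someone editing the scan result
    print("after tampering:", verify_chain(sample))
```

In practice the log would be appended to a file or database rather than kept in memory, and the latest hash would be copied periodically to a separate system (or a printed report) so that the chain head itself cannot be quietly rewritten.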
Post Warnings
In conjunction with using pest eradication
software, organizations should warn users of the
penalties for knowingly causing pest-related
damage. The employee handbook should state that
the company will not tolerate unapproved programs
on its information systems. Moreover, logon
screens and other access points to networks
should display cautionary banners such as this:
Warning!
This system is the property of Acme
Corp. Only authorized personnel may access
this system and only for official business
of Acme Corp. The introduction or use of
malicious programs such as viruses,
trojans, keyloggers, spyware or
unauthorized remote access tools is
strictly prohibited. Violators will be
reprimanded or prosecuted as appropriate.
Like a NO TRESPASSING sign on land, this
banner serves as a reminder to employees and
others using the company's information systems
that pests are forbidden, and lays the foundation
for punishing infractions. See EF Cultural Travel
BV v. Zefer Corporation, No. 01-2001 (1st Cir.,
January 28, 2003), in which the court endorsed
the posting of banners on a web site to delineate
what visitor activity is authorized and what is
criminal. In that case, the visitor was a
competitor trying to scrape valuable data off of
the web site. The court upheld an injunction
against the visitor.
IT staff might use a similar technique if they
find that someone has in fact placed a malicious
program on a corporate system. In place of the
pest software, they could install a warning in a
conspicuous way to get the attention of the
perpetrator if in the future he or she tries to
find or activate the pest. The warning might read
something like this:
Warning!
This system is property of Acme Corp.
and may be used only for official Acme
business. This system is monitored for
malicious programs. Security personnel
have discovered and removed [describe
pest]. Acme will reprimand or prosecute
you if you place other unauthorized
programs on this system.
This warning shows that management is serious.
It can serve as a deterrent, giving the
perpetrator the heads-up that he or she is being
watched. Presence of the warning can also assist
in any future prosecution or termination of
employment.
In many cases, the spreading or use of
computer pests can be prosecuted as a crime.
Planting a pest often constitutes unauthorized
access to or abuse of a computer that might be
punishable under the federal Computer Fraud and
Abuse Act, 18 United States Code Section 1030,
and state computer crime laws. Similar laws exist
in many countries.
Competent pest control software will have
functions for quarantining malicious code
uncovered during routine security scans.
Quarantined programs can no longer affect the
company's systems, but will be a valuable source
of evidence in the hands of a forensic crime
investigator.
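The paragraph above notes that quarantined programs must be unable to affect the system yet remain usable as evidence. As an added example (not Spyware Doctor's own quarantine implementation), the code below moves a detected file into a quarantine store under a name derived from its SHA-256, gives it a non-executable extension, makes it read-only, and writes a JSON sidecar recording the original path, size, timestamp and hash so that an investigator can later show the item is unchanged. The directory layout, sidecar field names and the constructed sample file are assumptions.

```python
"""Evidence-preserving quarantine of a detected file (added example, not Spyware Doctor code).

The file is moved, not deleted, so it stays available to a forensic investigator;
the recorded SHA-256 lets anyone later confirm the stored copy is the one found.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine_file(src: Path, store: Path, detection: str) -> dict:
    """Move src into store; return the manifest written to the JSON sidecar."""
    store.mkdir(parents=True, exist_ok=True)
    st = src.stat()
    digest = sha256_file(src)
    # ".quarantined" is not an executable extension on any common platform,
    # so an accidental double-click will not launch the sample.
    dest = store / f"{digest}.quarantined"
    manifest = {
        "detection": detection,
        "original_path": str(src.resolve()),
        "size": st.st_size,
        "original_mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        "sha256": digest,
        "quarantined_at": datetime.now(timezone.utc).isoformat(),
        "quarantined_path": str(dest),
    }
    shutil.move(str(src), str(dest))
    os.chmod(dest, stat.S_IRUSR)  # owner read-only, no execute bit
    (store / f"{digest}.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def check_quarantine(manifest: dict) -> dict:
    """Report whether the original is gone, the stored copy exists, and its hash still matches."""
    stored = Path(manifest["quarantined_path"])
    return {
        "original_removed": not Path(manifest["original_path"]).exists(),
        "stored_exists": stored.exists(),
        "hash_matches": stored.exists() and sha256_file(stored) == manifest["sha256"],
    }


SAMPLE_CONTENT = b"constructed harmless sample, not real malware\n"


def demo() -> dict:
    """Constructed sample: a harmless text file standing in for a detected pest,
    quarantined inside a fresh temporary directory."""
    workdir = Path(tempfile.mkdtemp(prefix="pest-quarantine-"))
    sample = workdir / "suspect.exe"
    sample.write_bytes(SAMPLE_CONTENT)
    return quarantine_file(sample, workdir / "quarantine", "[pest name placeholder]")


if __name__ == "__main__":
    m = demo()
    print(json.dumps(m, indent=2))
    print(check_quarantine(m))
```

The sidecar and the stored sample should themselves be backed up to media the suspected perpetrator cannot reach; the hash in the manifest is what ties the two copies together if the question of tampering is ever raised.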
Corporate policy should specify when a pest
incident is considered worthy of pursuing with
law enforcement as a crime. Bear in mind that
criminal investigations can be disruptive and
time-consuming. When an especially serious pest
incident is discovered, personnel should
immediately document what they witnessed and did,
and a forensics investigator (whether private or
law enforcement) should be brought in as soon as
possible.
The wise security manager will become familiar
with local and federal law enforcement procedures
in advance of a particular incident. Then, when a
case arises, he or she will already have contacts
and some idea of what law officers'
capabilities and requirements will be.
Sharing Information with Authorities
Alongside the public's increased expectation
for computer security is a call for enterprises
and government to share security information. The
new homeland security campaign encourages
enterprises to report security vulnerabilities
and incidents to private-sector Information
Sharing and Analysis Centers, such as those
serving the financial and high tech industries,
and a proposed new Cyber Warning Intelligence
Network. These information-gathering groups help
authorities spot and remedy patterns of Internet
threat.
Corporate security policies should set out
procedures for collecting pest data and sharing
it (or electing not to share it) with
authorities. The logging and quarantine functions
of pest detection software will make this process
easier to undertake.
A company should consider some issues before
informing others about the discovery of pests on
its system. Although sharing information with law
enforcement or industry groups can help to fight
computer crime, information shared the wrong way
can come back to bite. The corporate security
policy should address this subject in advance so
as to assist quick decision-making when an
incident actually arises.
Consider whether the disclosure of information
will have any effect on the company's
competitiveness. Will competitors who get wind of
the information be able to use it to divine
anything of value about your markets, financial
condition, information systems, or corporate
strategies? Will public revelation of a security
breach (even if only a potential breach) damage
your firm's reputation or cause a loss of
confidence among customers and shareholders?
Think about whether the person or organization
to whom you are disclosing the information is
truly obligated to protect it and capable of
preventing leaks. It is advisable to consult with
legal counsel and public relations advisors to
ensure adequate protection of the information
prior to release.
Anti-Pest Weapons
Computer pests are normally not detected or
removed by anti-virus software. Viruses are code
fragments that infect individual files or file
types. Pests, on the other hand, are stand-alone
programs, sometimes disguised as games, utilities
or screen savers, and require a different
approach to prevention and removal.
Unfortunately, most consumers - and many
systems administrators - mistakenly believe that
their anti-virus software will deal with all
malicious code. The result is pests going
undetected. Software to remove pests does exist,
however, and due diligence suggests that
management ensure such software is implemented
within their organizations.
The Spyware Doctor approach
Spyware Doctor scans your system, looking
specifically for malicious code. It currently can
detect some 32,000 pests, and the database
continues to grow. Spyware Doctor is designed to be
very fast and can scan 33,000 files per minute.
How does Spyware Doctor differ from anti-virus software?
Spyware Doctor is not an anti-virus product and it
will not remove viruses. Spyware Doctor looks for and
detects other malicious code, including trojans,
hacker tools, Denial-of-Service attack agents,
and spyware. Since anti-virus products focus on
viruses, Spyware Doctor used in conjunction with an
anti-virus product offers complete and reliable
protection from the full complement of malicious
code that might result in downtime, loss of
employee productivity and dissemination of
dangerous code.
How does Spyware Doctor stay current?
We have created a number of tools that
automatically manage the Spyware Doctor database,
trapping new malicious code and constantly
updating the database. Such new files are
downloaded and automatically analyzed.
Information on how to remove this malicious
code from the registry, from ini files, and from
the file system is automatically added to our
Spyware Doctor.dat database. The database is
automatically posted to the web site so that
users of Spyware Doctor have access to the latest
strings; the product looks for updates and
downloads them automatically, too. The result:
Spyware Doctor can detect a pest within a few minutes
of its availability on the Internet and have the
necessary removal information immediately
available.
Compatibility with anti-virus
Spyware Doctor is designed to work with anti-virus
software, not instead of it. This design required
that several conditions be met:
- the scanning time for Spyware Doctor needed to
be lightning fast;
- the product needed to be
"lightweight", taking little machine
overhead;
- the product needed to detect problems that
the anti-virus software missed, with little
overlap.
Spyware Doctor benefits
Spyware Doctor is fast because its detection
algorithms are specifically built for pest
detection. At the time of writing, the database
contains 11 different pieces of information on
each of 32,000 different pests - over 350,000
information elements.
Spyware Doctor is flexible, with powerful command
line capabilities to facilitate scheduling,
network-wide scanning (including systems
connecting to corporate servers via VPN),
reporting, and updating.
Spyware Doctor combines speed, a mature database
and automated updating capability offering
complete and reliable protection from dangerous
code.
Conclusion
The current legal and political climate
dictates that corporate officers take steps to
preserve the integrity of IT infrastructure.
Successful defense requires management to
institute procedures that are executed properly,
week in and week out.