Adware may present privacy and data security concerns, cause stability and performance problems where it’s installed, and be hugely distracting for employees. How might IT security professionals combat these threats? Dr Horst Joepen advocates the use of Content Security Management suites.

Most companies perceive e-mail and spam as the biggest threat to their users’ data security. In today’s world, corporate communications systems are totally reliant on giving employees web access and e-mail log-in to conduct their tasks. Take away that access and most employees would suggest their productivity will fall. The focus today for most IT security vendors and corporate security budgets remains on protecting e-mail traffic.

Is e-mail really the biggest threat, though? If you were a burglar looking to attack a domestic property, you’d surely choose the weakest, least-protected point to gain access to that property. The same applies to anyone who would attack your company’s infrastructure searching for the weakest link. It’s not the already well-protected e-mail system they’ll attack. It’s the comparatively less well-protected – and therefore vulnerable – web-based communications traffic.

The Internet is undoubtedly a prime channel for attack because the defence mechanisms are less clear-cut. A couple of years have passed by since the Code Red worm exploited a known vulnerability in Microsoft IIS servers to attack end user desktops. During those intervening years, little has changed. Although there is work in progress on standards, as yet there is no accepted security standard for web sites that provides any kind of guarantee in terms of data safety for a web site you may be accessing. Nothing exists to prevent the risks to your company’s business from web traffic.

Heart of the matter

At the heart of this problem is Adware, which is bandwidth-consuming, presents privacy and security concerns, can cause stability and performance problems where it is installed and is distracting to employees.

In truth, most employees allowed to surf the Internet at work probably have some form of Adware on their workstation. The bandwidth consumption alone is enormous, with Adware accounting for anything up to 50% of a company’s network traffic.

Adware is a form of Spyware. Often installed without the user’s consent – as a drive-by download or as a result of clicking some option in a deceptive pop-up window – Adware may be bundled with other software or downloaded in peer-to-peer (P2P) networks, such as music-swapping sites. Once installed, the software follows a user’s Internet surfing habits, and delivers advertisements based on those habits.

Such spyware also engages in rather more deceitful practices including the monitoring of keystrokes to gather confidential information (such as the end user’s e-mail address, location and even credit card information).

Sadly, the scale of the problem is worsening. One anti-virus alert group recently predicted that exploits and Adware account for over 60% of security breaches among home users. The group suggested Adware and unwanted content transmitted via e-mail and the web will continue to increase throughout 2005, with programs becoming ever more complex and combined with content such as spam.

On average, at least 13 Adware components can be found on every user’s machine. Its presence is becoming more of a threat than e-mail-borne elements because most consumers use Internet Service Providers that proactively scan and clean e-mail viruses before mail is delivered to the consumer. However, they cannot do the same for web traffic.

Looking at filtering procedures

How, then, do you prevent this insidious Adware from taking hold of your machine? Content filtering is really the best way forward. To date, the market penetration of content security products is around the 30% mark. In other words, an estimated 70% of end users don’t have any form of protection in place, despite the fact that they need it – now.

Ironically, the market penetration of firewalls is well over 90%, but they don’t help prevent web attacks. They check authentication, yes, but not transmitted content. Anti-virus scanners have no signature file in the anti-virus database for most Adware, and do not analyse content or provide any customised filters to stop it.

There is really no other way of protecting against Adware than adopting proper perimeter and desktop protection, and putting proactive filtering defences in place. By way of an analogy, proactive filtering is the moat that guards a medieval castle. The castle also has high walls and a drawbridge to protect it, but it’s the moat that is the first line of defence – the deterrent for any would-be attacker.

The risk posed by web traffic means that all traffic can be considered to be potentially harmful. No company can afford to allow these threats to have any kind of access to its network. Even Secure Sockets Layer (SSL) web traffic must be considered.

By using proactive filtering, you prevent Adware by effectively deploying a shield, stripping the content and code that enables Adware to be downloaded, installed and executed from web-based traffic at the Internet gateway. In other words, before it can cross the moat and mount an attack.

Proactive filtering does not replace conventional anti-virus technology, but complements it to maximise protection and performance. A classic virus pattern can only protect against one particular attack after it has been found spreading via the web.

The proactive scanner does not look for a known virus that might be caught much faster by a pattern-based scanning regime. Instead, proactive filtering offers a three-way approach that verifies digital signatures and, in so doing, blocks any mistrusted program code, screens (and blocks) any suspicious code based on its potential behaviour and, finally, filters out any potentially harmful code that tries to exploit any vulnerabilities presented by the client.
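
The three checks described above, sketched as a gateway decision function. This is an added example, not code from any Content Security Management product; the `Response` fields, the rule lists, the score threshold and the signer name are all constructed assumptions, and signature verification itself is assumed to happen upstream.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed policy values for illustration; a real gateway loads its own.
TRUSTED_SIGNERS = {"Example Corp Software Publishing"}
ACTIVE_TYPES = {"application/x-msdownload", "application/java-archive"}
# Stage 2 indicators: what a script could do on the client, with a weight each.
BEHAVIOUR_RULES = [
    (re.compile(r"WScript\.Shell", re.I), 3),               # can launch processes
    (re.compile(r"Scripting\.FileSystemObject", re.I), 3),  # can write files
    (re.compile(r"CurrentVersion\\+Run", re.I), 4),         # autostart registry key
    (re.compile(r"window\.open\s*\(", re.I), 1),            # pop-up window
]
BLOCK_SCORE = 4
# Stage 3 stand-in: <object ... codebase=...> markup that pulls code onto the client.
OBJECT_INSTALL = re.compile(r"<object\b[^>]*\bcodebase\s*=[^>]*>.*?</object>", re.I | re.S)

@dataclass
class Response:
    content_type: str
    body: str
    signer: Optional[str] = None    # publisher name reported by the upstream check
    signature_valid: bool = False   # result of that check (assumed done elsewhere)

def filter_response(resp):
    """Return (verdict, body, reasons); verdict is 'allow', 'strip' or 'block'."""
    # Stage 1: program code must carry a valid signature from a trusted signer.
    if resp.content_type in ACTIVE_TYPES:
        if not (resp.signature_valid and resp.signer in TRUSTED_SIGNERS):
            return "block", "", ["untrusted or unsigned program code"]
        return "allow", resp.body, []
    if not resp.content_type.startswith("text/"):
        return "allow", resp.body, []
    # Stage 2: screen script content by potential behaviour, not by known pattern.
    score = sum(w for p, w in BEHAVIOUR_RULES if p.search(resp.body))
    if score >= BLOCK_SCORE:
        return "block", "", [f"behaviour score {score}"]
    # Stage 3: strip markup that would install code, pass the rest of the page.
    cleaned, n = OBJECT_INSTALL.subn("", resp.body)
    if n:
        return "strip", cleaned, [f"removed {n} installer object(s)"]
    return "allow", resp.body, []
```

The ordering matters: the signature check is cheapest and decides program downloads outright, while the strip stage lets a page through with only the offending element removed.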

Content Security Management

Even with a new incident, proactive filtering can either block the attack or (even when it needs to be updated) block the whole class of potential attacks using the same mechanisms or scheme of attack. A Content Security Management suite is perhaps the best example of how proactive filtering might protect a business from Adware by encompassing reactive and proactive protection across all forms of web, FTP and SMTP-based traffic.

Other solutions to Adware include ensuring that your system does not have a vulnerability that can be exploited. Keeping your Windows operating system fully patched is an obvious thing you can do to ensure security, as well as disabling the Windows Messenger Service (which might dish up unwelcome advertising for unsuspecting users). Disabling the service will prevent both the pop-ups and the exploit.

Proactive filtering will ensure that the only unwanted advertisements security and IT managers see are on the television!