For more info on a specific newsletter, click the title. Details will be displayed in a new window.
Subscribe to
Computerworld 40 years of the most authoritative source of news and information for IT leaders.
|
|
|
|
April 22, 2004 (Computerworld) -- In a perfect world, corporate laptops and desktops would be outfitted with only authorized software that was appropriately configured, always up to date and patched, and protected by layers of security. Corporate information security policies would be painstakingly followed by professionals who never failed to employ best practices. IT audits, in turn, would be a formality -- a regular activity that simply confirmed a flawless IT environment.
What's far more likely is that corporate laptops and desktops include outdated, misconfigured and even unapproved applications. Users might download free games, utilities and media players on their corporate laptops or desktops or install peer-to-peer file-sharing programs.
In many cases, use of such utilities and programs is against corporate policy and a security risk to the organization. Why? Because many of these popular programs include spyware.
Threat or nuisance?
Spyware, sometimes called adware, snoopware or sneakware, is software that secretly gathers information about a user and relays that information to another party over the Internet. In many cases, users unknowingly install spyware when they download freeware or shareware, even though references -- often obscure -- to spyware might be included in the program's end-user agreement. In other instances, spyware programs are automatically installed when a user simply views an HTML e-mail or visits a certain Web page.
At its mildest, spyware is a simple tool used by advertisers to track users' Web-surfing preferences.
At its worst, spyware is used to monitor keystrokes, scan files, install additional spyware, reconfigure Web browsers, snoop e-mail and other applications, and more. Some of today's spyware can even capture screenshots or turn on webcams.
In a corporate environment, these capabilities pose a major threat to corporate security, especially since much of this activity goes on without anyone's knowledge.
Even in computing environments that encrypt data, spyware remains a threat to the security of corporate data because its keystroke-logging components capture input before it's encrypted.
An aid to spam
But that's not all. Spyware also leads to spam and vice versa. When spyware finds e-mail addresses, it sends them back out over the Internet to be traded, shared or sold to spammers. When unsolicited commercial e-mail finds a user who clicks to see an advertised product, spyware secretly downloads as the advertisement unfolds. This creates an administrative nightmare for corporate IT professionals, not to mention the legal implications it introduces as inappropriate content floods in-boxes.
Spyware also consumes memory and system resources. Because it constantly phones home to deliver user information and then sends back more pop-ups, banner ads and the like, spyware uses up valuable corporate bandwidth. Adding insult to injury, many spyware programs store their unwanted advertisements on the user's own hard drive.
Perhaps one of the biggest concerns regarding spyware in the corporation is the challenge it presents to organizations struggling to demonstrate compliance with government regulations for information security. While many of these regulations target specific industries, few corporate environments are unaffected. These regulations include the Health Insurance Portability and Accountability Act, established to ensure the privacy of patient information; the Sarbanes-Oxley Act, established to ensure that financial statements are resistant to fraud; the Gramm-Leach-Bliley Act, established to safeguard customer information; and even the California Data Privacy Law (California SB 1386), established to protect the confidential information of state residents.
However, when spyware is a component of the corporate computing environment, capturing confidential information or secretly perusing files and applications, regulatory compliance is virtually impossible.
Keeping spyware out of the workplace
By following certain steps, organizations and end users can reduce the risk of introducing spyware into the company. These measures include the following:
- Use antivirus software that identifies spyware.
- Download and execute code only from trusted sites.
- Update information security policies, if necessary, to include spyware. If file-sharing software is allowed, establish procedures for ensuring that it's configured correctly. If personal Internet use is allowed, establish criteria for appropriate use.
- Use discretion when clicking through online advertisements; ads that appear in a program's user interface are probably spyware.
- Review and revise firewall policies, if necessary, to ensure that only authorized outbound traffic is allowed. It may be necessary to install desktop firewalls to make sure spyware is blocked as it attempts to phone home.
- Become familiar with spyware sources and create rules to block access.
Whether viewed as a nuisance or a threat, spyware is a growing concern in corporate IT environments. It consumes resources and bandwidth, introduces risk and hinders compliance with information-security regulations.
As new generations of file-sharing and freeware programs emerge, spyware will likely evolve to become even more complex and troublesome. However, by leveraging people, processes and technology to combat spyware, corporations can effectively protect against this silent menace.
Kelly Martin is a senior product manager at Cupertino, Calif.-based Symantec Corp.
|
Print this Story |
|
Send Us Feedback |
|
E-mail this Story |
|
Digg this Story |
|
Slashdot this Story |
|
|
|
|
|
 |
|
All Zones Application Performance Zone Business Continuity Zone Data Center Management Zone Enterprise-Class Security Zone The File Data Management Zone Grid Computing on Windows Zone Security Management Zone ITIL Best Practices Zone The SAS Zone Storage Virtualization Zone Business Intelligence and Analytics Zone |
 See your link here
|
 |
||||||||
| ||||||||
| ||||||||
| ||||||||
|
Why SaaS is Vital to Email and Web Security
Download this Executive Bulletin (a $49.95 value) for free, compliments of MessageLabs.
Get this white paper now!
Read up on the latest ideas and technologies from companies that sell hardware, software and services.
- Elgan: You can be Batman, too
- Study: IT jobs will drop in 2009
- RIM fixes critical BlackBerry Enterprise Server bug
- More top stories
Security Management ZoneSecurity management is the process of developing a comprehensive data protection plan. It takes into account all potential threats, the existing network environment, the future needs of the organization, and lays out a multi-tiered blueprint to integrate the security technology needed to combat these threats. CDW can help keep your network and data secure. Visit the CDW Security Management Zone now See All Zones
|
 Fired up about IT? Join Sharkbait and share your true tales of IT. SharkBait is the place for you to sound off about everything IT – the good, the bad, and the rest of the weird stuff you deal with every day.New baits 
|
"Security Directions" virtual trade show2008's Code-Red Security Issues for Protecting the EnterpriseWebcasts, white papers, demos, and more. Presented in a unique 3-d environment. Enter our show right now! Click here to enter
|
 In SecurityStripping away the trappings of applications, systems and networks, information is the core asset of most organizations. Our columnist describes how asserting the importance of information governance is crucial to making that asset tangible, addressable and protected. Click here to read the latest column by Jon Espenschied |
CIO
Computerworld
CSO
DEMO
GamePro
Games.net
IDG Connect
IDG World Expo
Infoworld
The Industry Standard
ITworld
JavaWorld
LinuxWorld
MacUser
Macworld
Network World
PC World
Playlist
Copyright © 2008 Computerworld Inc. All
rights reserved. Reproduction in whole or in part in any form or medium
without express written permission of Computerworld Inc. is prohibited.
Computerworld and Computerworld.com and the respective logos are
trademarks of International Data Group Inc.
|
