2006-09-01
Abstract
David Harley reviews Combating Spyware in the Enterprise.
Copyright © 2006 Virus Bulletin
Title: Combating Spyware in the Enterprise
Author: Baskin, Bradley, Caruso, Faircloth, James, Piccard and Schiller
Publisher: Syngress
ISBN: 1-59749-064-4
Cover price: $49.95
According to the cover blurb, this book is essential reading for 'anyone responsible for the security of an enterprise's network'. It contains some useful and interesting general material, but does it live up to its claim?
The book begins with chapters entitled 'An overview of spyware' and 'The transformation of spyware', both written by Tony Bradley. The first defines spyware, malware, adware, parasiteware (browser hijackers), phishing and botnets. The definitions will not add much to the knowledge of readers of Virus Bulletin, but are uncontentious and clearly written, with examples of specific programs and the body text of several phishing emails.
A short description of how botnets work is followed by very short descriptions of a handful of bots. The separate section on malware seems a little odd, given that most of us would probably consider most of the programs described here to be malware. The second chapter is largely historical, describing the origins and evolution of spyware through targeted marketing, spam and cookies, and adware. A section on spyware and criminal activity introduces some slightly different or additional definitions (identity theft, ransomware) and is followed by a short US-centric section on anti-spyware legislation. While these chapters don't really address the enterprise context, they do provide a reasonable introduction to the topic of spyware.
Chapter three, 'Spyware and the enterprise network' by Jeremy Faircloth, begins with brief descriptions of a selection of hardware and software keystroke loggers, including Sony's DRM fiasco. A consideration of 'spyware/backdoor combinations' and 'encapsulated trojans' is followed by a couple of pages on fake removal tools. The content related to the enterprise network is sparse and very generalized (e.g. 'Always use standard security practices…').
Chapter four, 'Real SPYware – crime, economic espionage, and espionage' by Craig S. Schiller, picks up the pace somewhat. The first few pages consist mostly of historical overviews of the criminal use of (loosely speaking) spyware and commercial and governmental espionage, and seem to suggest that profit-driven malware represents a shift from a previously ethical model of virus writing. (I'd love to hear that debate at a VB conference!) A more detailed overview of phishing is followed by a long section on botnet functionality, detection and countermeasures. There’s some useful introductory-to-intermediate material here, though many enterprises will not have the resources or incentive to follow up on this material to the same level of detail.
Chapters five and six, 'Solutions for the end user' and 'Forensic detection and removal', were written by Brian Baskin. Home users might find the former quite useful. However, this chapter is surprisingly long for a book which supposedly focuses on the enterprise. Only one keylogger detection utility is mentioned, but a number of common toolbar utilities are named, as well as a few commercial solutions. However, these are considered from an individual PC user's viewpoint, rather than in terms of enterprise management. Of the mainstream security vendors with products or services that include spyware management functionality, only McAfee AntiSpyware gets a mention. Given the number of mainstream AV vendors with a foot in that door, this is disquieting.
Chapter six is useful, but inaccurately named. It considers detection of spyware by tools like HijackThis, examination of the Registry, processes, the hosts file and so on, but pays no significant attention to the presentation of evidence in a court of law, so in what sense is it forensic? Its juxtaposition of detection and removal techniques without even mentioning the need to preserve a chain of evidence is, if anything, anti-forensic. The final section of the chapter summarizes a handful of enterprise-level removal tools and services, but not in any great depth.
Chapter seven, 'Dealing with spyware in a non-Microsoft world' by Ken Caruso, addresses the general issues of spyware and security on the Linux and Macintosh OS X platforms. Caruso mentions the existence of Linux spyware and rootkits, but the only Linux threats he describes (briefly) are Staog and Slapper, and the only preventative measures mentioned are the use of unprivileged accounts and (in the summary section) tripwire (which isn't described). Pre-OS X malware isn't mentioned at all, but Leap and Inqtana are described briefly. The only Mac security product mentioned is MacScan.
Chapter eight, 'The frugal engineer's guide to spyware prevention' by Paul Piccard, contains reasonable basic material, mostly on application security. It seems unhelpful to mention free versions of commercial AV here: very few enterprises will meet the licensing criteria to allow them to use those versions. The descriptions of Microsoft's WSUS and MBSA and the sections on securing email, Windows and so on could be the starting point for a useful set of checklists, but leave a lot of ground uncovered.
The appendix, written by Lance James, contains some competent material on mule-driving, telephony, and malware trends. It does fit quite well with the heavy emphasis on phishing in other chapters, but doesn't really tie the subject in with the main theme of the book.
This is a disappointing book. It contains useful general information on spyware and a number of related areas (especially phishing), but it isn't the definitive work on spyware. While there are certainly links between phishing attacks and spyware, the terms are not so interchangeable as to justify the volume of non-technical phishing material. This would have been more defensible had there been more emphasis on corporate governance and non-technical countermeasures. I would expect a book centred on spyware in the enterprise to address topics around governance issues like policy, end-user education, top management buy-in, compliance issues and accountability, as well as purely technical matters. Even at the technical level, the book is much better on attacks than on countermeasures.
The book largely overlooks the strong presence of mainstream AV vendors in this space. More surprisingly, even the open source programs widely used as a supplement (or, more contentiously, as a substitute) for commercial AV are not considered. This is a pity: a responsible, well-informed discussion of when it is appropriate to use open source and freeware would have been a real service to the enterprise community. AV aside, the range of commercial solutions that is considered is astonishingly narrow.
This emphasis on in-house technical measures and cost-cutting misses an essential point about enterprise security. Many enterprises prefer to spend serious money on commercial products and services rather than rely on internal expertise and applications that aren’t contractually supported. Why would they do that? Because the principle of transferring risk and accountability is, if properly managed, a viable security model. A book on enterprise security that doesn't give due weight to this model undermines its own credibility.
This book contains useful reading matter for non-specialists, and many system administrators and managers might benefit from it. However, as a guide to corporate handling of spyware, it is weak and even misleading.