Courtesy of Computer Associates
PC World
Friday, August 24, 2007 8:19 PM

IT security experts warn that spyware is rapidly moving from personal computers to business networks connected to the Internet. The National Cyber Security Alliance reports that nearly nine out of every 10 home computers contains spyware. Similarly, Web usage by workers on the job is now giving IT teams security headaches.

Spyware is quickly becoming a high level security problem for businesses large and small. It does more than just steal information about your computing habits. It robs you of system speed and Internet access efficiency. Spyware can introduce threats to companies including data theft, legal liability, reduced employee productivity and public relations nightmares.

While spyware may seem similar to viruses and worms, it is much different. Spyware tends to propagate differently and is generally more resistant to quick-and-easy removal than most viruses. That is why the best solutions aren't found in antivirus packages, even if they include basic spyware-blocking features. Separate desktop products are available to identify and remove spyware. But managing standalone desktop software across a company can be complex and time-consuming, so these solutions are not always ideal for businesses. Successful defense requires establishing usage policies and management procedures and implementing an automated anti-spyware solution that offers flexibility, low maintenance and centralized controls.

Spyware is a program that is installed, with or without the user's permission, and can monitor computer activity while broadcasting the information back to an outside party that controls the program.

Spyware comes in many shapes and sizes. Some types of spyware are simply an annoyance causing increased spam or unwanted pop-ups, while others can threaten your company's security and increase your liabilities. These pests often lurk silently on your computer until someone or something sets them off. Spyware can do more than steal personal information.

Think of all the confidential and proprietary information that may be contained in your company's computers:

Spyware may reside on PCs inside your organization or on the laptops and home PCs that employees use outside of the office. Keyloggers can monitor passwords and other access information and pass them onto third parties who may compromise company security or cause embarrassment, or worse, by revealing client, customer or employee information. At the very least, it can rob your system of its speed, stability and Internet access efficiency.

Common Pest categories include:

Legal Risks From Spyware

One of the greatest liability risks from computer Pests comes when crooks take advantage of someone else's computer facility to cause harm to others. The law might hold an organization vicariously accountable for the actions or consequences of a malicious person who executes a computer Pest through the organization's information resources.

A computer Pest might be a hacker tool planted by a company's own employee to enable him to hack into other sites. Such hacking exposes the company to significant liability. In May 2000, the operator of a financial website, Wall Street Source, sued a competitor, IPO.com, when one of its employees allegedly used a stolen password to access Wall Street Source's site and alter or falsify information. Wall Street Source sought $800,000 in actual damages and $5 million in punitive damages.

Alternatively, a computer Pest could be a Trojan horse or other malicious software, which would damage a business computer system and prevent it, for example, from serving the company's customers as promised. Even if it did not condone or know about the Pest, an organization hosting it might be liable for negligence for failing to exercise reasonable care not to cause foreseeable injury to someone else.

A Distributed Denial-of-Service (DDoS) attack can be caused by a particularly potent type of Pest on the Internet. Litigation surrounding related types of dangers suggest a DDoS victim can successfully make the case that the victim is entitled to compensation from a negligent Internet administrator who allows his facilities to be used as an instrument for launching an attack.

Rather than being something that inhibits operation, a computer Pest might be an espionage tool, which helps a snoop steal personal or sensitive customer information, like credit card or social security numbers. U.S. financial institutions are subject to new information security regulations under the Gramm-Leach-Bliley Financial Services Modernization Act. Financial institutions include banks, insurance companies and securities firms, and the regulations extend to the subsidiaries and service providers of these institutions. The purpose of the regulations is to promote the confidentiality and integrity of data about customers.

The regulations require institutions to assess risks to private customer data and take measures to control those risks. The risks could include the introduction of computer Pests that allow vandals to access or abuse personal data. Regulatory examiners will be monitoring institutions for compliance, and shortcomings can lead to sanctions.

Similarly, new regulations45 CFR Parts 160 and 164under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) obligate health care institutions to put in place security measures to ensure that patient information remains confidential. If an institution falls short on this obligation it could be subject to civil and criminal penalties.

Also, a growing number of American companies are signing on to the EU-US Safe Harbor relating to the protection of private data collected about people in the European Union. Under the Safe Harbor's fourth principle, organizations collecting personal data must take reasonable precautions (which may include actions against Pests) to guard against the loss, misuse or unauthorized access to or disclosure of the data.

Even where legal action may not occur, damage from computer Pests attracts the public spotlight. In Finland, the operator of an anonymous Internet remailer shut down his system under pressure from the Finnish police even though it was not clear the operator had violated any particular Finnish law. The service, which forwarded millions of messages a day in a way that hid the identities of the original senders, was accused of facilitating distribution of child pornography.

Securities laws require companies to maintain control over their assets and information systems, which by implication means companies must rid themselves of vermin like computer Pests. The portions of the Securities Exchange Act of 1934, known as the Foreign Corrupt Practices Act, require that publicly owned companies protect their assets and maintain internal control over assets. The Securities and Exchange Commission routinely brings actions against companies for wasting assets and maintaining lax internal controls, such as in computer systems.

The SEC took action against Material Sciences Corporation for failing to protect its inventory management computer system from access and abuse by unauthorized people. "MSC's computer system?... lacked safeguards to prevent inappropriate manual computer entry of general ledger information."

Best Practices to Combat Spyware

Businesses that wish to guard against spyware, adware and other unwanted applications will benefit from supplementing traditional protection methods (including firewalls, intrusion detection systems and antivirus programs) with new strategies that address the unique characteristics of spyware. A comprehensive, company-wide spyware-prevention strategy should include multiple elements:

How Do I Remove Spyware?

The major challenge of spyware is that it is extremely difficult to remove. Spyware programs can have hundreds of bits of individual code that are cumbersome, difficult and risky to manually remove. The uninstallers of most spyware programs do not usually completely uninstall the program; they can include self-protection mechanisms, such as reinstallers; they have constant rewrites to the registry; and they can even have two copies of the program running at the same time to protect each other.

The easiest way to remove spyware is to install an anti-spyware solution that detects and removes all pieces of spyware. eTrust ™ PestPatrol ® Anti-Spyware (eTrust PestPatrol) offers a comprehensive solution that both detects and removes a wide range of spyware, adware and other nonviral malicious code to protect your confidential data and the performance of your PC.

Computer Associates International, Inc. (CA) has been a trusted security advisor to businesses worldwide for more than 16 years and supports pest researchers on three continents. The eTrust PestPatrol team has been active for almost five years and has the most mature database of pest information available anywhere. The CA Threat Advisory Team has more than 80 dedicated researchers that proactively rally support from individuals to report incidents to them. eTrust PestPatrol has more than 1.8 million pest-related incidents reported on a monthly basis and has been the "go to" resource for pest research for almost five years. Given its quality and breadth, the data found in the Pest Research Center is frequently quoted in the press.

eTrust PestPatrol detects and removes nonviral malicious code that can expose confidential and diminish the performance of consumer and business PCs by:

eTrust PestPatrol enables:

eTrust PestPatrol coexists with and complements perimeter security solutions, such as antivirus software, firewalls and virtual private networks (VPNs).

What Are the Business Benefits of Removing Spyware?

Companies that deploy a comprehensive solution that both detects and removes spyware, adware and other nonviral malicious code realize benefits that reduce legal liability and total cost of ownership:

If you're not sure that spyware, adware and other malicious applications are presenting a problem for your organization, we invite you to download a free 25-user, 30-day, full-function evaluation version of eTrust PestPatrol by visitingca.com/smb/antispyware/trial

What you find on your computer may surprise you.

"Wall Street Source Sues IPO.com Alleging Employee Hacked Web Site," Cyberspace Lawyer, June 2000, vol. 5, no. 4 at 25. "Distributed Denial of Service Attacks: Who Pays?", Margaret Jane Radin (mazunetworks.com/radin-toc.html).hhs.gov/ocr/hipaa/European Developments, Finland, Cyberspace Lawyer, December 1996, vol. 1, no. 9, at 23. 15 U.S.C. Section 78m(b)(2)(A) et seq. In the Matter of Material Sciences Corporation, Securities Exchange Act 1934, Release No. 41930, September 28, 1999.

For more information, call 1-8866-576-9727or visitca.com

Copyright 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. To the extent permitted by applicable law, CA provides this document "AS IS" without warranty of any kind, including, without limitation, any implied warranties of merchantability or fitness for a particular purpose, or non-infringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill or lost data, even if CA is expressly advised of such damages. MP277790205

This story was editorially selected as relevant and is used with permission fromCA. PC World received no compensation for posting this article.