"
Webroot Spy Sweeper finds and destroys these programs with robust rootkit discovery methods, a feature many other
antispyware programs lack."
Source : Webroot Software
Best of breed versus Suite Anti-spyware
A couple of months ago, I was called in to assist with a penetration test involving a Supervisory Control
and Data Acquisition (SCADA) system. SCADA systems are used by utility companies and other operators of
critical infrastructure to monitor and control mission critical processes such as nuclear reactors. While
the base team was well aware of the makeup of the SCADA systems and how to compromise them in theory,
should they actually get access, I was supposed to figure out a way to get them that access. The next
couple of paragraphs illustrate how access to such systems was gained and the role spyware played in
reaching sensitive systems.
As a first step, we found an attendee list for a user group for those SCADA systems. We then went
through the list and pulled off the e-mail addresses of the people within the targeted organization. At that
point, we assumed that the people would check e-mail on the systems that they used to access the
SCADA systems. Next, we had the team create an e-mail that lured company employees to a web site
that silently downloaded spyware onto the visiting system. The spyware allowed us to control that
system, and therefore the SCADA systems that controlled a nuclear reactor.
Needless to say, the plan worked like a charm. If anything, it worked too well as the employees we
targeted not only connected to our website, they also forwarded the e-mail on to many other employees
throughout the company!
This attack took a couple of days to execute. Because of the way it was crafted, the threat bypassed several
firewalls and intrusion detection systems and gained access to the system through users responding to an
outside e-mail request. This test clearly demonstrated the need for deployment of anti-spyware on endpoint
systems. Frankly, it demonstrated the need for organizations to provide the most robust anti-spyware
software available.
The anti-spyware industry, however, is going in two separate directions that potential buyers must
consider. First, there are the suite products that bundle anti-spyware with a variety of other security
applications. Second, there are the best of breed products that are purely focused on detecting and
eradicating spyware. You need to choose the right anti-spyware solution for your organization.
Why Suite Products Exist
There is a lot of talk these days in the media about security software vendor consolidation. Every time
one vendor acquires another, stories appear about how consolidation is security's future. The reality is
that large companies will always acquire little companies in all markets. Large companies want to increase
their revenues, and that typically means entering a new market. The easiest way to do this is by acquiring
small companies that already have some penetration into the target market.
The benefits for large companies are obvious. The companies appear to have steady growth. There is
significantly less risk in entering the target market. Companies do not need to invest years in research and
development. In many cases the acquirers buy companies for no other reason than that they have too much
cash on hand. This is especially true in the security software market, where the anti-virus vendors have a
steady stream of cash from AV software sales.
A related benefit is that they can expand revenues from their current customer base. This is ideal for
them, as the sales cycles are very short and they can lock out competition. In many ways this potentially
benefits customers too, in that they have fewer vendors to negotiate and contract with.
Issues with Suites
There are problems though. For example, the acquired companies have different software engineering
procedures, and the interfaces of the products being merged are completely different. A common interface
is required, which leads to the development of a single interface that cannot take full advantage of the
individual products. There can also be a variety of other incompatibilities that end up "dumbing down"
the individual software packages.
Consider the analogy of a minivan. The reason minivans proliferated so quickly is that they serve
a variety of cross-functional purposes. They can comfortably carry a reasonable number of people, but
they cannot carry as much as a passenger van. They can drive reasonably comfortably, but they are not a
luxury sedan. They can go reasonably fast, but they are not a sports car. Basically, a minivan is a little bit of
everything, but it only provides a very basic level of everything. They do not necessarily excel on any
count, but they are just right for many people.
When we take minivans into the security world, we see the security suites. While ICSA Labs provides a
certification standard for anti-virus products, there is no such standard for anti-spyware and other
security software. These products therefore vary greatly in quality, especially when it comes to security
software suites. Again, they do a reasonably good job of everything, but the effectiveness of the individual
functions is clearly not the best.
What’s Best for You?
The question then becomes, what is good enough? The answer is, it depends.
With anti-spyware software in particular, the "good enough" question causes the greatest concern. Spyware
has become insidious in the amount of damage it can do. The effects of spyware can be a nuisance, or they
can ruin someone's life. For organizations, the consequences are similarly varied and devastating. At best,
spyware results in lost productivity. At worst, it results in your most critical data being handed to your
competitors, potentially putting you out of business.
In a recent case of corporate espionage, an Israeli couple living in England sold spyware to corporate
spies operating against Israeli companies. Confidential data from several companies was stolen resulting in
large financial and intellectual property losses. Spyware has also been used to clean out personal and
corporate bank accounts. In the healthcare sector, the potential results range from embarrassing to devastating.
In the Introduction, I spoke about how the use of spyware enabled my team to bypass a wide variety of
security systems to control a nuclear reactor. Clearly this is a disaster scenario.
Cyberextortion is a growing crime enabled by spyware. The criminals place spyware on systems and then use
those systems to launch denial of service attacks against third parties. Corporate systems that fall
victim to spyware are used as part of the attack, which can expose a company to liability even though it
is an unwilling participant in the attack.
A case of spyware that we will be hearing more about involves a business where a computer was infected
with spyware. The spyware stole corporate bank account information and the criminal then cleaned out
the company account. The affected company is now suing Bank of America to recover the stolen money.
While Bank of America did attempt to recover the stolen money, it could not recover all of it and
would not credit the remainder back to the account. Bank of America maintains that it did
everything it could, that the loss was a result of the customer's poor security habits, and that the
customer is therefore responsible for its own loss. For a variety of reasons, this will be a landmark lawsuit.
While the anti-spyware products that are generally sold in a security suite are considered to be about 50%
effective in identifying spyware, standalone anti-spyware is approximately 90% effective. Standalone
anti-spyware tends to be more robust in the algorithms it uses and is less dependent on spyware
signatures. This means that it is better suited not only to identifying known spyware, but to catching
new and custom attacks as well.
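To make the signature point concrete, the following Python is an added example written for this edit; it is not code from the white paper and not Webroot's engine. It contrasts a hash-signature check with a simple behaviour-based check over constructed samples. The signature database, the behaviour labels, the scoring threshold and the three samples are all assumptions made for the example, chosen to show why a repacked or custom build slips past a signature while its runtime behaviour does not change.

```python
import hashlib
from dataclasses import dataclass


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for a signature database: SHA-256 hashes of binaries the
# vendor has already seen. Real products use richer signature forms, but a hash
# entry shows the core limitation: it only matches what it has already seen.
KNOWN_SPYWARE_BYTES = b"keylogger-v1:hook-keyboard;post-to-collector"  # constructed
KNOWN_BAD_HASHES = {sha256(KNOWN_SPYWARE_BYTES)}

# Runtime behaviours a behaviour-based engine might observe. These labels are
# assumptions for the example, not any vendor's telemetry schema.
SUSPICIOUS_BEHAVIOURS = {
    "persist_autorun",    # registers itself to start at logon
    "hook_keyboard",      # installs a system-wide keyboard hook
    "inject_browser",     # injects code into a browser process
    "beacon_external",    # periodically posts data to an outside host
    "hide_from_listing",  # hides its process or files (rootkit behaviour)
}


@dataclass
class Sample:
    name: str
    content: bytes        # stand-in for the on-disk binary
    behaviours: set       # stand-in for what was observed when it ran


def signature_scan(sample: Sample) -> bool:
    """Flag only samples whose hash is already in the signature database."""
    return sha256(sample.content) in KNOWN_BAD_HASHES


def behaviour_score(sample: Sample) -> int:
    """Count how many suspicious behaviours the sample exhibited at runtime."""
    return len(sample.behaviours & SUSPICIOUS_BEHAVIOURS)


def behaviour_scan(sample: Sample, threshold: int = 3) -> bool:
    """Flag samples showing at least `threshold` suspicious behaviours.

    The threshold is the tuning knob: set it too low and legitimate software
    that persists and phones home (an updater) gets flagged as well.
    """
    return behaviour_score(sample) >= threshold


# Constructed samples for the example.
KNOWN = Sample("known keylogger", KNOWN_SPYWARE_BYTES,
               {"persist_autorun", "hook_keyboard", "beacon_external"})
# The same spyware repacked for one target: the hash changes, the behaviour does not.
CUSTOM = Sample("repacked keylogger", KNOWN_SPYWARE_BYTES + b";build=target-xyz",
                {"persist_autorun", "hook_keyboard", "beacon_external", "hide_from_listing"})
# Benign software that also persists and beacons, but does nothing else suspicious.
UPDATER = Sample("legitimate updater", b"updater-v2",
                 {"persist_autorun", "beacon_external"})


def scan_all(samples=(KNOWN, CUSTOM, UPDATER)) -> dict:
    """Return {sample name: (signature hit, behaviour hit)} for each sample."""
    return {s.name: (signature_scan(s), behaviour_scan(s)) for s in samples}


if __name__ == "__main__":
    for name, (sig, beh) in scan_all().items():
        print(f"{name:20s} signature={sig!s:5s} behaviour={beh}")
```

Running it shows the known build caught by both checks, the repacked build caught only by the behaviour check, and the updater flagged by neither at a threshold of 3. Lower the threshold to 2 and the updater is flagged too, which is the trade-off any behaviour-based engine has to tune; real products layer many more signals than this, but the asymmetry between a hash that changes with every rebuild and behaviour that does not is the reason signature-only detection misses custom attacks.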
The question is when do you need a minivan, and when do you need a high performance vehicle? Where
spyware is concerned, the answer is that it depends how much you have to lose. In a corporate
environment, there are few cases where the anti-spyware contained in suite products is adequate. The
following are some questions to ask when considering your anti-spyware strategy.
Guidelines/ Process to determine Best of Breed vs. Suite
- Does your organization store large amounts of credit card, social security, or
financial transaction or other personal identification records of your customers
or employees?
- Do you store intellectual property documents that are critical to your competitive advantage
in the market?
- Do you have compliance requirements under SOX, HIPAA, GLBA, or Section 5 of the FTC Act?
- Would a data leak cause serious consequences to your brand and business?
If you answered Yes to any of the questions above, your risk exposure warrants giving a best of
breed solution serious consideration.
The arguments against standalone, aka best of breed, anti-spyware focus on the fact that the standalone
applications may require more resources in time and cost. The concern is valid, but largely exaggerated.
With regard to cost, you are comparing anti-spyware whose cost is bundled into a suite product against
paying for a separate product. That extra cost has to be weighed against the loss from spyware that goes
undetected. In a large organization, with a 40% difference in effectiveness, undetected spyware is very
likely. The extra cost is more than offset by the loss prevented.
With regard to the extra time required to administer best of breed anti-spyware software, we are talking
about an hour extra per week. This time is largely due to the fact that the software interface is more
robust in its ability to refine its reporting criteria and detect spyware incidents. This is a result of the
increased functionality that is provided through a dedicated user interface, and again results in increased
protection against highly damaging malware.
Admittedly though, there are environments where the anti-spyware software contained in security suites
is acceptable. Where users are very computer illiterate, and they can barely understand the interface of a
suite product, then it is probably best not to add any more complexity. Likewise, if you are in a low tech
environment that is not highly computerized, it might be reasonable to go with a suite product.
Security is about the management of risk. It is not about making things perfectly secure, but balancing
potential losses and their likelihood against the cost to mitigate the potential loss. The question you have
to ask yourself is, “Assuming a worst case spyware infection, what is the potential loss?” Sadly, given
everything that we are seeing, you have to assume that a spyware infection will target your most critical
assets. This is exactly what was demonstrated in the Israeli spyware case. In most business environments,
choosing suite based anti-spyware software over best of breed anti-spyware software is leaving your
organization open to a very high likelihood of a critical and embarrassing loss. The cost of best of breed
software is trivial when compared to that loss.
Ira Winkler, CISSP is President of the Internet Security Advisors Group. He is considered one of the
world’s most influential security professionals, and has been named a “Modern Day James Bond” by the
media. He obtained this status by identifying common trends in the way information and computer
systems are compromised. He did this by performing penetration tests, in which he physically and
technically "broke into" some of the largest companies in the world, investigating crimes against them,
and telling them how to cost effectively protect their information and computer infrastructure. He
continues to perform these penetration tests, as well as assisting organizations in developing cost
effective security programs. Ira also won the Hall of Fame award from the Information Systems
Security Association.
Mr. Winkler has also written the book Corporate Espionage, which has been described as the bible of the
Information Security field, and the bestselling Through the Eyes of the Enemy. Both books address the
threats that companies face protecting their information. He has also written over 100 professional and
trade articles. He has been featured and frequently appears on TV on every continent. He has also been
featured in magazines and newspapers including Forbes, USA Today, Wall Street Journal, San Francisco
Chronicle, Washington Post, Planet Internet, and Business 2.0.