IT Compliance Institute, September 6, 2005:

Trends and Technologies

FDIC: Spyware Cure Requires More Than Technology

When the FDIC recommended financial organizations improve their response to spyware, it meant helping to protect customers, as well. And, as its recent Financial Institution Letter notes, technology alone won't solve the problem.

By Mathew Schwartz

Spyware is problem, particularly for financial organizations. So says the Federal Deposit Insurance Corporation (FDIC) in a recent Financial Institution Letter, "Best Practices on Spyware Prevention and Detection." In fact, the FDIC recommends financial organizations not only improve their own response to spyware, but also help protect their customers. An effective response, it observes, must go beyond technology fixes.

The FDIC's recommendations come none too soon, as spyware infestations are increasing in number and destructive potential. According to Richard Stiennon, vice president of threat research for Webroot Software Inc., which just released its "State of Spyware" report for the second quarter of 2005, "more than 80 percent of enterprise desktops are infected" with adware or spyware. Furthermore, he says, "the next generation of spyware we're starting to see emerge now does things like changing system properties, changing permissions or security settings to give itself better access, or having code to be self-propagating."

Thus, the FDIC recommends financial institutions take a number of internal steps to combat spyware:

• Prevent users from downloading software. If possible set browsers to reject ActiveX controls, and always warn users before installing anything.
• Include spyware in the overall risk assessment. According to the FDIC, "this ensures that the financial institution considers all risks to private customer information and takes appropriate steps to mitigate those risks."
• Alter security policies to prohibit user access to risky sites. Furthermore "management should take steps to enforce these policies and reprimand staff who fail to comply with them."
• Use firewalls to monitor inbound and outbound traffic. Assess whether employees need access to instant messaging or peer-to-peer networks. Block outbound ports that are not actively used in business processing or communications.
• Watch firewall logs for suspicious activity. If there's a lot of activity from a single IP address, and "if research determines that the Internet address belongs to a service that intercepts Internet communications, consider blocking access to the Internet banking site from that address."
• Audit trusted root certificates. "Some spyware installs its own trusted certificates allowing it to intercept secure Internet communications or the execution of malicious code," says the FDIC.

Beyond the enterprise, consumers are also at risk. According to a Pew Internet & American Life Project release issued last July, 43 percent of US adults report they've had at least one piece of spyware or adware on their PC. "This is probably a conservative estimate," says the report. For example, in October 2004, an AOL and National Cyber Security Alliance said 53 percent of respondents reported they had a spyware or adware infection. Scans, however, found 80 percent were actually infected.

The FDIC memo advised banks to provide education as well as technical controls. If customers can't tell a bank's real e-mails from fake ones, and behind the scenes, the fake e-mail is a phishing attack designed to harvest sensitive information and install spyware on a user's computer, then the bank has a public relations problem. Thus, the FDIC recommends "informing customers about the risks associated with spyware and recommending actions that customers can take to prevent spyware from being downloaded on their computers."

Anti-Spyware Advice for Consumers

When advising customers on spyware, experts recommend focusing on—and beyond—technology. Indeed, as the FDIC notes, "while most financial institutions and some individuals have taken steps to protect their computers, many firewall and anti-virus software packages do not protect computers" from spyware.

In fact, much of the success of phishing and spyware attacks is independent of technology, per se. "A lot of times you look at fraud and injury on the Internet, and it's old wine in new bottles. For example, the Nigerian letter is the Spanish Prisoner—it's a 500-year-old con job," notes David Perry, the global director of education for Trend Micro Inc. He's referring, of course, to a scam in which the perpetrator offers to split millions of dollars in exchange for a relatively small initial cash infusion (or bank account access) from the victim. Similarly, "adware and spyware are nothing new; you could just look at them as technological allegories of existing, real world things," Perry states.

Because the scam variations are always changing, however, effective spyware prevention must include consumer education—and it doesn't have to be complex. Warning customers about the dangers of fake e-mails and advising against providing personal information over e-mail is one tactic. However, banks can also encourage consumers to be proactive about protection.

According to Bruce Hughes, a senior antivirus researcher for Trend Micro, a bank could tell customers "'you're much safer if you've just updated the [security] patches on your system, and just doing that, you're going to be 99 percent safe.'" As a consumer, even though "there are always new vulnerabilities and exploits coming out, the chance of you hitting a Web page with one of those is really small," Hughes says.

In the future, two other efforts should help alleviate spyware pains, notes Perry. First, user technology including operating systems and applications will improve. Second, legislation might help.

But, says Perry "[Legislation] is very tricky, because it involves legitimate businesses and users at the same time." For example, many spyware victims actively, if unwittingly, allow installation on their machines. In many cases, users might agree to a business's end user license agreement (EULA), which is often too long to be readable, and install "free" software, which ends up monitoring their computer. Most of the anti-spyware legislation on the books would do little to prevent this type of scenario.

Still, Perry is hopeful. "I hope it comes down on the side of the individual user, even if they've clicked the EULA," he says. On that front, the anti-spyware ball is in legislators' court.

Mathew Schwartz is a former contributing editor for the IT Compliance Institute. You can contact him about this and other articles at Mat@PenandCamera.com.

This article originally appeared in IT Compliance Insitute and is reprinted by permission of 1105 Media, Inc.