White Paper - Understanding Malware and Internet Security
By Mike Belton, Security Engineer, CISSP
The issue of unauthorized software in the enterprise environment is becoming a critical resource and productivity issue. The problem has risen to the legislative level. In 2004 the U.S. House of Representatives passed HR2929, the so-called Spyware Act, which is currently being reviewed by the Senate. Recently, the Senate Commerce, Science and Transportation Committee approved S.2145, a bill that would outlaw the practice of installing software that collects personally identifying information without the end-user's consent. Additionally, various state governments have enacted their own legislation to better define and regulate this unauthorized software, which is typically referred to as malware. Software companies have responded by pointing out that their product comes with an End User License Agreement (EULA) that explains what their software does and what the end user is agreeing to. These companies claim that by entering into this binding legal agreement with the software company, the end user has consented to any actions the malware might perform.
The traditional method for detecting malware as it enters a computing device is through file scanning. Scanning is performed on any file that the computing system interacts with, including files downloaded from the Internet, files sent via email, and files on removable media. However, many companies that produce scanning software have been sued by the software producers for mislabeling some third-party software as a particular type of threat. The software producers argue that their software has legitimate uses and is delivered with a license. Therefore, if anti-virus companies classify these products as ‘spyware’ or ‘adware’ or ‘trojan,’ they are destroying product image and limiting sales.
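To make the file-scanning model above concrete, here is an added example (not code from the paper or from any product it mentions) of a minimal ingress scanner that applies the two basic detection techniques commercial scanners build on: an exact-hash denylist and byte-pattern signatures. The EICAR test string is the real, industry-standard test pattern; every other sample file, hash, and signature name in the block is constructed for the demonstration and is not a real indicator.

```python
"""Minimal file-ingress scanner (added example, not the paper's own code).

Checks each file against (1) a SHA-256 denylist and (2) byte-pattern signatures,
the two basic techniques behind scanning files as they enter a device.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass

# Real, industry-standard test pattern that anti-malware engines detect by agreement.
EICAR_TEST_STRING = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed sample: a file body treated as "known bad" purely for this demo.
CONSTRUCTED_BAD_BODY = b"constructed demo payload; not a real threat\n"

# Signature table: detection name -> byte pattern. The second entry is constructed.
SIGNATURES = {
    "EICAR-Test-File": EICAR_TEST_STRING,
    "Demo-Adware-Marker": b"DEMO_ADWARE_MARKER_v1",
}

# Hash denylist: exact-match detection, cheap but defeated by changing a single byte.
KNOWN_BAD_SHA256 = {hashlib.sha256(CONSTRUCTED_BAD_BODY).hexdigest()}


@dataclass
class Finding:
    path: str
    detection: str
    method: str  # "hash" or "signature"


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_bytes(data: bytes, path: str = "<memory>") -> list:
    """Run both detection techniques over one file body; returns a list of Finding."""
    findings = []
    digest = sha256_of(data)
    if digest in KNOWN_BAD_SHA256:
        findings.append(Finding(path, f"sha256:{digest[:12]}...", "hash"))
    for name, pattern in SIGNATURES.items():
        if pattern in data:  # substring match; real engines use offsets, wildcards, unpacking
            findings.append(Finding(path, name, "signature"))
    return findings


def scan_file(path: str) -> list:
    with open(path, "rb") as fh:
        return scan_bytes(fh.read(), path)


def scan_directory(root: str) -> list:
    """Scan every file under root, e.g. a download folder or mounted removable media."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            findings.extend(scan_file(os.path.join(dirpath, name)))
    return findings


def demo() -> dict:
    """Write constructed sample files to a temp dir and return detections keyed by filename."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "eicar.com": EICAR_TEST_STRING,
            "bad_hash.bin": CONSTRUCTED_BAD_BODY,
            "adware.dll": b"\x4d\x5a" + b"\x00" * 16 + b"DEMO_ADWARE_MARKER_v1",
            "clean.txt": b"quarterly report draft\n",
        }
        for name, body in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(body)
        result = {name: [] for name in samples}
        for f in scan_directory(tmp):
            result[os.path.basename(f.path)].append(f"{f.method}:{f.detection}")
        return result


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name:14} {'CLEAN' if not hits else ', '.join(hits)}")
```

The two methods fail in different ways, which is why the paper's point about multiple layers of defense matters: a hash denylist is defeated by any change to the file, and a fixed byte signature is defeated by packing or re-encoding the payload, so neither technique alone reliably labels a file as clean.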
All of this sets the stage for a very dynamic security issue that involves multiple layers of defense and end user education. To truly attack and mitigate the issue of malware, one needs to understand the policy issues, business drivers, and computer literacy of any particular business unit. You must also create and enforce policies regarding the types of access and the types of permissions that are appropriate for each part of your company. As with most corporations, your network has a very diverse user-base with unique computing requirements, business functions, and knowledge levels. This makes the task of fighting malware much more difficult.