Some security pros estimate that half of all spyware on corporate
networks comes from employees going to pornographic and gambling Websites
on company computers.
”I think a lot of companies are blissfully unaware of what their
employees do on their networks,” says Ken van Wyk, principal consultant
for KRvW Associates, LLC and a columnist for eSecurityPlanet.
”If you take generic commercial America, a pretty good percentage of
sites don’t spend a lot of time and energy monitoring what their
employees are doing. It’s still seen as somewhat of a stigma. People are
on an honor system. If you believe those statistics, apparently the honor
system isn’t working.”
And van Wyk says this can mean trouble, since spyware is no longer the
nuisance it used to be.
”I think the potential for spyware to do really bad things is certainly
out there,” he adds. ”The potential for danger is pretty daunting. I
certainly wouldn’t want any of that sitting on my network.”
Bob Hansmann, a senior manager at Trend Micro Inc., which has its U.S.
headquarters in Cupertino, Calif., says spyware is increasingly
troublesome for companies. And he says employees largely are to blame for
it.
IT administrators instantly would be able to reduce spyware by as much as
50 percent if they could keep users from visiting pornographic and
gambling Websites while on the job, says Hansmann. He notes that when
customers start using URL filtering software, blocking porn and gambling
sites, their spyware problem has been cut in half.
Hansmann tells the story of some IT professionals working to patch their
network. While they were waiting for the patches to download, they would
use another machine to surf the Net, visiting pornographic sites. The IT
people actually became the source of the company’s spyware infections
while they were in the process of following a good security practice.
User Complacency
Ken Dunham, a senior engineer for VeriSign iDefense Intelligence based in
Mountain View, Calif., says most users are visiting these Websites
because they don’t think they’ll ever be caught. They also might think it
would be better to be caught on these Websites at work than at home.
”There’s a certain degree of complacency. They wouldn’t do it at home
because they’re afraid of what [malware] they might get. But they’ll surf
at work because it’s not their system, and they don’t think they have to
worry about it… It’s like owning a house or renting a house.”
When someone visits many of the online gambling or porn sites, they might
get legally installed spyware or they might be silently infected with
illegal spyware or adware. Some sites will alert the user that a program
is going to be downloaded and asks for the OK. Other sites will illegally
reroute the user to another site without their knowledge where a bunch of
spyware will be installed silently and without the user’s permission.
”To view a site, you might have to install an ActiveX object to view
what’s on that site,” explains Dunham. ”Or you might have to install
some code. A lot of porn sites require you to download an executable so
you can view the pictures or the movies. That executable should be seen
as quite suspect. It’s an executable. They’d have spyware attached. That
might even be a legal installation, but it was presented and someone
clicked on it being OK.
”The user might run an application and not realize it’s installing stuff
you don’t know about,” he adds. ”There are a lot of installations where
you have no idea what you’re getting. You think you’re just getting this
pornography package but there might be a bunch of things being installed
with it and you have no idea.”
Blocking Porn and Gambling
So why don’t IT administrators just block pornographic and gambling
sites?
Well, it’s not as easy, or effective, as it might seem.
van wyk says IT admin need to combine technology with a strong policy to
have any chance of making it work. He recommends trying a URL blocker
that would sit in line with the firewall. And then he says the company
needs to come up with a strict policy that states that the company’s
computers and network are to be used for legitimate business purposes
only. It also needs to spell out that workers will be monitored, there
should be no expectation of privacy and there will be repercussions if
the rules are broken.
”You have to realize that this is not a trivial thing,” says van Wyk.
”If you go looking for something, you better be prepared to act on it.
There is an administrative burden in following through on that.”