I have worked in several environments of various sizes and security postures. One of the biggest threats I see in any of these environments when it comes to workstations is Adware and Spyware infections. Once infected systems either can become unusable due to resource hogging adware software, or proprietary data can be stolen from the system. The creators of these threats are always one step ahead of vendor patches, it seems. These days it's not enough just to have real-time malicious code scanning on your workstations. However, there are ways to combat this insidious threat.
First of all, a sensible patching schedule. You need to ensure you are as up to date as is feasible. There are a variety of patching schemes you can utilizing to this effect. The actual mechanics of these tools is outside the scope of this blog post. It can't be stressed enough that patching is crucial though.
A second thing to consider is your firewall. I have seen too many cases where firewalls are open to the world. In this scenario once an issue is identified the offending port or IP is blocked. This is completely backwards! You need to consider the firewall as being a completely closed wall and that you are poking holes in it every time you allow something. This combined with application layer scanning on the firewall and a network based IDS device would likely prevent data leakage from Spyware infections.
The third and most important consideration is an HTTP/HTTPS proxy. This is the ultimate bulwark against Spyware infection. I have seen an environment where they have a two fold approach to this. The first layer is a proxy that only permits access to specifically allowed webpages in a similar fashion to a properly deployed firewall. The second layer is a proxy which filters for potentially malicious code and strips it out of any HTTP/HTTPS traffic bound to workstations. I have seen the numbers in the reporting at this environment and the number of detections on the workstations themselves are dramatically lower than any other environment I've seen.
So as you can see, there are many considerations to preventing Adware and Spyware from infecting workstations. Of course, like many security issues, implementing a well thought out policy which utilizes industry best practices and environment specific considerations makes all the difference in the world.
More...
