Websense Enterprise Keylogging Filtering Category

Websense offers a layered defence against both commercial and custom-built malicious keylogging applications

Provider of employee Internet management solutions, today announced that Websense Enterprise has enhanced the ability of organisations to protect themselves against the advancement of keylogging threats by including a new keylogging filtering category in the Websense Master Database. In 2004, there have been more than 100 high-profile incidents of malicious code discovered with built-in keyloggers. According to Websense Security Labs(tm), there are currently hundreds of free commercial keystroke logging applications available for download. Websense Security Labs investigates and publishes today’s internet threats for the security industry and customers.

Keylogging applications record keystrokes and screen shots and can be replayed later to reconstruct a user session, said Peter Firstbrook, program director at META Group, a leading provider of IT research, advisory services and strategic consulting. These products are very dangerous and can be used to steal passwords and confidential information, which can be used to provide full access to corporate systems and files. Several organisations have lost valuable corporate information including passwords and usernames to these devices. One software company lost significant revenue when source code for new gaming software was stolen via a remote keystroke logger and posted on the Internet.

Keylogging applications are split into two classes: commercial key loggers that are freely downloadable on the internet, and custom built keyloggers that can auto install onto a PC as part of a blended attack through malicious code. Commercial keylogging applications often market themselves as a consumer solution that can be used to monitor what a spouse or child is doing while they are on the computer, whether online or offline. Although these applications are marketed for the intentional monitoring of commercial or home PC use, they can easily be used for malicious intent within an enterprise.

More recently, hackers have advanced the delivery of non-commercial, custom-built malicious keyloggers. When looking at the recent JS Scob outbreak, users infected their PCs by simply visiting sites where malicious code was automatically deposited onto their system without their knowledge or acceptance. For example, when users visit the infected website of a banking institution, their user names, passwords and account numbers may have been transferred to a keylogger’s host server.

Hackers are getting better as they now have the ability to recognise end user behaviour such as typing confidential information, said Dan Hubbard, senior director of security and technology research for Websense, Inc. For example, numerous keyloggers wait for an end user to connect to a particular banking site before activating. By proactively blocking access to websites that contain malicious code and keylogging applications, organizations remove the web as an attack vector and take a major step in mitigating these risks.

As companies and hackers continue to develop more advanced keylogging application techniques, a layered security approach at the internet, network and desktop can protect valuable corporate and employee information from being exposed. Available exclusively within the Websense Security Premium Group(tm) (PG), the new keylogging internet content subcategory provides a new level security by proactively managing employee access to applications and sites that contain keylogging applications enabling organizations to block internet traffic to third parties looking to obtain logged keystrokes. This filtering category coupled with Websense Client Policy Manager(tm) (CPM) prevent the launch of keylogging applications, adding an additional layer of security. Current customers deploying Websense CPM or the Security PG will automatically be upgraded to include the new keylogging subcategory free-of-charge.

At the internet gateway and desktop, applications and URLs that are identified as being associated with keylogger applications or those that are infected with keylogging code will be included in the new subcategory, which is updated along with the Websense database downloads. Websense recently introduced Real-Time Security Updates which enables immediate updates to the databases as malicious events are discovered. When a block policy for the subcategory is implemented by a customer, employees that click on keylogging applications and links will be proactively blocked from accessing the keylogging application or counterfeit site.

With Websense CPM, organisations gain additional security against malicious keylogging applications at the employee desktop. CPM delivers protection from not only malicious code keyloggers but also from commercial versions of keyloggers that are being used with malicious intent within a corporate environment. CPM also provides added protection with its network lockdown feature which prevents un-classified applications from accessing the network to relay logged information. These blocking features combined with Websense Explorer allow IT administrators to drill down into which users may have keyloggers installed on their machines.

CPM policies enforce the blocking of unauthorised applications from launching on employees’ PCs. For example, if an employee were to attempt to install a keylogging application, when the employee tried to launch that application, CPM would recognize this launch request and terminate the application on the desktop before it can cause harm. Additionally, when installed on a travelling laptop, CPM policies protect laptops, whether on or off the network.

For more information about Websense and its products, please visit www.websense.com. The Websense Security Labs is available at www.websensesecuritylabs.com