"The success rate for social engineering is phenomenal," says John Strand, network penetration tester with Black Hills Information Security in Sturgis, SD.
People will call in pretending to be from a help desk, suggesting that the user download (infected) software. Or plausible emails such as a delivery notification will entice users to click on infected links, he explains.
And then there's software that tells the user to disable the system's malware protection "to ensure compatibility." "I don't think there is any legitimate software that needs you to disable security protection for compatibility reasons," says Schouwenberg. "But some software does ask you to disable it during installation, creating a precedent, so they think it's all right when they get email from a website telling them to turn it off."
Even if users are trained to resist such ploys, smiling people with clipboards and faux badges may show up at the front desk saying they need to inspect the server room on some pretext -- and they'll probably be allowed in, says Strand.
Beyond that, large numbers of log-in credentials to corporate networks are always for sale at various malicious sites, because people have registered at third-party sites using their office email addresses and passwords -- and those sites were later compromised, Strand adds.
"The good news is that it is relatively easy to defend against most malware, if you use up-to-date anti-virus software, run a firewall, get security updates and use strong passwords," Rains says. "These techniques can block the major attacks used today and probably for years to come."
"The best practices I was telling people about 10 years ago I still have to tell people about today," Haley adds. "Have good security software, update the system and use good common sense. Don't link to email that doesn't seem right."
Finally, Pescatore suggests looking to the field of public health (rather than the military or ecology) for a metaphor about living with malware. "We have learned to wash our hands and keep the cesspool a certain distance from the drinking water," he notes. "We still have the common cold, and we still have occasional epidemics -- but if we react quickly we can limit the number who are killed."
This story, "Malware: War without end," was originally published by Computerworld.