I spoke to a large, multinational client the other day that is in the middle of a malicious hacking attack. A large percentage of the company's workstation computers are compromised. The attackers have access to nearly every server in the global environment. Executive email is being read, confidential data is no longer confidential, and state secrets are no longer secret.
Chinese hackers? We got 'em. Russian hackers? Check! Spear-phishing with malformed PDFs? Naturally. Socially engineered Trojans all over the place? You betcha! Accounting department's banking system compromised? Of course -- it wouldn't be a party without it.
Here's the kicker: In the middle of the call, I actually forgot which client I was talking to -- because every company I've worked with over the past two years is in the same situation.
Is it because of my job that I'm the only person aware of companies in these types of dire straits? It's not only large firms -- it's nearly every enterprise I'm aware of. Also, it goes beyond the business sector; my city is infected and has been nearly shut down. It's also hit my friend's computer -- an iMac. It's the same story with my mom's computer and my neighbor's computer. It makes me wonder: Is anybody not exploited?
My (virtual) hat is off to the hackers. They've managed to infect and exploit the world, and it doesn't appear that people care. It's so bad that this passes for life as usual. It's like learning to accept Mother Nature's natural disasters as inevitable -- though hackers can be stopped. I keep hoping that everyone will decide to come together in a "We Are the World"-type project to make it more difficult for malicious hackers to flourish on the Internet, but it doesn't seem likely anytime soon.
But there's plenty that you and your company can do. The majority of the risk is due to end-users intentionally executing socially engineered Trojans that show up as fake antivirus software, malicious video codecs, fake patches, and needed software drivers. Yes, good patching and strong passwords also help, but Trojan horse programs that your end-users (or friends or family) get tricked into installing are by far the most popular, successful threat.
First, implement an improved end-user education program. Teach end-users about the most frequent threats and how they can be tricked into installing malware. Tell them the bad guys often infect their most trusted Web sites and that there's no such thing as a trusted Web site. When the unsuspecting user visits the seemingly innocent site, the site will often prompt the user to install some piece of "necessary" software. They will do so, despite the fact that he or she has visited the same site a thousand times before without needing the software.
Sometimes the recommended software has some generic executable name (setup.exe, install.exe); sometimes it claims to be a popular app. My advice? Tell end-users to skip the installation unless they really find out they need it.