Almost half the time (45 percent), computers suffer from self-inflicted wounds: users infect their own machines by launching malicious software themselves. Only 5.6 percent of all infections with malicious software are the result of security holes, according to the latest security report from Microsoft.
There also seems to be some justification behind all the talk about USB sticks, as 26 percent of the attacks start from thumb drives. This route is made possible by the USB autostart function, which was only included in Windows up to Vista; in February, Microsoft disabled it with an update. Infected network shares are behind 17.2 percent of all attacks, with contaminants spreading by infecting other files 4.4 percent of the time.
Brute force attacks on passwords and manipulation of Office macros are relatively negligible in spreading viruses at 1.7 and 0.3 percent, respectively, according to the Microsoft report.
This is the first time Microsoft has analyzed how viruses disseminate. Up to now, experts had assumed that vulnerabilities play a much greater role in computer infections.
The report also moves away from the technical side and looks at people and the social engineering aspect of security.
IT professionals are accustomed to thinking about the technical aspects of security, the report said. However, the human element—the techniques that attackers use to trick typical users into helping them—has become just as important for attackers as the technical element, if not more so.
By implementing effective technical safeguards, programs, and processes designed to defend against social engineering, users can avoid becoming a victim of an attacker.
One way to go about protecting against a social engineering attack is to minimize and monitor the attack surface.
• Limit the number of powerful user accounts in your organization and the level of access they have, because this will help limit the harm a successful social engineering attack can cause.
• Regularly audit your powerful user accounts. Provide them only to those who must have access, and to the specific resources to which they need access.
• Ensure these user accounts have strong authentication (strong passwords and/or two-factor authentication).
• Regularly audit attempts to access sensitive company information — failed and successful attempts.
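The last three recommendations (a short list of approved privileged accounts, checked regularly, plus review of both failed and successful access attempts) can be turned into a routine check. The following is an added example, not code from the Microsoft report; the log line format, the account names, the "sensitive resource" prefixes and the approved-account policy are all constructed for illustration. It parses access-log lines, and flags two things an auditor would want to see: a successful read of a sensitive resource by an account that is not on the approved list for it, and repeated failures against one sensitive resource by one account.

```python
"""Audit review over constructed access-log lines (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample lines in a hypothetical "timestamp user action resource result" format.
SAMPLE_LOG = """\
2011-05-12T09:01:12Z alice READ hr/payroll.xlsx SUCCESS
2011-05-12T09:01:40Z alice READ hr/payroll.xlsx SUCCESS
2011-05-12T09:02:03Z bob READ finance/q1-forecast.docx FAILURE
2011-05-12T09:02:05Z bob READ finance/q1-forecast.docx FAILURE
2011-05-12T09:02:07Z bob READ finance/q1-forecast.docx FAILURE
2011-05-12T09:02:09Z bob READ finance/q1-forecast.docx FAILURE
2011-05-12T09:03:15Z svc_backup READ hr/payroll.xlsx SUCCESS
2011-05-12T09:04:00Z carol READ public/handbook.pdf SUCCESS
2011-05-12T09:05:30Z dave ADMIN_LOGIN domain-controller SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (SUCCESS|FAILURE)$")

# Hypothetical policy: which resource prefixes count as sensitive, and which
# accounts are approved to reach each of them. This is the list the report
# says to keep small and audit regularly.
SENSITIVE_PREFIXES = ("hr/", "finance/", "domain-controller")
APPROVED = {"hr/": {"alice"}, "finance/": {"bob"}, "domain-controller": {"dave"}}
FAILURE_THRESHOLD = 3  # constructed value; tune to the environment


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    action: str
    resource: str
    success: bool


def parse(log_text):
    """Parse the constructed log format; reject lines that do not match rather than skip them."""
    events = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised format: {line!r}")
        ts, user, action, resource, result = m.groups()
        events.append(Event(ts, user, action, resource, result == "SUCCESS"))
    return events


def sensitive_prefix(resource):
    """Return the matching sensitive prefix, or None for resources not under audit."""
    for prefix in SENSITIVE_PREFIXES:
        if resource.startswith(prefix):
            return prefix
    return None


def audit(events):
    """Return (kind, user, resource) findings for sensitive resources only.

    kind is "unapproved_access" for a successful access by an account not on the
    approved list, or "repeated_failures" when one account fails against one
    resource FAILURE_THRESHOLD times or more.
    """
    failures = defaultdict(int)
    findings = []
    for e in events:
        prefix = sensitive_prefix(e.resource)
        if prefix is None:
            continue  # public material is not part of this audit
        if e.success and e.user not in APPROVED.get(prefix, set()):
            findings.append(("unapproved_access", e.user, e.resource))
        if not e.success:
            failures[(e.user, e.resource)] += 1
    for (user, resource), count in failures.items():
        if count >= FAILURE_THRESHOLD:
            findings.append(("repeated_failures", user, resource))
    return findings


if __name__ == "__main__":
    for finding in audit(parse(SAMPLE_LOG)):
        print(*finding)
```

On the sample above the check reports `svc_backup` reading the payroll file without being on the approved list for `hr/`, and `bob` failing four times against the forecast document even though he is approved for `finance/`; `carol`'s read of public material is ignored, and `dave`'s approved admin login produces no finding. The point of keeping the approved set explicit in the policy, rather than inferring it from past behaviour, is that the audit then also catches accounts that were granted access and never revoked.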