Today, there are a number of different social engineering techniques that cyber criminals are using to deliver malware to end users, including:

Email from a friend: Users get a message from a friend telling them to view a video. When the link asks to download some required software, they are actually downloading a malicious program.

Spam: Hackers are using unsolicited email spam to send Trojan horses to individuals, hoping to dupe people into downloading fake advertisements that deliver malicious code onto their machines.

Spearphishing: Criminals create a maliciously encoded document that the victim is likely to open such as a follow up from a recent conference or a planning document from a partner organization.

Fake AV warnings: Criminals are hacking into Web pages and popping up fake antivirus warnings designed to look like messages from the operating system. Downloading these will infect a machine.

Malicious websites: Hackers trick search engines into linking to malicious websites that look like they have interesting stories or video about the hottest news topics.

While these threats can be perceived as consumer-related issues, businesses only need to look at this information in regards to “their employees” to understand how social engineering attacks can jump from end-users to corporate networks. The fact is, if an employee is tricked into downloading malware, the infected machine that is connected to a network can put corporate data and systems at risk.

The truth is, we will never be able to control our employees’ online behavior. Nor, is it realistic to train or re-train every employee perfectly. Because of this, the key to preventing malware attacks is to stop the payload from getting on the network. Application whitelisting does this by preventing the execution of any unauthorized application from running on a machine, no matter how the malware is delivered.

In the article, “Cyber attacks worry firms more than terrorism,” the “2010 State of Enterprise Security Study” conducted by Symantec Software Solutions Pvt. Ltd. found that 42% of companies representing industries such as telecom, hospitality, manufacturing, retail and technology perceive cyber attacks as the biggest threat to their enterprises.

One reason cited was the lack of adequate network security. Over the past year, 66% of companies surveyed said they had experienced cyber intrusions while 51% reported repeated attacks. The study also pointed out that deployment of enterprise security has turned into a difficult task for many organizations. Said Vishal Dhupar, managing director at Symantec:

“Enterprise security is understaffed and the most affected areas in organizations are network security, web security and data-loss prevention. To tackle the issue, companies need to secure their messaging and web environments and defending critical internal servers. They should also have the ability to back up and recover data and respond to threats rapidly.

With the rise in malicious attacks targeting sectors that can have a significant impact on India’s economy, one has to wonder if cyber attacks and terrorism weren’t one in the same. As I mentioned in a recent blog, “Are we in a cyberwar or not?” cyber threats continue to have a growing impact on our nation’s economy and global competitiveness. Although U.S. Cyber Czar, Howard Schmidt, may not think we are engaged in cyber warfare, the impacts from targeted attacks are being felt everywhere, and are top IT concerns for many organizations and nations around the world.

While the 40 page report covers many, many topics, there was one overarching theme that continued to bubble to the surface for me: there are no patches for people, and people are the primary vulnerability going forward.

Like it or not, our people (employees, contractors, partners, etc.) will continue accessing social media sites, cloud computing solutions and parts of the web that we know nothing about (the “Dark Web” as Cisco calls it).

Like it or not, our people will continue clicking on links from trusted sources (especially those from “friends” in social networks like Facebook or Twitter), and be taken to sites that download malware. This is especially the case with URL shortners (e.g., bit.ly) because there is no way for the user to know what site they are about to visit. As Patrick Peterson, a Cisco researcher told Robert McMillan at PC World , “Social media and the data-theft Trojans are the things that are really in their ascent. You can see them replacing a lot of the old-school things.”

Like it or not, the deposited Trojan horses (e.g., Zeus and Clampi botnets), keyloggers and worms (e.g., the Koobface worm that has infected over 3 million computers mostly through Facebook and Twitter) will continue to morph and obfuscate themselves to avoid detection by blacklisting solutions.

Like it or not, we have to clean up after our people when the malware is deposited via their innocent actions.

I have a better idea: Why don’t we recognize that we cannot stop our people from accessing all these resources, and instead focus on stopping the real threat: the payload? The best way to do that is application whitelisting. The malware is not on the approved list of applications, so it is stopped cold.

Application whitelisting: the patch for the common user.

A recent article in SearchSecurity.com, “Hackers to sharpen malware, malicious software in 2010″, points to increasing sophistication in cybercriminals’ use of social networking sites. Robert Westervelt writes:

In an effort to sustain growth and pick up new users, more social networks are opening up their architecture to allow third-party applications. Cybercriminals can take advantage of this by developing applications out of the social network environment to target users. In addition, access to social network APIs gives attackers a roadmap to vulnerabilities in legitimate third-party applications and a way to tap into user accounts.

Changes in this environment means that businesses will be more pressed than ever to set policies around the use of social networks on company IT resources and this won’t be popular. It will be made all the more difficult by the fact that social networks aren’t just for personal use any more. More businesses than ever are engaging in social media and using it to connect to customers, provide service, and promote their company.

Expect web site access control, application whitelisting and software asset management solutions to play an even more important role than ever on corporate networks. It will be essential that businesses both understand and control what applications their employees are using to defend against an increasingly prevalent threat.