Dyre malware is now stealing Salesforce credentials. In a typical scenario, a user's laptop is infected while it is outside the corporate network and beyond the protection of APT protection such as FireEye. For example, a user takes her laptop home and uses it at the Starbucks coffee on the way to the office. Once the user is in the office and logs in to Salesforce, the malware steals the user's Salesforce credentials. The malware also spreads to other user devices opportunistically. Corporate data on Salesforce is now completely compromised.
(a) Encrypt your data on Salesforce via a Cloud-Access-Security-Broker (CASB) that offers strong encryption. First-gen technologies trade-off searchabilty with encryption strength offering an effective 20-bit encryption strength, useless against any hacker.
(b) Turn on anomaly alerts on the CASB so that you can monitor for unusual data downloads and activity.
(c) Salesforce.com suggests enforcing IP range restrictions on access, e.g. users may only access Salesforce from the corporate network. This offers some protection but not a whole lot, since the malware can siphon down data while the user is at the office and export it later on.
(d) Revisit corporate policy on "trusted devices." If your organization installs software agents on client devices and thereafter views them as trusted, you have an environment that is ripe for data breaches. Security sensitive organizations should treat all devices as suspect, choosing to protect corporate data rather than devices.