
	Home > Ask the Security Experts > Security Management Questions & Answers > Are senior level executives a target for social engineering attacks?

Ask The Security Expert: Questions & Answers

EMAIL THIS

Are senior level executives a target for social engineering attacks?

EXPERT RESPONSE FROM: Mike Rothman

		Pose a Question

		Other Security Categories

		Meet all Security Experts
		Become an Expert for this site

Digg This!

StumbleUpon

Del.icio.us

QUESTION POSED ON: 05 July 2007
I've read that c-level executives are increasingly being targeted by social engineering attacks. What kinds of attacks are most prevalent right now, and what advice do you have for teaching security awareness to executives when they're often hard to reach?

EXPERT RESPONSE
One of the emerging attack trends is for high-level executives at larger companies to be individually targeted by phishing and other email-oriented attacks. According to MessageLabs, an executive receives a personalized message with his or her name and title in the correspondence, along with a malware-laden attachment that will turn the victim's machine into a zombie.

The reasons for targeting senior executives are obvious, but let's go over them. First, it's where the money is. The senior folks tend to have access to sensitive corporate data and more personal assets for the bad guys to target. Additionally, many of these executives are not as security aware as they need to be.

Which brings us to the second part of the question: how do we get senior executives to take security as seriously as they need to? I recommend a two-pronged approach. First, work with the human resources group to set up a broader security awareness training curriculum for senior executives. Actually, all employees should receive training, but given the fact that senior execs are being specifically targeted, the process should start with them.

Second, I'd work through the executive back channels to make the case that this kind of training is important. In other words, if you don't have access to the senior management team, go to your boss or your boss' boss and get access. A hallmark of my Pragmatic CSO approach to security is to develop relationships with the senior team and to be considered a peer because security is an important business issue. This is a great opportunity to test your mettle and get some face time with the powers that be.

For more information:

In this SearchSecurity.com Q&A, Ed Skoudis reviews the actions of a mail server when it is presented with a fake email address.

In this expert Q&A, security management pro Mike Rothman discusses the short-term and long-term benefits of employee security awareness training.

Sound Off! -

Be the first to post a message to Sound Off!

Digg This!

StumbleUpon

Del.icio.us

RELATED CONTENT

	Security Management
	Is it against HIPAA regulations to permanently store sensitive information?
	Two-tier distributed systems vs. three-tier distributed systems
	How to prevent software piracy
	How would you define the responsibilities of a data custodian in a bank?
	How do ISO 17799 and SAS 70 differ?
	Has FFIEC made any VoIP-specific mandates?
	Finding lost notebooks with 'LoJack for laptops'
	What controls can compensate when segregation of duties isn't economically feasible?
	What can be done to block adult images in search engine results?
	What are the security job prospects for someone without a certification?

Social Engineering

Countermeasures against targeted attacks in the enterprise

Quiz: Anatomy of an attack

Stolen data ending up in Google cache, say researchers

Information security book excerpts and reviews

Should social engineering tests be included in penetration testing?

What kind of data is compromised during a Google hack?

How Russia became a malware hornet's nest

How does a mail server respond to fake email addresses?

RSA Conference: Children must learn about cyber risks

Social engineering

Information Security Awareness Training

Unified communications trigger data leakage dangers, survey finds

Security Awareness Training Essential Part of Infosec Program

Societe Generale bolsters internal controls, discovers second insider

Companies still monitoring email manually, survey finds

Trading firms rethink risk strategy

Security pros focused on internal threat, training

Is it a violation of HIPAA to collect consumer Social Security numbers?

Windows Update attacks: Ensuring malware-free downloads

Is the Storm worm virus still a serious threat?

What are the benefits of employee security awareness training?

RELATED GLOSSARY TERMS

Terms from Whatis.com − the technology online dictionary

dumpster diving (SearchSecurity.com)

pretexting (SearchCIO.com)

shoulder surfing (SearchSecurity.com)

social engineering (SearchSecurity.com)

RELATED RESOURCES

2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems

Search Bitpipe.com for the latest white papers and business webcasts

Whatis.com, the online computer dictionary

Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.

Browse our Expert Advice
Operating Systems IT Management Networking Database	Security Servers and Storage Applications and Development Career Center

View this month\\'s issue and subscribe today.

Apply online for free conference admission.

SEARCH :

Advanced Search | Site Index

TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.


TechTarget Corporate Web Site \| Media Kits \| Reprints \| Site Map All Rights Reserved, Copyright 2003 - 2008, TechTarget \| Read our Privacy Policy