Trust is important in any relationship, but according to a recent survey conducted by Sophos, it seems to be lacking in relationships between IT professionals and the end users they support. A staggering 96% of surveyed IT professionals do not trust their end users to make sound IT security decisions. The survey also noted that senior management can inadvertently hinder security awareness and positive security practices.
In my past roles as a CISO, I recall many discussions about the strong demands that senior management, board members and commissioners place on IT for free and open access to their computers, unburdened by rules and policies.
One fairly common enterprise IT practice is to give executives and senior managers administrative rights to their computers, which enables them to download and install software and perform other computing activities not normally permitted for the average employee. Executives who do not already have such rights often pressure IT and the CIO or CISO for them; without those rights, managers argue, they are locked down and unable to do their work.
When I think of the IT security problems stemming from executives, I immediately think about the challenges posed to companies by social engineering attacks. In this tip, we'll discuss why executives are prime targets for social engineers, and then I'll provide some tips for enterprises looking to establish security awareness training for their executives.
The executive as the target
Anecdotal evidence suggests that social engineering -- particularly against industries with valuable data, including energy, finance and defense -- has become one of the most popular methods for attackers targeting enterprise executives. As an example of a social engineering attack scenario, an email containing an attachment laced with malware is sent to a corporate executive. The email appears harmless, and the attachment may in fact contain real photos from the target's alma mater or the last company picnic. When the user opens the attachment, though, the malware embedded in it executes on the computer, and in many cases the installed antivirus does not detect the attack or the malware.
Malware runs with the privileges of the user who opened it. For the average user, who has neither administrative rights nor access to critical data, its movement is therefore restricted. But for an executive with administrative rights and access to critical systems, the malware inherits those rights: it can disable endpoint protections, establish persistent back doors, harvest credentials stored on the machine and use the executive's access to move across the enterprise network, beginning a slow, stealthy attack -- the pattern of an advanced persistent threat (APT).
Although news accounts have made such attacks widely known, many senior executives and corporate users continue to obtain unfettered rights on their workstations or laptops, often with access to critical corporate data.
Training executives and staff
Given that executives continue to obtain those rights despite the risks, it should come as no surprise that locking down executives' PCs, laptops and smartphones is unlikely to be a successful tactic on its own. Therefore, increased focus should be placed on educating and training the executives and staff on the modern threat environment. The training must be relevant to executives and help them be part of the solution rather than part of the problem. Security-aware executives can also lead by example and reinforce the importance of security throughout the enterprise.
Some approaches and themes to consider in this training environment include:
- Explain to executives why they are targets. Begin discussions with senior executives -- as a group or one-on-one -- to explain why they are a valuable target for the miscreants. Provide real-world examples of enterprises that have suffered security issues as a result of the executives and senior staff possessing broad administrative rights.
For example, consider a recent social engineering attack that targeted an unnamed company. The attack consisted of an email about company reorganizations with a malware-laden spreadsheet attached. The company's spam filter detected the email and placed it in the user's junk mail folder. The user nevertheless opened the file because of its intriguing subject line, and the company's network was subsequently compromised. The result was the exposure of sensitive data and substantial costs to the company's bottom line.
The key point here is to explain to executives that it can happen to them, and their administrative rights could contribute to the root cause of a significant, costly security incident.
- Educate the executive's key staff. Training needs to go beyond the executive to include other key members of their support team. The executive's assistant may very well have open access to the executive's email and calendar. Also, the executive assistant may have administrative rights on the executive's workstation, so training on potential threats needs to go beyond the senior executives to their key lieutenants.
Another element of security awareness training should cover how to identify suspicious messages and what to do about them. This training should emphasize the importance of not opening attachments that appear even slightly suspicious or that come from senders who just don't seem right. Some tell-tale signs of a potentially malicious email include misspelled words, bad grammar, a sender address that does not match the display name or the organization it claims to represent, an unexpected attachment (especially an executable or a macro-enabled document) and any other similar oddity.
It can be helpful for the security team to set up a dedicated email address and/or phone line that executives (and their assistants) can use to contact IT when they question an email or message. Responses to these reports should be fairly quick, so that IT security staff can isolate and investigate the questionable message; if the response is slow or suggests that the issue is not important to the security staff, the executive may forgo reporting questionable email in the future.
- Access to critical data. Remember, accessing all critical data all of the time may not be necessary for the executive to get the job done. Reduce the attack surface by turning off access to information -- especially critical data and confidential information -- that a specific executive may not necessarily need. It may seem like a hard sell, but there are plenty of real-world incidents that can be used to justify such restrictions.
- Don't forget social networks and personal email. In spite of network protections, cybercriminals can target executives through social networks such as LinkedIn and Facebook. Starting from the company's annual report (or 10-Q/10-K filings) and the published biography of each board member and corporate executive, attackers use names and affiliations on social network sites to harvest the individual's personal information, including personal email addresses, home towns, number of children and alma maters. Armed with this information, an attacker can tailor a more convincing attack specifically for an executive or assistant.
- This training is good for all employees and contractors, too. Even though we have been focusing on security controls and awareness training specifically for the executive team, this type of information security training and education program is important for all employees -- particularly employees who maintain key data (the secret sauce) for the enterprise. An executive training effort should simply be a customized offshoot of a broader program in which all of an organization's knowledge workers participate.
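The reporting channel described above is only useful if the security team can triage a forwarded message quickly. The script below, an added example rather than anything from the article or its author, shows the kind of first-pass check an analyst might run on a reported message such as the "reorganization spreadsheet" lure: it parses the raw email and flags the indicators the training calls out (a lookalike sender domain, a Reply-To pointing elsewhere, failed SPF/DKIM/DMARC results recorded by the gateway, lure wording in the subject, and risky or disguised attachments). The company domain `example.com`, the extension and lure-word lists, and the sample message itself are all assumptions constructed for the example.

```python
"""First-pass triage of a reported email for common phishing indicators.

Added example for this article, not the author's tooling. It assumes the
enterprise's real mail domain is example.com and uses a constructed sample.
"""
from __future__ import annotations

import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumption: the enterprise's own mail domain

# Attachment types that commonly carry executable content or macros (assumed list).
RISKY_EXTENSIONS = {
    ".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".img",
    ".xlsm", ".xlsb", ".docm", ".pptm", ".xls", ".doc",
}
# Harmless-looking extensions used as the first half of a double extension.
DECOY_EXTENSIONS = {"pdf", "txt", "jpg", "png", "doc", "xls"}
# Modern Office formats that must be ZIP containers.
OFFICE_ZIP_EXTENSIONS = {".xlsm", ".xlsb", ".docm", ".pptm"}
# Subject themes seen in executive-targeted lures (assumed list).
LURE_WORDS = ("reorganization", "reorg", "bonus", "wire", "urgent", "payroll", "board")


def _domain(header_value: str) -> str:
    """Lower-cased domain of the first address in a header, or '' if none."""
    _, address = parseaddr(header_value)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small non-zero value suggests a lookalike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and return {'score': int, 'findings': [...]}.

    A score of zero means none of the checked indicators fired; it does not
    mean the message is safe, so an analyst still reviews it.
    """
    msg: EmailMessage = email.message_from_bytes(raw, policy=policy.default)
    findings: list[str] = []

    from_dom = _domain(msg.get("From", ""))
    reply_dom = _domain(msg.get("Reply-To", ""))

    # 1. Sender domain close to, but not equal to, the company domain.
    if from_dom and from_dom != COMPANY_DOMAIN and _edit_distance(from_dom, COMPANY_DOMAIN) <= 2:
        findings.append(f"sender domain {from_dom!r} looks like {COMPANY_DOMAIN!r}")

    # 2. Replies silently redirected to a different domain.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")

    # 3. Authentication results recorded by the receiving gateway, if present.
    auth = (msg.get("Authentication-Results") or "").lower()
    for check in ("spf", "dkim", "dmarc"):
        if re.search(rf"\b{check}=(fail|softfail|permerror)\b", auth):
            findings.append(f"{check} check failed at the mail gateway")

    # 4. Lure language in the subject line.
    subject = (msg.get("Subject") or "").lower()
    hits = [w for w in LURE_WORDS if w in subject]
    if hits:
        findings.append(f"subject uses lure words: {', '.join(hits)}")

    # 5. Attachments: risky types, double extensions, disguised Office files.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        pieces = name.split(".")
        ext = "." + pieces[-1] if len(pieces) > 1 else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"attachment {name!r} has a risky type ({ext})")
        if len(pieces) >= 3 and pieces[-2] in DECOY_EXTENSIONS and ext in RISKY_EXTENSIONS:
            findings.append(f"attachment {name!r} uses a double extension")
        payload = part.get_payload(decode=True) or b""
        if ext in OFFICE_ZIP_EXTENSIONS and not payload.startswith(b"PK"):
            findings.append(f"attachment {name!r} is not a real Office/ZIP container")

    return {"score": len(findings), "findings": findings}


# Constructed sample reproducing the "reorganization spreadsheet" lure. Every
# address, header and attachment byte below is made up for this example; the
# base64 payload decodes to an "MZ" executable header, not a real spreadsheet.
SAMPLE = b"""From: "HR Department" <hr@examp1e.com>
Reply-To: hr.team@mail-example.net
To: ceo@example.com
Subject: Company reorganization - revised org chart (confidential)
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dmarc=fail
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached org chart before tomorrow's meeting.
--b1
Content-Type: application/vnd.ms-excel.sheet.macroEnabled.12; name="reorg_plan.xlsm"
Content-Disposition: attachment; filename="reorg_plan.xlsm"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQA==
--b1--
"""


def triage_sample() -> dict:
    """Run the triage on the constructed sample message."""
    return triage(SAMPLE)


if __name__ == "__main__":
    result = triage_sample()
    print(f"score={result['score']}")
    for finding in result["findings"]:
        print(" -", finding)
```

On the sample, every check fires: the lookalike domain, the mismatched Reply-To, the failed SPF and DMARC results, the lure subject, the macro-enabled extension and the attachment that claims to be an Office file but is not a ZIP container. In practice the findings list is what gets attached to the ticket opened from the reporting mailbox, and a non-zero score is the cue to pull the message from other mailboxes before anyone else opens it.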
Executive buy-in is important
This approach will only be successful if it is supported by the executive team, including the CEO, CIO and CISO. Security requires a team effort to be mindful and help protect against threats. As long as security teams emphasize that business success often goes hand in hand with good security practices, buy-in from senior executives and management should be achievable.
About the author:
Ernest N. "Ernie" Hayden, CISSP, CEH, is a veteran information security professional and technology executive, providing thought leadership for more than 10 years in the areas of information security, cybercrime/cyberwarfare, business continuity/disaster recovery planning, leadership, management and research. Based in Seattle, Hayden holds the title of managing principal for energy security at Verizon's Global Energy and Utilities practice, devoting much of his time to energy, utility and smart grid security on a global basis. Prior to his position at Verizon, Hayden held roles as an information security officer or manager at the Port of Seattle, Group Health Cooperative in Seattle and Seattle City Light. Hayden's independent analysis may not always reflect positions held by Verizon. Read more of Hayden's expert advice in his contributions to the Verizon Think Forward blog. Submit questions or comments for Ernie Hayden via email at firstname.lastname@example.org.