Despite the significant risks and the potential for compromising organizational security, many executives still insist on having their email and other communications bypass filtering or other security controls. Some security experts have termed this “executive risk.” In practice, executive risk is a symptom of a security double standard: the belief that people in executive positions are better able to protect themselves and their organizations than the rest of the workforce. This belief is badly misguided, because the executives exempted from controls are precisely the people a targeted attacker goes after.
According to Tom Olzak, IT Security blogger at TechRepublic.com:
“Many executives believe they are smart enough, and responsible enough, to avoid malware infestation. Even if they don’t believe this, they still prefer not to have to deal with the restrictions imposed on the rest of the workforce. When this double-standard exists, it presents a large attack surface to an attacker using a targeted approach.”
To reduce the risk of targeted malware attacks, especially those aimed at executive-level individuals, here are some industry recommendations:
- Eliminate double standards when applying security controls. Senior managers, executives and department heads must understand that they are at increasingly higher risk as attackers shift from broad to narrow-scope attempts to compromise internal systems.
- Never allow a business user who processes sensitive information to have local administrator access to his/her computer. If such a user opens an infected attachment, malware that needs administrative rights to install or persist system-wide has a good chance of failing. This is one of the most effective ways to put a wall between the attacker and the target.
- Enforce the principle of least privilege, which limits the amount of information exposed if a compromise occurs. Least privilege must also apply to IT staff, who should use administrator accounts only when necessary to perform specific tasks. Simply because an administrator can create business user accounts doesn’t mean that he/she should also hold router and switch configuration privileges.
- Keep all systems and applications patched, including the client-side software (office suites, document readers, browsers) that malicious attachments rely on.
- Configure IPS devices and egress filtering to detect or block unwanted or unusual outgoing connections from internal systems to external destinations. A backdoor dropped by a malicious attachment still has to call out, and that outbound traffic is often the first observable sign of a compromise.
- User awareness of threats is absolutely essential. Users must be trained on how targeted attacks work, what a tailored lure looks like, and how to react to a potential threat.
- Common controls: anti-malware software; intrusion detection/prevention for host and network; and email filtering.
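As an added illustration of the egress-detection recommendation above (example code written for this page, not from the original article or from any vendor’s product): a small Python script that parses constructed firewall log lines, keeps only flows from internal to external addresses, and flags connections to destinations outside an assumed baseline or on ports outside an assumed allowed set, counting repeats so a beaconing backdoor stands out. The log format, the baseline set, the port set and the sample lines are all assumptions for the sake of the example.

```python
"""Flag unusual outbound (egress) connections in firewall log lines.

Added example for this page; not code from the original article.
Log format, baseline and sample data are constructed assumptions.
"""
import ipaddress
from collections import Counter

# RFC 1918 ranges treated as "internal" (assumption for this example).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed baseline: external destinations this network normally talks to.
# In practice this is learned from a window of known-good traffic.
BASELINE_DESTS = {"93.184.216.34"}

# Ports on which outbound traffic is expected (assumption for this example).
EXPECTED_PORTS = {80, 443}

# Constructed sample log lines. Assumed format: "<timestamp> <src> <dst> <dport> <proto>"
SAMPLE_LOG = """\
2010-06-14T09:01:12 10.1.20.15 93.184.216.34 443 tcp
2010-06-14T09:02:40 10.1.20.15 10.1.5.2 445 tcp
2010-06-14T09:03:05 10.1.20.15 198.51.100.77 8080 tcp
2010-06-14T09:03:07 10.1.20.15 198.51.100.77 8080 tcp
2010-06-14T09:10:51 10.1.20.22 93.184.216.34 80 tcp
2010-06-14T09:12:03 10.1.20.22 203.0.113.9 4444 tcp
2010-06-14T09:15:00 10.1.20.30 10.1.5.2 53 udp
"""


def is_internal(addr):
    """True if the address falls inside one of the internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Split one log line into a record; raises ValueError on malformed input."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def egress_flows(log_text):
    """Yield only records where an internal host connects to an external host."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = parse_line(line)
        if is_internal(rec["src"]) and not is_internal(rec["dst"]):
            yield rec


def detect_unusual_egress(log_text, baseline=BASELINE_DESTS,
                          expected_ports=EXPECTED_PORTS):
    """Return a sorted list of alerts for egress flows that break the baseline.

    Flows are aggregated per (src, dst, dport) so that a host repeatedly
    calling the same unknown destination shows up once with a count.
    """
    counts = Counter()
    first_seen = {}
    for rec in egress_flows(log_text):
        key = (rec["src"], rec["dst"], rec["dport"])
        counts[key] += 1
        first_seen.setdefault(key, rec["ts"])

    alerts = []
    for (src, dst, dport), n in sorted(counts.items()):
        reasons = []
        if dst not in baseline:
            reasons.append("destination not in baseline")
        if dport not in expected_ports:
            reasons.append(f"non-standard port {dport}")
        if reasons:
            alerts.append({"src": src, "dst": dst, "dport": dport,
                           "count": n, "first_seen": first_seen[(src, dst, dport)],
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_unusual_egress(SAMPLE_LOG):
        print(f"{a['first_seen']} {a['src']} -> {a['dst']}:{a['dport']} "
              f"x{a['count']}: {', '.join(a['reasons'])}")
```

Run against the constructed sample, the two flows to 198.51.100.77:8080 (twice) and 203.0.113.9:4444 are reported, while the baseline web traffic and the internal file-share and DNS connections are ignored. A real deployment would feed this the firewall or proxy export and replace the static baseline with one learned from a known-good window, but the structure of the rule (egress only, unknown destination or port, aggregate repeats) is the same.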
World Cup Malware Attack
During the summer of 2010, with the FIFA World Cup on the horizon, malware attacks using the soccer tournament as a lure began targeting top executives at international manufacturing firms as well as inter-governmental agencies. These attacks were unusual in that the attackers repeatedly targeted the same victims over and over, and used sophisticated, official-looking attachments to carry the malware.
“MessageLabs Intelligence frequently sees certain users in certain organizations attacked again and again, month after month, either by one gang, or by multiple gangs. The attackers clearly have these particular users in sight, and they are determined to get their attack through to them, and access their sensitive or valuable data.”
At first, the World Cup scams originated from free webmail accounts and carried .ZIP attachments containing a Microsoft Excel file that, when opened, installed malware on the recipient’s computer and created a backdoor for the attackers to use.
In subsequent months, the attacks began including graphics and other material lifted from prominent, legitimate World Cup sites and charities. Instead of .ZIP files, the malware was delivered in .pdf and .exe files, which recipients see far more often and are less likely to question.
The attackers’ emails were tailored to specific executives, with a surprising degree of success. The scam even convinced certain executives to divulge significant intellectual property, for instance research on, and locations of, future oil reservoirs.
This article has looked at security double standards, which grant executives, managers and department heads exemptions from standard security controls. Despite the increased risk of targeted attacks, this double standard is unfortunately common practice in many enterprises and organizations. It’s important to remember that such exemptions and double standards (termed “executive risk”) undermine even the strongest security frameworks. The article has also covered some industry-recommended practices for reducing the risk from targeted attacks.
CIPP Exam Preparation
In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:
- Unplanned Data Disclosure (I.B.g.)
- Organizational Practices – Privacy Concerns (II.A.b.)
- Privacy-Enhancing Technologies (III.B.c.)