For years, I’ve advocated paying extra attention to accounts on a network that, once compromised, can cause devastation to the environment. Depending on what industry you work in, these are executives, VIPs, politicians, or the C-suite; whatever you call them, these are accounts you may not have considered dangerous, but they can be. The damage from one of these email account takeovers can run into millions of dollars. In 2019, Toyota Boshoku Corporation lost $37 million after the information in a payment transaction was changed, sending millions to the fraudsters.
Information security professionals responsible for securing sensitive C-suite email accounts face a two-fold challenge: first, securing accounts with wide-ranging permissions, and second, a significant educational role with largely non-technical executives. Surprisingly, this struggle is compounded by malicious actors who know this; brute-force attacks on C-suite mailboxes have escalated by 671%, according to the latest report from Abnormal Security.
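Giving these accounts “extra attention” in monitoring can be as concrete as a lower alert threshold. The following is an added example and not code from the original post: a small Python detector run over constructed authentication log lines (the log format, the account names and the thresholds are all assumptions) that flags a burst of failed logins against a watchlist of high-value accounts at a lower threshold than for everyone else, and separately flags a successful login that immediately follows failures on such an account.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). The "auth FAIL/OK user= src=" layout
# is an assumed format; adapt LINE_RE to the identity provider you actually use.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z auth FAIL user=ceo@example.com src=203.0.113.10
2024-05-01T08:00:04Z auth FAIL user=ceo@example.com src=203.0.113.10
2024-05-01T08:00:09Z auth FAIL user=ceo@example.com src=203.0.113.11
2024-05-01T08:00:15Z auth OK   user=ceo@example.com src=203.0.113.11
2024-05-01T08:01:00Z auth FAIL user=jdoe@example.com src=198.51.100.5
2024-05-01T08:01:30Z auth FAIL user=jdoe@example.com src=198.51.100.5
2024-05-01T08:02:00Z auth FAIL user=jdoe@example.com src=198.51.100.5
2024-05-01T09:30:00Z auth FAIL user=cfo@example.com src=203.0.113.50
"""

# Assumed watchlist: executives plus privileged IT accounts get the stricter threshold.
HIGH_VALUE = {"ceo@example.com", "cfo@example.com", "helpdesk-admin@example.com"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK)\s+user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Parse log text into a chronological list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "result": m["result"],
            "user": m["user"].lower(),
            "src": m["src"],
        })
    return events


def detect(events, window=timedelta(minutes=5), default_threshold=5, high_value_threshold=3):
    """Return alerts for failed-login bursts, using a lower threshold for HIGH_VALUE accounts.

    Also alerts when a high-value account succeeds right after a run of failures,
    which is what a guessed password looks like in the log.
    """
    alerts = []
    failures = defaultdict(deque)  # user -> timestamps of recent failures within the window
    for ev in events:  # assumes events are in chronological order
        user = ev["user"]
        fails = failures[user]
        if ev["result"] == "FAIL":
            fails.append(ev["ts"])
            while fails and ev["ts"] - fails[0] > window:  # expire old failures
                fails.popleft()
            threshold = high_value_threshold if user in HIGH_VALUE else default_threshold
            if len(fails) == threshold:  # fire once when the threshold is crossed
                alerts.append({"user": user, "kind": "brute_force",
                               "count": len(fails), "ts": ev["ts"], "src": ev["src"]})
        else:
            if user in HIGH_VALUE and fails:
                alerts.append({"user": user, "kind": "success_after_failures",
                               "count": len(fails), "ts": ev["ts"], "src": ev["src"]})
            fails.clear()  # a success resets the failure run for any account
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_LOG)):
        print(f"{a['ts'].isoformat()} {a['kind']:24} {a['user']} ({a['count']} failures, src={a['src']})")
```

On the sample above, only the CEO account produces alerts: three failures in a few seconds trip the high-value threshold, and the success that follows is flagged as well. The ordinary user with three failures stays below the default threshold of five, which is exactly the asymmetry the post argues for. In a real deployment the watchlist would be fed from the directory group that holds executives and privileged IT accounts rather than hard-coded.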
What tends to make security headlines now is ransomware, but that’s not all we need to focus on. I’ve made the case before, and most security professionals know it: regardless of how sophisticated our intrusion detection tools are, our users are the weakest link. Among typical users, the executives of the organization are the group most at risk. In my personal opinion, the two best targets in a business are, first and foremost, the executives, and then the IT people.
Let me explain my thought process on this view of the landscape. Executives, by nature of their position, may not be the most technologically savvy users; that’s not their role in the organization. Secondly, that same group may be more likely to have exemptions from the security practices applied to your standard user. Our average users generally can’t opt out of the practices that defend the network, but an executive who wants to get around multi-factor authentication will apply pressure to be exempted. In many of the companies I’ve worked in, some executives were more than likely administrators of their own systems. Then there is the example I give every IT person: if your boss’s boss’s boss asks you to do something now, how likely are you to hesitate or quote policy to them? If we’re honest, not many of us would.
In an article from CSO, Terry Thompson, adjunct instructor in cybersecurity at Johns Hopkins University, said, “The combination of social engineering and clever use of email made to look like it’s from the boss/CEO is a real threat in business email compromises.” He also stressed that the importance of securing these accounts comes with the “greater vulnerability and risk to the organization, which will be exposed to ransomware, email spoofing, and related threats.” Executives are the most trusted with corporate secrets and confidential data, and their communication is more likely to be read and their instructions followed. “[C-suite executives] are more likely to change technology and more likely to insist on breaking the rules. They are also more prominent and therefore easier to target and imitate for abuse,” says Holden.
The second coveted group is the IT department. Though honestly a tougher target than executives, if an attacker can get an account with privileged access, their whole job is easier. An attacker may even be able to leverage an executive account to gain access to a privileged account just by asking. The reason an IT account is such a catch reminds me of a story from an information security professional, where malware from a compromise was hidden in a group policy object so that it installed and infected the network whenever a user logged in. How scary is that?
So after all that…what can we do to protect those accounts? Well, I wish it were easy, but like most of our work in the information security field, it’s not. You really need to educate those executives, make sure they understand the why, and keep them from exempting themselves. I recommend going through tabletop exercises to raise their awareness and to run through the process if something does happen. Like most things with executives, make the exercises and training non-threatening and give them the information they need to prioritize this and other threats.
Once the awareness part is in place (or underway), the technical controls need to be worked on with the executive suite. These are probably the same controls you apply to everyone else in the organization, but you may need to make them easier for executives. One example is multi-factor authentication, where you might change the tactic with them: if your system allows it, let the executives use push notifications rather than the text messages, random codes, or security keys that your average user is using.
The third step is to make sure the executives know the importance of the role they play in the process. For any security program to really succeed in an organization, everyone needs to know that the executives support it 100%, and that they not only back it but are also doing the same thing as every other user. It’s like the foundation of a building: if the executives are strong, understand the why and the risk, and back the program, there will be fewer people willing to challenge it. I remember a discussion at a previous position when an important user tried to fight against a security protection; I mentioned that the top person in the organization was doing it, and that if they needed an exemption they would have to explain why they deserved to be exempted when everyone else was included. They weren’t happy, but as far as I know, they never tried to exempt themselves again.
These may read like easy tasks, but I can assure you they are not. Information technology professionals already have a difficult time explaining technology risks, let alone security ones. So these may not be single engagements, and you’ll need to spend a lot of time laying the knowledge foundation to get everyone on the same page.