Protecting Executives from Compromise

Posted by Mark Greisiger

A Q&A with Chris Pierson, CEO of BLACKCLOAK
Increasingly, cyber criminals target corporate executives and high net worth individuals not inside their well protected work environments, but at home, where they are most vulnerable. We spoke with Dr. Chris Pierson, CEO of BLACKCLOAK about the risks organizations face, and how they can better defend targeted individuals against bad actors.

How do threat actors go about targeting and attacking the senior management of an organization?
First, threat actors will use open source intelligence to learn more about the company leadership and companies make that data surprisingly easy to find. They post pictures and the names of all key leaders online. Many times, there are links to profiles on LinkedIn and other networking sites. From there, it’s easy to find friends, interests, family members. These may be targeted individuals, companies or sectors—a recent example of the latter would be the energy sector attacks we’ve seen in Houston by foreign actors. There is already a lot of data out there on the dark web, given all of the hacks and breaches that have come before. They might send a phishing email to a personal email or a family member to get more information such as confirming an IP address or when to time an attack. It doesn’t have to be malware, but it might be something to help gain network access or it might be a brute force attack. They will use all of the tactics at their disposal.

And what are some of the leading weak spots that companies and individuals should be looking to shore up security?
Companies release so much data. If they are publicly traded, they are sharing valuable information in annual reports and quarterly updates to shareholders. Even the executive’s travel schedule is often released to the media through the public relations office. All of this is fodder for cyber criminals, particularly those who are based outside of the U.S. If they know there is, for instance, a big financial summit in London, they might go there to target specific individuals. As I mentioned, social media sites, whether that’s LinkedIn, Facebook or Instagram, give away a lot of data. Even so-called security devices high net worth individuals might have like home video cameras can be readily hacked online and used against them. Executives often have more permissions to networks than they need and as a result that makes them vulnerable.

What assets are criminals looking for?
In many instances, it’s money, targeting the company’s customer data, whether that’s for credit/debit payment info or bank information. They will use the personal access to a corporate device to get permissions and the data inside the networks. Or they might masquerade as a CEO or a CFO and ask for funds to be paid via transfer. There’s also theft of intellectual property that we see happening quite a bit. This information tends to be shared freely on personal devices and it is ripe for exploitation. Finally, there are revenge motives where individuals may be targeted for political or personal reasons and the criminals will attempt to smear their reputation or embarrass them publicly.

How do family members get caught up in these schemes?
It’s very easy to find an “in” through a family member, child or significant other because often they are connected to the same network but less aware of cyber security than the executive. They may even be sharing the same devices. And if one person is compromised, they become the weakest link and can infect the others very quickly so that is a common tactic.

What can a senior manager do to mitigate this threat exposure?
Any kind of internal cyber security will by definition be limited in terms of what can be monitored. You can monitor the work network and VPN but you can’t monitor employees’ private traffic and personal emails on their home networks —nor should you be able to. That would be illegal. Yet there is material cyber risk in what can happen at home. Companies should look for added protection that covers executives in their home environments to extend that envelope of protection. Not only could that reduce your insurance premiums but it could give you the reassurance that your data is safe around the clock because it is under the care of a trusted third party.  Really it is about protecting the entire digital life of the executive.

In summary…
I want to thank Dr. Pierson for his expertise into the topic of the personal cyber risk that faces senior management. As Chris rightfully points out, threat actors can target the executive—and their family—in an effort to gain entry into their corporate network. We’ve seen Business Email Compromise (BEC) situations that started in a less secure home computing environment, culminating in the criminal masquerading as the CEO instructing their corporate comptroller to make a fraudulent wire payment. Unfortunately, what happens at home in off-hours can have significant consequences and we would be wise to anticipate them.