Security managers are often concerned about employees who use Facebook at work and fall for the 419 "I'm trapped in London and need money" scam. Others might still have some in their organization who are convinced it is the Prince of Nigeria who wants to share his fortune. And with spear phishing, a targeted email attack in which messages are created to look like they come from an employer, bank or other trusted source, now a common criminal technique, the need for effective awareness programs for employees has become paramount. But those concerns, according to Jayson Street, a security consultant and CIO of Stratagem 1 Solutions, shouldn't be the chief worry. That's because the biggest social engineering threat is the top executives in a company — and they're the ones who need to be educated the most.
Street, who conducts penetration testing and gives advice on what he calls "patching the human problem" said with access to sensitive data and confidential information, C-level executives are the juiciest targets for criminals, and they are putting the company at serious risk. These vulnerabilities won't go away until everyone understands security, from the bottom of the organization, right up to the top.
"We need to have executive buy-in of these risks," said Street. "Executives need to understand what can happen and how to avoid it."
Street details the four reasons why top executives may be the most likely target for a social engineering attack.
Also see: Social engineering:The Basics
They expect not to have to follow security rules
They are the most important people in the company, their jobs are extremely demanding, and they expect to be exempt from all of those inconvenient rules and policies that the security people have put in place, said Street.
"They are the ones who expect they don't need the firewall blocks as much, or that they can go to the web sites others can't," he explained. "They don't want to be filtered, logged or monitored, so they don't want to go through the web proxies that also protect them from compromise."
The problem is these executives are often no more security smart than your average employee and can be compromised with many of the common social engineering scams. And because they are executives, the social engineer is much more likely to make the attack targeted and personal, going as far as to send an email that appears to be from a legitimate source, but actually contains a bad attachment.
They think you're going to protect them
Once the executive has opened up that attachment and infected their machine, they're going to ask why security didn't protect it, said Street.
"When an executive is compromised and causes a loss for the company, he is not going to say 'Oops, my bad.' He is going to say 'Why didn't you protect me from myself?'"
Street recently completely a series of penetration tests for two hotels and gained access to the server room by sending a forged email to hotel employees which claimed he was the CEO of the hotel's tech support supplier.
"Afterward, I asked them 'Why did you let me in?' and they said 'This is how the owner does things. He sends emails like this all the time!'"
The point is: The executive, or in Street's example the hotel owner, may not realize what they are doing poses risks (in this case not having a system to verify emails) because they assume security knows better and will always have their back.
They use the latest technology
CIOs are the best targets for social engineers because they are the ones working with newer technology, said Street.
"Who is going to be using the newest iPhone before it's approved in the company?' he said. "Who will have the iPad working on the internal network, getting their email? It's going to be those C-level people. They are getting the laptops that aren't standard. They want the ultra-light or the one that can do a certain thing."
The problem is, the newness of these technologies mean they haven't been properly vetted for security risks and haven't been configured into the network securely, said Street. The problem is compounded by the previous point; the executive's assumption that IT already has the proper security in place to deal with the device, when they often do not.
"They might actually think because it's newer it's more secure, which it's not. And then they still want to log their laptop into their home network and then the trust model changes completely."
They have family who don't know they are targetsHow security professionals monitor their kids)
The attacker is looking for the easiest way in, and since the network administrator will mostly likely have restrictions and is doing some monitoring, it's much easier to go after the CIO's wife, husband or kid on Facebook, said Street. These family members often use computers that are shared by the CIO once he or she is home. (Also see:
"Why not compromise the wife's computer system and then, when CIO brings his laptop home, he is now on the internal network. The home network is more of a private network, which is more trusted. And that means the firewall lets more stuff in. It makes more sense to compromise the CIO that way."
Street says social engineering awareness has to extend out to these family members who unfortunately may become unwitting victims in a criminal act. "If you've got millions of dollars at stake, and you are doing corporate espionage and want to steal secrets or money, you don't go after your target only, you go after everyone in your target's network, too."