Social media is impacting the world around us.
Most organizations have social media accounts and cloud-based drives, access cloud platforms, are full of employees who use messengers like Slack, and tap into every other piece of the ever-expanding digital world.
Because of the growth rate of each of these technologies and their user adoption, security best practices and tools are still sorely lagging behind innovation. As a result, any user, and in particular executives or the C-suite who hold the keys to the castle, is constantly a potential target for threat actors.
This week we are taking a closer look at some of the ways executives and the C-suite can be the target of digital risk and phishing attacks, with a few ways to reduce them along the way.
The Social Media Impostor
*Slaps the roof of Twitter* this social media platform can fit so many parody accounts in it. In recent months social platforms have been scrutinized for how and when they enforce their Terms of Service (ToS) agreements against users. Alongside the bots and fake users, there is also a rampant concern with impostor accounts, many of which are not properly labeled so they can skirt the rules (just toss "parody" in the bio and you’re fine, apparently).
Regardless of whether an executive has their own social account or not, it only takes a few minutes to create a profile on their behalf, and from there it is easy to mislead an organization’s customers, clients, and constituents. Short of stumbling upon them, a monitoring system is the only way to actively catch these accounts as they pop up.
Enemy-Ish From Within
The misspelled phish that miraculously make it through email filtering and advanced technology may make you shake your head, but those are not the ones organizations have to worry about most. Instead, it’s the targeted emails that involve research, well-crafted messages, and the right timing. A threat actor doesn’t just go after an executive directly, either: in many cases they will work their way up the chain by acquiring credentials from any unfortunate user, adding extra layers of trust to their attack along the way.
Once they have internal credentials in hand, a threat actor will develop a targeted message for their true target, all in the hope of gaining access to that person's credentials and in turn unrestricted access to information. These kinds of attacks are often labeled CEO fraud or business email compromise (BEC) attacks, and they can be highly effective.
Exhibit A: the DNC email breach.
Location Tracking is a Common Default Setting
Swarm (formerly Foursquare) may not be very popular anymore, but there are countless apps that track a person’s location. In many cases apps have location tracking on by default, and users don’t realize that a picture’s Exif data can also log where an image was taken. In some cases, Google being one, they even track you if you turn the setting off.
Regardless of the why, these various location tracking features can also pose a risk to executives and their families, or really to anyone who could become the target of a threat actor. Curbing these issues is typically as easy as scrubbing Exif data, turning location tracking off, and educating or training users about why they should avoid it.
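As an added example (not PhishLabs' code), the following pure-stdlib Python walks a JPEG's marker segments, reports whether the Exif IFD0 carries the GPSInfo pointer that location-tagging apps write, and rebuilds the file without the APP1 Exif segment. The JPEG shell it inspects is constructed inline; the code handles only APP1 Exif, not XMP or other metadata blocks.

```python
import struct
SOS, APP1 = 0xFFDA, 0xFFE1           # JPEG markers; APP1 carries Exif (incl. GPS)
EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825                 # IFD0 entry pointing at the GPS sub-IFD

def split_jpeg(data):
    """Return (segments, tail): (marker, payload) pairs up to SOS, plus raw bytes from SOS on."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    segments, pos = [], 2
    while pos + 4 <= len(data):
        marker, length = struct.unpack(">HH", data[pos:pos + 4])
        if marker == SOS:                       # image data follows; keep it opaque
            return segments, data[pos:]
        segments.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length                       # length counts its own two bytes
    raise ValueError("truncated JPEG: no SOS marker")

def exif_has_gps(payload):
    """True if an APP1 Exif payload's IFD0 carries the GPSInfo pointer tag."""
    tiff = payload[len(EXIF_HEADER):] if payload.startswith(EXIF_HEADER) else b""
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])   # TIFF byte-order mark
    if endian is None:
        return False
    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    for i in range(count):                      # each IFD entry: tag, type, count, value (12 bytes)
        entry = tiff[ifd0 + 2 + 12 * i:ifd0 + 14 + 12 * i]
        if len(entry) == 12 and struct.unpack(endian + "H", entry[:2])[0] == GPS_IFD_TAG:
            return True
    return False

def strip_exif(data):
    """Rebuild the file without any APP1 Exif segment; image data is untouched."""
    segments, tail = split_jpeg(data)
    out = bytearray(b"\xff\xd8")
    for marker, payload in segments:
        if marker == APP1 and payload.startswith(EXIF_HEADER):
            continue                            # drop the whole Exif block, GPS included
        out += struct.pack(">HH", marker, len(payload) + 2) + payload
    return bytes(out + tail)

def build_sample():
    """Constructed sample (not a real photo): Exif IFD0 with one GPSInfo entry, stub DQT, SOS, EOI."""
    ifd0 = struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_TAG, 4, 1, 26) + struct.pack("<I", 0)
    exif = EXIF_HEADER + b"II" + struct.pack("<HI", 42, 8) + ifd0
    app1 = struct.pack(">HH", APP1, len(exif) + 2) + exif
    dqt = struct.pack(">HH", 0xFFDB, 3) + b"\x00"
    return b"\xff\xd8" + app1 + dqt + struct.pack(">HH", SOS, 2) + b"\x12\x34\xff\xd9"
```

Running `strip_exif(build_sample())` yields a file whose only remaining pre-scan segment is the DQT stub, with the scan data and EOI byte-for-byte intact.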
Mo’ Devices, Mo’ Problems
Bringing your own devices to the office is the norm now, but that doesn’t mean they are typically secured. Executives in particular need to ensure that both their personal and professional devices meet the level of security required by the organization. While device security alone will not stop a well-crafted phishing attack, it at least stops some threats at the door. Just like technology, training should play a vital role in reducing mobile-focused threats such as URL padding.
The Common Traps of Regular Travel
You get to the airport, there’s still an hour on the clock before your flight boards, and you feel like getting some work done. Typically you’re met with a few different open Wi-Fi networks, and at least one is bound to work. Unfortunately, alongside the one or two official airport Wi-Fi networks, you’ll also find a few personal hotspots and potentially even networks designed to sit in the middle of your connection and steal your credentials. This certainly isn’t new, and avoiding them feels like it should be common sense, but sometimes that Wi-Fi fix overrules our security vigilance when we are stuck in an airport for hours. So always connect only to official networks, use a VPN, or just use your own secure hotspot to reduce risk.
Families Can Be Targets Too
Just as a threat actor may try to climb the org chart to reach confidential company information, an executive’s family and loved ones can be a target. Whether it be oversharing information, accidentally revealing a relevant location, or opening the gate to information through a successful phishing attack, these users also need training.
Reducing Digital Risk
There’s a good chance you see a common theme when it comes to the ever-growing digital footprint that impacts all of us. All users, including the C-suite, need to take security awareness training seriously. Most users have experienced a few different forms of training, but starting with an assessment of key organizational account holders can drive home the importance of being more knowledgeable.
That audit should cover things like how many phishing attempts targeted them, any threats or negative items found about them on the open, deep, or dark web, and whether both their personal and professional devices are secured; a better understanding and buy-in follows. To reduce digital risk, build a security awareness training program that users take seriously, retain, and apply in their everyday lives. Our education model is a good example of how this can be applied to organizations.
*** This is a Security Bloggers Network syndicated blog from The PhishLabs Blog authored by Elliot Volkman. Read the original post at: https://info.phishlabs.com/blog/targeting-brand-c-suite-risk