High-level executives are one of the biggest social engineering risks for organisations, according to a security expert.
Senior executives often demand exceptions to security rules and policies for their own convenience, at the expense of security, Jayson Street, CIO and managing partner of Stratagem 1 Solutions, said on Thursday at the network security conference track. This practice makes it easy for cybercriminals to gain access to corporate networks by impersonating management personnel.
Top executives are also ideal targets because of their system privileges and access rights, he pointed out. "[Hackers are] not going after the bank teller, [they are] going after the bank president, because the tellers have USB drive rights deactivated, they have controls on where they can go on websites."
Street recounted how he was able to access the server room of a hotel simply by gathering information about the owner through social networks such as LinkedIn and Twitter, then sending an email to the access control personnel masquerading as the CEO of the tech support organisation. When the staff member was later asked why he had allowed Street access, he said: "Because [the boss] sends email messages like these all the time! He asked, and he's the owner — you have to let him do what he wants."
Street likened this approach to "kill with a borrowed knife", one of the Thirty-Six Stratagems, a Chinese essay on deceptive tactics; in this case the borrowed knife is an employee used as the attack vector.
Social engineering has been around for centuries and happened much earlier than the Kevin Mitnick days, Street noted, referring to the high-profile hacker whose speciality is social engineering.
In fact, the most impressive social engineering incident ever was the Trojan Horse that led to the downfall of Troy, he said. Sinon, a Greek man who had been disfigured and appeared to have been abandoned by the Greeks, gained the Trojans' trust and convinced them that the horse statue was safe to bring into their city.
Social engineering remains effective today in breaking down defences as humans are "less guarded and cannot be patched", he added.
There are, however, steps that organisations can take to mitigate the threat, said Street. Information security personnel need to make senior executives understand that it is the security team's job to protect upper management from becoming easy targets, and that executives should avoid overriding security policies in ways they might regret later.
At all other levels, employees should be empowered to question and report suspicious activity, and be recognised or appreciated when they actually do so, he added. In addition, the best "patch" for users is to help them become more aware of the dangers of social engineering and to learn from past mistakes.
"Doing social engineering engagements and testing on your employees brings up that kind of awareness," said Street. "That's a great way to patch [the security loophole]."