Executives are highly targeted for social engineering and other efforts to gain access to their information. Whether the data is from the recent Yahoo breach (or any other breach), there is an active market for information, including information from your employees and executives. This information can be used to access accounts, build a spear-phishing profile, gather intelligence on execs or simply embarrass them. Some thoughts:
- Start with the assumption that executive emails will be made public. Executives need to be trained to use email accordingly. Please see here for my guide on this subject.
- Self-generated passwords are useless. Assume that there is enough information “out there” about your executives that any password they self-generate is crackable, either because it is already “out there” or because it is weak. I recommend that highest-level executives receive corporate generated passwords. It will cause more instances of forgotten passwords, but that is a small price to pay.
- Corporate security should view breaches as part of an intelligence gathering activity against the enterprise:
  - Corporate security should be active in reviewing what is available on the “dark web” – finding out what information on executives is available – or worse, what information from your own corporate servers is available. Corporate security officers should integrate such available information into both digital and physical threat assessments for executives — and ensure that each available fact is understood as part of a larger picture of their digital and physical security assessments.
  - Breaches of “lower level” employees should be treated as a threat to more senior-level employees. We know from experience that such information can be used to “trickle up” security breaches in the corporate environment. See an important NY Times piece on this issue.
- Using true, strong two-factor authentication is critical. However, I think it will become increasingly obvious that not all 2FA is created equal. See here for a post on cell phones and 2FA. I will likely do a more focused 2FA post in the near future.
- A serious weak link in password-based security is the account-recovery (“security”) questions. Rather than answer security questions truthfully, use an alternative complex password-type phrase for each account. It is not hard to find out the mascot of my high school — use a random phrase for each service. Unlike passwords, these can be written down and stored in a physically secure location — especially where the account is non-essential and restoration need not occur immediately (sorry Facebook!). Companies must figure out how to do email resets based on more than mere voice verification.
- A document-retention policy should include emails, and emails should be deleted as legally permissible for your industry. Corporate executives should purge personal email accounts of sensitive or embarrassing material, again as legally appropriate.
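The two points about corporate-generated passwords and random answers to recovery questions share one underlying idea: a secret drawn by a CSPRNG from a known wordlist has entropy that depends only on the list size and word count, whereas a truthful answer (a high-school mascot) can be narrowed to a handful of candidates from public profiles. The following is an added example, not code from the original post; the wordlist and the candidate count of 128 are constructed assumptions for illustration.

```python
import math
import secrets

# Constructed demo wordlist. A real deployment would use a large published list
# such as the EFF long list (7,776 words). Assumption: the attacker knows the
# list, so only its size and the number of words drawn provide entropy.
WORDLIST = [
    "anchor", "basil", "copper", "dune", "ember", "falcon", "glacier", "harbor",
    "iris", "juniper", "kestrel", "lantern", "marble", "nectar", "orchid", "pebble",
]


def generate_recovery_answer(words=5, separator="-", wordlist=WORDLIST):
    """Random phrase to use instead of a truthful security-question answer.
    secrets.choice uses the OS CSPRNG, never random.random()."""
    return separator.join(secrets.choice(wordlist) for _ in range(words))


def phrase_entropy_bits(words, wordlist_size):
    """Entropy of `words` independent uniform picks from a list of wordlist_size."""
    return words * math.log2(wordlist_size)


def truthful_answer_entropy_bits(candidate_count):
    """Entropy of a truthful answer once an attacker has narrowed it to
    candidate_count plausible options (e.g. mascots of nearby schools)."""
    return math.log2(candidate_count)


def per_service_answers(services, words=5):
    """One independent phrase per service, so an answer leaked from one
    provider (or one breach) cannot be replayed at another."""
    return {service: generate_recovery_answer(words) for service in services}


if __name__ == "__main__":
    # Hypothetical service names, constructed for the demo.
    answers = per_service_answers(["mail", "bank", "social"])
    for service, phrase in answers.items():
        print(f"{service:7s} {phrase}")
    print("5 words from EFF-sized list:", round(phrase_entropy_bits(5, 7776), 1), "bits")
    print("truthful mascot answer:     ", truthful_answer_entropy_bits(128), "bits")
```

The printed phrases belong on paper in a safe, as the post suggests, not in the same password manager that protects the primary credential for that account.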