Why execs are the easiest social engineering targets

Your company's executive team has access to the most important information about the firm -- and may be some of the least secure employees.

Page 2 of 2

Street recently completed a series of penetration tests for two hotels and gained access to the server room by sending hotel employees a forged e-mail that claimed he was the CEO of the hotel's tech-support supplier.

"Afterward, I asked them 'Why did you let me in?' and they said 'This is how the owner does things. He sends e-mails like this all the time!'"

The point is: The executive, or in Street's example the hotel owner, may not realize that what they are doing poses a risk (in this case, issuing instructions by e-mail with no way for staff to verify who actually sent them) because they assume security knows better and will always have their back.
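As an added example (not from the article and not Street's code), here is a Python check a help-desk or mailroom workflow could run on an incoming message before anyone acts on a request that arrives by e-mail. It parses two constructed sample messages (the names, addresses, domains and Authentication-Results lines are invented for illustration) and flags the inconsistencies a forged "the CEO says so" message usually carries: a Reply-To or Return-Path that does not match the From domain, and SPF/DKIM/DMARC results that did not pass. The trusted-domain list, the message text and the function names are assumptions for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: a pretext like the one described above, sent from a
# look-alike of the supplier's domain with a free-mail Reply-To.  The
# addresses and the Authentication-Results line are invented.
FORGED_MESSAGE = """\
From: "Pat Owner, CEO" <pat.owner@example-support.com>
Reply-To: pat.owner.ceo@gmail.example
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=example-support.com
Subject: Let my technician into the server room today
To: frontdesk@example-hotel.com

Please let the technician in when he arrives, he is doing urgent work for me.
"""

# Constructed sample: the same sender, this time genuinely from the
# supplier's mail system and passing all three authentication checks.
LEGIT_MESSAGE = """\
From: "Pat Owner" <pat.owner@example-support.com>
Return-Path: <pat.owner@example-support.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example-support.com; dkim=pass header.d=example-support.com; dmarc=pass header.from=example-support.com
Subject: Maintenance window next Tuesday
To: frontdesk@example-hotel.com

Our technician will call the front desk before arriving.
"""


def _domain(address_header):
    """Lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(str(address_header or ""))
    return addr.rpartition("@")[2].lower()


def check_sender(raw_message, trusted_domains):
    """Return a list of findings explaining why the message must not be
    acted on without out-of-band confirmation.  An empty list means the
    headers are consistent and the message authenticated; it does NOT
    prove the request itself is genuine (an account can be compromised)."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    from_domain = _domain(msg["From"])
    reply_domain = _domain(msg["Reply-To"])
    return_domain = _domain(msg["Return-Path"])

    # The From header is trivially forgeable, so a trusted domain here is
    # necessary but never sufficient: the authentication results decide.
    if from_domain not in {d.lower() for d in trusted_domains}:
        findings.append(f"From domain {from_domain!r} is not an expected sender")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To goes to {reply_domain!r}, not {from_domain!r}")
    if return_domain and return_domain != from_domain:
        findings.append(f"Return-Path domain {return_domain!r} differs from From")

    # Authentication-Results is written by the receiving mail server, so it
    # is the one header the sender cannot simply type in.
    auth = str(msg["Authentication-Results"] or "")
    results = {m.lower(): v.lower() for m, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.I)}
    for mech in ("spf", "dkim", "dmarc"):
        verdict = results.get(mech, "none")
        if verdict != "pass":
            findings.append(f"{mech} result is {verdict!r}, not 'pass'")

    return findings


def needs_callback(raw_message, trusted_domains):
    """True when the request should be confirmed by phone or in person."""
    return bool(check_sender(raw_message, trusted_domains))


if __name__ == "__main__":
    for label, raw in (("forged", FORGED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, check_sender(raw, ["example-support.com"]))
```

Note that the forged sample uses the supplier's real domain in From, so a rule that only whitelists the sender's domain would wave it through; it is the mismatched Reply-To and Return-Path and the failed SPF/DKIM/DMARC results that catch it. Even a clean result only says the message came from that domain, which is why the staff answer on the next page ("this is how the owner does things") still needs a callback policy behind it.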

They use the latest technology

CIOs are the best targets for social engineers because they are the ones working with newer technology, said Street.

"Who is going to be using the newest iPhone before it's approved in the company?" he said. "Who will have the iPad working on the internal network, getting their e-mail? It's going to be those C-level people. They are getting the laptops that aren't standard. They want the ultra-light or the one that can do a certain thing."

The problem is that the newness of these technologies means they haven't been properly vetted for security risks and haven't been securely integrated into the network, said Street. The problem is compounded by the previous point: the executive assumes IT already has the proper security in place to deal with the device, when it often does not.

"They might actually think because it's newer it's more secure, which it's not. And then they still want to log their laptop into their home network and then the trust model changes completely."

They have family who don't know they are targets

The attacker is looking for the easiest way in, and since the network administrator will most likely have restrictions in place and is doing some monitoring, it's much easier to go after the CIO's wife, husband or kid on Facebook, said Street. These family members often use computers that the CIO also uses once he or she is home.


"Why not compromise the wife's computer system and then, when the CIO brings his laptop home, he is now on the internal network. The home network is more of a private network, which is more trusted. And that means the firewall lets more stuff in. It makes more sense to compromise the CIO that way."

Street says social engineering awareness has to extend out to these family members who unfortunately may become unwitting victims in a criminal act. "If you've got millions of dollars at stake, and you are doing corporate espionage and want to steal secrets or money, you don't go after your target only, you go after everyone in your target's network, too."

This story, "Why execs are the easiest social engineering targets" was originally published by CSO.

Copyright © 2010 IDG Communications, Inc.
