George Brown, a database and security consultant, says he always tells client CEOs to guard their private information zealously.
"It's the Wild, Wild West out there. Publicly held companies are forced to reveal a lot of information about their executives, so that's already out there. I tell them not to compound that by putting more information up on social networking sites," says Brown, CEO of Database Solutions Inc. in Cherry Hill, N.J. "Don't put anything out there that you don't absolutely have to."
One executive, the CIO of a Boston-area health care organization, hears that message loud and clear. Though she says she hasn't experienced any targeted attacks directly, she is extremely cautious in how she handles e-mail of any kind. "I do not open anything unless I'm absolutely sure I know where it comes from," she notes. "If I miss something important, that person will call."
The CIO -- who says that the percentage of her organization's IT spend that goes to multilevel security increases every year -- doesn't participate in any business social networking sites either, and she recommends that other executives follow suit. And talking publicly about security issues? Definitely a no-no, she says (hence her anonymity), "unless you want to make yourself a target."
Social Engineering Gone Bad
The prospect of company executives becoming targets raises IT managers' blood pressure for two reasons:
- The perpetrators often deploy sophisticated Trojans against company systems.
- They require a disturbing amount of inside corporate knowledge to work successfully.
That knowledge can and sometimes does involve inside sources who know what data the targeted executive is privy to and which other employees he might be inclined to trust.
"If I'm an attacker, I can always find some technical hole and use that, but I also need social engineering," says Zulfikar Ramzan, senior principal researcher for Symantec Corp.'s Security Response team.
"To be believable, if I want to target the CEO of a company, I might look up the company record at the Better Business Bureau, find contacts and craft an e-mail saying maybe there's a problem with their BBB ranking," Ramzan says. Chances are a CEO would at least look at such a message if it appears to be legitimate.
On Sept. 12 and 13, 2007, MessageLabs detected 1,100 e-mails to senior executives at companies around the world. The messages, ostensibly from an employment recruiter, used a Microsoft error message to lure victims into clicking on an enclosed RTF attachment. That attachment contained an executable file that installed two files on the target computer that would then pass information back to the perpetrator.
F-Secure Corp., a Helsinki-based security company, has followed similar threats for two years. "It's obvious in these cases that the attackers have taken effort and time finding and researching the target," says Mikko Hyppönen, F-Secure's chief research officer.