The damage from executive email account takeovers can run into millions of dollars, as recent examples show.
In 2019, Toyota Boshoku Corporation lost $37 million after the payment instructions in a request from a third party were altered, sending the money to the fraudsters. The SolarWinds attack was bad enough, and Nobelium, the group responsible, has since launched a campaign of email attacks appearing to originate from USAID after its Constant Contact email account was compromised.
Recently, Microsoft 365 Defender researchers disrupted an attack against infrastructure hosted in multiple web services after a phishing attack on a cloud provider netted stolen credentials that were used to access target mailboxes.
CISOs responsible for securing sensitive C-suite email accounts face a dual challenge: securing accounts that carry wide-ranging permissions, and educating the largely non-technical executives who use them. But with brute-force attacks on the rise and account takeover attempts for C-suite mailboxes escalating by a staggering 671%, according to the latest report from Abnormal Security, now is the time to review executive account protections and security procedures.
Why C-suite BEC attacks are so damaging
Ransomware might make the headlines, but business email compromise (BEC) attacks, particularly in the C-suite, can pave the way for huge losses, both financial and reputational, thanks to the authority and financial privileges attached to these accounts. Terry Thompson, adjunct instructor in cybersecurity at Johns Hopkins University with more than 40 years of professional experience in security and intelligence, has seen first-hand incidents where a hacker gains the email address of one or more executives from the C-suite, usually via social engineering or by compromising the email account. The hacker can then send an email to the CFO directing payment of a fake invoice to a linked bank account.
“The combination of social engineering and clever use of email made to look like it’s from the boss/CEO is a real threat in BECs,” Thompson tells CSO. The added importance of securing these accounts, he says, comes with the “greater vulnerability and risk to the organization, which will be exposed to ransomware, email spoofing, and related threats.” An executive’s account can also be compromised from below and then used to launch attacks. “‘Whaling’ BEC attacks target a subordinate and use that person’s compromised email to get to the CEO,” he says.
C-suite executives are the most trusted with corporate secrets and confidential data, and their communication is more likely to be read and their instructions followed. “In many cases of BEC, the cybercriminals would find critical/confidential data inside the emails of C-suite victims,” says Alex Holden, founder and CISO at Hold Security and a member of the ISACA Emerging Trends Working Group.
By their nature, C-suite email accounts present specific challenges. “[C-suite executives] are more likely to change technology and more likely to insist on breaking the rules. They are also more prominent and therefore easier to target and imitate for abuse,” says Holden.
Thompson, Holden, and other experts offer the following advice for CISOs to work with C-suite executives to reduce email account takeover risk.
Train the C-suite to recognize BEC threats
Preparing the C-suite through training exercises can help them identify suspect emails. Thompson recommends twice-yearly tabletop exercises to raise awareness of the threats and practice responses to a breach or BEC before it happens. These exercises should ideally be conducted in a non-threatening ‘quiet’ time to help everyone in the C-suite become more security conscious and help with resilience if/when a company is victimized by a BEC or data breach. “These exercises can also identify and iron out any confusion caused by language barriers,” he adds.
Put technical controls in place
With education comes technical protections. While the layered security approach is common across cybersecurity defenses, there are a few differences when it comes to the C-suite, says Michael Del Giudice, principal in the consulting group at Crowe, which specializes in information security and data privacy for the public sector and implementing governance, risk, and compliance solutions. “First off, use your education to make sure you work with them to help identify anything that looks suspicious—syntax, language, misplaced characters, urgent requests,” he says.
There needs to be controls behind this line of personal defense—the layers. “Complementing that with technical controls, implementing things like multifactor authentication on email so even if they do get credentials it will still prevent them from authenticating,” Del Giudice tells CSO.
Del Giudice believes two main variables limit account takeovers. The first is to reduce the number of times someone takes the action the attacker wants. “You want it to be as close to zero as possible,” he says. The other is to increase the number of reports when someone receives a message that seems suspicious. “That may be our first clue that something is going on and we need to start to investigate.”
When an account takeover occurs in the C-suite, the CISO first needs to be aware there’s an issue, ideally well before funds start moving into the criminal’s coffers. To Del Giudice, it begins with having the right monitoring. “An alert if someone’s forwarding mail to a specific mailbox,” he says. “Look for anomalous types of behavior that may flag something that could be an issue. Make sure that there is a banner on all email that’s coming in from outside the organization.”
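The forwarding alert Del Giudice describes can be expressed as a small detection over mailbox audit events. The example below is added here and is not code from the article or from any vendor: it scans constructed audit records (the JSON layout, field names and addresses are assumptions, loosely modelled on Exchange Online New-InboxRule and Set-Mailbox events) and flags watched executive accounts whose mail is being forwarded or redirected to a domain outside the organization, rating rules that also delete the message as higher severity because they hide the forwarding from the victim.

```python
import json

# Constructed sample audit records (JSON lines), not real data; the field
# layout is an assumption, loosely modelled on Exchange Online audit events.
SAMPLE_LOG = """\
{"Operation":"New-InboxRule","UserId":"cfo@example.com","Parameters":{"Name":"Invoices","ForwardTo":"cfo.archive@mail-example.net","DeleteMessage":true}}
{"Operation":"Set-Mailbox","UserId":"ceo@example.com","Parameters":{"ForwardingSmtpAddress":"smtp:ceo@example.com"}}
{"Operation":"New-InboxRule","UserId":"ciso@example.com","Parameters":{"Name":"Newsletters","MoveToFolder":"Reading"}}
{"Operation":"Set-Mailbox","UserId":"ceo@example.com","Parameters":{"ForwardingSmtpAddress":"smtp:exec.backup@gmail.com"}}
"""

INTERNAL_DOMAINS = {"example.com"}  # the organization's own mail domains
WATCHED_ACCOUNTS = {"ceo@example.com", "cfo@example.com", "ciso@example.com"}
# Parameters that make a copy of the mail leave the mailbox (inbox-rule
# level and mailbox level).
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                "ForwardingSmtpAddress")

def external_targets(params):
    """Return forwarding addresses whose domain is not one of ours."""
    found = []
    for key in FORWARD_KEYS:
        value = params.get(key)
        if not value:
            continue
        for addr in (value if isinstance(value, list) else [value]):
            addr = addr.lower()
            if addr.startswith("smtp:"):
                addr = addr[5:]
            if addr.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS:
                found.append(addr)
    return found

def find_suspicious_forwarding(log_text):
    """Alert on watched accounts whose mail is being sent outside the org."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        user = rec.get("UserId", "").lower()
        params = rec.get("Parameters", {})
        targets = external_targets(params)
        if user not in WATCHED_ACCOUNTS or not targets:
            continue
        # A rule that also deletes the message hides the forwarding from the victim.
        severity = "high" if params.get("DeleteMessage") else "medium"
        alerts.append({"user": user, "operation": rec["Operation"],
                       "targets": targets, "severity": severity})
    return alerts
```

Running `find_suspicious_forwarding(SAMPLE_LOG)` on the constructed log yields two alerts: the CFO's delete-and-forward inbox rule (high) and the CEO's mailbox-level forward to a webmail address (medium); the CEO's self-forward and the CISO's move-to-folder rule are ignored.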
Emphasize the need for the C-suite to set an example
Hold Security’s Holden says that the C-suite has an important role as exemplars of the best security behavior. “C-suite members are not regular employees; they are the most prominent employees. They are role models and not above the rules,” he says. “They are supposed to be the most protected individuals in the company. They may need more reminders to lead the cyber security initiatives by example and not to be the exception.”
Yet training the C-suite can be complicated, according to Holden. While they need customizations to stress their unique responsibilities to the company in terms of cybersecurity, they should also adhere to a higher standard. “Violations of the policies should be dealt with privately, but with significant actions to ensure that C-suite executives stay secure,” he says.
Communicate BEC risk to the CEO in business language
Johns Hopkins University’s Thompson says the challenge in securing and educating the executive rests on communication between the CEO and the CISO, and on finding a language in which to express the risks. “With different education and professional backgrounds, it was hard to find common ground when they spoke,” he says. He has seen a lack of understanding of the importance of cybersecurity among the non-technical people who run most corporations. This worsens when CIOs and CISOs struggle to explain threats, vulnerabilities, and risks in business terms the C-suite can understand and translate into business risk. “The main challenge is for the CISO to be able to express the threats, risks, and solutions in plain language so that non-technical people in the C-suite can understand and act on the CISO’s recommendations,” he says.
Copyright © 2021 IDG Communications, Inc.