This post has been modified to reflect new information since its original publication.
Spear phishing and related social engineering techniques create a new challenge for IT professionals since attacks that target employees’ non-work accounts and devices can bleed over into corporate IT systems.
Even for companies that maintain strict device-use policies, it’s often just a short step from an employee’s compromised personal account to the company’s servers. This is especially true if that employee is an executive or someone else with high-level access to IT systems.
Out in the wild, some of the highest-profile recent phishing attacks have started with personal IT. Consider, for example, the 2016 hacking of Clinton campaign chairman John Podesta’s email account, or that of then-Governor Mike Pence. In both cases, attackers hacked a personal email address, not a work address.
Clearly, personal IT has an impact on corporate information security. Yet companies have limited recourse since enforcing security best practices for employees’ non-work activities would be both logistically impractical and legally problematic.
For that reason, the best approach is to make it harder to mount a successful social engineering attack against company personnel. This can be achieved through digital privacy protection: obscuring the online personal information that attackers use to conduct research on their marks and personalize their attacks.
The many ways personal devices can compromise corporate IT
Most companies that are concerned about IT security—and this should be virtually all of them—will have policies and procedures in place to protect their data systems. These may include software-level protections such as permissions restrictions or two-factor authentication. They may also include policies on the use of personal devices (often called BYOD or bring-your-own-device) and anti-phishing training.
Yet even the most locked-down IT systems are vulnerable to infection via personal devices. Consider the following scenarios:
Reusing passwords – Despite admonitions that employees use different passwords for work and personal accounts, it is difficult if not impossible to enforce compliance. The most common passwords in use today still include such embarrassing entries as “password” and “123456,” while many other people continue to use easy-to-guess combinations based on their initials or birthdate. A hacker can try a variety of common password-cracking or phishing approaches on a personal account, which is less likely to be monitored for abuse, then use the successful personal hack to intelligently guess corporate passwords.
Taking work home – An employee may decide to work on his or her own personal computer while away from the office, regardless of whether or not the use of personal IT equipment is allowed. The employee either logs into the company’s IT systems from home or emails files to a personal account. If that personal device is compromised, the attacker gains access to the documents stored on it and to the accounts used from it.
2FA phishing – An attacker breaks into an employee’s personal email account and correctly deduces that the work email address uses the same password. However, the work account is also protected by two-factor authentication (2FA). Through a search of the personal email account, the attacker discovers the employee’s mobile phone number. The attacker then phishes a two-factor authentication code via SMS and accesses the work account.
Man-in-the-cloud – An employee syncs a work file-sharing account, such as Dropbox or Google Drive, to his or her personal smartphone or computer for ease of access. The device, meanwhile, has already been compromised, so the hacker can easily grab the authentication token that the sync client stores on the device. The hacker installs the token on his or her own device, allowing access to all files in the cloud account, even if the user changes passwords or deactivates the infected device.
BYOD: An imperfect solution
One potential answer to this problem is to allow employees to use personal devices at work, so-called BYOD, and then protect those devices as well as possible. That way, the personal devices used by employees will be less susceptible to compromise. However, this solution has serious limitations:
Incomplete coverage – Employees may have other IT devices that aren’t used for work and that aren’t protected.
Privacy concerns – Many people take issue with the idea that their employers could require them to use a personal device for work, since this practice may violate their privacy.
Legal complications – Depending on where you do business, BYOD can have complex legal implications, from the degree of access the company can demand to the storage of sensitive information on non-company property to reimbursement requirements for the use of employee equipment.
Maintenance hassles – Keeping a BYOD ecosystem secure means that the company IT department will need to support a virtually unlimited variety of devices, operating systems, and software configurations.
Risky non-work usage – Employees may use their devices for non-work purposes that are perfectly legitimate but that nonetheless pose a security threat to the company.
IT security through personal privacy protection
Whether or not your company decides to adopt some form of BYOD, the security threats posed by personal IT remain. That’s where personal privacy protection comes in. If hackers find themselves unable to locate personal information about a mark, they’re at a serious disadvantage.
People search opt outs
Consider, for example, a hacker trying to guess the answers to security challenge questions. Many of the most common questions relate to past addresses or the names of relatives. People-search sites compile this type of information and offer it to anyone who wants it, making it trivial for a skilled hacker to find the answers.
That said, most people-search sites offer some type of opt-out process that will remove an individual’s information from their systems. By issuing opt-out requests to these sites, you can deprive hackers of the ability to find these answers, albeit at the cost of significant time and effort invested into the opt-out process.
Social media audits
Social media is another common source of research for hackers, especially when mounting a spear-phishing attack. Although most social networks now provide robust privacy options, they can be confusing to configure: people often don’t realize exactly who has access to what in their social media feeds. To complicate matters, privacy vulnerabilities may stem not from the individual in question but rather from the poorly secured accounts of relatives.
To combat this type of threat, it becomes necessary to audit the social media accounts of personnel and their immediate relatives, then make specific security recommendations to each individual.
Full-service privacy protection
Clearly, this work can be time-consuming. There are dozens of active people-search sites, and each has different opt-out requirements that may change without notice. These sites also re-create records for individuals who have previously opted out if new sources of the same information appear online. Privacy protection, therefore, is an ongoing maintenance task requiring human intervention and skilled decision-making.
This is why ReputationDefender developed ExecutivePrivacy. We handle the laborious task of locating sources of personal information, scrubbing these sources, and monitoring for any new records. We also analyze privacy threats stemming from social media and other user-controlled sources, creating a simple privacy-protection to-do list for our clients.
ExecutivePrivacy vastly simplifies the problem of protecting against personal IT security threats, and it does it at scale across a company’s key personnel. For more information on how ExecutivePrivacy can help protect your IT systems, schedule a consultation with one of our privacy experts.