Gordon Lawson is President of RangeForce, a provider of interactive cybersecurity training and defense simulation software for enterprises.
Anyone involved with cybersecurity understands that not all IT systems and devices represent the same level of risk. Some hold more valuable data than others. Some are mission-critical and others, while important, don’t spell “doom” if they are compromised.
However, when it comes to thinking about the executive suite, many security teams eschew common sense. They view executives just like every other employee and rely on the same protections, such as authentication, anti-malware software and on-device security.
That’s a mistake.
Executives frequently have the most sensitive information residing on their personal devices, and they often represent the greatest risk for exposing information through techniques like phishing. As a result, they’re likely to be specifically targeted by crooks who rely on increasingly sophisticated and stealthy methods to hack and crack systems and devices.
Recent news reports demonstrate how ingenious and effective attacks have become. Over the last few months, several high-profile ransomware attacks have taken place. These include the Colonial Pipeline hack, meatpacker JBS and the Washington, D.C. Metro Police Department. Additionally, the Ryuk Ransomware Gang targeted 235 hospitals and health care facilities across the U.S.
There’s no disputing the fact that social engineering attacks are becoming more aggressive and more widespread. Because the C-suite and other senior-level executives typically have a higher level of permissions and greater access to systems — along with more sensitive information on their personal devices — they’re in the crosshairs.
This may include smartphones, tablets and even home computers that lack virtual private networking gear and other cybersecurity protections, including anti-malware and default encryption for hard drives and other storage media. These risks also extend to personal assistants and administrative support staff who work with these executives and have access to the same sensitive information.
Ultimately, it’s critical to understand every executive’s entire digital footprint within the organization and even extend policies and security protections to social media accounts, such as LinkedIn and Twitter. It’s also important to monitor accounts regularly for any signs of unusual activity or odd posts.
Not surprisingly, extra and enhanced layers of protection are required for executives — and these safeguards extend beyond the office and the home. As the pandemic subsides, people are once again boarding planes, trains and automobiles for travel and finding themselves visiting client sites and using public Wi-Fi at airports, hotels and coffee shops.
This necessitates the need for a more sophisticated approach. One way to achieve this is through a so-called Moving Target Defense (MTD), which can be implemented through dynamic runtime platforms and dynamic application code and data. Originally conceived by the U.S. Department of Homeland Security, the framework is designed to deflect attacks by creating a more complex and constantly changing attack space. It relies on a number of tools, methods and techniques to accomplish this objective.
An MTD delivers key protections:
• Protected browsing: In order to protect sensitive and confidential data, a browser uses a protected mode to add a layer of protection. Essentially, the browser monitors the connection continuously (rather than only at the start) to ensure it’s private and secure. This makes it next to impossible to inject code and malware. Protected browsing is typically available through add-ons or extensions to browsers such as Mozilla Firefox and Google Chrome.
• Isolation and network segmentation: Isolation prevents threats from compromising company systems and networks by executing web code off a local device or the network. Similarly, network segmentation compartmentalizes and protects communications while operating away from trusted network connections and devices.
• Privacy measures: Obfuscation techniques lower a person’s cyber profile and proactively disrupt reconnaissance attempts. For example, traditional routers and VPNs are prone to vulnerabilities and typically reveal a person’s identity. A better approach is through cloud-based network services that deliver Zero Trust through obfuscation and MTD to proactively prevent cyber threats.
An MTD is effective because it introduces chaos, unpredictability and noise. Constantly changing IP addresses, easy-to-hack decoy software and the ability to adapt dynamically and even decrease attack surfaces all generate noise that distracts attackers and wastes their time and resources. Moreover, MTD works at different levels of the system stack, thus providing attackers with a constantly changing view of the IT environment. Not surprisingly, at a certain point, attackers are likely to move on to easier targets.
Consistency Is Key
MTD protections should exist on all the devices executives use while traveling in order to reduce the attack surface of potential vulnerability. Of course, it’s also critical to focus on physical security protections, such as blocking USB ports, avoiding public Wi-Fi and even using screen protectors that block off-angle viewing on planes, trains or at cafes.
Organizations also shouldn’t overlook awareness and training for executives. This includes emphasizing the importance of following guidelines, consistently using encryption and discouraging the use of unprotected personal devices. In the end, strong physical protections and good hygiene can greatly aid in locking down assets and repelling attackers.