Digital devices and home networks of corporate executives, board members and high-value employees with access to financial, confidential and proprietary information are ripe targets for malicious actors, according to a study released Tuesday by a cybersecurity services firm.
The connected home is a prime target for cybercriminals, but few executives or security teams realize the prominence of this emerging threat, noted the study based on an analysis of data from more 1,000 C-suite, board members and high profile executives from over 55 U.S.-based Fortune 1000 companies who are using the executive protection platform of BlackCloak.
“BlackCloak’s study is exceptional,” observed Darren Guccione, CEO of Keeper Security, a password management and online storage company.
“It helps illuminate the pervasive issues and vulnerabilities caused by millions of businesses migrating to distributed, remote work while at the same time, transacting with corporate websites, applications and systems from unsecured home networks,” he told TechNewsWorld.
BlackCloak’s researchers discovered that nearly a quarter of the executives (23%) have open ports on their home networks, which is highly unusual.
BlackCloak CISO Daniel Floyd attributed some of those open ports to third-party installers. “They’re an audio-visual or IT company that, because they don’t want to send a truck out when things break, they’ll set up port-forwarding on the firewall,” he told TechNewsWorld.
“It allows them to remotely connect to the network to solve problems,” he continued. “Unfortunately, they’re being set up improperly with default credentials or vulnerabilities that haven’t been patched for four or five years.”
Exposed Security Cameras
An open port resembles an open door explained Taylor Ellis, a customer threat analyst with Horizon3 AI, an automated penetration testing as a service company in San Francisco. “You wouldn’t leave your door unlocked 24/7 in this day and age, and it’s the same way with an open port on a home network,” he told TechNewsWorld.
“To a business leader,” he continued, “the threat of breaking and entering escalates when you have an open port providing access to sensitive data.”
“A port acts like a communication gateway for a specific service hosted on a network,” he said. “An attacker can easily open a backdoor into one of these services and manipulate it to do their bidding.”
Of the open ports on the home networks of corporate brass, the report noted, 20% were connected to open security cameras, which can also pose a risk to an executive or board member.
“Security cameras have often been used by threat actors both to plant and distribute malware, but perhaps more importantly to provide surveillance on patterns and habits — and if the resolution is good enough, to see passwords and other credentials being entered,” noted Bud Broomhead, CEO of Viakoo, a developer of cyber and physical security software solutions in Mountain View, Calif.
“Many IP cameras have default passwords and out-of-date firmware, making them ideal targets for being breached and once breached making it easier for threat actors to move laterally within the home network,” he told TechNewsWorld.
The BlackCloak researchers also discovered that the personal devices of corporate brass were equally, if not more, insecure than their home networks. More than a quarter of the execs (27%) had malware on their devices, and more than three-quarters of their devices (76%) were leaking data.
One way data leaks from smartphones is through applications. “A lot of apps will ask for sensitive permissions that they don’t need,” Floyd explained. “People will open the app for the first time and just click through the settings not realizing they’re giving the app access to their location data. Then the app will sell that location data to a third party.”
“It’s not only executives and their personal devices, it’s everyone’s personal devices,” added Chris Hills, chief security strategist at BeyondTrust, maker of privileged account management and vulnerability management solutions in Carlsbad, Calif.
“The amount of data, PII, even PHI, that the common smartphone contains these days is mind-boggling,” he told TechNewsWorld. “We don’t realize how vulnerable we can be when we don’t think about security as it relates to our smartphones.”
Personal device security doesn’t seem to be top of mind for many executives. The study found that nearly nine out of 10 of them (87%) have no security installed on their devices.
Mobile OS Security Deficient
“Many devices ship without security software installed, and even if they do it may not be sufficient,” Broomhead noted. “For example, Samsung Android devices ship with Knox security, which has had security holes found in it previously.”
“The device manufacturer may try to make tradeoffs between security and usability that may favor usability,” he added.
Hills maintained that most people are comfortable and content in thinking that the underlying operating system of their smartphone contains the needed security measures to keep the bad guys out.
“For the common person, it’s probably enough,” he said. “For the business executive that has more to lose given their role in a business or company, the security blanket of the underlying operating system just isn’t enough.”
“Unfortunately, in most cases,” he continued, “there is so much we focus on trying to protect as individuals, sometimes some of the most common get overlooked, such as our smartphones.”
Privacy Protections Lacking
Another finding by the BlackCloak researchers was that most personal accounts of executives, such as email, e-commerce, and applications, lack basic privacy protections.
In addition, they discovered security credentials of executives — such as bank and social media passwords — are readily available on the dark web, making them susceptible to social engineering attacks, identity theft, and fraud.
Nearly nine of 10 executives (87%) have passwords currently leaked on the dark web, the researchers noted, and more than half (53%) are not using a secure password manager. Meanwhile, only 8% have activated multifactor authentication enabled across a majority of the applications and devices.
“While measures like multifactor authentication aren’t perfect, these basic best practices are essential, especially for the board/C-suite who often opt-out of the requirement as a matter of convenience,” Melissa Bischoping, an endpoint security research specialist with Tanium, maker of an endpoint management and security platform in Kirkland, Wash. told TechNewsWorld.
“Attacking personal digital lives might be a new risk for enterprises to consider,” the researchers wrote, “but it is a risk that requires immediate attention. Adversaries have determined that executives at home are a path of least resistance, and they will compromise this attack vector for as long as it is safe, seamless, and lucrative for them to do so.”