For years, everyone has been hyper-focused on protecting the enterprise by spending millions of dollars on firewalls, IDS (intrusion detection systems), IPS (intrusion prevention systems), anti-phishing, anti-virus, and so on. All of that technology and every key security feature is fully enforced at the corporate level, but at the end of the day, cybercriminals are going to choose the path of least resistance.

The path of least resistance is attacking the C-level executive through personal channels. On work devices, corporate executives are monitored by cybersecurity professionals; on personal time, they face the same threats with no team to back them up.

Hackers and cybercriminals spot the opportunity to gain access to and control over the executive's home network with little effort, and then migrate from there into the company network. Every day the executive brings their company home, where security controls are weak or nonexistent; so every night, their corporate network and company are at risk of a cyberattack.

What can be done to try to prove this? In the cyber exploration process, it is imperative to view the problem from a hacker's perspective and to have visibility into the attack surface, in order to understand which digital assets are at risk of exposure.

Personal emails are in bounds. Personal passwords are in bounds. Executives are transacting business on personal accounts, they are reusing the same passwords, and oftentimes they are transacting business on their personal devices. It is what it is; they are busy people.

Research Findings

To further investigate the hypothesis, BlackCloak cyber analysts reviewed executives at the “Top” global pharmaceutical companies to discover the extent to which password-based vulnerabilities existed.

Cybercriminals are able to use those passwords to get into corporate executives' personal email, Dropbox, other online accounts, and social media. LinkedIn is a huge treasure trove of information, revealing the executive's entire network of associates, contacts, friends, personal addresses, and direct messages, as well as a lot of intellectual property.

Beyond the threat of access to messaging, the spread of malware, and loss of intellectual property, the greatest risk is that the cybercriminal can pivot from the executive's personal accounts: infect other devices connected to the home network with malware, monitor corporate accounts and communications, and ultimately reach corporate devices to attack the company.

Data Points

  • Two out of three (68%) pharmaceutical executives' emails had been exposed in a data breach incident in the past 5-10 years

  • Of those exposed, the cracked (unhashed, visible, cleartext) password was viewable on the dark/deep web for 57% of the executives with exposures

  • Of those involved in a data breach, 84% had an exposure from the 2015 LinkedIn data dump

  • Surprisingly, 3% of the executives whose passwords were viewable on the deep/dark web used their company's name as the password or as part of the password

Observations

  • The personal and corporate lives of executives are intermeshed, and user passwords on non-corporate systems can put the company in a weaker cybersecurity stance. In order to reduce the corporate attack surface, executives must be protected around the clock. For privacy and legal reasons, this is a task that should never be done by the company itself.

  • Executives (1) used passwords in their personal lives similar to those on their corporate accounts, and (2) used their corporate email accounts as logins to personal online services, with their personal passwords.

  • In the pharmaceutical world, executives appeared to move from job to job across a tier of companies, bringing their old passwords with them and showing consistent use of the same or similar passwords over periods of sometimes 15 years.

  • Some companies went to deeper levels of email obfuscation to try to hide the email address and/or naming convention for executives, but this time and emphasis might be better spent on education, training, or other controls, as it only made the puzzle more interesting to solve.
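The three password patterns the observations describe (exposure in a breach dump, reuse of the same or a slightly varied password carried from job to job, and the company name embedded in the password) can each be screened for mechanically before an executive's credential is accepted. The following is an added example written for this page, not BlackCloak's tooling; the breach corpus, the previous-password list, the company name and the 0.75 similarity threshold are all constructed assumptions. The breach check is keyed on SHA-1 and uses a five-character prefix ("range") lookup, mirroring the k-anonymity pattern public breach-lookup services use so that the full hash of the password never leaves the caller.

```python
"""Screen a password for the exposure patterns in the study: breach-dump
presence, reuse/variant of an earlier password, and company name inside it.
Added example; the corpus and sample inputs below are constructed."""
import hashlib
import re
from difflib import SequenceMatcher

# Constructed stand-in for a breach dump of cracked passwords. A real check
# would consult an external corpus; only SHA-1 hashes are kept here, as
# breach-lookup services conventionally key on SHA-1.
_LEAKED_PLAINTEXTS = ["Summer2015!", "password1", "linkedin123", "Welcome1"]
LEAKED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
               for p in _LEAKED_PLAINTEXTS}

# Leetspeak folding so "Ph4rm4C0rp" still matches the company name "PharmaCorp".
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password (the lookup key, not a storage hash)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def breach_range(prefix: str) -> set:
    """All hash suffixes in the corpus that share a 5-character prefix.

    This is the k-anonymity 'range' query: the caller discloses only the
    prefix and finishes the comparison locally on the returned suffixes."""
    return {h[5:] for h in LEAKED_SHA1 if h.startswith(prefix)}


def is_in_breach_corpus(password: str) -> bool:
    """True if the password's hash appears in the (constructed) breach corpus."""
    h = sha1_hex(password)
    return h[5:] in breach_range(h[:5])


def normalize(text: str) -> str:
    """Lowercase, fold common leetspeak substitutions, drop punctuation/spaces."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(_LEET))


def contains_company_name(password: str, company_names) -> bool:
    """True if any company name (after normalization) is a substring."""
    norm = normalize(password)
    return any(normalize(n) and normalize(n) in norm for n in company_names)


def is_reuse_or_variant(password: str, previous_passwords, threshold: float = 0.75) -> bool:
    """True if the normalized password is identical or highly similar to an
    earlier one, e.g. "Summer2015!" -> "Summer2016!" (threshold is assumed)."""
    norm = normalize(password)
    return any(SequenceMatcher(None, norm, normalize(p)).ratio() >= threshold
               for p in previous_passwords)


def screen_password(password: str, previous_passwords=(), company_names=()) -> list:
    """Return the list of findings for a candidate password, in fixed order."""
    findings = []
    if is_in_breach_corpus(password):
        findings.append("breached")
    if contains_company_name(password, company_names):
        findings.append("contains_company_name")
    if is_reuse_or_variant(password, previous_passwords):
        findings.append("reuse_or_variant")
    return findings


if __name__ == "__main__":
    # Constructed history and company name for a hypothetical executive.
    history = ["Summer2014!", "PharmaCorp2019"]
    for pw in ["Summer2015!", "Ph4rm4C0rp!2020", "correct horse battery staple"]:
        print(pw, screen_password(pw, history, ["PharmaCorp"]))
```

Run as a script it prints the findings for each of the three constructed candidates; only the passphrase comes back clean. In a deployment the corpus lookup would be replaced by a call to a real breach-lookup source using the same prefix pattern, and the previous-password list would come from the organisation's own credential history rather than plaintext, since comparing against stored plaintext is itself a risk.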

Conclusion

There are no boundaries, no safe zones, and nowhere that hackers consider off-limits. If a company is spending millions of dollars on cybersecurity to protect its network, then cybercriminals are going to target the most vulnerable area and expose the weakest link, which is ultimately going to be the personal lives of corporate executives and their home networks.

Protect your company by protecting your executives.