Recently the FBI issued a warning about a rise in phishing attacks with a high success rate. The FBI is always tracking cyber criminals and how they mount their attacks. What makes this warning a little different is that it points to a new trend in phishing, so-called “CEO fraud.”
The ever-watchful Brian Krebs was ahead of the FBI and had identified these attacks about a month before the warning. Phishing will be with us as long as email is. So the idea that the bad guys can send email posing as the CEO or another executive is not that shocking, even though it is a relatively new angle.
There are two things that not many seem to be focusing on regarding this “CEO fraud” style of attack. First, the attack relies on the people being targeted having a very large amount of access and complete freedom in using it. In the Seagate attack described by Brian Krebs, the employee emailed the attacker all current and past W2 files. Think about what that means about the employee’s access. This person had unfettered, ungated access to a mountain of sensitive information with legal impact on the company, and was able to exfiltrate it into the hands of the bad guy simply by hitting send. Does that seem like a good pattern to follow?
Before we hang the IT folks out to dry for allowing this sort of access, let’s also consider what this means about executive leadership. The simple thing to point out is that executives have, through their choices or through willful blindness, allowed the sort of access to information that let this happen. But that’s not the interesting part. You can say that about nearly every organization on earth. Executives will always make choices about value versus security, and will likely make choices security pros won’t like.
The interesting part is that the person who received this phishing email didn’t think it was so out of the ordinary that it required more deliberation before hitting send. In other words, it seemed perfectly natural that an executive would ask for that highly sensitive information to be sent over that insecure, untraceable channel. What does it say about how executives treat sensitive data in real operations, and in the requests they make, that an employee found this request plausible?
The Problem is Privileged Access
Some privilege is easy to identify: the root user on a Linux host, enable mode on your routers, membership in the Domain Admins group, or the right to run commands as the Oracle user on the database server. But there are other forms of privilege that are harder to identify, and therefore harder to control.
How do you identify that the group granting access to the fileshare with all the past and current W2 files is a privileged group requiring special attention? There are entire products dedicated to that, like SecurityIQ from SailPoint or StealthAUDIT from STEALTHbits. Often the idea is simply to find out who has the access and then control it.
When does that cross the line from an identity problem to a privileged identity problem? That’s likely a data classification question. One thing is for sure: anything that grants access to all the W2 data, past and current, is radioactive with privilege and should be controlled through a high-friction process to ensure proper handling.
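To make the “find out who has the access” step concrete, here is an added example (not code from the original post, and not how SecurityIQ or StealthAUDIT work internally) of the entitlement review a practitioner would run against a share like the W2 archive: expand nested group membership into the users who can actually reach the share, then flag grants that do not belong on restricted data. The share paths, group names, membership, classifications and reader thresholds are all constructed sample data, not values from the post.

```python
"""Entitlement review for sensitive file shares.

Given share ACLs, group membership (possibly nested) and a data classification
for each share, resolve who can actually reach each share and flag grants that
do not belong on restricted data. Everything below is constructed sample data.
"""
from collections import deque

# Constructed sample data: which principals hold which rights on each share.
SHARE_ACLS = {
    r"\\fs01\hr\w2-archive": {
        "HR-Payroll": "Modify",
        "Domain Admins": "FullControl",
        "Authenticated Users": "Read",   # the grant that turns a share into a liability
    },
    r"\\fs01\marketing\brand": {
        "Marketing": "Modify",
        "Domain Users": "Read",
    },
}

# Constructed group membership; entries may be users or nested groups.
GROUPS = {
    "HR-Payroll": {"alice", "bob", "HR-Contractors"},
    "HR-Contractors": {"carol"},
    "Domain Admins": {"dave"},
    "Marketing": {"erin", "frank"},
    "Domain Users": {"alice", "bob", "carol", "dave", "erin", "frank", "gina"},
    "Authenticated Users": {"alice", "bob", "carol", "dave", "erin", "frank", "gina", "svc-backup"},
}

# Constructed data classification per share; drives how strict the review is.
CLASSIFICATION = {
    r"\\fs01\hr\w2-archive": "restricted",
    r"\\fs01\marketing\brand": "internal",
}

# Groups that effectively mean "everyone"; never acceptable on restricted data.
BROAD_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}

# Hypothetical thresholds: how many people may reach data of each
# classification before the grant is flagged for review (None = no limit).
MAX_READERS = {"restricted": 5, "confidential": 50, "internal": None}


def effective_members(principal, groups=GROUPS):
    """Return the set of user accounts reachable from a principal, expanding nested groups."""
    if principal not in groups:
        return {principal}          # a plain user account
    users, queue, seen = set(), deque([principal]), set()
    while queue:
        g = queue.popleft()
        if g in seen:
            continue                # guard against membership cycles
        seen.add(g)
        for m in groups[g]:
            if m in groups:
                queue.append(m)     # nested group: keep expanding
            else:
                users.add(m)
    return users


def review_share(share, acls=SHARE_ACLS, classification=CLASSIFICATION):
    """Resolve effective access to a share and return findings for a reviewer."""
    cls = classification.get(share, "unclassified")
    readers, findings = set(), []
    for principal, right in acls[share].items():
        readers |= effective_members(principal)
        if cls == "restricted" and principal in BROAD_GROUPS:
            findings.append(f"broad group '{principal}' has {right} on restricted share")
    limit = MAX_READERS.get(cls)
    if limit is not None and len(readers) > limit:
        findings.append(f"{len(readers)} users can read {cls} data (limit {limit})")
    return {"share": share, "classification": cls,
            "readers": sorted(readers), "findings": findings}


if __name__ == "__main__":
    for s in SHARE_ACLS:
        r = review_share(s)
        print(r["share"], r["classification"], len(r["readers"]), "readers")
        for f in r["findings"]:
            print("  !", f)
```

The point of resolving membership transitively is that the dangerous grant is rarely the obvious one: the HR group on the W2 share looks fine until you notice that a broad built-in group also has Read, and that the contractor sub-group is nested into HR. In a real environment the ACLs and groups would come from the file server and the directory rather than from dictionaries, but the review logic is the same.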
Not all the access you find will be that obvious. But you’re a security pro because you know how to make policy appear where there is ambiguity. The policy in these CEO fraud cases is fairly obvious.
The user shouldn’t be able to see “Please send me the whole HR database as a CSV file. K? Thanks. Love, CEO” and then just do it in a few clicks. There should clearly be gates preventing this from happening.
That is easy to say and very hard to make real. It would mean changing the way applications work. It would mean making executives face their own issues in how they communicate and act. It means changing culture and attitudes. We all know that’s operating at layers 8 and 9 of the OSI stack: people and politics. And, unfortunately, there are no good protocols published for those layers. Just know that you do have allies in fighting the good fight.
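As an added illustration of the kind of gate the policy above calls for (this is example code written for this page, not anything from the original post or from a real mail product), here is an outbound-mail check that classifies a CSV attachment by content and holds a bulk export of restricted data for a second approver when it is addressed outside the company. The company domain, the row threshold, the sample message and the sample W2 export are constructed; the only fact relied on is that W2 data carries Social Security numbers, which is what the content check looks for.

```python
"""Outbound mail gate for bulk sensitive exports.

Before a message leaves the organisation, classify its attachments by content
and require a second approver when restricted data is addressed to an external
recipient. Hypothetical policy values and constructed sample data throughout.
"""
import csv
import io
import re
from dataclasses import dataclass, field

INTERNAL_DOMAINS = {"example.com"}                 # hypothetical company domain
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")         # SSN-formatted cell
RESTRICTED_MIN_ROWS = 5                            # hypothetical: this many rows is a bulk export


@dataclass
class Attachment:
    name: str
    data: bytes


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    attachments: list = field(default_factory=list)


def classify_csv(data: bytes) -> dict:
    """Count data rows and SSN-formatted cells; restricted = bulk export containing SSNs."""
    rows = list(csv.reader(io.StringIO(data.decode("utf-8", errors="replace"))))
    body = rows[1:] if rows else []                # skip the header row
    ssn_cells = sum(1 for row in body for cell in row if SSN_RE.match(cell.strip()))
    restricted = ssn_cells > 0 and len(body) >= RESTRICTED_MIN_ROWS
    return {"rows": len(body), "ssn_cells": ssn_cells, "restricted": restricted}


def external_recipients(msg: Message) -> list:
    """Recipients whose domain is not one of ours."""
    return [r for r in msg.recipients
            if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def gate(msg: Message) -> dict:
    """Decide allow / allow_logged / hold_for_approval for an outbound message."""
    ext = external_recipients(msg)
    reasons = []
    for att in msg.attachments:
        if att.name.lower().endswith(".csv"):
            c = classify_csv(att.data)
            if c["restricted"]:
                reasons.append(f"{att.name}: {c['rows']} rows, {c['ssn_cells']} SSN-formatted cells")
    if reasons and ext:
        # Restricted bulk data leaving the company: nobody gets to do this in one click.
        return {"decision": "hold_for_approval", "external": ext, "reasons": reasons}
    if reasons:
        # Internal transfer of restricted data: allowed, but leave a trail.
        return {"decision": "allow_logged", "external": [], "reasons": reasons}
    return {"decision": "allow", "external": ext, "reasons": []}


# Constructed sample: a six-employee W2 export requested "by the CEO" from a webmail address.
SAMPLE_W2_CSV = b"employee,ssn,wages\n" + b"".join(
    f"emp{i},{100 + i:03d}-45-{6000 + i:04d},55000\n".encode() for i in range(6))
SAMPLE_MESSAGE = Message(
    sender="hr.clerk@example.com",
    recipients=["ceo.example@gmail.com"],
    subject="RE: W2s for all employees, urgent",
    attachments=[Attachment("all-w2s.csv", SAMPLE_W2_CSV)],
)

if __name__ == "__main__":
    print(gate(SAMPLE_MESSAGE))
```

Note what the gate does not look at: who the requester claims to be. An urgent note from “the CEO” changes nothing, because the decision keys on the data and the destination, which is exactly the friction the post argues a privileged data set needs.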