SecurityWeek

The “Executive” IT Security Problem – Lessons Learned from Hillary Clinton

Hillary Clinton A National Security Risk?

Executives have always been privileged users. As security practitioners we tend to think of privileged users as those administrators with outsized access to sensitive information, necessitated by their role in keeping IT services running, presenting risk that requires dedicated mitigation efforts. But when we consider the access rights that executives have to sensitive information, and the authority they wield, we find hidden risk that may not be fully appreciated.

This is evident in the recent revelations of a private email server used by Hillary Clinton during her tenure as Secretary of State. In the ultimate example of shadow IT, she and her staffers took it upon themselves to stand up an IT service, hosted in her own home, which escaped the purview of the Department of State’s IT team.

The rising risk of executive policy evasion

We can leave the discussion of motivation and the legality of Secretary Clinton’s actions to the political class. But it does provide a public example of how tempting it is for executives to operate outside of policy.

Not every executive wants to dedicate space in their bathroom to an email server. But there are companies without a BYOD policy where executives insist on using personal tablets. Yahoo’s CEO famously refused to put a passcode on her personal phone. Some execs retain access to sensitive information following retirement. They insist on downloading software from any Internet site they want to. With authority and resources, convenience is easily prioritized over policy.

Further, the risks presented by privileged users, including executives, continue to evolve. No longer limited to the malicious or careless insider, we are now confronted with outsiders obtaining and abusing insider credentials. Spear phishing executives, or “whaling,” is a rising attack vector that takes advantage of the broad access executives possess, while self-inflicted vulnerabilities make them a softer target as well.

The implications of executive policy circumvention

In the case of Secretary Clinton, while there are some political costs, the security implications have yet to be determined. But we know that Top Secret information was transmitted over what is likely a network that wasn’t equipped to safeguard it. The US Government applies the Top Secret classification to information that, if disclosed, “could be expected to cause exceptionally grave damage to the national security.”

If her personal server was a target of foreign state actors, the implications are frightening.

Beyond governments, those companies with the most to lose from data breaches as a result of executive policy circumvention are those with significant intellectual property. Drilling technology in the oil and gas industry, pharmaceutical patents in development, or blockbuster movies being filmed are a few examples.

Addressing the risks

Although executives are privileged users, they are likely to chafe at the kind of restrictions typically placed on administrators. Privileged identity management techniques include password vaulting, controls over commands a user can execute, and monitoring and recording activity. While executives are unlikely to accept a need to check out credentials from a password vault, more passive security techniques, specifically user activity monitoring, may be an acceptable alternative.

If they understand what is at stake, unobtrusive monitoring that doesn’t restrict their work can identify abnormal use of their access that could indicate an abuse of privileges by an outsider.
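The kind of passive, baseline-driven monitoring described above, as an added example that is not part of the column: each executive account's own history (source countries, hours of activity, peak daily downloads) becomes the baseline, and later events are flagged only where they deviate from it. The audit-log layout "timestamp user action country" and the sample lines are constructed for illustration.

```python
# Added example, not from the column: baseline-and-deviation check over a constructed
# audit log for a privileged executive account; "timestamp user action country" layout is assumed.
from collections import defaultdict
from datetime import datetime

BASELINE_LOG = """2015-03-02T09:12:00 ceo login US
2015-03-02T14:40:00 ceo download US
2015-03-03T08:55:00 ceo login US
2015-03-03T16:02:00 ceo download US
2015-03-04T10:30:00 ceo login US""".splitlines()

NEW_LOG = """2015-03-05T09:05:00 ceo login US
2015-03-05T03:14:00 ceo login RO
2015-03-05T03:15:00 ceo download RO
2015-03-05T03:16:00 ceo download RO""".splitlines()

def parse(line):
    ts, user, action, country = line.split()
    return datetime.fromisoformat(ts), user, action, country

def build_baseline(lines):
    # Per user: countries seen, hours-of-day seen, downloads per day (for the peak).
    base = defaultdict(lambda: {"countries": set(), "hours": set(), "dl": defaultdict(int)})
    for line in lines:
        ts, user, action, country = parse(line)
        base[user]["countries"].add(country)
        base[user]["hours"].add(ts.hour)
        if action == "download":
            base[user]["dl"][ts.date()] += 1
    return base

def find_anomalies(baseline, lines):
    # Returns [(line, reasons)] for events that deviate from that user's own baseline.
    flagged, dl_today = [], defaultdict(int)
    for line in lines:
        ts, user, action, country = parse(line)
        b = baseline.get(user)
        if b is None:  # an account with no history at all is itself worth a look
            flagged.append((line, ["no baseline for user"]))
            continue
        reasons = []
        if country not in b["countries"]:
            reasons.append(f"new source country {country}")
        if ts.hour not in b["hours"]:
            reasons.append(f"unusual hour {ts.hour:02d}:00")
        if action == "download":
            dl_today[(user, ts.date())] += 1
            if dl_today[(user, ts.date())] > max(b["dl"].values(), default=0):
                reasons.append("download volume above baseline")
        if reasons:
            flagged.append((line, reasons))
    return flagged
```

Nothing here blocks the executive; the output is a short list of events with the reason each one stood out, which is the visibility the text argues for without the friction of a vault or command restrictions.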

To mitigate the risk of attackers obtaining executive credentials, multi-factor authentication (MFA) should also be considered. We know that if it is inconvenient, though, executives will circumvent or avoid the use of security controls. So selection of easy-to-use authentication methods, such as effective thumbprint readers or a YubiKey, is critical.

In democracies, politicians are ultimately accountable to voters, and it would seem that voter visibility of the Clinton email situation is currently at an all-time high. Ultimately, executives are accountable to boards. If executives are circumventing security policies, perhaps that activity should have board-level visibility. It’s unreasonable to expect personnel who report to executives to provide that visibility, so it will be up to external auditors to raise awareness as necessary.
