
The "Executive" IT Security Problem - Lessons Learned from Hillary Clinton


Executives have always been privileged users. As security practitioners we tend to think of privileged users as those administrators with outsized access to sensitive information, necessitated by their role in keeping IT services running, presenting risk that requires dedicated mitigation efforts. But when we consider the access rights that executives have to sensitive information, and the authority they wield, we find hidden risk that may not be fully appreciated.

This is evident in the recent revelations of a private email server used by Hillary Clinton during her tenure as Secretary of State. In the ultimate example of shadow IT, she and her staffers took it upon themselves to stand up an IT service, hosted in her own home, which escaped the purview of the Department of State’s IT team.

The rising risk of executive policy evasion

We can leave the discussion of motivation and the legality of Secretary Clinton’s actions to the political class. But it does provide a public example of how tempting it is for executives to operate outside of policy.

Not every executive wants to dedicate space in their bathroom to an email server. But there are companies without a BYOD policy where executives insist on using personal tablets. Yahoo’s CEO famously refused to put a passcode on her personal phone. Some execs retain access to sensitive information following retirement. They insist on downloading software from any Internet site they want to. With authority and resources, convenience is easily prioritized over policy.

Further, the risks presented by privileged users, including executives, continue to evolve. No longer limited to the malicious or careless user, we are now confronted with outsiders obtaining and abusing insider credentials. Spear phishing of executives, or “whaling,” is a rising attack vector that takes advantage of the broad access executives possess, while self-inflicted vulnerabilities make them a softer target as well.

The implications of executive policy circumvention

In the case of Secretary Clinton, while there are some political costs, the security implications have yet to be determined. But we know that Top Secret information was transmitted over a network that was likely not equipped to safeguard it. The US Government applies the Top Secret classification to information that, if disclosed, “could be expected to cause exceptionally grave damage to the national security.”

If her personal server was a target of foreign state actors, the implications are frightening.

Beyond governments, those companies with the most to lose from data breaches as a result of executive policy circumvention are those with significant intellectual property. Drilling technology in the oil and gas industry, pharmaceutical patents in development, or blockbuster movies being filmed are a few examples.

Addressing the risks

Although executives are privileged users, they are likely to chafe at the kind of restrictions typically placed on administrators. Privileged identity management techniques include password vaulting, controls over commands a user can execute, and monitoring and recording activity. While executives are unlikely to accept a need to check out credentials from a password vault, more passive security techniques, specifically user activity monitoring, may be an acceptable alternative.

If they understand what is at stake, unobtrusive monitoring that doesn’t restrict their work can identify abnormal use of their access that could indicate an abuse of privileges by an outsider.
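The kind of unobtrusive monitoring described above comes down to building a per-user baseline of normal behaviour and flagging access that departs from it in more than one way at once. The following is an added example, not code from the original article or from any product named in it. It parses a constructed access log (the `SAMPLE_LOG` lines, the field layout, the user name `ceo` and the country and device values are all assumptions for illustration), learns a baseline from the events before a cutoff date, and then scores later events on four independent signals: source country never seen before, device never seen before, hour of day outside the observed working window, and transfer volume far above the user's median.

```python
"""Baseline-and-deviation checks over constructed access logs for a
privileged (executive) account. Added example; not from the original article."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log lines (not real data). Fields:
# timestamp  user  source_country  device_id  action  bytes_transferred
SAMPLE_LOG = """\
2015-03-02T09:14:05 ceo US tablet-01 mail.read 12000
2015-03-02T11:40:22 ceo US laptop-07 mail.read 8000
2015-03-03T08:55:10 ceo US laptop-07 mail.read 15000
2015-03-03T14:02:47 ceo US tablet-01 file.download 40000
2015-03-04T10:30:00 ceo US laptop-07 mail.read 9000
2015-03-05T03:12:09 ceo RO unknown-99 file.download 1800000
2015-03-05T03:15:33 ceo RO unknown-99 mail.read 500000
"""


def parse_log(text):
    """Turn whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, country, device, action, nbytes = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "country": country,
            "device": device,
            "action": action,
            "bytes": int(nbytes),
        })
    return events


def build_baseline(events):
    """Per-user summary of what 'normal' looked like in the training window."""
    base = defaultdict(lambda: {"countries": set(), "devices": set(),
                                "hours": [], "bytes": []})
    for e in events:
        b = base[e["user"]]
        b["countries"].add(e["country"])
        b["devices"].add(e["device"])
        b["hours"].append(e["ts"].hour)
        b["bytes"].append(e["bytes"])
    return base


def score_event(event, baseline, volume_factor=10):
    """Return the list of ways this event deviates from the user's baseline."""
    b = baseline.get(event["user"])
    if b is None:
        return ["unknown_user"]
    reasons = []
    if event["country"] not in b["countries"]:
        reasons.append("new_country")
    if event["device"] not in b["devices"]:
        reasons.append("new_device")
    # Working window = span of hours observed during training.
    if not (min(b["hours"]) <= event["ts"].hour <= max(b["hours"])):
        reasons.append("off_hours")
    # Volume well above the user's own median transfer size.
    if event["bytes"] > volume_factor * median(b["bytes"]):
        reasons.append("high_volume")
    return reasons


def detect_anomalies(text, cutoff, min_reasons=2):
    """Learn a baseline from events before `cutoff`, then report later events
    that deviate on at least `min_reasons` independent signals."""
    events = parse_log(text)
    cutoff_dt = datetime.fromisoformat(cutoff)
    baseline = build_baseline([e for e in events if e["ts"] < cutoff_dt])
    findings = []
    for e in events:
        if e["ts"] < cutoff_dt:
            continue
        reasons = score_event(e, baseline)
        if len(reasons) >= min_reasons:
            findings.append((e["ts"].isoformat(), e["user"], reasons))
    return findings


if __name__ == "__main__":
    for ts, user, reasons in detect_anomalies(SAMPLE_LOG, "2015-03-05T00:00:00"):
        print(ts, user, ", ".join(reasons))
```

Requiring two or more independent deviations (`min_reasons=2`) is the design choice that keeps this acceptable for executives: a new laptop or a business trip alone produces one signal and stays quiet, whereas a new device, from a new country, at 3 a.m., pulling ten times the usual volume trips all four at once and is worth a human look.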

To mitigate the risk of attackers obtaining executive credentials, multi-factor authentication (MFA) should also be considered. We know that if it is inconvenient, though, executives will circumvent or avoid the use of security controls. So selection of easy-to-use authentication methods, such as effective thumbprint readers or a YubiKey, is critical.

In democracies, politicians are ultimately accountable to voters, and it would seem that voter visibility of the Clinton email situation is currently at an all-time high. Ultimately, executives are accountable to boards. If executives are circumventing security policies, perhaps that activity should have board-level visibility. It’s unreasonable to expect personnel who report to executives to provide that visibility, so it will be up to external auditors to raise awareness as necessary.

Travis Greene, Identity Solutions Strategist at Micro Focus, possesses a blend of IT operations and security experience, process design, organizational leadership and technical skills. After a 10-year career as a US Naval Officer, he started in IT as a Data Center Manager for a hosting company. In early 2002, Travis joined a Managed Service Provider as the leader of the service level and continuous improvement team. Today, Travis conducts research with NetIQ customers, industry analysts, and partners to understand current Identity and Access Management challenges, with a focus on provisioning, governance and user activity monitoring solutions. Travis is Expert Certified in ITIL and holds a BS in Computer Science from the US Naval Academy.