Executives have always been privileged users. As security practitioners we tend to think of privileged users as those administrators with outsized access to sensitive information, necessitated by their role in keeping IT services running, presenting risk that requires dedicated mitigation efforts. But when we consider the access rights that executives have to sensitive information, and the authority they wield, we find hidden risk that may not be fully appreciated.
This is evident in the recent revelations of a private email server used by Hillary Clinton during her tenure as Secretary of State. In the ultimate example of shadow IT, she and her staffers took it upon themselves to stand up an IT service, hosted in her own home, which escaped the purview of the Department of State’s IT team.
The rising risk of executive policy evasion
We can leave the discussion of motivation and the legality of Secretary Clinton’s actions to the political class. But it does provide a public example of how tempting it is for executives to operate outside of policy.
Not every executive wants to dedicate space in their bathroom to an email server. But there are companies without a BYOD policy where executives insist on using personal tablets. Yahoo’s CEO famously refused to put a passcode on her personal phone. Some execs retain access to sensitive information following retirement. They insist on downloading software from any Internet site they want to. With authority and resources, convenience is easily prioritized over policy.
Further, the risks presented by privileged users, including executives, continue to evolve. No longer limited to the malicious or careless user, we are now confronted with outsiders obtaining and abusing insider credentials. Spear phishing executives, or “whaling,” is a rising attack vector that takes advantage of the broad access executives possess, while self-inflicted vulnerabilities make them a softer target as well.
The implications of executive policy circumvention
In the case of Secretary Clinton, while there are some political costs, the security implications have yet to be determined. But we know that Top Secret information was transmitted over what is likely a network that wasn’t equipped to safeguard it. The US Government applies the Top Secret classification to information that, if disclosed, “could be expected to cause exceptionally grave damage to the national security.”
If her personal server was a target of foreign state actors, the implications are frightening.
Beyond governments, those companies with the most to lose from data breaches as a result of executive policy circumvention are those with significant intellectual property. Drilling technology in the oil and gas industry, pharmaceutical patents in development, or blockbuster movies being filmed are a few examples.
Addressing the risks
Although executives are privileged users, they are likely to chafe at the kind of restrictions typically placed on administrators. Privileged identity management techniques include password vaulting, controls over commands a user can execute, and monitoring and recording activity. While executives are unlikely to accept a need to check out credentials from a password vault, more passive security techniques, specifically user activity monitoring, may be an acceptable alternative.
If they understand what is at stake, unobtrusive monitoring that doesn’t restrict their work can identify abnormal use of their access that could indicate an abuse of privileges by an outsider.
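As an added illustration of the unobtrusive monitoring described above (example code, not from the original article), the following baseline-and-deviation check raises an alert on an executive account only when several weak signals coincide, so a late-night mail check from a known device stays quiet while a burst of downloads from an unknown device abroad does not. The baseline values, the log schema and the sample log lines are all constructed assumptions.

```python
from datetime import datetime

# Constructed baseline for one executive account (hypothetical values).
BASELINE = {"ceo": {"countries": {"US"}, "devices": {"ceo-laptop", "ceo-tablet"},
                    "work_hours": (6, 22), "max_downloads_per_hour": 3}}

# Constructed sample log lines: user,timestamp,country,device,action
SAMPLE_LOG = """\
ceo,2016-03-01T09:15:00,US,ceo-laptop,mail.read
ceo,2016-03-01T10:02:00,US,ceo-tablet,file.download
ceo,2016-03-01T23:30:00,US,ceo-tablet,mail.read
ceo,2016-03-02T03:11:00,RU,unknown-host,file.download
ceo,2016-03-02T03:12:00,RU,unknown-host,file.download
ceo,2016-03-02T03:13:00,RU,unknown-host,file.download
ceo,2016-03-02T03:14:00,RU,unknown-host,file.download
"""

def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        user, ts, country, device, action = line.split(",")
        events.append({"user": user, "time": datetime.fromisoformat(ts),
                       "country": country, "device": device, "action": action})
    return events

def score_event(event, baseline, download_counts):
    # Each check is a weak signal on its own; all that fire are returned.
    b = baseline[event["user"]]
    reasons = []
    if event["country"] not in b["countries"]:
        reasons.append("new_country")
    if event["device"] not in b["devices"]:
        reasons.append("unknown_device")
    start, end = b["work_hours"]
    if not start <= event["time"].hour < end:
        reasons.append("off_hours")
    if event["action"] == "file.download":  # count downloads per clock hour
        key = (event["user"], event["time"].strftime("%Y-%m-%dT%H"))
        download_counts[key] = download_counts.get(key, 0) + 1
        if download_counts[key] > b["max_downloads_per_hour"]:
            reasons.append("bulk_download")
    return reasons

def find_anomalies(events, baseline, min_signals=2):
    # Alert only when several signals coincide, to keep the monitoring quiet.
    counts, alerts = {}, []
    for ev in events:
        reasons = score_event(ev, baseline, counts)
        if len(reasons) >= min_signals:
            alerts.append((ev["time"].isoformat(), reasons))
    return alerts
```

Tuning `min_signals` and the per-hour download threshold is the trade-off between catching a compromised executive account early and generating noise the executive will push back on.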
To mitigate the risk of attackers obtaining executive credentials, multi-factor authentication (MFA) should also be considered. We know that if it is inconvenient, though, executives will circumvent or avoid the use of security controls. So selection of easy-to-use authentication methods, such as effective thumbprint readers or a YubiKey, is critical.
In democracies, politicians are ultimately accountable to voters, and it would seem that voter visibility of the Clinton email situation is currently at an all-time high. Ultimately, executives are accountable to boards. If executives are circumventing security policies, perhaps that activity should have board-level visibility. It’s unreasonable to expect personnel who report to executives to provide that visibility, so it will be up to external auditors to raise awareness as necessary.