The “Executive” IT Security Problem – Lessons Learned from Hillary Clinton

Hillary Clinton A National Security Risk?

Executives have always been privileged users. As security practitioners we tend to think of privileged users as those administrators with outsized access to sensitive information, necessitated by their role in keeping IT services running, presenting risk that requires dedicated mitigation efforts. But when we consider the access rights that executives have to sensitive information, and the authority they wield, we find hidden risk that may not be fully appreciated.

This is evident in the recent revelations of a private email server used by Hillary Clinton during her tenure as Secretary of State. In the ultimate example of shadow IT, she and her staffers took it upon themselves to stand up an IT service, hosted in her own home, which escaped the purview of the Department of State’s IT team.

The rising risk of executive policy evasion

We can leave the discussion of motivation and the legality of Secretary Clinton’s actions to the political class. But it does provide a public example of how tempting it is for executives to operate outside of policy.

Not every executive wants to dedicate space in their bathroom to an email server. But there are companies without a BYOD policy where executives insist on using personal tablets. Yahoo’s CEO famously refused to put a passcode on her personal phone. Some execs retain access to sensitive information following retirement. They insist on downloading software from any Internet site they want to. With authority and resources, convenience is easily prioritized over policy.

Further, the risks presented by privileged users, including executives, continue to evolve. No longer limited to the malicious or careless user, we are now confronted with outsiders obtaining and abusing insider credentials. Spear phishing executives, or “whaling,” is a rising attack vector that takes advantage of the broad access executives possess, while self-inflicted vulnerabilities make them a softer target as well.

The implications of executive policy circumvention

In the case of Secretary Clinton, while there are some political costs, the security implications have yet to be determined. But we know that Top Secret information was transmitted over what is likely a network that wasn’t equipped to safeguard it. The US Government applies the Top Secret classification to information that, if disclosed, “could be expected to cause exceptionally grave damage to the national security.”

If her personal server was a target of foreign state actors, the implications are frightening.

Beyond governments, those companies with the most to lose from data breaches as a result of executive policy circumvention are those with significant intellectual property. Drilling technology in the oil and gas industry, pharmaceutical patents in development, or blockbuster movies being filmed are a few examples.

Addressing the risks

Although executives are privileged users, they are likely to chafe at the kind of restrictions typically placed on administrators. Privileged identity management techniques include password vaulting, controls over commands a user can execute, and monitoring and recording activity. While executives are unlikely to accept a need to check out credentials from a password vault, more passive security techniques, specifically user activity monitoring, may be an acceptable alternative.

If they understand what is at stake, unobtrusive monitoring that doesn’t restrict their work can identify abnormal use of their access that could indicate an abuse of privileges by an outsider.
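The monitoring described above comes down to learning an account's normal pattern and flagging sign-ins that depart from it. The following Python is an added example, not code from this article or from any product it mentions; the account name, the sign-in records and the two-hour travel window are constructed for illustration.

```python
from datetime import datetime, timedelta
# Constructed sign-in history (timestamp account country device): the account's normal pattern.
HISTORY = [
    "2015-03-02T08:15:00 exec-ceo US laptop-01",
    "2015-03-02T18:40:00 exec-ceo US phone-01",
    "2015-03-03T07:55:00 exec-ceo US laptop-01",
]
# Constructed new sign-ins to evaluate against that history.
NEW_EVENTS = [
    "2015-03-05T09:00:00 exec-ceo US laptop-01",   # looks normal
    "2015-03-05T09:30:00 exec-ceo RO browser-xx",  # new country and device, 30 min after a US sign-in
    "2015-03-06T03:05:00 exec-ceo US laptop-01",   # known device, but far outside the usual hours
]

def parse(line):
    ts, user, country, device = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "country": country, "device": device}

def build_baseline(lines):
    baseline = {}  # account -> list of its historical sign-ins
    for ev in map(parse, lines):
        baseline.setdefault(ev["user"], []).append(ev)
    return baseline

def score(ev, baseline, previous):
    """Reasons this event deviates from its account's history (empty list = normal)."""
    hist = baseline.get(ev["user"], [])
    if not hist:
        return ["no baseline for account"]
    hours = [h["ts"].hour for h in hist]
    prev = previous.get(ev["user"])  # the last sign-in already processed for this account
    checks = [
        ("new country", ev["country"] not in {h["country"] for h in hist}),
        ("new device", ev["device"] not in {h["device"] for h in hist}),
        ("unusual hour", not min(hours) <= ev["ts"].hour <= max(hours)),
        # two countries inside two hours cannot be one person carrying one device
        ("rapid country change", prev is not None and prev["country"] != ev["country"]
         and ev["ts"] - prev["ts"] < timedelta(hours=2)),
    ]
    return [name for name, hit in checks if hit]

def detect(history, events):
    """Evaluate events in order; returns (line, reasons) for each one that deviates."""
    baseline, previous, alerts = build_baseline(history), {}, []
    for line in events:
        ev = parse(line)
        reasons = score(ev, baseline, previous)
        previous[ev["user"]] = ev
        if reasons:
            alerts.append((line, reasons))
    return alerts
```

Nothing here blocks the executive; the output is a list of sign-ins worth a second look, which is the unobtrusive visibility the text argues for.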

To mitigate the risk of attackers obtaining executive credentials, multi-factor authentication (MFA) should also be considered. We know that if it is inconvenient, though, executives will circumvent or avoid the use of security controls. So selection of easy-to-use authentication methods, such as effective thumbprint readers or a YubiKey, is critical.

In democracies, politicians are ultimately accountable to voters, and it would seem that voter visibility of the Clinton email situation is currently at an all-time high. Ultimately, executives are accountable to boards. If executives are circumventing security policies, perhaps that activity should have board-level visibility. It’s unreasonable to expect personnel who report to executives to provide that visibility, so it will be up to external auditors to raise awareness as necessary.
