Getting Personal: The impact of cybercrime on executive leadership
Executive Risk Whitepaper
Corporate leaders and directors are often the targets of cyber crime. Sometimes they are just collateral damage. In either case, it can be costly and career ending.
EXECUTIVE RISK WHITEPAPER
Contents
[2] Executive Summary
[3] Take it from the top
[6] A Broken Circle of Trust
[7] Accidents Happen
[8] Sent Packing
[9] Spare Me
[10] Conclusion
© 2017 4iQ, Inc. All rights reserved. [ 1 ]
Executive Summary
When it comes to cyber threats, the C-suite and board room have a lot to worry about. What would a breach do to our company’s reputation? What could happen to our stock price? What if our intellectual property is stolen? How could the cost of a breach affect our financials? Or our viability as a company?
These are all important questions, and smart companies consider how to answer them before an incident occurs. But there is one question that few executives think to ask until it’s too late:
What if I am the source of the breach?
When a CEO’s account is breached, it can trigger an earthquake for the entire enterprise. Aftershocks often include phishing scams launched from the trusted account, exfiltrated intellectual property, exposed customer lists, and countless other incidents that cause severe financial and reputational damage.
4iQ’s unique, outside-in approach can keep you and your company safe. We scour the full attack surface to uncover lost, leaked or stolen credentials and data.
Take it from the Top
Increasingly, cyber criminals are targeting company leadership to gain access to networks, information, notoriety and money. Nobody is safe. Consider just a few of the executives and high-profile people who have been hacked recently:
Exposed Executives and Celebrities
Alf Goransson, former CEO. Identity Theft.
His stolen identity was used for a false loan application in March 2017. No legal action was taken until a District Court declared him bankrupt in July.

Bo Shen, founder of Fenbushi Capital. Social Engineering.
Bo, an early investor in the digital currencies Ethereum and Augur, was considered a “whale.” Hackers stole and dumped his REP and ETH, which caused trading prices to plummet.

Amy Pascal, Sony Pictures. Email Hijack.
Hackers leaked Pascal’s embarrassing company emails, which damaged her reputation, caused a PR disaster for the company and ultimately forced her to resign.

CFO and Head of Investor Relations. Insider Hacking.
A former IT technician stole the passwords of executives, remotely accessed their electronic devices and mined confidential information to make “highly profitable” stock trades.

Sundar Pichai, Google CEO. Account Takeover.
OurMine hackers took over his Twitter account by going through his linked Quora account.

Werner Vogels, Amazon CTO. Account Takeover.
The CTO of Amazon Web Services had his social networking account hacked and taken over.

Katy Perry, celebrity. Social Media Hijack.
The most followed person on Twitter had her account hijacked. Hackers tweeted profanity and slurs targeting rival pop star Taylor Swift.

Anne Hathaway, celebrity. Social Media Hijack.
Intimate photos surfaced and were widely shared on Tumblr, Twitter and Reddit.

Tiger Woods, golfer, celebrity. Social Media Hijack.
Dozens of nude photos of Tiger and other celebrities were hacked and released on an internet porn site.
These examples involve sophisticated executives at the helm of cutting-edge tech companies, or people in the public eye whose careers depend on their reputation, yet their accounts and identities were compromised largely with the same tactics that put us all at risk. Let’s start with the first of these.
1. CEO Phishing Scams
Cyber criminals use phishing to gain access to identities and networks for one good reason: it works. Every day, even the most tech-savvy executives fall for spoofed emails. By clicking on a seemingly innocuous link or entering a password on a familiar-looking site, they put untold personal and corporate information, and reputations, at risk.
Preventing phishing is particularly vexing for corporate IT departments because these messages rarely trip spam filters. They are sent individually rather than in bulk, and they use sender names and domains that look familiar to the recipient.
In 2015, Ubiquiti Networks, a San Jose based maker of networking technology, was taken for $46.7 million when a hacker “impersonated” executives and directed funds to be transferred to an overseas bank.
Tech Firm Ubiquiti Suffers $46M Cyberheist
Networking firm Ubiquiti Networks Inc. disclosed this week that cyber thieves recently stole $46.7 million using an increasingly common scam in which crooks spoof communications from executives at the victim firm in a bid to initiate unauthorized international wire transfers. [1]
In April 2016, Brian Krebs reported that the U.S. Federal Bureau of Investigation (FBI) had alerted the public to a 270% global increase in identified victims and exposed losses from “CEO scams.” As Krebs notes in his blog, these spoofed emails rarely set off spam traps because they are carefully crafted and targeted, not mass mailed.
FBI: $2.3 Billion Lost to CEO Email Scams
The U.S. Federal Bureau of Investigation (FBI) this week warned about a “dramatic” increase in so-called “CEO fraud,” e-mail scams in which the attacker spoofs a message from the boss and tricks someone at the organization into wiring funds to the fraudsters. The FBI estimates these scams have cost organizations more than $2.3 billion in losses over the past three years. [2]
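The impersonation pattern described in this section (a message that appears to come from an executive, sent from a lookalike domain or with a redirected reply address, asking for an urgent wire) lends itself to a simple mail-gateway triage rule. The following is an added example written for this edition; it is not code from 4iQ or from the Krebs articles cited. The corporate domain, the executive list and the three sample messages are constructed, and the heuristics are the editor’s own.

```python
import re
import unicodedata
from dataclasses import dataclass, field
from difflib import SequenceMatcher

# Hypothetical protected domain; substitute the real one.
CORPORATE_DOMAIN = "example-corp.com"

# Lookalike tricks seen in executive impersonation: digit-for-letter swaps and
# Cyrillic letters that render like Latin ones.
_HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0131": "i",
})

@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)

def _extract(addr_field):
    """Split 'Display Name <user@domain>' (or a bare address) into (display, domain)."""
    m = re.match(r'^\s*"?([^"<]*?)"?\s*<?([^<>\s@]+)@([^<>\s]+)>?\s*$', addr_field)
    if not m:
        return "", ""
    return m.group(1).strip(), m.group(3).lower().rstrip(".")

def normalise(domain):
    """Fold homoglyphs and separators so 'examp1e-c0rp.com' collapses to 'examplecorpcom'."""
    d = unicodedata.normalize("NFKC", domain).lower().translate(_HOMOGLYPHS)
    d = d.replace("rn", "m").replace("vv", "w")
    return re.sub(r"[^a-z]", "", d)

def is_lookalike(sender_domain, corp_domain=CORPORATE_DOMAIN):
    """True when the sender domain imitates corp_domain without being it (or a subdomain of it)."""
    if sender_domain == corp_domain or sender_domain.endswith("." + corp_domain):
        return False
    a, b = normalise(sender_domain), normalise(corp_domain)
    if a == b:
        return True                                    # homoglyph / digit / hyphen variant
    return SequenceMatcher(None, a, b).ratio() >= 0.9  # a character or two away, e.g. .co for .com

_MONEY = re.compile(r"\b(wire|transfer|payment|invoice|iban|swift)\b")
_URGENT = re.compile(r"\b(urgent|today|asap|confidential|immediately)\b")

def analyse(headers, executives, corp_domain=CORPORATE_DOMAIN):
    """
    headers: dict with 'From' and optionally 'Reply-To', 'Subject', 'Body'.
    executives: set of lower-cased display names attackers are likely to impersonate.
    Returns a Verdict listing every indicator that fired.
    """
    reasons = []
    display, from_dom = _extract(headers.get("From", ""))
    _, reply_dom = _extract(headers.get("Reply-To", ""))

    if from_dom and is_lookalike(from_dom, corp_domain):
        reasons.append(f"lookalike sender domain {from_dom!r}")
    if display.lower() in executives and from_dom != corp_domain:
        reasons.append(f"display name {display!r} is an executive but domain is {from_dom!r}")
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")
    text = f"{headers.get('Subject', '')} {headers.get('Body', '')}".lower()
    if _MONEY.search(text) and _URGENT.search(text):
        reasons.append("payment request combined with urgency or secrecy language")
    return Verdict(bool(reasons), reasons)

# Constructed sample messages (not real traffic).
EXECUTIVES = {"jane doe"}
SAMPLES = {
    "legit": {"From": '"Jane Doe" <jane@example-corp.com>',
              "Subject": "Q3 board deck", "Body": "Attached is the deck for review."},
    "lookalike": {"From": '"Jane Doe" <jane@examp1e-c0rp.com>',
                  "Subject": "Urgent wire",
                  "Body": "Please process this wire transfer today. Keep it confidential."},
    "reply_to_swap": {"From": '"Jane Doe" <jane@example-corp.com>',
                      "Reply-To": "jane.doe.ceo@webmail.example",
                      "Subject": "Invoice", "Body": "Pay the attached invoice ASAP."},
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, analyse(msg, EXECUTIVES))
```

A rule like this complements, rather than replaces, SPF, DKIM and DMARC enforcement on the corporate domain: those stop exact-domain spoofing but do nothing against a lookalike registration, a redirected Reply-To, or a legitimate executive mailbox that has already been taken over.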
[1] Brian Krebs. August 8, 2015. Krebs on Security. Tech Firm Ubiquiti Suffers $46M Cyberheist.
[2] Brian Krebs. April 16, 2016. Krebs on Security. FBI: $2.3 Billion Lost to CEO Email Scams.
2. Stolen credentials
If cyber crime is a fast-moving wildfire across the global internet, stolen credentials are the oxygen. Verizon’s 2017 Data Breach Investigations Report found that 81% of hacking-related breaches involved stolen or weak passwords.
Massive 711 Million Emails and Passwords Dumped and You Are Probably on the List...I Was
A malware researcher going by the Twitter handle Benkow moʞuƎq uncovered a huge stash of emails and passwords stored on an open server in The Netherlands. The stolen credentials were apparently harvested by a spambot known as Onliner. This spambot has been used to deliver banking malware which has compromised over 100,000 accounts. [3]
Like the rest of us, executives frequently use the same username and password combinations to log in to multiple accounts. On average, people use two to five passwords across roughly 25 accounts.
This means that once a hacker obtains the credentials that unlock one site, with a little time and the right software he or she can gain access to the executive’s other online accounts, including the enterprise network. This is an all-too-common way intellectual property, money and identities are stolen, and networks are held for ransom.

At 4iQ, we estimate an 80% chance that a hacker can find a password belonging to the victim if three different accounts can be tested.
After the credentials are used, accounts drained and networks ransacked, criminals usually sell (or dump) the information on the dark web for others to use. At this point, it is a “free for all” and the stolen credentials are available for anyone. It’s akin to leaving your keys in the ignition with the engine running and the doors unlocked.
Mark Zuckerberg used the same password (“dadada”, seriously) for several accounts, including LinkedIn and Adobe. Needless to say, they were breached multiple times. The last time, he learned of it from a tweet sent by hackers from his very own Twitter account.

92% of executives have credentials exposed.
EMAIL               BREACH/SITE   PASSWORD ALGORITHM   RECOVERED PASSWORD
[email protected]   LinkedIn      SHA1                 dadada
[email protected]   MySpace       SHA1                 *****fee
[email protected]   Last.fm       MD5                  *****v3a
[email protected]   Adobe         3DES                 dadada
[email protected]   Tumblr        SHA1                 *****nis
[email protected]   Dropbox       SHA1                 *****325
[email protected]   Fling         None (plaintext)     *****980
[email protected]   VK            None (plaintext)     *****123

“None” means the site stored the password in plaintext. The SHA1 and MD5 entries were unsalted hashes: they are not decrypted but recovered by hashing a wordlist and matching, which is fast enough to run against every user in a dump at once. Adobe’s 3DES was reversible encryption, so every account sharing a password shared the same ciphertext.
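The table above shows why credential reuse is so cheap to exploit: where a site stored unsalted SHA1 or MD5, one dictionary pass recovers the same password for every user in the dump, and a password recovered from one site can be tried against the others. The following added example (written for this edition, not 4iQ’s code) reproduces that workflow on a constructed dump. The addresses, rows and wordlist are made up and the hashes are computed inline; the 3DES row carries a made-up ciphertext string solely to show that the cracker must skip it.

```python
import hashlib
from collections import defaultdict

def sha1_hex(s):
    return hashlib.sha1(s.encode("utf-8")).hexdigest()

def md5_hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()

HASHERS = {"SHA1": sha1_hex, "MD5": md5_hex}

# Constructed dump rows shaped like the table above: (email, site, algorithm, stored value).
DUMP = [
    ("exec@example.com",      "LinkedIn", "SHA1", sha1_hex("dadada")),
    ("exec@example.com",      "Last.fm",  "MD5",  md5_hex("dadada")),
    ("exec@example.com",      "Tumblr",   "SHA1", sha1_hex("Winter2015!")),  # not in wordlist
    ("exec@example.com",      "VK",       "None", "dadada"),                  # stored in plaintext
    ("exec@example.com",      "Adobe",    "3DES", "EQ7fIpT7i/Q="),            # made-up ciphertext
    ("assistant@example.com", "MySpace",  "SHA1", sha1_hex("qwerty123")),
]

# Constructed wordlist; real attacks use tens of millions of entries plus mangling rules.
WORDLIST = ["123456", "password", "dadada", "qwerty123", "letmein"]

def crack(rows, wordlist):
    """
    Recover plaintexts for unsalted SHA1/MD5 rows and for plaintext rows.
    Returns {(email, site): password}. Because the hashes are unsalted, one
    hash->word table per algorithm serves every user in the dump.
    """
    tables = {alg: {fn(w): w for w in wordlist} for alg, fn in HASHERS.items()}
    recovered = {}
    for email, site, alg, value in rows:
        if alg == "None":
            recovered[(email, site)] = value
        elif alg in tables and value in tables[alg]:
            recovered[(email, site)] = tables[alg][value]
        # Anything else (e.g. 3DES ciphertext) is skipped: it needs the site's key, not a wordlist.
    return recovered

def reuse_report(recovered):
    """
    Group recovered passwords per email. A password seen on two or more sites is
    the credential-stuffing candidate to try against the victim's other accounts.
    """
    by_email = defaultdict(lambda: defaultdict(list))
    for (email, site), pw in recovered.items():
        by_email[email][pw].append(site)
    return {email: {pw: sorted(sites) for pw, sites in pws.items() if len(sites) > 1}
            for email, pws in by_email.items()}

if __name__ == "__main__":
    found = crack(DUMP, WORDLIST)
    for (email, site), pw in sorted(found.items()):
        print(f"{email:24} {site:10} {pw}")
    print("reused:", reuse_report(found))
```

The defensive counterpart for a site operator is a salted, deliberately slow hash (bcrypt, scrypt or Argon2), which turns the one-table-for-everyone lookup into a per-user brute force. For the executive, the counterpart is the unique-password rule in this paper’s checklist: a recovered password that opens nothing else is worth little.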
[3] SecureYourWorkplace.net. August 30, 2017. Massive 711 Million Emails and Passwords Dumped and You Are Probably on the List...I Was.
A Broken Circle of Trust

By analyzing hundreds of breaches and deconstructing how criminals stole identities, 4iQ determined that sophisticated cyber crooks monitor people close to the executive for clues about his or her vulnerabilities and possible attack vectors.

To counter this, 4iQ’s executive identity protection services also monitor the identities in a leader’s circle of trust, including spouses, children, close friends, assistants and others. In addition to more traditional methods, this protective bubble may be the best way available today to prevent a high value target from being breached.

For companies, though, no single tactic or set of tactics will thwart cyber criminals. It takes a fundamentally different way of looking at cyber crime: it is a business risk, and building safeguards and advanced monitoring into everyday operations is a necessity. Otherwise cyber crime becomes an inevitability.

Password Security Checklist
● Use a unique password for every site, or try using a password manager like 1Password or LastPass.
● Keep contact and recovery information updated.
● Turn on two-factor authentication. Be wary: adding your cell phone number can make an account less secure if someone knows or can access your phone number.
● If a service only supports two-factor authentication via text message, contact your phone company to put a password or PIN on your account that is not your social security number.
● Check the list of apps connected to each account and delete the ones you do not need.
[Figure] Protect the Full Attack Surface: protection covering all the pieces of information about the executive’s closer circle of trust.
Accidents Happen
Notwithstanding all of the attention lately on careful information security practices, hundreds of millions of files are exposed annually just by accident.
Perhaps the best (or worst) example of this occurred when a contractor for the Republican National Committee left detailed information on 200 million voters open, by mistake, to anyone who found the Amazon S3 bucket “dra-dw”. The 1.1 TB repository was not password protected and was open to download.
Personal Details of Nearly 200 Million US Citizens Exposed
Sensitive personal details relating to almost 200 million US citizens have been accidentally exposed by a marketing firm contracted by the Republican National Committee. The 1.1 terabytes of data includes birth dates, home addresses, telephone numbers and political views of nearly 62% of the entire US population. [4]
You can bet that voter data is in the hands of hackers. 2017 will also be remembered for the infamous Equifax breach, in which a web application flaw exposed over 143 million consumer records, including names, Social Security numbers, birth dates, addresses and other personal information. Alongside product security flaws and accidental exposures, there is outright gross negligence in how sensitive information is handled, at the cost of customers.
Veraz, a company in Argentina that manages Equifax consumer credit report disputes, left its online employee portal protected by nothing more than the username/password combination “admin/admin.” In addition, the employee credentials were easily guessable, giving access to customer credit disputes.
Ayuda! (Help!) Equifax Has My Data!
All one needed to do in order to view said password was to right-click on the employee’s profile page and select “view source,” a function that displays the raw HTML code which makes up the Web site. Buried in that HTML code was the employee’s password in plain text.
A review of those accounts shows all employee passwords were the same as each user’s username. Worse still, each employee’s username appears to be nothing more than their last name, or a combination of their first initial and last name. In other words, if you knew an Equifax Argentina employee’s last name, you also could work out their password for this credit dispute portal quite easily. [5]
To make matters worse, a listing of 715 pages worth of complaints and disputes resided on the main page of the Equifax.com.ar employee portal, along with each person’s DNI records (Argentinian equivalent of the Social Security number) in plain text, exposed in over 14,000 records.
[4] BBC News. June 19, 2017. Personal details of nearly 200 million US citizens exposed.
[5] Brian Krebs. September 17, 2017. Krebs on Security. Ayuda! (Help!) Equifax Has My Data!
Identity breaches and leaks carry significant brand cost and draw the largest penalties under regulations such as US state breach notification laws, the EU General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Anthem to pay record $115 million to settle U.S. lawsuits over data breach
Anthem Inc, the largest U.S. health insurance company, has agreed to settle litigation over hacking in 2015 that compromised about 79 million people’s personal information for $115 million, which lawyers said would be the largest settlement ever for a data breach. [6]
We see mistakes and oversights like these happen every day. When they do, the privacy, finances, property and, in many cases, the safety of millions can be jeopardized. One common thread in the voter-data and Equifax Argentina cases: carelessness by the contractors and partners entrusted with the data. Choose and monitor yours carefully.
Sent Packing
CEOs are learning that cyber risk goes well beyond their personal brand or bank account. It can impact their very livelihood. The list of CEOs and other senior executives who have been fired in part or entirely due to a cyber breach is long and growing. C-suite officials at Target, Home Depot and Sony were all sacked, for example. Ashley Madison’s CEO was also forced out, albeit after the site’s third leak. The harsh consequences stem from the fact that CEOs have a fiduciary responsibility to take every reasonable step to protect a company’s data, intellectual property, reputation, customer lists and other assets. Shareholders, regulators and consumers demand accountability.

“The FBI estimates that organizations victimized by CEO fraud attacks lose on average between $25,000 and $75,000. But some CEO fraud incidents over the past year have cost victim companies millions — if not tens of millions — of dollars.”
- Brian Krebs, cybersecurity expert
Under what is known as the Caremark Standard, board members may be held personally liable if they fail to ensure reasonable internal controls are in place and adequately oversee risk.
Government officials face the same consequences. Senior administration officials from Utah, Texas, Arizona and other states all lost their jobs as a result of cyber breaches.
[6] Brendan Pierson. June 23, 2017. Reuters. Anthem to pay record $115 million to settle U.S. lawsuits over data breach.
Spare Me
So how can a corporate leader, celebrity, sports star or other high profile person reduce the likelihood of having their identity compromised? How can they avoid inadvertently allowing the organization they lead to be hacked? It’s frightening but true: there are no guarantees. But there are steps you can take to reduce the likelihood of being a victim or unwitting accomplice to a cyber crime. For example: update software on all devices; install anti-virus and personal firewall software; use long, unique passwords, never reuse them across sensitive accounts, and change a password as soon as there is evidence it has been exposed (the NIST SP 800-63B guidance this paper recommends in its conclusion advises against forced periodic rotation, which pushes people toward predictable variations). Employers should train employees on how to avoid phishing scams and conduct random tests. The FBI recommends that businesses use two-factor authentication wherever possible and verify significant transactions with an old-fashioned phone call, placed to a number already on file rather than one supplied in the request itself. Updated software, good password hygiene, two-factor authentication: these are the usual best practices that we should all take advantage of.

81% of hacking-related breaches leveraged either stolen and/or weak passwords.
- 2017 Verizon Data Breach Investigations Report
However, to provide an additional layer of protection, 4iQ offers executive identity protection services which notify high risk targets immediately when their credentials or personal information appear on the dark web. This unique, outside-in approach helps you stay ahead of cyber criminals and safeguard your identity and information. 4iQ scours the surface, social, deep and dark web, detecting exposed credentials and stolen data. Subject matter experts and automated crawlers monitor, analyze, authenticate and attribute breached data from the Darknet and underground communities. Real-time alerts are generated when breached data is discovered. This gives executives the opportunity to change their username and password combinations, update accounts, freeze credit or contact the necessary firms in order to contain or prevent theft and mitigate the risk from the exposed information.
[Fig. 1] 4iQ curation and verification process: 20+ subject matter experts (SMEs) and automatic processing.
Conclusion
Faced with personal, professional and corporate risk, what is a CEO to do? The palace wall approach -- building defenses, such as firewalls, with the hope that nobody breaks in -- is no longer enough. If your credentials are not already exposed, it’s just a matter of time before they are.
1 Billion personal records and credentials were stored online last year, giving hackers plenty of targets to choose from. - 2017 Verizon Breach Report
Beyond the obviously sensitive accounts you need to monitor and safeguard (banking, insurance, healthcare, credit unions, shopping), a breach of your email account gives an attacker access to more than you are probably aware.
Email accounts are a single source of personal information that you can’t afford to let out. Cyber criminals can use life events learned by reading your email against you: having a baby, getting married or divorced, accepting a new job offer, opening a new credit card, filing your taxes, and so on. Not to mention, your email provides access, through password resets, to many of your accounts with even richer data about you.

[Fig. 2] Value of a Hacked Email Account. Graphic inspired by Brian Krebs, cyber security expert.
Today, companies and executives themselves need to be more proactive. This means actively monitoring the dark web, alerting executives as soon as their credentials have been stolen, and blocking network access for credentials that have been compromised in other breaches.
Make sure your organization follows the password guidelines outlined in National Institute of Standards and Technology (NIST) Special Publication 800-63B, including checking new and changed passwords against lists of passwords exposed in previous breaches and circulating on the deep and dark web.
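As an added illustration of what an SP 800-63B verifier looks like in practice (written for this edition; not 4iQ’s code and not a NIST reference implementation): the checks below enforce the publication’s length floor, reject any password found in a breach corpus using the prefix-only (k-anonymity) lookup pattern so the verifier never transmits a full hash, and reject context-specific, repetitive and sequential values, while deliberately imposing no composition rules and no expiry. The breach corpus here is a constructed five-entry list standing in for an organisation’s real feed of exposed passwords, and the `range_lookup` function stands in for the range service that would serve it.

```python
import hashlib
import re

MIN_LEN, MAX_LEN = 8, 64        # SP 800-63B: at least 8 characters; permit at least 64

def sha1_hex(s):
    return hashlib.sha1(s.encode("utf-8")).hexdigest().upper()

# Constructed breach corpus standing in for the organisation's feed of exposed passwords.
# It is indexed by the first five hex characters of the SHA-1 so a caller can ask
# "which suffixes share this prefix?" without revealing the full hash (k-anonymity).
_BREACHED = ["dadada", "123456", "password", "Summer2017", "qwerty123"]
_RANGE_INDEX = {}
for _pw in _BREACHED:
    _h = sha1_hex(_pw)
    _bucket = _RANGE_INDEX.setdefault(_h[:5], {})
    _bucket[_h[5:]] = _bucket.get(_h[5:], 0) + 1

def range_lookup(prefix):
    """Stand-in for a range service: everything the corpus holds under a 5-char prefix."""
    return _RANGE_INDEX.get(prefix.upper(), {})

def breached_count(password):
    """Hash locally, query only the prefix, match the suffix locally."""
    h = sha1_hex(password)
    return range_lookup(h[:5]).get(h[5:], 0)

def _has_sequence(s, run):
    """True if s contains `run` consecutive characters that step by exactly +1 or -1."""
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}):
            return True
    return False

def check_password(password, username="", context_words=()):
    """
    SP 800-63B section 5.1.1.2 as a verifier-side check. Returns None when the
    password is acceptable, otherwise the reason for rejection. Deliberately absent:
    composition rules (mix of character classes) and periodic expiry, both of which
    the publication advises against.
    """
    if len(password) < MIN_LEN:
        return "too short (minimum 8 characters)"
    if len(password) > MAX_LEN:
        return "too long (maximum 64 characters)"
    n = breached_count(password)
    if n:
        return f"found {n}x in breach corpus"
    low = password.lower()
    for w in (username, *context_words):
        if w and w.lower() in low:
            return f"contains context-specific word {w!r}"
    if re.search(r"(.)\1{3,}", password):
        return "repetitive characters"
    if _has_sequence(password, 4):
        return "sequential characters"
    return None

if __name__ == "__main__":
    for pw in ["dadada", "Summer2017", "abcd-horse-battery", "correct horse battery staple"]:
        verdict = check_password(pw, username="zuck", context_words=["4iQ"])
        print(f"{pw!r}: {verdict or 'OK'}")
```

Two points a practitioner should carry over into a real deployment: the corpus must be refreshed as new dumps appear (a password that was clean at enrolment can be exposed a month later, which is exactly the monitoring this paper argues for), and the check belongs on the server side, since anything enforced only in a browser is trivially bypassed.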
To learn more, go to www.4iq.com and connect with us: @4iQ, 4iqDelveDeep. Read our blog: medium.com/4iqDelveDeep

4iQ Headquarters: 289 S. San Antonio Road, Suite 110, Los Altos, CA 94022, USA
4iQ Madrid: C/Acanto 22, 13th floor, 28045 Madrid, Spain
Copyright © 2017 4iQ. All rights reserved. 4iQ and the 4iQ logo are registered trademarks of 4iQ. Other names may be trademarks of their respective owners.