The recent news concerning the hacking of Amazon CEO Jeff Bezos’ mobile phone demonstrates that corporate executives are perfectly legitimate collection targets for governments. Powerful individuals should expect to be targets of criminals, activists, and governments. Furthermore, anyone in failing relationships could be a target for a partner installing “stalkerware.” To address these emerging threats, adopt a Zero Trust mentality — don’t click links or open attachments until that foreign official proves they deserve your trust.
Given this recent news, here are some details to help organizations defend against intelligence services targeting corporate executives. Start by considering the following questions:
- What do I have (information, relationships, etc.) that would answer an intelligence service’s requirements?
  - Any senior executive’s mobile device would have contact information for other executives at the company, as well as other CEOs. Such data could be very useful for understanding connections that could be leveraged for attacks such as phishing or social engineering.
  - An executive’s immediate family members are not immune to this targeting by foreign governments. Because they are likely not as familiar with the threats, they may be easily tricked into compromising their devices en route to compromising the executive.
- What are the possible intent and objectives of the person/government/organization on the other end of the conversation?
  - Several governments use their intelligence services to steal Western trade secrets. As a corporate executive, understand what types of intellectual property have value to criminals and governments.
  - As corporations diversify their operations through mergers and acquisitions, they are likely expanding their threat landscape. Security and risk teams should consult senior executives during M&A considerations to advise the business on how a transaction may introduce more risk to the core business.

If it’s likely that you have information (or close relationships with those who do have that information) that is valuable to the other party, then be very cautious about opening any links or files sent from the other party.
How do you protect yourself from such threats?
- Your incident response team should already have a relationship with local FBI and law enforcement. Make your security operations center, digital forensics and incident response, and threat intelligence teams aware of new business with foreign governments, and seek their advice on managing the risks of those dealings.
- Use corporate phones and devices protected by the organization’s security stack.
- Use separate work and personal profiles on your mobile phone.
- If available, use the work-policy-protected browser for URL filtering.
- Extend email protections to mobile (URL rewrites, external email messaging, etc.).
- Be aware that trust is often violated.
Social engineering like this is about exploiting trust relationships; the greater the trust, the less abuse that’s needed to exploit it. https://t.co/QipU5UrUXD
— Jason Kichen (@jckichen) January 22, 2020
- Use the latest biometric authentication options for your chosen mobile devices (i.e., facial recognition or fingerprint readers). Don’t be like Kanye West and have the media expose your easily guessed PIN!
- Use multifactor authentication for corporate and personal accounts, and minimize reliance on static, easily guessable passwords.
- Be highly skeptical of any unexpected or unusual links or files from untrusted parties.
- With your incident response team, conduct regular tabletop exercises for compromised executive devices and accounts. As a personal breach will be very emotional for those involved, it is important to have procedures in place and rehearsed to avoid spoliation of evidence that can be used to prosecute the perpetrators.
- Have a forensics expert on retainer who can quickly assess if a device has been compromised and preserve evidence.
For many, our personal and work lives become increasingly blurred as we gain responsibilities and power in our careers. That blurriness often plays out on our personal communications devices. For those concerned with emerging threats, maintaining dialogue with corporate security and risk professionals will help reduce risks and keep your families safe.