IT security vendor NTT Security has announced an expansion of its phishing attack simulation service. It will add new social engineering techniques and target senior executives. The goal is to see how likely it is that senior execs will fall for a phishing attack.
This is part of what NTT Security calls its ‘Management Hack’ service. It is aimed specifically at senior execs because they are prized targets for attackers. Because of their roles, their credentials allow attackers to launch a variety of serious attacks, ranging from theft of data to impersonation. The latter is often used in what is called CEO Fraud or Business Email Compromise (BEC) attacks.
The effectiveness of such attacks is explained by Kai Grunwitz, Senior VP EMEA, NTT Security: “In many cases, we were able to access critical data, such as confidential business plans, mergers & acquisitions documents, domain controllers, usernames and passwords, in just 10 minutes.”
One of the main problems is that board members often believe they are exempt from the rules that apply to other staff. When a senior exec causes a cyber security incident, they are rarely disciplined in the same way as other staff. This makes them easier prey for attackers, as the lack of consequences means they are more likely to make mistakes. It also sends the wrong message to staff.
What does the NTT Security Management Hack service include?
There are five steps that NTT takes when working with a customer. They are:
- Building a phishing website that simulates a customer or a website known to the customer
- Designing a phishing e-mail that leads to the phishing website
- Sending the phishing emails to the client’s senior management
- Intercepting login information or other sensitive information
- Producing a detailed report with statistics on the current security situation and measures to improve a company’s security posture.
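The final step turns the raw outcome of the simulation into statistics the board can act on. The following Python script is an added example of that reporting step; it is not NTT Security's code, and the campaign results it processes are a constructed sample with made-up addresses under a hypothetical `example.test` domain. It assumes a per-recipient record of whether the simulated e-mail was clicked, whether credentials were entered on the simulated page, and whether the recipient reported the e-mail to the security team, and produces per-role click, credential-entry and reporting rates plus the list of recipients who entered credentials without reporting, who need follow-up first.

```python
import csv
import io
from statistics import median

# Constructed sample results for a hypothetical simulation campaign (not real data).
# One row per recipient: did they click, did they enter credentials on the
# simulated page, did they report the e-mail, and how quickly (seconds, empty if never).
SAMPLE_RESULTS = """\
recipient,role,clicked,submitted_credentials,reported,seconds_to_report
ceo@example.test,executive,1,1,0,
cfo@example.test,executive,1,0,1,900
coo@example.test,executive,0,0,1,120
cto@example.test,executive,1,1,0,
analyst1@example.test,staff,0,0,1,300
analyst2@example.test,staff,1,0,0,
analyst3@example.test,staff,0,0,0,
analyst4@example.test,staff,0,0,1,60
"""


def parse_results(text):
    """Parse the CSV export into typed records (booleans and an optional int)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "recipient": row["recipient"],
            "role": row["role"],
            "clicked": row["clicked"] == "1",
            "submitted": row["submitted_credentials"] == "1",
            "reported": row["reported"] == "1",
            "seconds_to_report": int(row["seconds_to_report"]) if row["seconds_to_report"] else None,
        })
    return rows


def summarise(rows):
    """Per-role metrics. Rates are fractions of the recipients in that role."""
    by_role = {}
    for r in rows:
        by_role.setdefault(r["role"], []).append(r)

    report = {}
    for role, group in by_role.items():
        n = len(group)
        # Time-to-report only makes sense for people who actually reported.
        times = [r["seconds_to_report"] for r in group
                 if r["reported"] and r["seconds_to_report"] is not None]
        report[role] = {
            "recipients": n,
            "click_rate": sum(r["clicked"] for r in group) / n,
            "credential_rate": sum(r["submitted"] for r in group) / n,
            "report_rate": sum(r["reported"] for r in group) / n,
            "median_seconds_to_report": median(times) if times else None,
            # Entered credentials and never reported: highest-priority follow-up,
            # because in a real attack these accounts would be silently compromised.
            "compromised_unreported": sorted(
                r["recipient"] for r in group if r["submitted"] and not r["reported"]),
        }
    return report


def format_report(report):
    """Render the summary as plain text lines for the written report."""
    lines = []
    for role in sorted(report):
        m = report[role]
        ttr = "n/a" if m["median_seconds_to_report"] is None else f'{m["median_seconds_to_report"]:.0f}s'
        lines.append(f'{role:10} n={m["recipients"]:2} click={m["click_rate"]:.0%} '
                     f'creds={m["credential_rate"]:.0%} reported={m["report_rate"]:.0%} '
                     f'median-time-to-report={ttr}')
        for who in m["compromised_unreported"]:
            lines.append(f"  follow up: {who} entered credentials and did not report")
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(summarise(parse_results(SAMPLE_RESULTS)))))
```

Comparing the executive row against the staff row is the point of the report: a higher credential-entry rate combined with a lower reporting rate at the top of the organisation is exactly the maturity gap the service is meant to surface, and the follow-up list tells the security team whose credentials to reset and whom to brief first.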
While the process is agreed with the Chief Information Security Officer (CISO) of the organisation, other senior execs are not told when it will happen. This is to make sure that any such test is as realistic as possible.
In a briefing last month in Sweden, Fredrik Olsson, Regional Director Nordic, NTT Security, told media that executives were often taken aback by being caught out. It is not uncommon, apparently, for them to complain that the attacks were too realistic and too difficult to spot. Such responses do little to engender confidence in those running organisations.
Grunwitz said: “Our initial projects have shown that there is a need for action on the part of the company involved. It seems the degree of maturity in terms of cybersecurity at the senior management level is still relatively low.”
What does this mean?
It doesn’t matter what your role is in an organisation, you are always going to be subjected to some form of cyber attack. This ranges from simple spam through to complex, hard-to-spot BEC attacks. The latter often exploit security gaps inside companies by using the stolen credentials of executives: the attacker then emails the accounts team to have money transferred to fictitious suppliers.
Other attacks are used to access sensitive data such as intellectual property and business plans. The experience of the NTT Security team is evidence of how lax security is at the upper echelons of organisations. As Grunwitz pointed out, it often takes just 10 minutes to gain access to this type of data.
By exposing senior execs to this type of training, it is hoped that they will have a better understanding of the threats. This will enable them to participate in planning to improve security across the organisation.
For IT security teams, however, watching senior execs flounder around and fall prey to phishing and other attacks will no doubt be seen as a form of karma.