Digital devices and home networks of business leaders, board members and valuable employees with access to financial, confidential and proprietary information are ripe targets for malicious actors, according to a study released Tuesday by a cybersecurity services company.
The connected home is a prime target for cybercriminals, but few executives or security teams realize the prominence of this emerging threat, the study noted based on an analysis of data from more than 1,000 C-suite, board members and senior executives from more than 55 US -based Fortune 1000 companies leveraging the executive protection platform of: Black Cloak†
“BlackCloak’s study is exceptional,” said Darren Guccione, CEO of Keeper Securitya password management and online storage company.
“It helps alleviate the ubiquitous problems and vulnerabilities caused by millions of companies migrating to distributed, remote work while simultaneously transacting with corporate websites, applications and systems from unsecured home networks,” he told TechNews All.
The BlackCloak researchers found that nearly a quarter of executives (23%) have open ports on their home network, which is highly unusual.
BlackCloak CISO Daniel Floyd attributed some of those open ports to third-party installers. “They’re an audiovisual or IT company that because they don’t want to send a truck if something breaks, they will set up port forwarding on the firewall,” he told TechNews All.
“It allows them to connect to the network remotely to troubleshoot issues,” he continued. “Unfortunately, they are set incorrectly with default credentials or vulnerabilities that haven’t been patched in four or five years.”
Visible Security Cameras
An open gate is like an open door, explains Taylor Ellis, a customer threat analyst with: Horizon3 AI, an automated penetration test as a service company in San Francisco. “You wouldn’t leave your door open 24/7 these days, and it’s the same way with an open port on a home network,” he told TechNews All.
“For a business executive,” he continued, “the threat of intrusion is increased when you have an open port to access sensitive data.”
“A port acts as a communication gateway for a specific service hosted on a network,” he said. “An attacker could easily open a backdoor to one of these services and manipulate it to fulfill their bids.”
Of the open ports on corporate brass home networks, the report noted, 20% were connected to open security cameras, which can also pose a risk to a director or board member.
“Security cameras have often been used by threat actors to install and distribute malware, but perhaps more importantly to monitor patterns and habits — and if the resolution is good enough, to see how passwords and other credentials are entered,” said Bud Broomhead. , CEO of viakooa developer of cyber and physical security software solutions based in Mountain View, California.
“Many IP cameras have default passwords and outdated firmware, making them ideal targets to be breached and breached once, making it easier for threat actors to move laterally within the home network,” he told TechNews All.
The BlackCloak researchers also found that business buyers’ personal devices were just as, if not more, insecure than their home networks. More than a quarter of executives (27%) had malware on their devices and more than three quarters of their devices (76%) were leaking data.
One-way data breaches from smartphones are through applications. “Many apps will ask for sensitive permissions that they don’t need,” Floyd explains. “People open the app for the first time and just click through the settings, without realizing that they are giving the app access to their location data. Then the app sells that location data to a third party.”
“It’s not just executives and their personal devices, it’s everyone’s personal devices,” added Chris Hills, chief security strategist BeyondTrustmaker of privileged account management and vulnerability management solutions in Carlsbad, California.
“The amount of data, PII, even PHI, that the regular smartphone contains today is mind-boggling,” he told TechNews All. “We don’t realize how vulnerable we can be if we don’t think about security regarding our smartphones.”
Security of personal devices does not seem to be the top priority for many executives. The survey found that nearly nine out of ten of them (87%) have no security installed on their devices.
Mobile OS security inadequate
“Many devices come without security software installed, and even if they do, this may not be enough,” noted Broomhead. “For example, Samsung Android devices come with Knox security, which has previously found vulnerabilities.”
“The device manufacturer may try to make trade-offs between security and usability that benefit usability,” he added.
Hills claimed that most people are content to think that their smartphone’s underlying operating system has the necessary security measures in place to keep the bad guys out.
“For the common person, it’s probably enough,” he said. “For the businessman who has more to lose given his role in a business or corporation, the security blanket of the underlying operating system just isn’t enough.”
“Unfortunately, in most cases,” he continued, “there is so much that we as individuals try to protect, sometimes some of the most common are overlooked, such as our smartphones.”
Privacy protection is missing
Another finding from the BlackCloak researchers was that most executive personal accounts, such as email, e-commerce and applications, lack basic privacy protections.
In addition, they found that executive security credentials, such as bank and social media passwords, are readily available on the dark web, making them susceptible to social engineering attacks, identity theft, and fraud.
Nearly nine out of 10 executives (87%) have currently leaked passwords to the dark web, the researchers noted, and more than half (53%) don’t use a secure password manager. Meanwhile, only 8% have activated multi-factor authentication for most applications and devices.
“While measures like multi-factor authentication aren’t perfect, these basic best practices are essential, especially for the executive/C-suite who often forego the requirement for convenience,” Melissa Bischoping, an endpoint security research specialist at Taniumcreator of an endpoint management and security platform in Kirkland, Wash. told TechNews All.
“Attacking personal digital lives may be a new risk for companies to consider,” the researchers wrote, “but it is one that requires immediate attention. Opponents have found that executives at home are the path of least resistance, and they will compromise this attack vector as long as it is safe, seamless and lucrative for them to do so.