I’ll be honest with you. LinkedIn scares me.
For any criminal interested in targeting senior staff in an organisation, it’s a goldmine of information.
With just a few clicks they can find out who has what job, who they are connected with, and often their contact information. Even if their contact information isn’t visible, it’s often just a simple case of firstname.lastname@example.org.
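As an added illustration of how little an attacker needs once the naming convention is known (this is example code written for this article, not something from the talk), the script below takes a constructed, fictional set of LinkedIn-style search results, keeps only profiles at the target company whose title looks like a personal assistant role, and turns each name into a candidate address under the assumed firstname.lastname@example.org convention. The names, titles, company and domain are all made up; the same logic is what a company's own security team can run against its public staff listings to see what an outsider would be able to guess.

```python
import re
import unicodedata

# Constructed sample of search results in the shape LinkedIn returns
# (name, headline, company). These are fictional people, not real profiles.
PROFILES = [
    {"name": "Émilie Dupont-Smith", "title": "PA to CEO", "company": "Example Ltd"},
    {"name": "Liam O'Brien", "title": "Executive Assistant to the CEO", "company": "Example Ltd"},
    {"name": "Priya Nair", "title": "Head of Marketing", "company": "Example Ltd"},
    {"name": "Tom Baker", "title": "Personal Assistant", "company": "Other Corp"},
]

# Headline words that indicate an assistant role; case-insensitive, whole words only.
PA_TITLE = re.compile(r"\b(pa|personal assistant|executive assistant|ea)\b", re.I)

# Common corporate address conventions. Which one an organisation uses is
# usually discoverable from a single public address (press contact, sales).
PATTERNS = {
    "first.last": "{first}.{last}",
    "flast": "{first[0]}{last}",
    "first_last": "{first}_{last}",
    "first": "{first}",
}


def normalise(part):
    """Strip accents and punctuation and lower-case a name part.

    'Émilie' -> 'emilie', "O'Brien" -> 'obrien', 'Dupont-Smith' -> 'dupontsmith'
    This mirrors what mail systems typically do when deriving a local part.
    """
    ascii_part = unicodedata.normalize("NFKD", part).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_part.lower())


def split_name(full_name):
    """Return (first, last) with the first and final whitespace-separated tokens."""
    tokens = full_name.split()
    return normalise(tokens[0]), normalise(tokens[-1])


def candidate_address(profile, domain, pattern="first.last"):
    """Build the address a given convention would produce for this profile."""
    first, last = split_name(profile["name"])
    return PATTERNS[pattern].format(first=first, last=last) + "@" + domain


def find_pa_targets(profiles, company, domain, pattern="first.last"):
    """Filter to assistant roles at `company` and attach a guessed address to each."""
    targets = []
    for profile in profiles:
        if profile["company"] != company:
            continue
        if not PA_TITLE.search(profile["title"]):
            continue
        targets.append(
            (profile["name"], profile["title"], candidate_address(profile, domain, pattern))
        )
    return targets


if __name__ == "__main__":
    # Assumed domain; example.org is a reserved documentation domain.
    for name, title, address in find_pa_targets(PROFILES, "Example Ltd", "example.org"):
        print(f"{name:22} {title:32} {address}")
```

Run as a self-assessment, the useful output is not the list itself but the realisation that every address on it is derivable from public data, so mail filtering and awareness training for those roles cannot rely on the addresses being unknown.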
With that kind of information it’s not too hard to rustle up a convincing-looking phishing email or send over a poisoned PDF attachment that drops malware onto the recipient’s PC.
But hopefully your CEO and other senior members of staff have received security awareness training. Fingers crossed, they’ve been warned of the risks and the danger of targeted attacks, and are on the lookout for unexpected messages they might receive and the risks of the internet.
So far, so good.
But there’s someone on your company’s payroll who has access to your CEO’s email, may know the boss’s credit card number, their passwords… someone who organises the CEO’s travel arrangements on his or her behalf, remembers the wedding anniversary and arranges the flower delivery to their home.
Someone who sees the minutes of the board meetings, and knows probably as much as it’s possible to know about what the CEO is thinking and what the business is up to, without being the CEO themselves.
And that person is the PA to the CEO.
Yesterday, at the annual Project Honeynet workshop in Stavanger, Norway, security expert Per Thorsheim gave a presentation where he discussed the dangers posed by the CEO’s personal assistant.
Thorsheim described how he went onto LinkedIn and searched for “PA to CEO”. In London alone there were over 800 results.
So, what are the risks?
Well, one danger is that your company may not have been as diligent in training the PA about information security risks as it has been with others in the organisation.
And, because the PA may have access to senior staff’s calendars, email and sensitive documents they could be viewed as a soft target for a determined hacker.
Last year’s hack against Sony Pictures revealed the sloppy security practices at the upper tiers of the company, with the CEO sharing a terrifying amount of personal and sensitive information with his personal assistant:
The emails show CEO Michael Lynton routinely received copies of his passwords in unsecure emails for his and his family’s mail, banking, travel and shopping accounts, from his executive assistant, David Diamond. Other emails included photocopies of U.S. passports and driver’s licenses and attachments with banking statements. The stolen files made clear that Diamond was deeply trusted to remember passwords for Lynton and his family and provide them whenever needed.
“I still need the password to your Amazon account,” Diamond wrote to Lynton in August.
Another risk is perhaps highlighted by the skewed demographic found in the LinkedIn profiles of personal assistants.
Of the first 100 results displayed, there was only one man to 99 women. You’ll no doubt be shocked to hear that the typically male CEO tends to hire attractive young women in their twenties and thirties to be their personal assistant.
If an organised criminal gang wants to scoop up sensitive information from a particular company, do you imagine that some of them won’t consider flirting with the CEO’s PA? Maybe finding them online and then seeking them out in real life for romance, or maybe conducting an internet love affair?
Of course, this is far from a problem that only impacts female victims. When it comes to making poor decisions, men are just as capable as women. But with the majority of attackers believed to be male, and the propensity for females to hold the targeted position of personal assistant, there may be more opportunities for a “real-life” fake romance to be instigated.
We’re all human and we all want love, and it’s all too easy to imagine how hurriedly someone who thought they were falling in love with “Mr/Miss Perfect” would click on a dangerous link or open a malicious ecard.
Thorsheim raised another sinister danger. During the troubles in Northern Ireland, the IRA engaged in what became known as “tiger kidnapping” where an innocent person would be abducted.
However, rather than demanding a ransom be paid the kidnappers would coerce a family member or loved one of the abductee to commit a crime (such as robbery or planting a bomb) to ensure their safe return.
Just imagine, explained Thorsheim, how a poorly-paid personal assistant might be persuaded by organised criminals into infecting a laptop with a USB stick carrying malware, handing over a social media password, or opening a dangerous email attachment.
So, what can we learn from all this?
According to Thorsheim, it’s time to think outside the box and look further than your own responsibilities if you want to see the bigger picture.
Chances are that your organisation has information or resources which have a commercial value to today’s cybercriminal. Sites like LinkedIn provide a valuable stepping stone in helping criminals determine who to target inside your organisation, and how to reach them.
If you leave users uneducated about the risks and the dangers to look out for, if you continue to act sloppily with your sensitive data and passwords, you’re playing a very dangerous game.
For more information, watch this video from the Project Honeynet workshop, which contains Per Thorsheim’s talk (he starts discussing the personal assistant risk at about 3 hours 31 minutes into the video).