The management level - an IT security risk?
Targeted social engineering techniques can be used to check the extent to which executives pose a security risk.
Technical IT security systems are only as strong as their weakest link - this not only involves new technologies and software solutions, but also the "human risk factor". Minimizing this potential vulnerability by training security awareness and establishing supporting technical solutions must always be an important component of a preventive security strategy.
Checking the entire C-level
NTT Security determines the specific status of the "human vulnerability" for a company's IT security in the new "Management hack". The focus is on the management level of a company, i.e. the entire C-level such as the CEO, CFO or CIO. The security provider writes that the management level is an attractive target for any hacker, as this group of people usually enjoys unrestricted access to confidential company data. It is not uncommon for managers to benefit from special privileges: security policies and standards are suspended or relaxed in order to simplify login, for example - with fatal consequences.
After appropriate coordination with the client, simulated, personalized social engineering attacks are carried out, of which the targeted individuals ideally know nothing. According to NTT, this is used to analyze how responsibly the management level behaves in terms of security awareness and IT security. Concrete weak points are then identified and countermeasures recommended.
First experiences with "Management Hack"
The company, which specializes in IT security, has conducted several "management hack" projects in Scandinavia. "The results surprised even us. In many cases, we gained access to company-critical data in just ten minutes, such as business plans, M&A planning, enterprise resource planning systems, domain controllers, user names or passwords. Administrative credentials were also often found," explains NTT Security's Kai Grunwitz. "The associated dangers for a company are obvious. For example, an attacker with administrative rights can move freely in the network and often access critical information unnoticed for a long time."
The new service is aimed at increasing security awareness at board and management level - but ultimately also at establishing a new security strategy and culture throughout the company. "Our initial projects have shown that there is definitely a need for action on the corporate side," says Grunwitz. "The level of maturity with regard to cyber security is still rather low at management level, to put it mildly."