Digital Threats to High Value Targets Pose Physical Security Risks
In today’s era of tabloid frenzy, it’s rare for a celebrity event to be shocking. But that was the case when news outlets reported in October 2016 that a group of thieves broke into Kim Kardashian West’s hotel room in Paris, bound and gagged her, and stole millions of dollars’ worth of jewelry from her.
Kardashian West was able to release herself after the thieves fled the Hôtel de Pourtalès on bicycles. She located her stylist, Simone Harouche, who was also staying in the hotel, and contacted the authorities, who rushed to the scene.
Months later in January 2017, police arrested 10 individuals allegedly involved in the robbery—including mastermind Aomar Ait Khedache. In an interview with Le Monde, Khedache explained that the group of thieves targeted Kardashian West after she posted photos on social media of her jewelry collection and updates about her trip to Paris for fashion week.
“The jewels were shown on the Internet, and [she said] that she didn’t wear fakes…the time she would arrive in France, you just had to look at the Internet and you knew everything, absolutely everything,” Khedache said.
Using this information, along with data from social media accounts associated with Kardashian West’s family and friends traveling with her, the thieves were able to determine the opportune time to strike: when she was at the hotel alone after telling her bodyguard to accompany her sisters to a club for the evening.
Kardashian West later confirmed in an appearance on the Ellen DeGeneres Show that the thieves followed her online activity for almost two years before robbing her in Paris. The incident caused her to change her approach to security.
“I never thought I needed security standing outside my door,” she said. “Even though I had a lot of jewelry, and if you think about it I should’ve had a security guard outside my door 24/7 when I’m traveling, and I didn’t. Now I have several, just for me to be able to sleep at night.”
The robbery triggered a brief hiatus from social media for Kardashian West, as well as changes to how she uses it, including waiting to post about where she is until after she has left that location.
“If I want to video something, I’ll save it and post it when I leave,” she said in an interview with Alec Baldwin on his talk show after the robbery and her return to social media.
While Kardashian West’s robbery was unique, the threat of compromising someone’s digital security to create a physical threat to an individual or an organization is not. In fact, this very vulnerability is on the rise, says Nate Lesser, CEO and founder of cybersecurity firm Cypient Black.
“Attackers take the same kind of cost-benefit approach that we all do to the way they spend their time,” he explains. “One thing we know universally about hackers is that they’re very good at shifting, so they will shift from an enterprise approach to a targeted, personal attack on the executive of that enterprise. And that happens pretty regularly…it becomes a lot easier and a much softer target, and they can have the same kind of impact.”
In The Entangled Enterprise, a recent report on protecting executives from cyberattacks, Cypient Black found that traditional enterprise attacks against corporate devices, networks, and information are rising, as are attacks against the extended enterprise (third-party providers, such as cloud providers and vendors). A third attack area is also increasing but is often not addressed by corporate budgets: entangled enterprise risk.
“Entangled enterprise risk is the risk borne by an enterprise from targeted attacks against the personal digital lives of the enterprise’s executives and other high value targets (HVTs),” according to the report. “These HVTs often include senior executives, board members, executive assistants, and their family members. Such attacks target aspects of personal cybersecurity that are entangled with the assets of operations of the corporate enterprise.”
Based on its analysis, Cypient Black identified two types of attacks that malicious actors use to target HVTs: pivot attacks and endgame attacks.
Pivot attacks leverage vulnerabilities in devices and networks that HVTs use that are not under the control of their respective organization, such as a personal smartphone or laptop, to get access to the enterprise.
“They take advantage of the fact that senior leaders have access to a wide range of sensitive corporate information, are constantly on the move, and inevitably have personal devices which connect to corporate networks,” according to the report.
Pivot attacks also use access to HVTs’ personal devices for reconnaissance and intelligence gathering. The information gathered through these attacks is then used to conduct social engineering or business email compromise campaigns (see “The Cost of a Connection,” Security Management, February 2019).
For instance, Lesser says it’s a common belief in the cybersecurity community that most individuals reuse usernames and passwords from their personal accounts to log in to corporate accounts.
“If you use the same password to get into your enterprise system that you use to order shoes online, when the website that you buy shoes from is compromised and that password is out there in the wild, it’s easy to correlate the username and password because it’s usually your email address and your password,” he explains. “Then the attackers who have access to that can try the company you work for and say, ‘Does this password work at that company?’”
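A defensive counter to the reuse scenario Lesser describes, shown as an added example that is not from the article or the Cypient Black report: an identity service screens the password presented at login or password change against breach data, with a stronger signal when the breached record belongs to the same executive's personal address. The watchlist of personal addresses (assumed to be registered voluntarily by the HVT), the key, the account names, and the dump contents are all constructed for illustration.

```python
import hashlib
import hmac

# Assumption: a secret held only by the identity service (constructed value).
INDEX_KEY = b"constructed-demo-key"

# Constructed sample: records from a hypothetical breached shopping site.
BREACH_DUMP = [
    ("Jane.Doe@Personal.example", "Sho3s4Ever!"),
    ("sam@personal.example", "hunter2"),
]

# Hypothetical opt-in mapping: HVT personal address -> corporate account.
HVT_WATCHLIST = {"jane.doe@personal.example": "jdoe@corp.example"}


def fingerprint(password: str) -> bytes:
    """Keyed digest, so the index never stores plaintext or bare hashes."""
    return hmac.new(INDEX_KEY, password.encode("utf-8"), hashlib.sha256).digest()


def build_index(dump, watchlist):
    """Return (per_account, corpus).

    per_account: corporate account -> fingerprints of passwords breached
                 under that person's own personal address.
    corpus:      fingerprints of every password seen in the dump.
    """
    per_account, corpus = {}, set()
    for email, password in dump:
        fp = fingerprint(password)
        corpus.add(fp)
        corp = watchlist.get(email.strip().lower())  # dumps vary in case
        if corp:
            per_account.setdefault(corp, set()).add(fp)
    return per_account, corpus


def screen(corp_account, password, per_account, corpus):
    """Classify a password presented for a corporate account."""
    fp = fingerprint(password)
    owned = per_account.get(corp_account, ())
    if any(hmac.compare_digest(fp, known) for known in owned):
        return "reused-by-owner"    # force reset and alert security staff
    if fp in corpus:
        return "in-breach-corpus"   # reject as a known-breached password
    return "clear"
```

A "reused-by-owner" result is the exact correlation the quote describes, caught on the corporate side before someone else tries it.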
Endgame attacks, on the other hand, leverage access to HVTs’ personal digital lives to get corporate data or harm the HVT as a method of hurting the organization he or she is associated with.
One example of this in action was when an auto manufacturer was in the middle of a labor dispute. The CEO’s daughter went out to lunch at a restaurant and protestors showed up outside, even though she had not disclosed her location online. An analysis of her smartphone later found malicious tracking software on it.
“That’s a targeted hack of a personal device that’s two steps removed from the enterprise, but the impact was felt by the enterprise,” Lesser says. “Obviously, she got scared. Her father got scared, and it completely derailed these negotiations that they were in the middle of; we’re talking a multi-million-dollar impact on the company because of an attack on the CEO’s daughter’s device.”
While this tactic successfully instilled fear and distracted from the business at hand, a similar attack could enable blackmailing or kidnapping of an HVT.
The vectors used for these attacks are often overlooked by organizations because of privacy concerns or an inability to meet the demand, Lesser says.
“Most large companies are doing a good job of protecting their own assets, their IT infrastructure, and the devices they give to executives and employees across the board,” he adds. “What they don’t do at all because of privacy concerns is provide protection for the personal cybersecurity of executives and their family members.”
However, that may be changing as chief security officers become more aware of how digital threats to HVTs can impact organizational security, and how executive protection professionals (EPPs) can address them by adding to their skill sets or partnering with other organizations to provide them.
While EPPs should not be expected to be cyber experts, they should be aware of trends and possible attack vectors that their protectees could be exposed to while traveling or conducting business.
“It’s the simple day-to-day, human-centric vulnerabilities that are where the executive protection professional can really be differentiated around simple things like payment at point-of-sale systems and cyber practices with digital services,” says Wesley Bull, CEO of Sentinel Resource Group LLC, which provides consulting services to EPP firms—and the organizations that hire them—on these threats.
To start, EPPs should conduct a risk assessment of their protectee and the threats, risks, and vulnerabilities he or she comes into contact with in the digital world that could impact his or her physical security. The assessment should also consider the principal’s digital exposure when she or he is at home.
Many of Sentinel’s clients are based in Silicon Valley and have a much higher dependence on digital assistants and automation than individuals in other parts of the United States or Europe.
“If you’re coming in as an EPP, just how you think about how to protect the residential environment is a very complicated process because of the level of technical integration that your principal might be accustomed to,” Bull adds. “An EPP operating in that environment needs to have a different awareness level about the threats, risks, and vulnerabilities, given the interconnectivity of the home.”
For example, a protectee might have a digital assistant, such as an Amazon Alexa or Google Home device, that if compromised could be used to listen in on private conversations in the home. Those conversations, in turn, could be used to blackmail the protectee to provide compensation or take a business action that could be detrimental to the company in order to prevent the compromising information from becoming public.
Based on the information obtained through the risk assessment, EPPs can begin to determine what protections and defenses should be put in place to mitigate those risks.
For instance, Bull recommends starting with discussing general cybersecurity habits for protectees—such as creating strong passwords for personal accounts, pros and cons of using a digital wallet for transactions, access control on personal devices, and using virtual private networks instead of public Wi-Fi.
“This gets further complicated if the protectee is an international traveler,” Bull says. “Are they going to countries like China that are nonpermissive in their environments for cyber, meaning a number of foreign countries where executives are doing a lot of business and the government owns the telecommunications systems? If so, using any form of Wi-Fi, even in a network environment, could be exposing their phone or digital assets to intrusion.”
Another critical area to cover with protectees is social media and how the information the protectee—and individuals associated with him or her—shares can have security ramifications.
“Oftentimes the executive herself or himself has been briefed and they often have a heightened sense of awareness around their personal security, so they can be more adept at thinking through what they’re putting on social media and when they’re putting things on social media. The soft underbelly of compromise can actually come from family members,” Bull explains.
To mitigate this risk, Bull says EPPs should discuss best practices for posting with protectees and their friends or families. These could include waiting to post information about their location until after they have left the venue, as Kardashian West now does, and utilizing privacy settings to limit access to their accounts.
Finally, it’s crucial that cybersecurity and IT staff have a way to communicate with the EPP who is physically with a protectee about a potential digital compromise. Having this communication channel in place allows the EPP to immediately address a threat, such as a malicious tracking app on a protectee’s personal smartphone.
Sometimes the “lack of synergy and integration” between various security verticals “can be the failure point in protection responsibility and coordination around a particular individual,” Bull says.