A new report details major vulnerabilities among the executive suite at some of the largest pharmaceutical companies.
Data leaks and ransomware scenarios have become routine. This criminal industry is only expected to increase in scale and sophistication as the seized information and cyber-hostage scenarios can fetch a king’s ransom for those involved. And the more valuable the loot, the higher the bounty.
As illustrated by the massive Merck data breach, these attacks can set back companies hundreds of millions of dollars and result in the loss of invaluable assets such as proprietary information and years' worth of pharmaceutical research.
A new report from cybersecurity firm BlackCloak details widespread vulnerabilities among the executive suite at some of the largest pharmaceutical companies on planet Earth. This includes login credentials that are readily available on the Dark Web, served up on a platter at this very moment. TechRepublic spoke with BlackCloak CEO and Founder Chris Pierson about the report titled “The Path of Least Resistance ‒ Pharmaceutical Executive Credentials Line the Dark Web as Criminals Look to Exploit Crisis.”
Pierson started his first law firm practice group, Cyber Security and Cyber Liability, in 2002. As he noted in our interview, this was well before the law regarding data breaches went into effect in the summer of 2003. Since then, Pierson has focused on cybersecurity preparedness in a host of settings ranging from the CPO of the world’s third-largest bank to CISO positions in the financial technology sector. Pierson notes his experience shoring up network security while pinpointing the inherent risks in the overall framework.
Needless to say, the premise of Murphy’s Law is central to cybersecurity preparedness and prevention.
“We could control what was within our own four walls. We could control the corporate devices when they were on a VPN outside of the corporate environment. We could control the different accounts that we had and held in terms of owned. But we were unable to control our executives in terms of their personal lives. We couldn’t secure them,” Pierson said.
Massive holes in network security
On the network security side, it’s possible to build a state-of-the-art cybersecurity apparatus; however, only so much can be done at the company level to mitigate risk associated with employees’ personal digital habits and their home networks.
“Every single night, they bring their laptops back home, their tablet back home, their work back home, and the family is there, the nephews, nieces are over for Thanksgiving, the neighborhood kids are running around on the Wi-Fi. You’re unable to take care of those risks that are in the personal lives of the executives,” Pierson said.
Exploiting crisis: The coronavirus pandemic and new opportunities for cybercriminals
BlackCloak provides remote cybersecurity safeguards and other services and, as one would imagine, the market for this type of protection is booming at the moment. Due to the coronavirus, millions of employees and entire companies have shifted from the traditional office to the digital workplace in a matter of weeks. As a result, these network vulnerabilities have been highlighted, and many IT teams are scrambling to patch together a secure telecommuting strategy as well as the necessary technical infrastructure.
“Coronavirus has really shone a light on the fact that from a cybersecurity perspective, the community is not yet well-equipped to protect executives at home, their families at home, and there are going to be new attack surfaces for the company.”
Now that the stage is set for cybercriminal activity, what’s the easiest way to access a corporation’s most valuable assets? Fun fact: It probably isn’t through the company’s digital front door buttressed with tens of millions of dollars in cybersecurity and dedicated multiperson teams monitoring movement around the clock.
“If you want to actually target the corporation, the path of least resistance in the soft underbelly is really going to be the executives. It’s going to be the executives’ homes. It’s going to be the executives’ personal accounts, because what they are doing in their personal lives translates directly into the company,” said Pierson.
Key findings: Weak passwords abound
The report paints a rather stark picture detailing surprisingly lax, if not all-out negligent, login credentials among corporate executives at the largest pharmaceutical companies. Within the last five to 10 years, at least one breach had exposed the emails of nearly 70% of pharma executives. Of the exposed executive emails, more than half (57%) had cracked passwords readily available on the Dark Web and Deep Web.
One of the most alarming data points relates to the sheer simplicity of these cracked passwords. Of the crop of passwords viewable on the Dark Web, 3% included the company name as the entire password or at least a portion of the password.
“People are people. They use the same passwords for their personal life as they do in their corporate world,” Pierson said.
From crude dictionary attacks to more advanced programs, there are many sophisticated platforms criminals can deploy to crack a password. However, sometimes a little digital gumshoe work on social media will do the trick.
“I noticed the ones that were probably daughters’ names, and we saw those used on a multitude of accounts, once again, if you then were to go to the Facebook page or the bio page, maybe Suzie isn’t the password, but now Jennifer is the new baby. Maybe try that one. Or a mashup between the two,” Pierson said. “Sometimes you know the password. Sometimes you can guess the other types of passwords that you would create. Sometimes you can just do it automatically. And sometimes once you know the methodology, you’re kind of in.”
The report also highlights executive mobility at the top of this industry, with individuals migrating from one company to another along this top tier. The old passwords from the previous company sometimes tag along. Some executives have been using the same passwords for years. At times, these passwords were even identical or similar over a 15-year period.
It’s readily apparent why corporations bring on third parties to fortify their remote network security. Once on the books, BlackCloak can then analyze the client’s digital security and pen test their homes. The company’s data on compromised executives is even more alarming. Of the executives the company onboards, about 37% have already been hacked.
“That means (a) their computers are compromised, (b) their cameras are compromised, or (c) their home networks, usually through home automation, are compromised,” said Pierson.
A wave of cybercriminal activity aimed at healthcare, medical organizations
In recent weeks, there’s been increased online criminal activity focused on the medical and healthcare industries with the World Health Organization, the Bill and Melinda Gates Foundation, and others targeted. Although some cybercriminals promised to not target hospitals during the coronavirus pandemic, this truce turned out to be rather short-lived.
A recent ransomware attack on a hospital in Colorado rendered its digital infrastructure inoperable, forcing the medical staff to resort to pen and paper record keeping to log patient information. Another cyber attack on a Czech hospital forced it to shut down its IT network, which delayed surgeries at the facility and rerouted patients to a nearby hospital for treatment.
“Cyber criminals go to what is hot, and right now, the pharmaceutical and medical industry are a hot area. It is a must-have area,” Pierson said. “It’s critical, literally critical, to our lives and livelihood, and if cybercriminals can make money faster that way, I think that they are going to take advantage of this opportunity.”