In a recent blog I explained how your Mom was going to get owned next year – now it’s time to dish on your CxO . . .
I believe most of these attacks are e-mail based (either very convincing ‘click on this link’ type emails or emails with attachments) . . . the e-mails are probably spoofed to appear like they are from legitimate / trusted sources (or they actually *are* sent from legitimate / trusted sources who themselves have been compromised). This makes them incredibly hard to defend against (especially if your organization still allows spoofed e-mail inbound).
Hopefully articles like this will get companies here and abroad thinking about this ‘problem’ and what they can do about it. I think awareness is a big first step . . . people need to at least be in the ‘they really ARE out to get me’ mindset (even if you’re not a CxO) . . . other actions can be taken to attempt to reduce the threat as well (perhaps implementing a Domain Keys or ahem a SenderID type solution) . . . or perhaps other policies like enforcing a ‘signed e-mail’ policy that requires a private key stored on a smartcard be used to sign all e-mails – while not a panacea at least raise the bar a little bit for the bad guys with respect to spoofed incoming e-mails.
This is not a problem technology alone can solve.