Each year at the Black Hat conference, Thycotic conducts a survey of participating hackers to gain insight into modern perspectives on vulnerabilities — directly from the people who expose those vulnerabilities. Of the 300-plus surveyed hackers, 70 percent consider themselves to be “white hat hackers” — those who work for organizations to find and exploit vulnerabilities in order to uncover holes and strengthen security. However, 30 percent of the survey participants admitted they have broken laws in their efforts, and 5 percent described themselves as “black hat” hackers.
The information gathered from the survey becomes attack intelligence and is reported and analyzed to educate the cybersecurity industry and community.
Out of the hackers surveyed, 26 percent said they most often infiltrated Windows 10. The next largest group, 22 percent of those surveyed, said their most frequently hacked system was Windows 8. 18 percent said Linux was their most hacked and less than 5 percent selected Mac.
Just as the results make clear which operating systems are hacked the most, they also show that there is a dominant method used by hackers for seizing privileged accounts. Of those surveyed, 56 percent said social engineering is the fastest technique to gain access to these accounts. They mainly accomplish this by elevating privilege through various attack vectors, often with the goal of obtaining administrative privilege. Once administrative access is gained, attackers can seize control of the entire system—obviously a catastrophic scenario for any organization.
Since the protection of privileged accounts is so crucial, organizations must take the proper measures to secure these accounts. In order to properly configure a security program, organizations must first understand the challenges they face in protecting privileged access.
- The compromising of user accounts is almost inevitable and very dangerous to organizations.
- Group Policy Objects (GPO) cannot be solely relied upon to protect privileges.
- Privileged account access needs to be carefully — and minimally — granted to users.
Each of these concerns is a problem for organizations of all industries and sizes. Smaller companies generally have fewer resources for security, while enterprises have more endpoints to secure, in addition to a larger target on their backs. From these challenges stem recommendations to properly secure organizations from sophisticated, advanced attacks:
Adopt a Zero-Trust Posture
It has become widely accepted that human users are the weakest link in security. Naturally, users’ accounts can only be as secure as the humans using them, leaving critical systems at risk. User accounts are going to be compromised if the right precautions are not taken.
Since organizations cannot completely trust their systems or users, they should employ a “zero-trust” posture. This involves several steps; a couple of them organizations should implement immediately. Prior to receiving any privileged access, all new devices that are added to internal networks should be properly identified and verified. As privileges increase, so should the security requirements for these devices.
Most importantly, organizations need to severely restrain local administrative access. 85 percent of breaches involve compromised endpoints. The best way to protect these endpoints is to restrict privileges, which limits the attack surface for hackers who often use social engineering methods to exploit access. This leads right into the next strategy — implementing a least-privilege policy.
Apply the Principle of Least Privilege
This concept is centered around the idea that organizations should only grant privileged access when absolutely necessary. If these privileged accounts become compromised, attackers can seize administrative privileges to take full control over an organization’s IT infrastructure, often without detection. Despite the massive risk, it seems organizations are not doing enough to protect these accounts with a least-privilege policy. According to the results of the survey, 75 percent of hackers say organizations are failing to apply least privilege.
The survey participants said these organizations are typically penetrated by social engineering attacks. Even with cybersecurity dominating conversations across the globe, many organizations’ systems and applications are still protected by default passwords! Nearly 22 percent of the surveyed hackers said using the default passwords is the most effective technique to seize privileged accounts.
Incorporate Multiple Layers of Security
Of course, that means 78 percent of hackers prefer alternative methods, such as application and OS vulnerabilities and session hijacking. It is well known that there are numerous attack vectors so organizations have to be prepared and employ a multi-layered security program.
Many organizations that use Windows and Active Directory rely too heavily on GPOs. While GPOs can strengthen security, 90 percent of the surveyed hackers were able to compromise Windows environments despite their presence.
Organizations need to accept the fact that security cannot be attained or maintained so easily. They must realize multiple solutions are required for a true defense-in-depth strategy.
Commit to Closing Vulnerabilities
It is apparent from this year’s survey that organizations’ users and endpoints are still dangerously vulnerable. Unfortunately, there is not going to be a major global shift that will suddenly secure all privileged accounts. The only way to realistically protect privileged access is by combining the right strategies with the right solutions.
Organizations need to construct a multi-layered program that includes the adoption of the least-privilege principle and zero-trust policy.