Survey Reveals Hackers’ Chosen Attack Vectors and Vulnerabilities Within Businesses

Each year at the annual Black Hat conference, Thycotic conducts a survey  of participating hackers to gain insight into modern perspectives on vulnerabilities — directly from the people who expose those vulnerabilities. Of these 300-plus surveyed hackers, 70 percent consider themselves to be “white hat hackers” — referring to those who work for various organizations to find and exploit vulnerabilities in order to uncover holes and strengthen security. However, 30 percent of the survey participants admitted they have broken laws in their efforts and 5 percent described themselves as “black hat” hackers.

The information gathered from the survey becomes attack intelligence and is reported and analyzed to educate the cybersecurity industry and community.

Out of the hackers surveyed, 26 percent said they most often infiltrated Windows 10. The next largest group, 22 percent of those surveyed, said their most frequently hacked system was Windows 8. 18 percent said Linux was their most hacked and less than 5 percent selected Mac.

As it is clear from the results which operating systems are hacked the most, it is also apparent that there is a dominant method used by hackers for seizing privileged accounts. Of those surveyed, 56 percent said social engineering is the fastest technique to gain access to these accounts. They mainly accomplish this by elevating privilege through the use through various attack vectors, often with the goal of obtaining administrative privilege. Once administrative access is gained, attackers can seize control of the entire system—obviously a catastrophic scenario for any organization.

Since the protection of privileged accounts is so crucial, organizations must take the proper measures to securing these accounts. In order to properly configure a security program, organizations must first understand the challenges they face to protecting privileged access.

  • The compromising of user accounts is almost inevitable and very dangerous to organizations.
  • Group Policy Objects (GPO) cannot be solely relied upon to protect privileges.
  • Privileged account access needs to be carefully — and minimally — granted to users.

Each of these concerns are problems for organizations of all industries and sizes. Smaller companies generally have less resources for security and enterprises have more endpoints to secure, in addition to a larger target on their backs. From these challenges stem recommendations to properly secure organizations from sophisticated, advanced attacks:

Adopt a Zero-Trust Posture

It has become widely accepted that human users are the weakest link in security. Naturally, users’ accounts can only be as secure as the humans using them, leaving critical systems at risk. User accounts are going to be compromised if the right precautions are not taken.

Since organizations cannot completely trust their systems or users, they should employ a “zero-trust” posture. This involves several steps, there are a couple that organizations should implement immediately. Prior to receiving any privileged access, all new devices that are added to internal networks should be properly identified and verified. As privileges increase, so should the security requirements for these devices.

Most importantly, organizations need to severely restrain local administrative access. 85 percent of breaches involve compromised endpoints. The best way to protect these endpoints is to restrict privileges which limits the attack surface for hackers who often use social engineering methods to exploit access. This leads right into the next strategy — implementing a least-privilege policy.

Apply the Principle of Least Privilege

This concept is centered around the idea that organizations should only grant privileged access when absolutely necessary. If these privileged accounts become compromised, attackers can seize administrative privileges to take full control over an organization’s IT infrastructure, often without detection. Despite the massive risk, it seems organizations are not doing enough to protect these accounts with a least-privilege policy. According to the results of the survey, 75 percent of hackers say organizations are failing to apply least privilege.

The survey participants said these organizations are typically penetrated by social engineering attacks. Even with cybersecurity dominating conversations across the globe, many organizations’ systems and applications are still protected by default passwords! Nearly 22 percent of the surveyed hackers said using the default passwords is the most effective technique to seize privileged accounts.

Incorporate Multiple Layers for a Security

Of course, that means 78 percent of hackers prefer alternative methods, such as application and OS vulnerabilities and session hijacking. It is well known that there are numerous attack vectors so organizations have to be prepared and employ a multi-layered security program.

Many organizations that use Windows and Active Director rely too heavily on GPOs. While they can strengthen security, 90 percent of the surveyed hackers were able to compromise Windows environments despite the presence of GPO.

Organizations need to accept the fact that security cannot be attained or maintained so easily. They must realize multiple solutions are required for a true defense-in-depth strategy.

Commit to Closing Vulnerabilities

It is apparent from this year’s survey that organizations users and endpoints are still dangerously vulnerable. Unfortunately, there is not going to be a major global shift that will suddenly secure all privileged accounts. The only way to realistically protect privileged access is by combining the right strategies with the right solutions.

Organizations need to construct a multi-layered program that includes the adoption of the least-privilege principle and zero-trust policy.


Add Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

steven brill
20 Things You Didn’t Know about About Steven Brill
TI
How T.I. Achieved a Net Worth of $50 Million
John Engel
10 Things You Didn’t Know About WESCO International CEO John Engel
GPO
Should Your Company Use a GPO?
General Mills
Why General Mills is a Solid Dividend Stock for the Next 20 Years
The Top 10 Chase Sapphire Reserve Card Airport Lounges
Enbdrige
Why Enbridge (ENB) is a Great Dividend Stock for Retirees
The 10 Best Chase Credit Cards of 2019
Biosphere 2
Closed Ecological Systems: Can They Save the Future?
brain computer interface
How Close is Brain-Computer Interface To Being a Reality?
agricultural robots
What Are Agricultural Robots and How Will They Change the Future?
New Orleans Arcology
What is an Arcology and How Close are We To Having One?
New York Earth Room
10 Reasons to Visit the New York Earth Room
High Line
10 Reasons You Should Walk the NYC High Line
The Porter House
Why Porter House New York is One of the Best NYC Steakhouses
10 Reasons to Stay at the Ritz-Carlton Dorado Beach
1964 Ferrari 250 LM Rear
Is the 1964 Ferrari 250 LM Really Worth $18.26 Million?
1966 Shelby GT350
The 20 Greatest Muscle Cars of All-Time
1956 Cadillac Series 62 Eldorado Seville Coupe
The 20 Best Cadillac Eldorado Models of All Time
Veneno Showroom
The Lamborghini Veneno Roadster: A Rare and Limited Edition
Patek Philippe Pink Gold Pocket Watch 1894
A Closer Look at the $2.29 Million Patek Philippe Pink Gold Pocket Watch 1894
Patek Philippe Perpetual Calendar Chronograph Wristwatch in Pink Gold
A Closer Look at the $2.28 Million Patek Philippe Perpetual Calendar Chronograph Wristwatch in Pink Gold
20 Things That You Didn’t Know About Breitling Watches
2019 Breitling
The 10 Best Breitling Watches of 2019