Survey Reveals Hackers’ Chosen Attack Vectors and Vulnerabilities Within Businesses

Each year at the annual Black Hat conference, Thycotic conducts a survey of participating hackers to gain insight into modern perspectives on vulnerabilities — directly from the people who expose those vulnerabilities. Of these 300-plus surveyed hackers, 70 percent consider themselves to be “white hat hackers” — referring to those who work for various organizations to find and exploit vulnerabilities in order to uncover holes and strengthen security. However, 30 percent of the survey participants admitted they have broken laws in their efforts and 5 percent described themselves as “black hat” hackers.

The information gathered from the survey becomes attack intelligence and is reported and analyzed to educate the cybersecurity industry and community.

Out of the hackers surveyed, 26 percent said they most often infiltrated Windows 10. The next largest group, 22 percent of those surveyed, said their most frequently hacked system was Windows 8. Another 18 percent said Linux was their most hacked system, and less than 5 percent selected Mac.

Just as the results make clear which operating systems are hacked the most, they also show that there is a dominant method used by hackers for seizing privileged accounts. Of those surveyed, 56 percent said social engineering is the fastest technique to gain access to these accounts. They mainly accomplish this by elevating privilege through the use of various attack vectors, often with the goal of obtaining administrative privilege. Once administrative access is gained, attackers can seize control of the entire system—obviously a catastrophic scenario for any organization.

Since the protection of privileged accounts is so crucial, organizations must take the proper measures to secure these accounts. In order to properly configure a security program, organizations must first understand the challenges they face in protecting privileged access.

  • The compromising of user accounts is almost inevitable and very dangerous to organizations.
  • Group Policy Objects (GPO) cannot be solely relied upon to protect privileges.
  • Privileged account access needs to be carefully — and minimally — granted to users.

Each of these concerns is a problem for organizations of all industries and sizes. Smaller companies generally have fewer resources for security, and enterprises have more endpoints to secure, in addition to a larger target on their backs. From these challenges stem recommendations to properly secure organizations from sophisticated, advanced attacks:

Adopt a Zero-Trust Posture

It has become widely accepted that human users are the weakest link in security. Naturally, users’ accounts can only be as secure as the humans using them, leaving critical systems at risk. User accounts are going to be compromised if the right precautions are not taken.

Since organizations cannot completely trust their systems or users, they should employ a “zero-trust” posture. This involves several steps, but there are a couple that organizations should implement immediately. Prior to receiving any privileged access, all new devices that are added to internal networks should be properly identified and verified. As privileges increase, so should the security requirements for these devices.

Most importantly, organizations need to severely restrain local administrative access. 85 percent of breaches involve compromised endpoints. The best way to protect these endpoints is to restrict privileges, which limits the attack surface for hackers who often use social engineering methods to exploit access. This leads right into the next strategy — implementing a least-privilege policy.

Apply the Principle of Least Privilege

This concept is centered around the idea that organizations should only grant privileged access when absolutely necessary. If these privileged accounts become compromised, attackers can seize administrative privileges to take full control over an organization’s IT infrastructure, often without detection. Despite the massive risk, it seems organizations are not doing enough to protect these accounts with a least-privilege policy. According to the results of the survey, 75 percent of hackers say organizations are failing to apply least privilege.

The survey participants said these organizations are typically penetrated by social engineering attacks. Even with cybersecurity dominating conversations across the globe, many organizations’ systems and applications are still protected by default passwords! Nearly 22 percent of the surveyed hackers said using the default passwords is the most effective technique to seize privileged accounts.

Incorporate Multiple Layers for Security

Of course, that means 78 percent of hackers prefer alternative methods, such as application and OS vulnerabilities and session hijacking. It is well known that there are numerous attack vectors, so organizations have to be prepared and employ a multi-layered security program.

Many organizations that use Windows and Active Directory rely too heavily on GPOs. While they can strengthen security, 90 percent of the surveyed hackers were able to compromise Windows environments despite the presence of GPO.

Organizations need to accept the fact that security cannot be attained or maintained so easily. They must realize multiple solutions are required for a true defense-in-depth strategy.

Commit to Closing Vulnerabilities

It is apparent from this year’s survey that organizations’ users and endpoints are still dangerously vulnerable. Unfortunately, there is not going to be a major global shift that will suddenly secure all privileged accounts. The only way to realistically protect privileged access is by combining the right strategies with the right solutions.

Organizations need to construct a multi-layered program that includes the adoption of the least-privilege principle and zero-trust policy.

