Despite the drumbeat of advice from the security industry on how to protect themselves from cyber-crime, businesses continue to make the same mistakes – mistakes hackers are only too happy to exploit over and over again.
According to a survey of hackers conducted at the Black Hat 2018 conference in Las Vegas by Thycotic, the mistakes reveal an overreliance on security tools and an underestimation of the threat that user error poses to the organisation.
Thycotic questioned more than 300 hackers at the conference and found that 70 percent considered themselves white-hat hackers, a figure which Thycotic’s chief security scientist Joseph Carson said surprised him. The other 30 percent admitted to engaging in activity that could be in violation of the law, while a subset of those (five percent) claimed to be black-hats.
So what did we learn from the Thycotic survey?
1. Nearly 50 percent of the hackers said they had easily compromised Windows 8 and Windows 10 devices in the past year. Asked what operating system they conquered most in the past year, they said Windows 10 (26.7 percent), Windows 8 (22.4 percent) and Linux (18.5 percent). Mac OS, Unix and mobile devices all scored less than five percent in the survey. Some 20 percent of the hackers surveyed said they regularly exploited unpatched systems.
2. 90 percent of the hackers said that Group Policy Objects (GPOs) were no bar to compromising the Windows environment. The lesson here is don't rely on GPOs alone for security, said Thycotic – apply additional techniques and security tools to build defence in depth.
3. Three out of four hackers (74 percent) said organisations fail to apply the principle of least privilege. Organisations are giving away too much access, especially local admin rights, Thycotic said. Access to privileged accounts enables hackers to gain full access to IT systems and remain undetected for a long time, it said.
4. 56 percent of hackers say social engineering is the fastest way to compromise a system. If that fails, the next fastest ways to get in are through an application/operating system vulnerability (19.8 percent), stolen identity (nine percent), a compromised endpoint (6.9 percent) and malware (six percent), the hackers reported.
5. 47.4 percent of hackers said that password reuse was the riskiest behaviour for organisations, as this was the attack vector they exploited the most by far. Trailing behind that were getting people to use USB drives without scanning (19.4 percent), gaining access through public Wi-Fi (18.5 percent) and exploiting the use of personal cloud storage for corporate data (6.9 percent).
6. 22 percent of hackers are using default vendor passwords to escalate privileges once they have established a foothold on a machine, while 19.8 percent exploit known vulnerabilities. Misconfigured service accounts (17.7 percent), social engineering (16.8 percent) and shared accounts (11.6 percent) provide additional avenues.
7. 25 percent of attackers said their favourite privileged account for staying hidden is the domain administrator. This was followed by the service account (19.4 percent) and root account (18.5 percent).
Thycotic said that many organisations are using GPO to centralise the management, configuration and security in the Windows environment, but hackers are using tools like Mimikatz (42.6 percent) to extract plaintext passwords, hashes, PIN codes and Kerberos tickets as well as perform pass-the-hash attacks.
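Two of the findings above, excess local admin rights (item 3) and Mimikatz pulling plaintext credentials out of LSASS, can be checked on a single Windows 10 host in a few lines. The script below is an added example, not part of the Thycotic survey or this article: it lists every member of the local Administrators group that is neither the built-in Administrator (RID 500) nor Domain Admins (RID 512), then inspects the two registry values that govern whether Mimikatz can read cleartext passwords from LSASS (WDigest's UseLogonCredential) and whether LSASS runs as a protected process (RunAsPPL). Run it from an elevated PowerShell prompt; the remediation lines are left commented out so the audit itself changes nothing.

```powershell
# Added example (not code from Thycotic or SC Magazine): audit local admin
# sprawl and LSASS credential exposure on one Windows 10 host. Run elevated.

# --- 1. Local Administrators membership (least privilege check) ---
# Get-LocalGroupMember ships with Windows 10 / Server 2016 and later.
$admins = Get-LocalGroupMember -Group 'Administrators'

# Anything other than the built-in Administrator (RID 500) or the
# Domain Admins group (RID 512) is a candidate for removal.
$unexpected = $admins | Where-Object { $_.SID.Value -notmatch '-(500|512)$' }
if ($unexpected) {
    Write-Warning "Unexpected local Administrators members on $env:COMPUTERNAME:"
    $unexpected | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
    # Remediate one entry at a time after review, e.g.:
    # Remove-LocalGroupMember -Group 'Administrators' -Member 'CORP\jsmith'
}

# --- 2. WDigest cleartext caching (what sekurlsa::wdigest reads) ---
# On Windows 8.1/10 the value is absent by default, which means disabled;
# a value of 1 re-enables cleartext password caching in LSASS.
$wd = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$useLogonCred = (Get-ItemProperty -Path $wd -Name UseLogonCredential `
                 -ErrorAction SilentlyContinue).UseLogonCredential
if ($null -ne $useLogonCred -and $useLogonCred -ne 0) {
    Write-Warning "WDigest UseLogonCredential is $useLogonCred (expected 0 or absent)"
    # Remediate:
    # Set-ItemProperty -Path $wd -Name UseLogonCredential -Type DWord -Value 0
}

# --- 3. LSA as a protected process (RunAsPPL) ---
# With RunAsPPL=1, unsigned user-mode code (Mimikatz included) cannot open
# LSASS; the attacker must bring a signed driver instead. Absent means off.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ppl = (Get-ItemProperty -Path $lsa -Name RunAsPPL `
        -ErrorAction SilentlyContinue).RunAsPPL
if ($ppl -ne 1) {
    Write-Warning "LSA RunAsPPL is '$ppl' (expected 1)"
    # Remediate (takes effect after reboot):
    # Set-ItemProperty -Path $lsa -Name RunAsPPL -Type DWord -Value 1
}
```

Neither registry setting is a substitute for removing local admin rights: RunAsPPL only raises the bar (Mimikatz can still load its own kernel driver if the operator is already an administrator), and disabling WDigest does nothing against pass-the-hash or Kerberos ticket theft. Both settings are normally pushed fleet-wide through a GPO, which is exactly why the survey's warning about treating GPO as the whole defence matters.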
And Carson told SC: "Passwords continue to be a pain for employees; leaving employees to create a strong password exposes most companies to risks from credential stealing and identity theft, which is a prime target for cyber-criminals. Organisations need to help empower their employees by using password managers and privileged access management solutions to reduce the risk of reusing passwords and reduce the cyber fatigue that employees have from choosing or creating a good, strong, complex password."