Inside the mind of a hacker: Black Hat conference bares all
8 October 2018
What do hackers really think? Joseph Carson, Chief Security Scientist, Thycotic, tells us what the "good guys" think about vulnerabilities, the easiest points of entry into a corporate network and protecting privileged accounts.
The annual Black Hat conference in Las Vegas is a magnet for hackers, attracting tens of thousands of visitors. This year, Thycotic surveyed more than 300 of these attendees to discover the modern perspectives on vulnerabilities, directly from the people who expose them. The survey also revealed the easiest points of entry into a corporate network and why protecting privileged accounts must be a priority for any organisation.
The first thing to note is that of the surveyed hackers, only 5% describe themselves as black hat hackers, despite the fact that 30% admitted to having broken the law during their efforts to help organisations. The good news, however, is that white hat hacking is the more popular choice, with 70% of respondents considering themselves “one of the good guys”.
Operating systems (OS) are only as secure as the people using them, and 50% of hackers say they have easily compromised Windows 8 and Windows 10 in the past year. Application and OS vulnerabilities remain a major problem, with almost 20% of hackers exploiting unpatched systems. However, while much attention is given to these particular weaknesses, attackers still find it easier to trick users into simply handing over their corporate credentials; 10% of those surveyed said they used identity theft to gain network access.
Poor password protection is also an issue: when asked about the quickest way of gaining access to a corporate network, 50% of hackers pointed to employees reusing passwords already exposed by other data breaches. Similarly, 22% of hackers reported that default credentials continue to be an organisation’s Achilles heel. These results confirm that employees continue to struggle with password hygiene.
Contributing to this, organisations today focus on getting employees onboard and productive as quickly as possible, investing heavily in identity provisioning solutions that help create the accounts employees need to do their jobs. However, many hackers – 75% – say that companies are typically giving users far more access than is necessary, especially for local admin accounts. Once these accounts are compromised, attackers can exploit administrative privileges to gain full access to the entire IT infrastructure whilst remaining undetected.
Hackers also identified Domain Administrator accounts as the most desirable to take over, allowing them to do just about anything they want to on the network. Other popular accounts include service, root and local admin accounts, all of which allow an attacker to move about the network undetected.
The principle of least privilege
It has become widely accepted that human users are the weakest link in cyber security and, with 85% of breaches involving compromised endpoints, it’s clear that employees are still falling victim to social engineering schemes and poor password practices. These user accounts are only as secure as the people using them, thereby leaving critical systems at risk.
Given that Gartner has identified privileged account management (PAM) as a top priority for 2018 and that compromise is probably inevitable at some point, organisations should also adopt a zero-trust strategy as part of their PAM efforts. With zero-trust, all new user devices connecting to the network must be properly identified and verified and, as privileges increase, so should the security requirements for these users and devices.
To implement a successful least privilege, zero-trust strategy, IT and security teams must work together to create policies that match the needs of the organisation. This is a technique which allows companies to remove administrator rights from end users, using controls to validate trusted applications, devices and users, and elevate the privileges of only those who require them. This enables organisations to significantly reduce their attack surface whilst balancing productivity, ease of use and security in a dynamic environment.
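As an added illustration of the tiered, least-privilege elevation described above (example code written for this page, not Thycotic's or the article's): a policy check in which the requirements on the user and device tighten with the privilege requested, elevation is scoped to a trusted application rather than a standing local admin account, and every grant expires. The tier names, application allowlists and sample requests are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed illustration of a tiered, least-privilege elevation policy.
# Tier names, requirement sets, application allowlists and sample requests
# are assumptions for this example, not any vendor's product logic.

@dataclass(frozen=True)
class Request:
    user: str
    mfa_verified: bool       # user completed a step-up factor for this request
    device_verified: bool    # endpoint identity and posture were checked
    application: str         # program to run with elevated rights
    tier: str                # privilege tier being requested

# Requirements tighten as privileges increase:
# tier -> (needs_mfa, needs_verified_device, trusted_apps, max_minutes)
TIER_POLICY = {
    "standard": (False, False, None, None),  # no elevation, nothing to check
    "local_admin": (True, True, {"installer.msi", "driver_update.exe"}, 30),
    "domain_admin": (True, True, {"ad_console.exe"}, 15),
}

def evaluate(req: Request, now: datetime) -> dict:
    """Decide on an elevation request; grants are app-scoped and time-bound."""
    if req.tier not in TIER_POLICY:
        return {"granted": False, "reasons": ["unknown_tier"], "expires": None}
    needs_mfa, needs_device, trusted_apps, max_minutes = TIER_POLICY[req.tier]
    reasons = []  # every failed control is recorded for the audit trail
    if needs_mfa and not req.mfa_verified:
        reasons.append("mfa_required")
    if needs_device and not req.device_verified:
        reasons.append("device_not_verified")
    if trusted_apps is not None and req.application not in trusted_apps:
        reasons.append("application_not_trusted")
    granted = not reasons
    expires = now + timedelta(minutes=max_minutes) if granted and max_minutes else None
    return {"granted": granted, "reasons": reasons, "expires": expires}

NOW = datetime(2018, 10, 8, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo

def demo() -> list:
    """Three constructed requests: one compliant, one missing MFA, one untrusted app."""
    requests = [
        Request("alice", True, True, "installer.msi", "local_admin"),
        Request("bob", False, True, "installer.msi", "local_admin"),
        Request("carol", True, True, "cmd.exe", "domain_admin"),
    ]
    return [evaluate(r, NOW) for r in requests]
```

Run `demo()` to see the three decisions; only the request that passes every control for its tier is granted, and that grant carries a 30-minute expiry.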