5 security practices hackers say make their lives harder

Hackers believe no password is safe from a determined attacker, but they agree that five key security measures can make it a lot harder to penetrate enterprise networks.

Whether they identify as white hats, black hats or something in-between, a majority of hackers agree that no password is safe from them — or the government for that matter. Regardless of where they sit with respect to the law, hackers mostly agree that five key security measures can make it a lot harder to penetrate enterprise networks.

At the Black Hat USA 2016 conference in Las Vegas earlier this month, Thycotic, a specialist in privileged account management (PAM) solutions, surveyed more than 250 attendees who self-identified as hackers (respondents remained anonymous). Eighty-four percent of respondents identified as white hat hackers — security researchers that help organizations uncover and remediate vulnerabilities. And 15 percent identified as black hat hackers, who penetrate networks with criminal intent.

"This year we had many verbal requests for a grey hat option, which was not included in the survey," adds Joseph Carson, a Certified Information Systems Security Professional (CISSP) and head of Global Alliances at Thycotic.

[ Related: Black Hat: Quick look at hot issues ]

Grey hats fall in the middle ground. They sell or otherwise disclose to government agencies zero-day vulnerabilities they find — law enforcement, intelligence and military. Ultimately, Carson says, the hackers ranked the five key security measures as follows, though black hats quibbled with the order in one key area.

1. Limit admin access to systems

First and foremost, serious attempts to secure the network must begin with privileged accounts. Privileged accounts are the "keys to the kingdom," making them the top target of any attacker seeking to gain access and move anywhere within the network.

"First, attackers gain a foothold in the network by any means possible, often through exploiting an end-user computer, then working to elevate their privileges by compromising a privileged account, which allows attackers to operate on a network as if they are a trusted IT administrator," Thycotic explains in its Black Hat 2016: Hacker Survey Report.

In response, organizations should adopt a least privilege strategy, in which privileges are only granted when required and approved, thus limiting the chances for an attacker to compromise your entire network by targeting privileged account passwords or hashes.

"Enforce least privilege on end user workstations by keeping end users configured to a Standard User profile and automatically elevating their privilege to run only approved and trusted applications,"Thycotic writes in the report. "For IT admin privileged accounts, control access to the accounts and implement Super User Privilege Management for Windows and UNIX systems to prevent attackers from running malicious applications, remote access tools and commands."

[ Related: 9 free security tools for defense & attacking ]

In addition, IT administrators should only make use of their privileged accounts when necessary. When privileges are not necessary, they should use standard accounts instead.

2. Protect privileged account passwords

It's easy to fall into the trap of thinking of privileged accounts in terms of the human users who have them. But privileged accounts are also extended to machines and systems to allow them to interact.

Organizations typically have two to three times more privileged accounts than they have employees. Carson notes that every system that gets deployed comes with a default account, and those systems get connected to service accounts to maintain them. Each virtual machine that gets deployed also receives privileges that don't expire when the machine they're associated with get spun down. And if a VM is cloned, those privileges get cloned along with them. As a result, organizations often wind up with large numbers of rogue privileged accounts with access to their environment.

"Thus, hijacking privileged accounts gives attackers the ability to access and download an organization's most sensitive data, poison data, broadly distribute malware, bypass existing security controls and erase audit trails to hide their activity," Thycotic writes in the report. "It is critical to proactively manage, monitor, and control privileged account access — these accounts are necessary to today's IT infrastructure and ensuring they are securely managed is critical."

To make matters worse, organizations still frequently rely on manual systems like spreadsheets to manage privileged account passwords. Not only is that inefficient, Carson notes that such systems themselves are easily hacked, posing a major security risk to the entire enterprise.

[ Related: Businesses failing to secure privileged accounts ]

"Privileged Account password protection provides a comprehensive solution to automatically discover and store privileged accounts, schedule password rotation, audit, analyze and manage individual privileged session activity and monitor password accounts to quickly detect and respond to malicious activity," Thycotic writes. "This adds a new layer of security to protect privileged accounts from inside the network."

3. Extend IT security awareness training

Most security professionals believe that human beings are the weakest link in any organization's security.

"As more sophisticated social engineering and phishing attacks have emerged in the past few years, companies need to seriously consider expanding their IT security awareness programs beyond simple online tests or acknowledgements of policies," Thycotic writes. "Especially as personal mobile devices are increasingly used for business purposes, educating employees on secure behaviors has become imperative."

Security awareness training has a history of variable results, though Steve Durbin, managing director of the Information Security Forum (ISF) believes that a program that seeks to embed positive infosec behaviors into business processes can transform employees from weakest link into first line of defense.

"The process itself may be the problem," Durbin says. "It may be you have a particularly complex system or cumbersome process and it doesn't have to be that way. Ask yourself: 'If we were starting fresh, how would we build security into this particular process that would make it easy for people to conform?"

It should be noted, though, that white hat hackers are greater believers in security awareness training than white hat hackers.

"Interestingly, both black hat and white hat hackers ranked all five security measures in almost the same order, except black hats did not believe IT security awareness training was as important," Carson says. "Overall, black hats would have ranked IT security awareness training in fourth place, giving more importance to limiting unknown applications from running. It could be that black hat hackers view humans as an unpredictable, weak link compared to a technological solution that restricts risky behavior."

4. Limit unknown applications

You can't protect something if you don't know it's there. You need to know which applications are authorized to run on your network and ensure their passwords are protected.

"Application accounts need to be inventoried and undergo strict policy enforcement for password strength, account access and password rotation," Thycotic writes. "Centralized control and reporting on these accounts is essential to protect critical information assets."

5. Protect user passwords with security best practices

Finally, it's not just about privileged accounts. While privileged accounts provide attackers with critical data access, end-user accounts remain an attack vector. That said, 77 percent of the survey respondents don't believe any password is safe from hackers.

"Protecting user passwords was ranked last, and some may say that's good news for companies, because changing human behavior is hard — it can be a much less daunting task to change processes on the IT team vs. all employees at a company," Carson says. "However, when you are ready to secure end user passwords, look for solutions that enforce your security policy for password strength and the frequency of password changes, and also provide easy and secure password resets — regularly requiring employees to change their workstation passwords will undoubtedly mean calls to the help desk when new passwords are forgotten.

Join the CSO newsletter!

Error: Please check your email address.

More about LexiconPAMThycotic

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Thor Olavsrud

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place