Whether they identify as white hats, black hats or something in between, most hackers agree that no password is safe from them, or from the government for that matter. Regardless of where they sit with respect to the law, they largely agree that five key security measures make enterprise networks much harder to penetrate.
At the Black Hat USA 2016 conference in Las Vegas earlier this month, Thycotic, a specialist in privileged account management (PAM) solutions, surveyed more than 250 attendees who self-identified as hackers (respondents remained anonymous). Eighty-four percent of respondents identified as white hat hackers, security researchers who help organizations uncover and remediate vulnerabilities, and 15 percent identified as black hat hackers, who penetrate networks with criminal intent.
"This year we had many verbal requests for a grey hat option, which was not included in the survey," adds Joseph Carson, a Certified Information Systems Security Professional (CISSP) and head of Global Alliances at Thycotic.
Grey hats fall in the middle ground: they sell, or otherwise disclose, the zero-day vulnerabilities they find to government agencies such as law enforcement, intelligence and the military. Ultimately, Carson says, the hackers ranked the five key security measures as follows, though black hats quibbled with the order in one key area.
1. Limit admin access to systems
First and foremost, any serious attempt to secure the network must begin with privileged accounts. They are the "keys to the kingdom," which makes them the top target of any attacker seeking to gain access and then move freely within the network.
"First, attackers gain a foothold in the network by any means possible, often through exploiting an end-user computer, then working to elevate their privileges by compromising a privileged account, which allows attackers to operate on a network as if they are a trusted IT administrator," Thycotic explains in its Black Hat 2016: Hacker Survey Report.
In response, organizations should adopt a least privilege strategy, in which privileges are granted only when required and approved. That limits what an attacker gains by capturing a privileged account's password or password hash, and so limits the chance that one compromised account turns into a compromise of the entire network.
"Enforce least privilege on end user workstations by keeping end users configured to a Standard User profile and automatically elevating their privilege to run only approved and trusted applications," Thycotic writes in the report. "For IT admin privileged accounts, control access to the accounts and implement Super User Privilege Management for Windows and UNIX systems to prevent attackers from running malicious applications, remote access tools and commands."
In addition, IT administrators should use their privileged accounts only when a task actually requires them, and work from standard accounts the rest of the time.
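As an added example, not code from the article or from Thycotic's report, the shell script below audits a sudoers policy for the kind of grant the least-privilege guidance above rules out: a user or group allowed to run every command as root. The two policies embedded in it are constructed samples, and the Cmnd_Alias name APPSVC and the group, user and service names are assumptions. The check is deliberately narrow (it looks for a literal ALL command list and does not expand aliases or follow #include directives), so a clean result is necessary, not sufficient.

```shell
#!/bin/sh
# Added example (not from the article or Thycotic's report): audit a sudoers
# policy for rules that hand out unrestricted root, the opposite of the
# least-privilege model described above. Both policies below are constructed
# samples, not real configuration.

# Weak policy: two groups get every command as root, one without a password.
SAMPLE_SUDOERS_WEAK='# constructed sample sudoers (weak)
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
%wheel  ALL=(ALL) NOPASSWD: ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app.service
backup  web01=(root) /usr/bin/rsync'

# Corrected policy: the same people, but only the commands their job needs.
SAMPLE_SUDOERS_FIXED='# constructed sample sudoers (least privilege)
Defaults env_reset
Cmnd_Alias APPSVC = /usr/bin/systemctl restart app.service, /usr/bin/systemctl status app.service
root    ALL=(ALL:ALL) ALL
%admin  ALL=(root) APPSVC
%wheel  ALL=(root) /usr/bin/journalctl -u app.service
deploy  ALL=(root) NOPASSWD: APPSVC
backup  web01=(root) /usr/bin/rsync'

# audit_sudoers POLICY_TEXT
# Prints one line per rule whose command list is literally ALL for anyone
# other than root, and returns 1 if any such rule exists (0 otherwise).
# Limitation: aliases are not expanded and #include lines are not followed,
# so an alias that resolves to ALL would slip past this check.
audit_sudoers() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*(#|$)/ { next }                 # comments, blank lines, #include
        $1 ~ /^(Defaults|Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias)/ { next }
        $1 == "root" { next }                   # root is expected to hold ALL
        {
            rule = $0
            sub(/^[^=]*=/, "", rule)            # drop "who  hosts="
            sub(/^[ \t]*\([^)]*\)/, "", rule)   # drop the "(runas)" list
            gsub(/[A-Z]+:/, "", rule)           # drop tags such as NOPASSWD:
            gsub(/^[ \t]+|[ \t]+$/, "", rule)   # trim surrounding whitespace
            if (rule == "ALL") {
                print "unrestricted rule: " $0
                found = 1
            }
        }
        END { exit found ? 1 : 0 }'
}

audit_sudoers "$SAMPLE_SUDOERS_WEAK"  || echo "weak policy: unrestricted grants present"
audit_sudoers "$SAMPLE_SUDOERS_FIXED" && echo "fixed policy: every grant is scoped to specific commands"
```

Run with `sh`: the weak policy prints the two offending `%admin` and `%wheel` rules and the function returns 1, while the corrected policy prints nothing and returns 0, so the same function can gate a configuration-management pipeline alongside a `visudo -c` syntax check. The corrected policy also shows what "privileges granted only when required" looks like in practice: named commands per role, with NOPASSWD reserved for an automation account and a narrow alias rather than for people.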
2. Protect privileged account passwords