Story image

Hackers speak: Privileged accounts best way to steal data

25 Aug 2017

From the mouths of the hackers themselves, organisations’ privileged accounts are the most attractive targets for gaining access to critical data.

Those are the results from Thycotic’s 2017 Black Hat survey, which quizzed more than 250 hackers on their methods of extracting critical data.

32% of hackers said that privileged account access was the primary way to get access to critical data, while 27% said email was the easiest way.

"Given that privileged accounts are prime targets for hackers, IT professionals should consider the opinions of the hackers themselves when it comes to protecting privileged accounts," comments Thychotic’s chief security scientist, Joseph Carson.

73% of hackers also said that perimeter security methods such as firewalls and antivirus products are now irrelevant or obsolete. They no longer provide effective barriers to getting inside networks.

Threat intelligence solutions, reputation feeds and education are also the weakest forms of security protection, according to the hackers.

Instead, 32% said multifactor authentication and 32% said encryption were the biggest obstacles facing hackers today.

"In today's connected world, organisations can no longer rely only on the traditional cybersecurity perimeter controls. The new cybersecurity perimeter must incorporate an identity firewall built around employee and data using Identity and Access Management technology controls which emphasizes the protection of privileged account credentials and enhancing user passwords across the enterprise with multi-factor authentication,” Carson continues.

85% of hackers said people were the primary sources of blame for security breaches, even more than inadequate security and unpatched software.

35% said that changing passwords and remembering new ones was a major source of cybersecurity fatigue.

"With traditional perimeter security technologies considered largely irrelevant, hackers are focusing more on gaining access to privileged accounts and email passwords by exploiting human vulnerabilities allowing the hacker to gain access abusing trusted identities," Carson explains.

"More than ever, it is critical for businesses to mitigate these risks by implementing the right technologies and process to ward off unsuspecting attacks and access to sensitive data."

Last month, Thycotic conducted its first annual State of Cybersecurity Metrics Report. Out of 400 respondents, 58% of organisations scored an ‘F’ or ‘D’ grade in terms of how they measure their cybersecurity investments and performance against best practices.

One in three organisations invested in cybersecurity solutions with no way to measure effectiveness or value.

"It's really astonishing to have the results come in and see just how many people are failing at measuring the effectiveness of their cybersecurity and performance against best practices," Carson notes.

"At a time when threats are escalating and the need for quantifiable metrics are putting security teams and executives under pressure, the 2017 State of Cybersecurity Metrics Report reveals what is actually occurring so that companies can produce assurances, remedy their errors and protect their businesses,” he concludes.

Privacy: The real cost of “free” mobile apps
Sales of location targeted advertising, based on location data provided by apps, is set to reach $30 billion by 2020.
Forrester names Crowdstrike leader in incident response
The report provides an in-depth evaluation of the top 15 IR service providers across 11 criteria.
Norwegian aluminium manufacturer hit hard by LockerGoga ransomware attack
“IT systems in most business areas are impacted and Hydro is switching to manual operations as far as possible.”
Slack doubles down on enterprise key management
EKM adds an extra layer of protection so customers can share conversations, files, and data while still meeting their own risk mitigation requirements.
Security professionals want to return fire – Venafi
Seventy-two percent of professionals surveyed believe nation-states have the right to ‘hack back’ cybercriminals.
Alcatraz AI to replace corporate badges with AI security
The Palo Alto-based startup supposedly leverages facial recognition, 3D sensing, and machine learning to enable secure access control.
Unencrypted Gearbest database leaves over 1.5mil shoppers’ records exposed
Depending on the countries and information requirements, the data could give hackers access to online government portals, banking apps, and health insurance records.
Mozilla launches Firefox Send, an encrypted file transfer service
Mozille Firefox has launched a free encrypted file transfer service that allows people to securely share files from any web browser – not just Firefox.