Whether they identify as white hats, black hats or something in-between, a majority of hackers agree that no password is safe from them — or the government for that matter. Regardless of where they sit with respect to the law, hackers mostly agree that five key security measures can make it a lot harder to penetrate enterprise networks.
At the Black Hat USA 2016 conference in Las Vegas earlier this month, Thycotic, a specialist in privileged account management (PAM) solutions, surveyed more than 250 attendees who self-identified as hackers (respondents remained anonymous). Eighty-four percent of respondents identified as white hat hackers, security researchers who help organizations uncover and remediate vulnerabilities. And 15 percent identified as black hat hackers, who penetrate networks with criminal intent.
"This year we had many verbal requests for a grey hat option, which was not included in the survey," adds Joseph Carson, a Certified Information Systems Security Professional (CISSP) and head of Global Alliances at Thycotic.
Grey hats fall in the middle ground: they sell or otherwise disclose the zero-day vulnerabilities they find to government agencies such as law enforcement, intelligence and military organizations. Ultimately, Carson says, the hackers ranked the five key security measures as follows, though black hats quibbled with the order in one key area.
1. Limit admin access to systems
First and foremost, serious attempts to secure the network must begin with privileged accounts. Privileged accounts are the "keys to the kingdom," making them the top target of any attacker seeking to gain access and move anywhere within the network.
"First, attackers gain a foothold in the network by any means possible, often through exploiting an end-user computer, then working to elevate their privileges by compromising a privileged account, which allows attackers to operate on a network as if they are a trusted IT administrator," Thycotic explains in its Black Hat 2016: Hacker Survey Report.
In response, organizations should adopt a least privilege strategy, in which privileges are only granted when required and approved, thus limiting the chances for an attacker to compromise your entire network by targeting privileged account passwords or hashes.
"Enforce least privilege on end user workstations by keeping end users configured to a Standard User profile and automatically elevating their privilege to run only approved and trusted applications," Thycotic writes in the report. "For IT admin privileged accounts, control access to the accounts and implement Super User Privilege Management for Windows and UNIX systems to prevent attackers from running malicious applications, remote access tools and commands."
In addition, IT administrators should only make use of their privileged accounts when necessary. When privileges are not necessary, they should use standard accounts instead.
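The elevation model described above (a Standard User profile, with elevation granted only to approved and trusted applications) is easier to reason about with a concrete policy check. The following is an added example, not code from Thycotic's report or product: the hypothetical ElevationPolicy class keeps a per-user allow-list of canonical binary paths with the SHA-256 digest recorded at approval time, so an unknown remote-access tool, a symlink pointing an innocent name at that tool, and an approved binary that has been tampered with are all refused. The executables and user names are constructed stand-ins.

```python
"""Least-privilege elevation check: a Standard User may run only approved,
trusted applications with elevated rights.

Added example: ElevationPolicy is a hypothetical model of the decision the
text describes (elevate only known-good binaries), not any vendor's product.
"Trusted" means the binary's SHA-256 still matches the digest recorded at
approval time, so a swapped, patched or symlinked file at an approved path is
refused rather than silently elevated.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class ElevationPolicy:
    """Per-user allow-list of (canonical path -> approved SHA-256)."""

    def __init__(self):
        self.rules = {}

    def approve(self, user, path):
        real = os.path.realpath(path)
        self.rules.setdefault(user, {})[real] = sha256_of(real)

    def decide(self, user, path):
        """Return (allowed, reason) for a request to run `path` elevated."""
        real = os.path.realpath(path)  # resolve symlinks before matching
        allowed = self.rules.get(user, {})
        if real not in allowed:
            return False, "%s: %s is not on the allow-list" % (user, real)
        if not os.path.isfile(real):
            return False, "approved binary is missing"
        if sha256_of(real) != allowed[real]:
            return False, "binary changed since approval (hash mismatch)"
        return True, "approved and unmodified; elevating"


def demo():
    """Exercise the policy on constructed stand-in executables and return
    the allow/deny decisions in order."""
    with tempfile.TemporaryDirectory() as d:
        updater = os.path.join(d, "updater")
        remote_tool = os.path.join(d, "remote-tool")
        with open(updater, "wb") as f:
            f.write(b"#!/bin/sh\necho update\n")
        with open(remote_tool, "wb") as f:
            f.write(b"#!/bin/sh\necho remote shell\n")
        # An attacker gives the unapproved tool an innocent-looking name.
        alias = os.path.join(d, "updater-v2")
        os.symlink(remote_tool, alias)

        policy = ElevationPolicy()
        policy.approve("alice", updater)

        results = [
            policy.decide("alice", updater)[0],      # approved app -> True
            policy.decide("alice", remote_tool)[0],  # unknown tool -> False
            policy.decide("alice", alias)[0],        # symlink to it -> False
        ]
        with open(updater, "ab") as f:               # tamper with approved file
            f.write(b"echo pwned\n")
        results.append(policy.decide("alice", updater)[0])  # hash mismatch -> False
        results.append(policy.decide("bob", updater)[0])    # no rules for bob -> False
        return results


if __name__ == "__main__":
    print(demo())
```

The point of hashing rather than matching on path alone is that an attacker with write access to an approved location can otherwise replace the binary and inherit its elevation; resolving the real path first closes the symlink variant of the same trick.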
2. Protect privileged account passwords
It's easy to fall into the trap of thinking of privileged accounts in terms of the human users who have them. But privileged accounts are also extended to machines and systems to allow them to interact.
Organizations typically have two to three times more privileged accounts than they have employees. Carson notes that every system that gets deployed comes with a default account, and those systems get connected to service accounts to maintain them. Each virtual machine that gets deployed also receives privileges that don't expire when the machine they're associated with gets spun down. And if a VM is cloned, those privileges get cloned along with it. As a result, organizations often wind up with large numbers of rogue privileged accounts with access to their environment.
"Thus, hijacking privileged accounts gives attackers the ability to access and download an organization's most sensitive data, poison data, broadly distribute malware, bypass existing security controls and erase audit trails to hide their activity," Thycotic writes in the report. "It is critical to proactively manage, monitor, and control privileged account access — these accounts are necessary to today's IT infrastructure and ensuring they are securely managed is critical."
To make matters worse, organizations still frequently rely on manual systems like spreadsheets to manage privileged account passwords. Not only is that inefficient, Carson notes that such systems themselves are easily hacked, posing a major security risk to the entire enterprise.
"Privileged Account password protection provides a comprehensive solution to automatically discover and store privileged accounts, schedule password rotation, audit, analyze and manage individual privileged session activity and monitor password accounts to quickly detect and respond to malicious activity," Thycotic writes. "This adds a new layer of security to protect privileged accounts from inside the network."
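The discovery and password-rotation steps described above can be shown on a single Unix host. The following is an added example, not Thycotic's tooling: it parses /etc/passwd, /etc/group and /etc/shadow formatted text, identifies every privileged account (UID 0, or membership in an assumed set of admin groups), and flags the problems the section warns about: a second UID-0 account left behind by a legacy agent, an account with no password, and service-account passwords that never expire or are older than the rotation policy. The account data and the fixed "today" value are constructed so the run is reproducible; on a real host you would read the files themselves (root is needed for shadow).

```python
"""Privileged-account discovery and password-rotation audit for a Unix host.

Added example, not Thycotic's tooling.  Parses passwd/group/shadow-formatted
text (constructed sample data below) and, for each privileged account, reports
UID-0 aliases, missing passwords, and passwords that never expire or exceed
the rotation policy.  Service accounts fall under the same rules as human
admins because they hold the same keys.
"""
from dataclasses import dataclass, field

PRIVILEGED_GROUPS = {"root", "wheel", "sudo", "admin"}  # assumption: site policy
NEVER_EXPIRES = 99999  # shadow(5) max-age value that effectively disables expiry


@dataclass
class Account:
    name: str
    uid: int
    gid: int
    groups: set = field(default_factory=set)
    pw_hash: str = ""
    last_change: int = -1          # days since epoch; -1 = never recorded
    max_age: int = NEVER_EXPIRES


def parse_passwd(text):
    accounts = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, uid, gid, _gecos, _home, _shell = line.split(":", 6)
            accounts[name] = Account(name, int(uid), int(gid))
    return accounts


def apply_groups(accounts, text):
    gid_to_name = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        gname, _pw, gid, members = line.split(":", 3)
        gid_to_name[int(gid)] = gname
        for member in filter(None, members.split(",")):
            if member in accounts:
                accounts[member].groups.add(gname)
    for acct in accounts.values():  # the primary group grants membership too
        if acct.gid in gid_to_name:
            acct.groups.add(gid_to_name[acct.gid])


def apply_shadow(accounts, text):
    for line in text.splitlines():
        if not line.strip():
            continue
        name, pw_hash, last_change, _min_age, max_age = line.split(":")[:5]
        if name in accounts:
            acct = accounts[name]
            acct.pw_hash = pw_hash
            acct.last_change = int(last_change) if last_change else -1
            acct.max_age = int(max_age) if max_age else NEVER_EXPIRES


def is_privileged(acct):
    return acct.uid == 0 or bool(acct.groups & PRIVILEGED_GROUPS)


def audit(passwd, group, shadow, today_days, rotation_days=90):
    """Map each privileged account name to its list of findings ([] = clean)."""
    accounts = parse_passwd(passwd)
    apply_groups(accounts, group)
    apply_shadow(accounts, shadow)
    findings = {}
    for acct in accounts.values():
        if not is_privileged(acct):
            continue
        issues = []
        if acct.uid == 0 and acct.name != "root":
            issues.append("uid-0 alias")
        if acct.pw_hash == "":
            issues.append("no password")
        elif not acct.pw_hash.startswith(("!", "*")):  # locked hashes are unusable
            if acct.max_age >= NEVER_EXPIRES:
                issues.append("password never expires")
            if acct.last_change < 0 or today_days - acct.last_change > rotation_days:
                issues.append("password older than %d days" % rotation_days)
        findings[acct.name] = issues
    return findings


# Constructed sample data: a legacy backup agent left as a second UID-0 account
# with no password, and a deploy service account that never rotated its password.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
backupsvc:x:0:0:legacy backup agent:/var/backups:/bin/sh
alice:x:1001:1001:Alice Admin:/home/alice:/bin/bash
deploy:x:1002:1002:CI deploy service:/srv/deploy:/bin/bash
www:x:33:33:web server:/var/www:/usr/sbin/nologin
"""
SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:alice,deploy
"""
SAMPLE_SHADOW = """\
root:$6$salt$hash:19350:0:90:7:::
backupsvc::16000:0:99999:7:::
alice:$6$salt$hash:19100:0:90:7:::
deploy:$6$salt$hash:15000:0:99999:7:::
www:*:15000:0:99999:7:::
"""
TODAY = 19400  # fixed "today" in days since epoch so the output is reproducible

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_PASSWD, SAMPLE_GROUP, SAMPLE_SHADOW, TODAY).items():
        print("%-10s %s" % (name, ", ".join(issues) or "ok"))
```

Run against the sample data, root comes back clean, backupsvc is flagged as a passwordless UID-0 alias, and both wheel members are flagged for stale passwords, with deploy additionally flagged because its maximum age disables expiry. The same audit applied across a fleet is the "discover" half of the password-management tooling the report describes; rotation and session monitoring build on the inventory it produces.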
3. Extend IT security awareness training
Most security professionals believe that human beings are the weakest link in any organization's security.
"As more sophisticated social engineering and phishing attacks have emerged in the past few years, companies need to seriously consider expanding their IT security awareness programs beyond simple online tests or acknowledgements of policies," Thycotic writes. "Especially as personal mobile devices are increasingly used for business purposes, educating employees on secure behaviors has become imperative."
Security awareness training has a history of variable results, though Steve Durbin, managing director of the Information Security Forum (ISF) believes that a program that seeks to embed positive infosec behaviors into business processes can transform employees from weakest link into first line of defense.
"The process itself may be the problem," Durbin says. "It may be you have a particularly complex system or cumbersome process and it doesn't have to be that way. Ask yourself: 'If we were starting fresh, how would we build security into this particular process that would make it easy for people to conform?"
It should be noted, though, that white hat hackers are greater believers in security awareness training than black hat hackers.
"Interestingly, both black hat and white hat hackers ranked all five security measures in almost the same order, except black hats did not believe IT security awareness training was as important," Carson says. "Overall, black hats would have ranked IT security awareness training in fourth place, giving more importance to limiting unknown applications from running. It could be that black hat hackers view humans as an unpredictable, weak link compared to a technological solution that restricts risky behavior."
4. Limit unknown applications
You can't protect something if you don't know it's there. You need to know which applications are authorized to run on your network and ensure their passwords are protected.
"Application accounts need to be inventoried and undergo strict policy enforcement for password strength, account access and password rotation," Thycotic writes. "Centralized control and reporting on these accounts is essential to protect critical information assets."
5. Protect user passwords with security best practices
Finally, it's not just about privileged accounts. While privileged accounts provide attackers with critical data access, end-user accounts remain an attack vector. Indeed, 77 percent of the survey respondents don't believe any password is safe from hackers.
"Protecting user passwords was ranked last, and some may say that's good news for companies, because changing human behavior is hard — it can be a much less daunting task to change processes on the IT team vs. all employees at a company," Carson says. "However, when you are ready to secure end user passwords, look for solutions that enforce your security policy for password strength and the frequency of password changes, and also provide easy and secure password resets — regularly requiring employees to change their workstation passwords will undoubtedly mean calls to the help desk when new passwords are forgotten.