According to a newly released survey conducted at Black Hat 2018, 50% of hackers said that Windows 8 and Windows 10 have been the easiest attack vectors to exploit this year.
Thycotic surveyed more than 300 hackers – nearly 70% of whom identified as white hats – to understand the hacker perspective with regard to vulnerabilities and attack vectors.
In its 2018 Black Hat Hacker Report, Thycotic reveals that hackers often leverage the reality that operating systems are only as secure as the people using them.
“The 2018 Black Hat Hacker Report indicates that our operating systems and endpoints remain woefully vulnerable to hackers and threats from cyber-criminals,” said Joseph Carson, chief security scientist at Thycotic, in today’s press release.
While the two Windows operating systems provided easy access, the survey found that 26% of hackers infiltrated Windows 10 most often, while 22% hacked Windows 8 the most. Linux lagged behind in popularity, with hackers exploiting vulnerabilities in the OS only 18% of the time. Less than 5% of respondents said that Mac was their easiest or most often-used attack vector.
Asked about taking control of privileged accounts, 56% of hackers said that social engineering is the fastest technique for seizing them. Most often, hackers are able to elevate privilege by either using default vendor passwords or exploiting application and OS vulnerabilities, the survey stated.
In addition, survey participants reported that nearly two-thirds (74%) of companies are lagging when it comes to implementing the principle of least privilege. In an email interview, Carson said, “Most companies are failing at applying the principle of least privilege as they are trying to solve this challenge with a technology-only approach, which tends to focus more on security without considering employee usability.”
The problem with such an approach is that the focus is most often on security rather than employee usability. “This typically creates a conflict between employee productivity and the need for better cybersecurity, resulting in a poor security experience and employees look for ways around it.”
Because lagging behind in privileged access policies could result in more data breaches, Carson said a failure to implement least privilege will mean a higher cost for companies when they experience a data breach.
Thycotic recommends an approach that combines people and technology, as it provides the chance to create an experience in which productivity and security work together. “Least privilege can only be successful when employee productivity is not impacted, allowing them to continue doing their job without the need to call the IT help desk continuously,” he said.