Slashdot Mirror


Software Exploits Aren't Needed To Hack Most Organizations (darkreading.com)

The five most common ways of hacking an organization all involve stolen credentials, "based on data from 75 organizations, 100 penetration tests, and 450 real-world attacks," writes an anonymous Slashdot reader. In fact, 66% of the researchers' successful attacks involved cracking a weak domain user password. From an article on Dark Reading: Playing whack-a-mole with software vulnerabilities should not be top of security pros' priority list because exploiting software doesn't even rank among the top five plays in the attacker's playbook, according to a new report from Praetorian. Organizations would be far better served by improving credential management and network segmentation...

"If we assume that 1 percent [of users] will click on the [malicious] link, what will we do next?" says Joshua Abraham, practice manager at Praetorian. The report suggests specific mitigation tactics organizations should take in response to each one of these attacks -- tactics that may not stop attackers from stealing credentials, but "building in the defenses so it's really not a big deal if they do"... [O]ne stolen password should not give an attacker (or pen tester) the leverage to access an organization's entire computing environment, exfiltrating all documents along the way.

Similar results were reported in Verizon's 2016 Data Breach Investigations Report.

1 of 57 comments

  1. Re:Management is the biggest vulnerability (by guruevi, Score: 3, Informative)

    All of those are perfectly good questions to ask your IT department.
    - Requiring more complicated passwords does not improve security significantly, as people start using simpler (to crack) passwords and writing them down (or worse, putting them on a cloud-based notepad app)
    - Requiring 3-month changes is likewise going to result in simpler passwords
    - Allowing user domain accounts to have any credentials on any servers unnecessarily results in issues like having a single credential login to SSH on any server. You should only need your accounts to authenticate against specific applications and do proper filtering (e.g. only authenticate against cn=managers,ou=sales, not your entire LDAP tree).
    - A 2007 IBM server should be able to handle plenty of directory services. LDAP is almost as old as the Internet, it's "lightweight" and a single set of servers should be able to handle thousands if not millions of queries per minute. Of course, if you're tied into a single vendor *cough*Microsoft*cough*, you should've calculated the true cost in 2007.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
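The commenter's point about not letting every domain account log in to every server (scope authentication to a specific group, not the whole LDAP tree) maps directly onto how an SSSD client is configured. Below is an added illustration, not from the article or the comment: a weak `/etc/sssd/sssd.conf` domain section that lets any account in the directory log in, beside a corrected one that restricts access to members of the `cn=managers,ou=sales` group the comment mentions. The directory suffix `dc=example,dc=com`, the domain name, and the server URI are constructed placeholders; `access_provider`, `ldap_access_order`, `ldap_access_filter`, and `ldap_search_base` are real SSSD options.

```ini
; --- WEAK: any user that exists in the whole directory tree can log in ---
; (assumed placeholder domain and server; not the project's own config)
[domain/example.com]
id_provider   = ldap
auth_provider = ldap
ldap_uri      = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
; No access_provider: a valid bind anywhere under dc=example,dc=com is enough,
; so one cracked domain password opens SSH on this host.

; --- CORRECTED: only members of cn=managers,ou=sales may log in here ---
[domain/example.com]
id_provider   = ldap
auth_provider = ldap
ldap_uri      = ldaps://ldap.example.com
; narrow what this host even looks up
ldap_search_base = ou=sales,dc=example,dc=com
; enforce an access filter after authentication succeeds
access_provider   = ldap
ldap_access_order = filter
ldap_access_filter = (memberOf=cn=managers,ou=sales,dc=example,dc=com)
```

With the corrected section, a user whose password has been cracked but who is not in the managers group authenticates successfully at the directory and is still refused by SSSD's access check on this host, which is the "one stolen password should not give access to the whole environment" property the article argues for. Pairing this with `AllowGroups` in `sshd_config` gives the same restriction a second, independent enforcement point.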