Software Exploits Aren't Needed To Hack Most Organizations (darkreading.com)
The five most common ways of hacking an organization all involve stolen credentials, "based on data from 75 organizations, 100 penetration tests, and 450 real-world attacks," writes an anonymous Slashdot reader. In fact, 66% of the researchers' successful attacks involved cracking a weak domain user password. From an article on Dark Reading:
Playing whack-a-mole with software vulnerabilities should not be top of security pros' priority list because exploiting software doesn't even rank among the top five plays in the attacker's playbook, according to a new report from Praetorian. Organizations would be far better served by improving credential management and network segmentation...
"If we assume that 1 percent [of users] will click on the [malicious] link, what will we do next?" says Joshua Abraham, practice manager at Praetorian. The report suggests specific mitigation tactics organizations should take in response to each one of these attacks -- tactics that may not stop attackers from stealing credentials, but "building in the defenses so it's really not a big deal if they do"... [O]ne stolen password should not give an attacker (or pen tester) the leverage to access an organization's entire computing environment, exfiltrating all documents along the way.
Similar results were reported in Verizon's 2016 Data Breach Investigations Report.
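Added example, not from the article, the Praetorian report or any commenter: a small Python audit that hashes a policy-shaped wordlist and matches it against a domain hash dump, illustrating the "cracking a weak domain user password" finding above and the complexity-rule discussion further down the thread. The dump, user names and passwords are constructed here in a secretsdump-style `user:rid:lmhash:nthash:::` layout, the complexity rule (eight characters, three of four classes) is an assumed typical AD-style policy, and MD4 is implemented inline because OpenSSL 3 builds of Python often drop it from hashlib.

```python
"""Audit a constructed NT hash dump against a wordlist shaped like a password policy.

Added example, not the article's or Praetorian's code. Everything below the MD4
routine (dump format, users, passwords, policy rule) is an assumption for illustration.
"""
import itertools
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def _md4_block(state, block):
    # One 64-byte block of RFC 1320 MD4: three rounds of 16 steps each.
    X = struct.unpack("<16I", block)
    a, b, c, d = state
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, range(16), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for func, const, order, shifts in rounds:
        for i, k in enumerate(order):
            a = _rotl((a + func(b, c, d) + X[k] + const) & MASK32, shifts[i % 4])
            a, b, c, d = d, a, b, c  # rotate registers; 16 steps bring them back in place
    return [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]


def md4(data: bytes) -> bytes:
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        state = _md4_block(state, bytes(msg[off:off + 64]))
    return struct.pack("<4I", *state)


def ntlm(password: str) -> str:
    """NT hash: unsalted MD4 of the UTF-16LE password, so one candidate hash covers every user."""
    return md4(password.encode("utf-16-le")).hex()


def meets_complexity(pw: str, min_len: int = 8) -> bool:
    """Assumed AD-style rule: minimum length plus three of the four character classes."""
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return len(pw) >= min_len and sum(classes) >= 3


def policy_shaped_wordlist(base_words, years, suffixes=("!", "1", "123", "!1")):
    """Candidates that satisfy the rule above yet follow the patterns users actually pick."""
    for word, year, suf in itertools.product(base_words, years, suffixes):
        yield f"{word.capitalize()}{year}{suf}"
        yield f"{word.capitalize()}{suf}"


def parse_dump(text: str) -> dict:
    """Assumed secretsdump-style lines: user:rid:lmhash:nthash:::"""
    users = {}
    for line in text.strip().splitlines():
        user, _rid, _lm, nt = line.split(":")[:4]
        users[user] = nt.lower()
    return users


def crack(users: dict, candidates) -> dict:
    """Hash each candidate once and look it up against all users (no per-user salt to defeat)."""
    by_hash = {}
    for user, h in users.items():
        by_hash.setdefault(h, []).append(user)
    found = {}
    for pw in candidates:
        for user in by_hash.get(ntlm(pw), []):
            found[user] = pw
    return found


# Constructed dump: hashes are derived here from made-up passwords; the LM field is the empty-LM value.
_SAMPLE_PASSWORDS = {"jsmith": "Summer2016!", "akumar": "Welcome123",
                     "svc_backup": "Password1", "cfo": "x7#Lq!9vRt2m"}
SAMPLE_DUMP = "\n".join(
    f"{u}:{1100 + i}:aad3b435b51404eeaad3b435b51404ee:{ntlm(p)}:::"
    for i, (u, p) in enumerate(_SAMPLE_PASSWORDS.items()))


def audit(dump_text: str, base_words=("summer", "winter", "password", "welcome", "company"),
          years=("2015", "2016")) -> dict:
    """Return {user: (cracked_password, passes_complexity_policy)} for every cracked account."""
    users = parse_dump(dump_text)
    found = crack(users, policy_shaped_wordlist(base_words, years))
    return {u: (pw, meets_complexity(pw)) for u, pw in found.items()}


if __name__ == "__main__":
    for user, (pw, ok) in audit(SAMPLE_DUMP).items():
        print(f"{user:12s} {pw:14s} passes complexity policy: {ok}")
```

Run stand-alone it recovers three of the four constructed accounts, every one of which passes the complexity rule; only the long random password survives. That is the practical content of the report's point: complexity rules shape what weak passwords look like without removing them, and because NT hashes are unsalted, a few hundred policy-shaped candidates are tested against an entire domain at once.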
What if it's the lead system administrator's password?
Why have you designed an enterprise-wide administration process based on a hierarchy, where an attack on (one of) the top nodes can gain entry into everything?
Have gnu, will travel.
exploiting software doesn't even rank among the top five plays in the attacker's playbook
Only *because* you've been "Playing whack-a-mole with software vulnerabilities". If you stop applying patches, using exploits would be more productive.
09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
Compartmentalization carries its own dangers. The idea is sound: only give people access to the systems and documents they need access to. The problem is that you'll never know beforehand which systems and documents those are. So, you need access to Doc X? "I know it takes 2 weeks to process an access request for this folder, so why don't I just email you the thing. Or I can email my credentials so you can access it with those". If your security measures get in the way of people doing their jobs, they will work around it.
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
I support the concept of annual password changes. Much more than that and you quickly annoy your users, with very little gain in security.
Password complexity? Yes, but again, don't annoy your users. These arbitrary "must have one upper case and one lower case character, plus one number" BS rules, they aggravate the legitimate people you need on your side! Also, no words from the dictionary? Really? How do you think users remember their passwords?
If you are going to go full-on user hostile, then random generate huge, algorithmic passphrases. Stop pretending that you care at all about the users and just make them do what you want. Your security will get 0.000001% better and you'll feel good about yourself. In perhaps 3-5 years there will be a user revolt and you'll be out of a job. Congratulations! Then your organization will go too far the other way and the password "12345" will be allowed, as will "password" and "sex".
Indeed, one password is not nearly enough. Each file should have its own password! Consisting of at least 38 characters that are randomly generated and consist of lowercase, uppercase, punctuation, digits, Chinese, whitespace, and dingbats! And changing every 24 hours!
In fact I don't think that's secure enough yet. Maybe we should just not allow any 'files'. That way the hackers can never take them.
Do security people even understand that one of the primary goals of security must always still be that it must still be possible for work to be done? That, despite everything, they are a _service_, not a goal? That without any work going on, they will also be out of a job?
All the security you can come up with can be undone instantly if you offer the right person enough money.
Bribe the TACACS server admin and you're golden. They'll set you up with access to anything and everything.
Pay them some more and they would probably disable logging for you.
Pro tip: Treat your IT folks well because they hold the keys to your entire Kingdom.