Software Exploits Aren't Needed To Hack Most Organizations

The five most common ways of hacking an organization all involve stolen credentials, "based on data from 75 organizations, 100 penetration tests, and 450 real-world attacks," writes an anonymous Slashdot reader. In fact, 66% of the researchers' successful attacks involved cracking a weak domain user password. From an article on Dark Reading: Playing whack-a-mole with software vulnerabilities should not be top of security pros' priority list because exploiting software doesn't even rank among the top five plays in the attacker's playbook, according to a new report from Praetorian. Organizations would be far better served by improving credential management and network segmentation...

"If we assume that 1 percent [of users] will click on the [malicious] link, what will we do next?" says Joshua Abraham, practice manager at Praetorian. The report suggests specific mitigation tactics organizations should take in response to each one of these attacks -- tactics that may not stop attackers from stealing credentials, but "building in the defenses so it's really not a big deal if they do"... [O]ne stolen password should not give an attacker (or pen tester) the leverage to access an organization's entire computing environment, exfiltrating all documents along the way.
Similar results were reported in Verizon's 2016 Data Breach Investigations Report.

Re:New rule passwords must be changed each week

[clovis]

New rule passwords must be changed each week

And it has to be written on a post-it on your monitor so we can check.

Stop applying patches? Then you'll be in trouble.

[complete+loony]

exploiting software doesn't even rank among the top five plays in the attacker's playbook

Only *because* you've been "Playing whack-a-mole with software vulnerabilities". If you stop applying patches, using exploits would be more productive.