Connect with us

Hi, what are you looking for?


Network Security

Patching Not Enough; Organizations Must Adopt Zero-Trust Practices: Report

Hackers Can Gain Network Access Via Social Engineering and Wait for New Zero-Day Exploits to Elevate Their Privilege

Hackers Can Gain Network Access Via Social Engineering and Wait for New Zero-Day Exploits to Elevate Their Privilege

At Black Hat 2017, privileged access firm Thycotic surveyed 250 hackers to find out what was easy and what was hard about hacking into networks. At this year’s Black Hat, it conducted a similar survey (PDF) among 300 people that consider themselves hackers.

“This year,” Thycotic’s chief security scientist Joseph Carson told SecurityWeek, “we also wanted to better understand the types of hacker that exist, and their motives for doing what they do.”

The respondents self-identified as three groups that could traditionally be described as white hat (70%), grey hat (30%) and black hat (5%). The white hats describe themselves as ‘ethical’ hackers — they use their skills and knowledge for good purposes. “There’s another category — which is also ethical — but where they admit to crossing the line,” said Carson. “Their motivation is still to benefit the community; but they admit that some of their practices may actually be illegal.”

These tend to be independent researchers, and their work is often unrecognized, because, said Carson, “they tend to report their findings through anonymous channels.”

And then there’s the black hats — those who hack for illegal purposes and for personal gain. Only 5% of the respondents admitted to this; but none of them are likely to be full-time criminals. Law enforcement agencies always monitor Black Hat; and ‘unemployed’ attendees are of particular interest.

The 5% black hats are likely to have legitimate day jobs, and may well have been sent to Black Hat by their employer. It tends to confirm the findings of Malwarebytes this summer — many companies have one or two employees who moonlight to the dark side.

“Another area we wanted to examine,” Carson told SecurityWeek, “is whether staying up to date with the latest software is any protection against hackers.” Specifically, Thycotic wanted to know whether current OSs are easily compromised, and asked the question, ‘Which OS did you conquer the most in the past 12 months?’.

Advertisement. Scroll to continue reading.

“What was really surprising,” said Carson, “was that Windows 10 — even though it is the latest and most secure operating system from Microsoft — is still easily exploitable by hackers. More than one-third of the compromised OSs were Windows 8 and 10. It goes against the common viewpoint that having the latest fully patched system will keep you secure. You have to accept that being patched and up to date is not enough on its own.”

The most common method of hacking used by the respondents (56.03%) is social engineering — it’s easier and a lot cheaper than using a zero-day exploit. “Hackers confirmed that 50% of their exploits have uncovered employees re-using passwords that have been already exposed in other data breaches, giving hackers an easy way onto the network,” notes the report.

It is clear that users still do not understand the weaknesses in passwords. “A strong password isn’t just a lot of jumbled characters,” said Carson. “Before it can be considered strong, a password must combine three separate characteristics: it must be complex, unique, and not already compromised elsewhere.”

“One thing we did notice,” Carson told SecurityWeek, “is that using social engineering doesn’t automatically give the hacker privileged access and full network control. Hackers gain access and then wait for the arrival of new zero-day exploits that allow them to elevate their privilege.”

Carson pointed out that one such Windows 10 zero-day was disclosed a few weeks ago. “This likely means that over the past couple of weeks many companies that had a simple unprivileged account breach now have the potential for a major compromise occurring within their networks. Social engineering allows attackers to get one foot in the door and then they wait for either misconfiguration or a new vulnerability that they can easily exploit to move to the next level.”

These two findings from the hacker respondents — that patching doesn’t prevent hacking, and that most hacks come through social engineering — are key to Carson’s primary conclusion: organizations need to adopt zero-trust practices. “We learnt from last year’s study that least privilege and multi-factor authentication make life difficult for hackers,” Carson told SecurityWeek

“We learn this year that 75% of companies have still not adopted this approach despite its effectiveness.” Zero trust implies the automatic assumption that an account has been compromised, and requires multi-factor authentication to prove otherwise. This is applied both when moving from the internet to the corporate network, and from one segment of the corporate network to another segment.

“The combination of least privilege and zero trust will make life too difficult for the hackers, and they will likely give up and move on to easier targets,” said Carson. Those hackers who have socially engineered a low privilege account and are waiting for a privilege escalation zero day will find they have to break in again before they can do everything.

“Every time the criminal returns to the network he is challenged again and has to use multiple and more sophisticated methods to continue the attack,” said Carson. “Combining the principles of least privilege and zero trust is not 100% protection, but it is a major deterrence against everyday hacking.”

Related: Organizations Fail to Maintain Principle of Least Privilege 

Related: Exploiting People: Report Shows Attacker Love for Huma
n Interaction

Related: Compromised Credentials: The Primary Point of Attack for Data Breaches 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...