Thycotic Research Reveals Where Hackers and Security Professionals Agree and Where They Differ
September 2019 by Thycotic
Thycotic, provider of privileged access management (PAM) solutions to more than 10,000 organizations, including 20 percent of the Fortune 100, today released research results in a new report entitled "Hackers & Security Professionals at Black Hat 2019: Where They Agree and Where They Differ." The report finds that service accounts are a favored target of hackers, yet 35 percent of service account passwords never get changed or are changed only after a security incident.
The report is based on interviews with nearly 300 hackers (49 percent) and security professionals (51 percent) in attendance at the Black Hat 2019 annual conference in Las Vegas.
Both hackers and security pros strongly agree that service accounts are an attractive target because hackers can easily elevate privileges and gain access to sensitive information. And, they are in near-identical agreement on the best ways to protect a service account from compromise. In many software installations, the password for service accounts either remains the default vendor password (easily found on the internet) or it exists only in the memory of the consultant who installed the software.
"Service accounts can pose a significant risk to organizations because they are so difficult to manage and secure properly, especially across multiple accounts for different services, tasks, and other applications," said Joseph Carson, Chief Security Scientist at Thycotic. "Service account passwords are also a challenge because administrators can’t safely change a service account password if they don’t know where it’s used without risk of bringing down other applications."
The report had three main themes between hackers and security professionals:
• Get control of your service accounts or face the consequences
• Hackers don’t discriminate when targeting privileged accounts: on-premise, cloud and in hybrid environments
• Security professionals and hackers need to close a "trust gap"
Hacker respondents surveyed consider themselves to be helping improve security and a valuable resource for reducing risks from cyberattacks, with more than half saying they would disclose vulnerabilities responsibly. However, nearly 50 percent of security pros believe hackers would sell stolen sensitive data for profit, and only 10 percent think hackers would disclose it responsibly.
In another survey finding, a significant number of security pros (36%) and hackers (22%) did not feel any of the major providers such as AWS, Microsoft or Google were especially good at protecting their IT environments from threats. Hackers seemed to have a better opinion of AWS (32%) followed by Google (22%) and Microsoft Azure (20%). Security pros rated AWS (30%) ahead of both Microsoft (18%) and Google (15%).