Saw mention of a post over at CIO: 5 Security Practices Hackers Say Make Their Lives Harder. Ok. It seems like every security practice should make their lives somewhat harder. The 5 items trend largely towards password and privileged account protection, which isn’t surprising since the survey was conducted at Black Hat USA 2016 by Thycotic, a vendor of password and account management tools (or Privileged Account Management [PAM] for the fancy). And I have used and generally like their Thycotic Secret Server, so I have nothing against them. I just generally have issues with vendor-led statistics. [As an aside, I consider Thycotic a sort of third-level solution for any organization that has to manage privileged accounts. First being nothing, written, text files, or Excel files with password protection. Second being a PasswordSafe, KeePass, or even LastPass sort of user/group password management tool. And third being something enterprise-ready that you’ll have to pay for, though not exorbitantly, like Thycotic.]
So I headed off to see what this survey was all about. I found a copy sitting over at SCMagazine: the 2016 Hacker Survey Report. Mysterious! Unfortunately, the survey pdf itself shows nothing of the methodology of the survey or the questions asked to get those 5 items that make hacker jobs more difficult.
Are the items wrong? Not really. Account security is highly important, from admin to end user. Access escalation and end-user phishing are strong topics for IT security in 2016 (along with cloud security and anything to do with PowerShell).
I just always get skeptical when I see self-serving vendor-provided surveys and information.
Edit: I actually just saw on LinkedIn that the survey pdf is now available from Thycotic if you want to submit some false sales information (no real verification or checks to download). It’s the same pdf as linked up above. And it’s still really not that interesting.