Windows OS Is Still the Most Lucrative Target for Hackers. Why?

Windows OS Is Still the Most Lucrative Target for Hackers. Why?

We update monthly on Patch Tuesday, install firewalls, anti-virus and anti-spyware, and always coach users to use complex, secure passwords. But apparently it is still not enough. A recent poll of 300 hackers conducted at Black Hat finds Windows OS is still a very hot target for attack. Those that answered the survey were a combination of white hat, gray hat and black hat hackers.

Nearly 50 percent of those surveyed said they had compromised Windows-based systems more than any other within the past year. Most said they infiltrated Windows 10 most frequently, followed by Windows 8. Microsoft says Windows 10 has been deployed on 700 million devices since its launch in 2015.

Microsoft has prioritized security in recent years, recently noting it will continue to invest over $1 billion a year on cybersecurity and research in order to further enhance the defenses of its products. But clearly, Windows is still seen as a sitting duck for hackers seeking a quick win. Why is that?

“With more than 80 percent of the desktop OS market share, it is no surprise that Windows is a hot target for hackers,” said Michael Maltsev, a security researcher at Reason Software Company. “Microsoft is well aware of this, and constantly works on mitigations for known attacks. For example, Windows 10 introduces security features such as KCFG (Kernel Control Flow Guard), ACG (Arbitrary Code Guard), HyperGuard, ASR (Attack Surface Reduction) and WDEG (Exploit Protection). Even though not all mitigations are enabled by default due to compatibility reasons, we can see a trend where it’s more difficult for attackers to exploit the system, and more attackers are relying on social engineering for the job.”

Windows Security Has Improved, But So Have Hacker Techniques

To its credit, Microsoft has included enhancements and improvements to each new Windows OS, which have paid off with better security in each new OS release, but there will always be the age-old problem of user error.

“It’s not that easy to compromise Windows from a remote only standpoint anymore,” said Dennis Chow, CISO, SCIS Security, a cybersecurity only consulting firm in Houston. “Many exploits are focused on ‘client side’ exploitation where they have to entice users to take an action; visit a site or email and click on a payload.”

The social engineering criminals Chow is referring to are constantly evolving their techniques, and with a majority of users sitting on the other end of a Windows OS, that is what they are after.

“Many hackers are running a business and you don’t create a new app or device that won’t have a market,” said Chris Goettl, director of product management, security, for Ivanti. “You create where there will be demand, where you can attach to more of the market. If more than 50 percent of the systems that hackers want to access are running Windows, then Windows is their primary target.”

Despite Investment in Security, Windows Vulnerabilities Climb

Enhancements in security features may have hardened Windows defenses, but admins are still fighting a hard-won battle against bugs and vulnerabilities that only appears to be getting worse. Analysis conducted last year by Avecto found Microsoft vulnerabilities have more than doubled since 2013. In a five-year analysis of Windows vulnerabilities, the firm found the number of reported vulnerabilities has risen 111 percent since 2013 and the number of critical vulnerabilities rose 60 percent in the same period.

“Companies are still leaving critical vulnerabilities open,” said Chris Stoneff, vice president of security solutions at Bomgar, which recently acquired Avecto. “According to the Avecto survey, 88 percent of all critical vulnerabilities reported by Microsoft over the last five years would have been mitigated by removing admin rights.”

Thycotic, in its summary of the Black Hat survey findings, echoes Stoneff’s thoughts and advised organizations to adopt a “zero-trust” strategy that emphasizes least privilege in order to mitigate Windows security concerns.

“Three out of four (75 percent) of hackers say companies fail at applying least privilege, giving user accounts too much access,” the summary of findings read. “Once compromised these local domain accounts can allow hackers to exploit administrative privileges to gain full access of the entire IT infrastructure and remain undetected.”

Going Beyond Group Policy Objects

Another key takeaway from the Thycotic survey highlights the need for organizations with Windows environments to use more than just Group Policy Objects for security. More than 90 percent of hackers surveyed said they compromised Windows environments despite the use of GPO to help maintain security.

“Despite using GPO to harden Windows environments, hackers indicate they can easily bypass security controls,” said the summary of findings. “Most hackers use Mimikatz, a popular Windows security audit tool (also available in Kali Linux), to extract plaintext passwords, hashes, PIN codes, Kerberos tickets from memory and perform pass-the-hash attacks. Other methods include getting passwords from SYSVOL, exploiting Group Policy Preferences or using Metasploit.”

Despite Troubles, Windows Will Continue Its Domination

With its massive market share, Windows will continue to be the top target for industrious criminals, but there are tactics Windows admins and security managers can employ to shore up defenses. A holistic approach that relies on solid patching practices and layered tools for security can give your organization a better shot at keeping hackers at bay.