What Hackers Really Want

By Rob Medley

19 June 2016

You’ve spent thousands of dollars on that new Intrusion Detection System, upgraded your firewalls and endpoint security.  You kick back, sip your latte and marvel at this titan of security that lies before you.  You’re confident that there is absolutely no way to break into the system; let them try.

Two months later, you’re standing in front of the CEO explaining the breach; the CISO sitting glum in a chair, having incurred the boss’s wrath prior to your arrival.  “How did the breach occur?” the boss asks.  “It’s not clear,” you say, “but it appears to be a privilege escalation that happened after a third-party contractor fell victim to a phishing attack.”  A heavy silence falls on the room as the boss studies you, shredding any confidence you had left in getting that raise; you briefly wonder how many boxes you’ll need to clean out your desk.

This scenario plays itself out far too often across corporate America.  With the high-profile attacks on LinkedIn, MySpace, iMesh, Tumblr, & GitHub, to name a few, it’s hard not to become jaded.  In fact, the ease with which hackers are able to penetrate networks and steal passwords is becoming laughable.  Just this month it was reported that 45 million passwords were stolen from over 1,100 mainstream websites[1].  In May, a Russian hacker was selling over a billion, with a ‘B’, passwords from major email providers[2].  To be fair, it should be mentioned that there were only 272 million unique passwords.

With firms dumping serious cash into network defense, to the tune of 2.3 billion in 2015[3], one must wonder why events such as those mentioned above come to fruition.  According to a recent Ponemon study, the average cost of cleaning up a data breach is $4 million; that’s almost a third more than it was in 2013[4].  Breaking that down further, network downtime is costing firms an average of $300,000 an hour due to incidents[5].  In comparison, hackers are selling compromised servers for less than $10[6].  That’s right, your multimillion-dollar security scheme is worth less than the average trip to Starbucks.

If hackers are investing the time to break into systems, then selling the sensitive data therein for the price of a Whopper and fries, one has to wonder, “What do hackers really want?”  We all know that the motivations for breaking into networks and systems are as varied as the people in the world; but network penetration can generally be grouped into financial motivation, curiosity, or hacktivism.  Regardless of the motivation, the psychological underpinning of any action is that the hacker wants a challenge.

Hackers tend to look at accessing resources as a game (Chess, not Call of Duty).  The psychological high that comes from winning is the reason most get into the intrusion game in the first place.  At the same time, hackers tend to view easy opponents with disdain, feeling that the ‘n00b’ who can’t defend his or her network gets everything they deserve, like having their entire user database published online.  Yet in the hacker heart, they want us to not suck at network defense.  They hope defeating us will be more difficult than playing Mortal Kombat with their three-year-old brother.

We defenders must do our part in this virtual chess game!  In addition to properly securing those new-fangled firewalls with more features/bling than Kim Kardashian’s closet, we have (as in really, people) to get our act together with regard to basic security hygiene.  Bling is fine after you learn the basics.  Let me ask, how long ago did your office update your network security policies?  Do you even have them?  One in four businesses do not have a basic security policy[7].  Are you in the same boat as the Federal Government, with languishing policies as old as 2006?  Just remember that in 2006 Facebook was new, flip-phones were cool, the iPod (with the wheel) was at its height, & iOS, Android, and Windows Vista were not part of our vocabulary yet.

In addition to updating policies for the present, your organization should stand up a risk management program.  The cost of one or two employees (better are consultants – I know one 🙂) to conduct audits of policy controls (NIST, ISO, or whichever framework you use) can save you hundreds of thousands of dollars in downtime.  These risk management professionals can also provide staff training to lock down the human aspect of hacking – social engineering (phishing and whaling).  The end goal of all of this is not to suck at network defense.

Let’s face it; all of the technology in the world will not do any good if there are not sound security controls behind it.  Things like enforcing mandatory password lengths, expiry dates, lockouts – i.e. the basics of security, which seem to be at the root of these huge breaches – are what is needed.  By doing due diligence on these basic things, we make hackers happy.  It’s now harder for them to gain access into a system.  They are forced to spend more time trying to gain the prize and, conversely, we can spend more time playing with the technology toys that make us happy.  Not only will practicing basic security give the cybersecurity chess game renewed vigor; it will give us the respect of hackers.  If you haven’t got the respect of your opponent, what’s the point?

[1] Nicks, D. (2016, June 14). Hackers Steal 45 Million Passwords From Over 1,100 Websites. Retrieved June 18, 2016, from http://time.com/money/4369098/hackers-steal-45-million-passwords/?utm_content=buffere9699

[2] Wei, W. (2016, May 04). Hacker is Selling 272 Million Email Passwords for Just $1. Retrieved June 18, 2016, from http://thehackernews.com/2016/05/hacked-email-accounts.html

[3] Reuters. (2015, September 22). Cyber security investing grows, resilient to market turmoil. Retrieved June 19, 2016, from http://fortune.com/2015/09/23/cyber-security-investing/

[4] Olenick, D. (2016, June 15). Ponemon puts a $4 million price tag placed on mitigating data breaches. Retrieved June 18, 2016, from http://www.scmagazine.com/ponemon-puts-a-4-million-price-tag-placed-on-mitigating-data-breaches/article/503392/

[5] Firewall Migrations: Five Ways To Maximise Security Resilience & Availability – Information Security Buzz. (2016, June 09). Retrieved June 18, 2016, from http://www.informationsecuritybuzz.com/articles/firewall-migrations-five-ways-maximise-security-resilience-availability/

[6] Auchard, E. (2016, June 14). Cybercrime market sells servers for as little as $6 to launch attacks. Retrieved June 18, 2016, from http://www.stltoday.com/business/local/cybercrime-market-sells-servers-for-as-little-as-to-launch/article_fd775f99-3a04-5133-921b-feffeebc7f11.html

[7] Hoffman, S. (2008, October 28). Corporate Security Policies Found Ineffective. Retrieved June 19, 2016, from http://www.crn.com/news/security/211601180/corporate-security-policies-found-ineffective.htm
