Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hacker Business Models

Posted by CmdrTaco on from the doing-what-they-can dept.

wiredmikey writes "The industrialized hackers are intent on one goal — making money. They also know the basic rules of the business of increasing revenues while cutting costs. As hackers started making money, the field became full of 'professionals' that inspired organized cyber crime. Similar to industrial corporations, hackers have developed their own business models in order to operate as a profitable organization. What do these business models look like? Data has become the hacker's currency. More data, more money. So the attack logic is simple: the more attacks, the more likely victim — so you automate ..."

6 of 96 comments (clear)

  1. Sources, or GTFO by Rogerborg · · Score: 2, Informative

    Reads like a lot of obvious consultant-wank generalities to me.

    I don't care who this broad claims to be, she needs to either cite case examples, or go bake me some cookies.

    Oh, client confidentiality. Well, that's convenient, ain't it? On the internets, nobody can prove you're not a 1337 security ninja.

    --
    If you were blocking sigs, you wouldn't have to read this.
  2. Re:ITYM "cracker" by Lord+Ender · · Score: 2, Informative

    News flash: in English, words can have multiple definitions. I'm a hacker and I break golf clubs in frustration.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  3. Re:What's more dangerous? by Anonymous Coward · · Score: 1, Informative

    Your server updates should be applied as soon as they come out. Being a month behind was unacceptable. Sometimes Microsoft releases them out of band (outside of Patch Tuesday). Those are really important and should be installed and the server rebooted that night. Web server should be in a DMZ. Should only have one or two local admin accounts that only the IT people know. Should not have any ports open to the internet except 80 and 443 if you need it. Any other server software on it should be fully updated (apache?).

    What exploit was used to access your web server? What update was not installed that would have prevented it? Were you running IIS or some other web server?

    I have a feeling that being one month behind on your Windows Updates was not actually the cause of this one. Did you check your security logs for any unusual activity? The stuff I wrote above is minimal, and there is no reason for it not to be setup that way. Web servers that get hacked like you described are on clusterfucked networks, in my experience. Your CEO is correct to question your security practices since you were a fucking month behind on your patches.

  4. Re:What's more dangerous? by savanik · · Score: 2, Informative

    So we're not equipped to handle hackers - and we've officially been hacked. What do we do?

    Hiring 'hackers' is a media fiction - you wouldn't hire someone who was convicted of armed robbery to guard your local bank just because he was really good at it, would you? Hire a security professional who actually takes what they do for a living seriously, has credentials to prove it, and has a reputation for honesty and integrity they're not afraid to defend with references from previous employers and clients. Or contract the same. Or hire a consulting firm that specializes in security. A CISSP should be a minimum bar to get over.

    Security is all about setting appropriate levels of trust on personnel. If you don't trust your security professionals (and by the way, the guy who sets up your firewall there should be one of them) then you can't trust the security they're putting in place. Audit the work they do. Trust, but verify. And for your size of network, you should have at least one full-time IT security person on staff.

  5. Re:What's more dangerous? by BigSlowTarget · · Score: 2, Informative

    >Turn to an industrialized hacker and hope we can pay more than our competitor's might pay?
    NO NO NO NO. If you hire a criminal they will steal from you. This is like hiring a wolf to guard the sheep except the sheep are chopped up into cutlets and served to him on fine china.

    Turn to a decent computer consulting company and bring in an integrated security solution, practices and policies. Use the breach as a lever to get the CEO to cough up the money for it. Business case goes like this: Get good security = Spend big $. Don't have good security = delaying expansion plans, legal exposure, unknown potential economic impacts, cobbled together solutions that could fail at any moment. Conceptually describe security as entirely different from normal IT so you don't lose your job. Stay on top of your consultants so you don't lose your job or get screwed with scope change and billing creep.

    If you're worried about gouging get your purchasing people involved but ride herd on them too. Get bids from multiple companies, fixed price lists of services where possible, case examples as available and recommendations.

  6. replace word 'hacker' by 'cracker' by Device666 · · Score: 2, Informative

    Come on the editors of Slashdot should know about the difference between the word hacker and cracker. A hacker has only a negative sound to those who don't know the history about the word or know what they are talking about, you know the way Hollywood uses the word for example. Crackers are the criminal oness. Or at least say something like "black hats" instead of hacker, when it's the criminals you are writing about.

    More and more articles seems to suffer from the same lack of geekyness in multiple different ways..