Slashdot Mirror
Hacker Business Models
wiredmikey writes "The industrialized hackers are intent on one goal — making money. They also know the basic rules of the business of increasing revenues while cutting costs. As hackers started making money, the field became full of 'professionals' that inspired organized cyber crime. Similar to industrial corporations, hackers have developed their own business models in order to operate as a profitable organization. What do these business models look like? Data has become the hacker's currency. More data, more money. So the attack logic is simple: the more attacks, the more likely victim — so you automate ..."
Reads like a lot of obvious consultant-wank generalities to me.
I don't care who this broad claims to be, she needs to either cite case examples, or go bake me some cookies.
Oh, client confidentiality. Well, that's convenient, ain't it? On the internets, nobody can prove you're not a 1337 security ninja.
If you were blocking sigs, you wouldn't have to read this.
News flash: in English, words can have multiple definitions. I'm a hacker and I break golf clubs in frustration.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
So we're not equipped to handle hackers - and we've officially been hacked. What do we do?
Hiring 'hackers' is a media fiction - you wouldn't hire someone who was convicted of armed robbery to guard your local bank just because he was really good at it, would you? Hire a security professional who actually takes what they do for a living seriously, has credentials to prove it, and has a reputation for honesty and integrity they're not afraid to defend with references from previous employers and clients. Or contract the same. Or hire a consulting firm that specializes in security. A CISSP should be a minimum bar to get over.
Security is all about setting appropriate levels of trust on personnel. If you don't trust your security professionals (and by the way, the guy who sets up your firewall there should be one of them) then you can't trust the security they're putting in place. Audit the work they do. Trust, but verify. And for your size of network, you should have at least one full-time IT security person on staff.
>Turn to an industrialized hacker and hope we can pay more than our competitor's might pay?
NO NO NO NO. If you hire a criminal they will steal from you. This is like hiring a wolf to guard the sheep except the sheep are chopped up into cutlets and served to him on fine china.
Turn to a decent computer consulting company and bring in an integrated security solution, practices and policies. Use the breach as a lever to get the CEO to cough up the money for it. Business case goes like this: Get good security = Spend big $. Don't have good security = delaying expansion plans, legal exposure, unknown potential economic impacts, cobbled together solutions that could fail at any moment. Conceptually describe security as entirely different from normal IT so you don't lose your job. Stay on top of your consultants so you don't lose your job or get screwed with scope change and billing creep.
If you're worried about gouging get your purchasing people involved but ride herd on them too. Get bids from multiple companies, fixed price lists of services where possible, case examples as available and recommendations.
Come on the editors of Slashdot should know about the difference between the word hacker and cracker. A hacker has only a negative sound to those who don't know the history about the word or know what they are talking about, you know the way Hollywood uses the word for example. Crackers are the criminal oness. Or at least say something like "black hats" instead of hacker, when it's the criminals you are writing about.
More and more articles seems to suffer from the same lack of geekyness in multiple different ways..