Slashdot Mirror

← Back to Stories (view on slashdot.org)

Survey: Average Successful Hack Nets Less Than $15,000 (csoonline.com)

Posted by timothy on from the short-attention-span dept.

itwbennett writes: According to a Ponemon Institute survey, hackers make less than $15,000 per successful attack and net, on average, less than $29,000 a year. The average attacker conducts eight attacks per year, of which less than half are successful. Among the findings that will be of particular interest to defenders: Hackers prefer easy targets and will call off an attack if it is taking too long. According to the survey, 13 percent quit after a delay of five hours. A delay of 10 hours causes 24 percent to quit, a delay of 20 hours causes 36 to quit, and a majority of 60 percent will give up if an attack takes 40 additional hours. 'If you can delay them by two days, you can deter 60 percent of attacks,' said Scott Simkin, senior threat intelligence manager at Palo Alto Networks, which sponsored the study.

60 of 84 comments (clear)

  1. Pokemon Institute?? by Narcocide · · Score: 3, Funny

    Oh wait, never mind.

    1. Re:Pokemon Institute?? by tepples · · Score: 1

      Has Nintendo Network even been hacked? Its competitor sure has.

    2. Re:Pokemon Institute?? by Zaowulf · · Score: 2

      Glad I wasn't the only one who had to read it twice

  2. Oh those poor hackers! by jellomizer · · Score: 2

    They are making low wages... Boo Hoo.
    Well stop hacking and get a real job.

    Except for most of these hackers are outside the US where the $15,000 USD is a lot of money.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:Oh those poor hackers! by gstoddart · · Score: 1

      And if four of those hacks are successful, that $60K USD is probably worth it.

      Hell, how many people in the US would consider that a decent income?

      --
      Lost at C:>. Found at C.
    2. Re:Oh those poor hackers! by Flavianoep · · Score: 1

      That is what I thought!
      The minimal salary in Brazil is about US$ 3100 a year by today's rate.

      --
      Linux is for people who don't mind RTFM.
    3. Re:Oh those poor hackers! by ShanghaiBill · · Score: 2

      For many of these people, hacking is not their day job. Much hacking involves setting up automated scripts, which then run for hours or days, trying passwords or probing for open ports. In the meantime, the hackers can go about their lives, including going to their day jobs. If you look at the risk/benefit analysis, hacking makes a lot of sense, especially if you live in a jurisdiction that doesn't prosecute online crime.

    4. Re:Oh those poor hackers! by bluefoxlucid · · Score: 3, Informative

      On one hand, it's not a lot of money. A decent job pays more.

      On the other, apparently it's $29,000 for like two days of work.

      I quit playing the stock market because it was hard. I averaged 1% per day on 3-5 day holdings (swing trading; day trading would be attractive if I had a large portfolio), but that was with 18 hours per day of research, waking at 4am to examine news and foreign markets, with loads of analysis of technicals and some fundamentals. It was technically sustainable, if I didn't go insane first.

      Those two days of work for a hacker are followed by months or years of worrying which of the 40 odd jobs the FBI is investigating. I'd imagine an honest job provides a more enjoyable income than one in which you spend the following 7 years hoping the SWAT team doesn't boot your door in.

      --
      Support my political activism on Patreon.
    5. Re:Oh those poor hackers! by Anonymous Coward · · Score: 1
      Strange numbers in the summary. "Less than $29k" per year is oddly specific. They could have said "less than $30k," but decided to be more specific, but didn't say "less than $28k," so I think we can safely assume the number is within a few hundred dollars of $29k. Same for the "less than $15k." It sure sounds a lot like they are using an average number of successful hacks of almost exactly two.
      But then saying "less than half" of the eight attempts are successful is, while true, a step backwards in specificity. It's just as easy to say a quarter of them are successful. This sounds a lot like somebody who doesn't truly understand the data is trying to sell something...

      Scott Simkin, senior threat intelligence manager at Palo Alto Networks, which sponsored the study.

      Yep, there's your problem.

    6. Re:Oh those poor hackers! by Anonymous Coward · · Score: 2, Insightful

      I bet they're not even paying income taxes on that.

    7. Re:Oh those poor hackers! by TWX · · Score: 3, Informative

      They probably converted currencies and didn't bother with significant digits across the conversion. That creates oddly specific numbers even when the source number is rough.

      --
      Do not look into laser with remaining eye.
    8. Re:Oh those poor hackers! by TWX · · Score: 1

      Those two days of work for a hacker are followed by months or years of worrying which of the 40 odd jobs the FBI is investigating. I'd imagine an honest job provides a more enjoyable income than one in which you spend the following 7 years hoping the SWAT team doesn't boot your door in.

      That's probably why sustained-effort hacks are called off after a fairly short time, assuming that the article is correct. Even if the FBI or other law enforcement had full authority to go to each compromised system in-turn to analyse the connections to keep tracking back, there's still the issue of finding the owners, finding the system admins, possibly going in to look at paper records for credentials for systems that aren't commonly accessed, analyzing logs, etc. Quite some time will pass for the investigator to work back to the origin, and if the hacker stops and manages to obfuscate his trail several hops out, they probably won't reach him.

      --
      Do not look into laser with remaining eye.
    9. Re:Oh those poor hackers! by pr0fessor · · Score: 1

      It said they net less than $29k a year on average that is close to what you would net at a $16 or $17/hr 40 hour a week job w/no overtime depending on deductions of course...

    10. Re:Oh those poor hackers! by AchilleTalon · · Score: 1

      For about 4 days of work, it is not as bad as you think. They still have plenty of time for a real job in addition.

      --
      Achille Talon
      Hop!
    11. Re:Oh those poor hackers! by tnk1 · · Score: 1

      And hacking doesn't even really require you to sit there and type really fast for those four hours like they show in Hollywood. Most of these tools are fully automated (this is *computer* crime after all). Your major time expenditure is running scans or exploits and reviewing the results. If you do get in, you have a flurry of work to extrude data, cause havoc, deface web pages, and cover your tracks (if you even care to), but at that point, you've already hit paydirt.

      So, much of the time used for these hacks is probably spent with the hacker playing on their PS4 or Xbone while they wait. They have to be there, but they're not actually doing anything but waiting for something to happen.

    12. Re:Oh those poor hackers! by kamapuaa · · Score: 1

      1% a day, with 250 trading days a year, would be equivalent to making your money increase by a factor of about thirteen over the course of a year. You are the world's genius investor and should go right back at it; surely you could retire after a year or two.

      --
      Slashdot: providing anti-social weirdos a soapbox, since 1997.
    13. Re:Oh those poor hackers! by cwsumner · · Score: 1

      Strange numbers in the summary. "Less than $29k" per year is oddly specific. ...

      Most likely, they -did- write 30K. But some editor said "nobody is going to believe an even number" and changed it!

    14. Re:Oh those poor hackers! by bluefoxlucid · · Score: 1

      Yeah, after a couple years. No thanks.

      My contemporaries are doing better. Some have an average 2.8% per day. I've seen people spend months turning a $100,000 starting portfolio into a $900 million portfolio.

      --
      Support my political activism on Patreon.
    15. Re:Oh those poor hackers! by Nehmo · · Score: 1

      Except for most of these hackers are outside the US where the $15,000 USD is a lot of money.

      I'm in the geographic center of the US, and it's a lot to me. I never used someone else's credit card # though, so I'm not a true "hacker".

      --
      (||) Nehmo (||)
    16. Re:Oh those poor hackers! by Nehmo · · Score: 1

      ... where the $15,000 USD is a lot of money.

      I'm feeling cheated here! The last time I defaced a webpage, I didn't get anything!

      --
      (||) Nehmo (||)
  3. Criminals like easy targets: News at 11 by CajunArson · · Score: 5, Insightful

    " Hackers prefer easy targets and will call off an attack if it is taking too long. "

    I'm shocked to hear that criminals using computers are exactly like criminals who have been practicing their trade since probably long before recorded history began.

    --
    AntiFA: An abbreviation for Anti First Amendment.
    1. Re: Criminals like easy targets: News at 11 by Anonymous Coward · · Score: 1

      I knew I should have patented "easy targets ... on a computer" ages ago. I could have been getting a cut of all this moolah all this time.

  4. $51 per hour, working from home by penguinoid · · Score: 2

    So, if they conduct 8 attacks per year, spending 70 hours per attack against a "typical" network, and earn 29,000 per year... that works out to $51 an hour, working from home. That would be rather lucrative for some countries.

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    1. Re:$51 per hour, working from home by Anonymous Coward · · Score: 1

      Hookers obviously.

    2. Re: $51 per hour, working from home by Nehmo · · Score: 1

      And blow, don't forget the blow.

      Hey, hackers party too.

      I must object to the stereotyping. It's degrading and incorrect. Not everyone knowledgeable in software/computers is a coke head. Some prefer heroin.

      --
      (||) Nehmo (||)
  5. Still more than minimum wage. by EzInKy · · Score: 1

    I can make "X" dollars flipping burgers, or I can make "XX" dollars committing crimes. Hard choices here.

    --
    Time is what keeps everything from happening all at once.
    1. Re:Still more than minimum wage. by gurps_npc · · Score: 1
      Not really. flipping burgers has major advantages in terms of future consequences. Doing crimes has a higher chances of death, imprisonment, and similar issues.

      Flipping burgers had a much higher chance of career advancement - having a criminal record severely limits your options, while burger flipper can end up owning their own shop. The higher you go in the criminal enterprise, the worse the consequences - most die before they hit 40.

      --
      excitingthingstodo.blogspot.com
    2. Re:Still more than minimum wage. by Nehmo · · Score: 1

      Not really. flipping burgers has major advantages in terms of future consequences.

      {Putting on the serious hat} True. The picture I like to create is that of a Cadillac dealership's customers. I ask, Of 100 new Cadillacs that roll off the lot, what proportion are driven by people who are career criminals (drug dealers, card hackers, etc.)? What proportion go to people who work legitimate jobs or own legitimate businesses?

      --
      (||) Nehmo (||)
  6. Hackers are Committed - I'm Hiring by Anonymous Coward · · Score: 3, Funny

    'If you can delay them by two days, you can deter 60 percent of attacks,' said Scott Simkin, senior threat intelligence manager at Palo Alto Networks, which sponsored the study.

    So 40% of hackers are committed enough to still be working on a problem two days later.

    I will hire all of them right now to replace my current Help Desk. Those kids give up within 10 minutes. I pay better than $29,000/year too.

  7. Wages by doconnor · · Score: 1

    A lot of these hackers are in Russia and other countries with $29,000 per year is a fair amount of money, plus they might also have other jobs.

  8. Less than... less than... less than... by wonkey_monkey · · Score: 4, Insightful

    hackers make less than $15,000 per successful attack and net, on average, less than $29,000 a year. The average attacker conducts eight attacks per year, of which less than half are successful.

    Unless the first two numbers are way off, they suggest the average hacker has (less than) two successful attacks which would be (less than) a quarter of the average eight per year.

    A quick rewrite:

    hackers make more than $14,000 per successful attack and net, on average, more than $28,000 a year. The average attacker conducts eight attacks per year, of which more than a quarter are successful.

    There, that's a much more positive spin on things!

    If I was amoral and had the skills, I'd take up hacking at those prices. A 25% chance of $14,000 for a week's work? Where do I sign up?

    --
    systemd is Roko's Basilisk.
    1. Re:Less than... less than... less than... by Anonymous Coward · · Score: 1

      Yeah these "less than" are annoying, especially since the reported bounds are not necessarily tight (24% gets reported as "less than half"). If you spend money on a survey, then please report goddamn estimates, not mere upper bounds.

    2. Re:Less than... less than... less than... by cwsumner · · Score: 1

      But "less than" includes -Zero-, and a lot of negative numbers!

      Just like "up to" in a technical spec written by salesmen... 8-)

  9. what are they doing the rest of the year? by mrvan · · Score: 4, Interesting

    From TFA:

    The average attacker conducts eight attacks per year, of which less than half are successful. Among the findings that will be of particular interest to defenders: Hackers prefer easy targets and will call off an attack if it is taking too long. According to the survey, 13 percent quit after a delay of five hours

    So, you do 8 attacks, and give up if you don't succeed in five hours. Since unsuccessful attacks are part of the 8, I assume that the ones they give up on are also part of that. That means that they work 40 hours a year, for an average salary of 29k$, or around 800$/hr. Not bad al all :)

    1. Re:what are they doing the rest of the year? by 14erCleaner · · Score: 2

      It's self-reported, so you can expect exaggeration. Most stock market day-traders claim they make money, too.

      --
      Have you read my blog lately?
    2. Re:what are they doing the rest of the year? by hawk · · Score: 2

      I think that most day traders *do* make a little bit.

      The catch is that the wins are small, and the losses catastrophic (like any other gambling "system")

      hawk

    3. Re:what are they doing the rest of the year? by Anonymous Coward · · Score: 1

      More importantly: in aggregate their average performance is less than if they had simply bought and held index funds. The devil's advocate might say that their ignorant suffering is a necessary evil to achieve an efficient pricing mechanism.

      In reality, price efficiency(and liquidity) are much more reliably achieved by quants, hedge funds, and computerized trading. My personal suspicion is that there is a minimum bankroll required to cost-justify the electricity expense to do the statistical analysis necessary to benefit from short-term price inefficiencies.

    4. Re:what are they doing the rest of the year? by Korbeau · · Score: 1

      That means that they work 40 hours a year, for an average salary of 29k$, or around 800$/hr. Not bad al all :)

      I would expect that the rest of the year they keep updated with research and systems, code their tools, search for vulnerabilities, find targets etc.

      It's probably comparable to other fields where you spend 80% of your time finding clients and pitching projects to fill the 20% of the time you are actually getting paid.

      Of course, at least they don't have to worry about PR, branding, cocktails and such :)

    5. Re:what are they doing the rest of the year? by mrvan · · Score: 1

      In "other people's money", John Kay makes an interesting argument that most (short-term) trading indeed does little more than create liquidity, but liquidity in that sense is almost only interesting for short-term traders. In most "real" stocks there has always been sufficient liquidity for normal trading, and when a crisis hits and you really need that liquidity it evaporates anyway.

      http://www.amazon.com/Other-Pe...

    6. Re:what are they doing the rest of the year? by hawk · · Score: 1

      Speaking as an Economics professor . . . there is also strong evidence that such trading and program trading reduce price volatility as well

      hawk

  10. They are almost 1%ers. by raymorris · · Score: 2

    Indeed, they are almost in the top 1% highest earners in the world. To be the 1%, one must earn about $33K. (Different sources range between $32-$34K).
    http://www.investopedia.com/ar...

    It's funny, it was understanding that which made me realize the "your mom's basement" meme must actually be true for the majority of Slashdot commenters. I had thought we were mostly IT professionals and the like, but if so we'd all be earning twice as much as the 1%. In which case we wouldn't see all this hostility toward college grads (the 1%) that exists on Slashdot. So I guess most Slashdotters are indeed eating cheese puffs in their mom's basement, and resent those of us who aren't.

    1. Re:They are almost 1%ers. by Coisiche · · Score: 1

      Well if you assume the majority of Slashdot commentators are based in the US, then, from that link you provided...

      Making The U.S. One Percent Of course, Americans live in the United States, contending with U.S. prices. Who constitutes the one percent if you just look at the U.S.? Not surprisingly, it takes a massively higher income to crack the top percentile of wage earners: You’d have to make $434,682 in adjusted gross income to make the cut, according to the non-partisan Tax Foundation. And to rank amongst the highest one percent of Americans by wealth? That requires net assets of more than $7 million, based on the latest Federal Reserve figures.

      Being in the global one percent doesn't cut it when you're in a country where not many fall within the global poor 99%.

      Disclaimer: I have always lived in United Kingdom. We don't really have basements.

  11. if it was my $15K or even my $100 by peter303 · · Score: 1

    I would not be happy.

  12. "deter 60%" by AndreasNeukoetter · · Score: 1

    If you can only delay them by two days 40% of hacks won't be stopped.

  13. Re:$29K is a damn good salary by david_thornley · · Score: 1

    Funny, my company seems to have no problems with rapid growth while paying US salaries (profits are plowed back into the business, for the most part). So far, it seems not only sustainable but highly successful.

    In the US, anybody with more talent than a script kiddie can find a job making more than that. Unless they've got a criminal record, I guess, which is a good reason not to violate the CFAA for peanuts.

    --
    "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  14. Average? by hired+killer · · Score: 1

    This analysis does not appear to be bell curve friendly. A few big scores would bring the average up. If this is where it ends up, there isn't a huge income from this activity.

    1. Re:Average? by cwsumner · · Score: 1

      There is no such thing as a Bell Curve, just as there is no such thing as purely random.

      Any such calculation is no more than rough guess. To do better you need calculus, and specific data.

  15. Re:Hacking as a career by Locke2005 · · Score: 1

    No, the secret is to only hack computers in another country, because the chances of your getting extradited for computer hacking are practically nil.

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
  16. Rent an ass by tepples · · Score: 2

    You could just bypass the middleman and rent your ass out for XXX a week.

    I'm not sure there's much of a market for renting donkeys in the industrialized world now that bikes, cars, and trucks exist, apart from some fairly small niches. And in the less-industrialized world, where pack animals are still regularly used to move goods over rugged terrain, wages are lower anyway so you might not make much money that way either.

  17. Re:15000 is low? by TWX · · Score: 2

    I think that the article's point, from an American perspective, is that one probably isn't going to get rich hacking, in the same way that one isn't going to get rich robbing banks. Like robbing banks, the more one hacks, the greater the chances one is caught, so trying to get rich is the fastest way to get caught.

    It's also kind of interesting to note that both crimes are investigated by the FBI, rather than solely by local authorities. The FBI has a better track record of not forgetting cold cases too, so depending on the statute of limitations one may never be in-the-clear.

    --
    Do not look into laser with remaining eye.
  18. Script Kiddies and Inside Jobs by Jason+Levine · · Score: 1

    I wonder how script kiddies and inside jobs skew the results.

    In the case of script kiddies, these are people who are running a program to detect vulnerable points in various systems. They can run this script while doing something else so (as another poster pointed out), they can be working a legitimate job during the day while the script runs and then making money by hacking the vulnerable servers at night. In this case, making $15K isn't a "low wage" but a "nice side income." (Especially if they don't report it on their taxes - hey, what's a little more crime if you're willing to make money via criminal activities?)

    In the case of inside jobs, I would think that the person would be a) more likely to make more money off their hack and b) need to spend less time on their hack. Since I work in IT, I have elevated permissions for many systems. If I wanted to, I could use this to gain access to data that would sell for a lot of money on some shady sites. To be clear: I would never actually do this, but someone in a position like mine but with less moral restraint could easily pull it off. They might even go undetected and remain at their day job, making their hacks a side income (like the script kiddies). Or they might move from job to job, waiting until they have high enough access to get sensitive data before moving on.

    --
    My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    1. Re:Script Kiddies and Inside Jobs by Trax3001BBS · · Score: 1

      I wonder how script kiddies and inside jobs skew the results.

      In the case of script kiddies, these are people who are running a program to detect vulnerable points in various systems. They can run this script while doing something else so (as another poster pointed out), they can be working a legitimate job during the day while the script runs and then making money by hacking the vulnerable servers at night.

      I agree, the statement "the average attacker conducts eight attacks per year" doesn't take into account those who have just messed around to a position where it's a weekly/daily activity, they would also be looking for easy targets and not linger long as a general rule.

      Hell in my youth, I used to run a war dialer just looking for other modems when there were so few around. These days a lot can be done with Angry IP Scanner.

  19. See "the flaw of averages" post from yesterday by raymorris · · Score: 1

    See the story posted yesterday (or Tuesday?) about averages. You can't, generally, do math with averages of different measurements and expect to come out with a meaningful average of something else.

    As people said yesterday, 99.99% of people have more than the average number of eyes. Also, the average person has one testicle.

  20. Sounds like good money. by petes_PoV · · Score: 1
    For most people - excluding the 5% who are american, this represents a good level of income. No wonder there are so many hackers and attacks.

    As for stopping 60% of attacks by delaying them for 2 days - again, this doesn't sound like much of a deterrent. In fact when you couple it with the above statistic, it just shows that the serious hackers are willing to carry on for days, to make their year's income.

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons
  21. Hey whiplash by b1ng0 · · Score: 1

    No more itwbennet! We don't want paid schills for cio.com or csoonline.com. Notice every single one of his posts links to these two sites? Enough is enough!

  22. We call that spoiled, and often blinded by raymorris · · Score: 1

    > Being in the global one percent doesn't cut it when you're in a country where not many fall within the global poor 99%.

    Yeah beng rich isn't enough when you're neighbors are rich too - anything other than being the richest of the rich just won't cut it. You can see that too in Orange County - when all the neighbors have BMWs, the brats whine that they don't have a Maserati. In Texas, we call that "spoiled" .

    In California and New York you'll find a lot of people who are really, really blind because although they are rich live in a country where most people are rich (richer than 95% globally) they are unhappy SO THEY DEMAND THAT THE RICH COUNTRY STOP DOING RICH THINGS AND BECOME MORE LIKE THE BROKE SOCIALIST COUNTRIES WHERE THE PEOPLE ARE POORER. In Texas, we call that "dumb as a box of rocks".

    If your whole country is rich, maybe it would make sense to find out why, and do MORE of the stuff that made you rich. If America makes people rich (and as you said, it does), then maybe be MORE of the American way, not less.

    Hint- we got rich mainly in the 1950s - 1960s, then leveled off. We did well in the 1800s too, minus the civil war.

  23. Feedback for BizX & Whiplash by Harlequin80 · · Score: 1

    Morning Guys,

    ITWBennet is the sort of poster that I, and I believe a lot of crusty slashdot users, are not a fan of. He has no post history and doesn't participate on the site and appears to solely push articles from CSO Online. I know that you need to be putting content on to slashdot but I would rather things others on the site picked as interesting than to read press releases.

  24. Re:$29K is a damn good salary by david_thornley · · Score: 1

    You know, I've heard lots of people saying that the US is going to fall, and providing no good reasons. If you want me to take you more seriously than a bunch of failures, you're going to have to give me reasons.

    US wages are, apparently, generally lower than the workers' value to their employers, allowing employers to pay them, pay other expenses, and still typically have a profit. If a company concludes that parts of the labor force are paid more than their worth, it usually results in a layoff. In what way are wages that fit into that structure insane?

    BTW, the second car allows both my wife and me to work in our jobs, which are widely separated in the metro area. Without it, our combined contribution to the economy would be much lower.

    --
    "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  25. Call off the hack by Bert64 · · Score: 1

    They're only likely to stop if the time taken is their actual time, they will routinely leave scripts running slow attempts for months if nothing is done to stop them...

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  26. Re:$29K is a damn good salary by Bert64 · · Score: 1

    Wages have to be higher because the cost of living is higher, and the cost of living is higher because companies charge more for goods and services, part of the reason why they charge more is because they have to pay their workers more.

    The problem is that companies are greedy and short sighted, so they will outsource to cheaper countries to reduce their costs... This will cut costs in the short term, but long term there will no longer be anyone able to afford your products.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!