Hacker Business Models
wiredmikey writes "The industrialized hackers are intent on one goal — making money. They also know the basic rules of the business of increasing revenues while cutting costs. As hackers started making money, the field became full of 'professionals' that inspired organized cyber crime. Similar to industrial corporations, hackers have developed their own business models in order to operate as a profitable organization. What do these business models look like? Data has become the hacker's currency. More data, more money. So the attack logic is simple: the more attacks, the more likely victim — so you automate ..."
Sources, or GTFO (Score:3, Informative)
Reads like a lot of obvious consultant-wank generalities to me.
I don't care who this broad claims to be, she needs to either cite case examples, or go bake me some cookies.
Oh, client confidentiality. Well, that's convenient, ain't it? On the internets, nobody can prove you're not a 1337 security ninja.
Re:ITYM "cracker" (Score:3, Informative)
News flash: in English, words can have multiple definitions. I'm a hacker and I break golf clubs in frustration.
Re:What's more dangerous? (Score:1, Informative)
Your server updates should be applied as soon as they come out. Being a month behind was unacceptable. Sometimes Microsoft releases them out of band (outside of Patch Tuesday). Those are really important and should be installed and the server rebooted that night. Web server should be in a DMZ. Should only have one or two local admin accounts that only the IT people know. Should not have any ports open to the internet except 80 and 443 if you need it. Any other server software on it should be fully updated (apache?).
What exploit was used to access your web server? What update was not installed that would have prevented it? Were you running IIS or some other web server?
I have a feeling that being one month behind on your Windows Updates was not actually the cause of this one. Did you check your security logs for any unusual activity? The stuff I wrote above is minimal, and there is no reason for it not to be set up that way. Web servers that get hacked like you described are on clusterfucked networks, in my experience. Your CEO is correct to question your security practices since you were a fucking month behind on your patches.
Re:What's more dangerous? (Score:3, Informative)
So we're not equipped to handle hackers - and we've officially been hacked. What do we do?
Hiring 'hackers' is a media fiction - you wouldn't hire someone who was convicted of armed robbery to guard your local bank just because he was really good at it, would you? Hire a security professional who actually takes what they do for a living seriously, has credentials to prove it, and has a reputation for honesty and integrity they're not afraid to defend with references from previous employers and clients. Or contract the same. Or hire a consulting firm that specializes in security. A CISSP should be a minimum bar to get over.
Security is all about setting appropriate levels of trust on personnel. If you don't trust your security professionals (and by the way, the guy who sets up your firewall there should be one of them) then you can't trust the security they're putting in place. Audit the work they do. Trust, but verify. And for your size of network, you should have at least one full-time IT security person on staff.
Re:What's more dangerous? (Score:3, Informative)
> Turn to an industrialized hacker and hope we can pay more than our competitors might pay?
NO NO NO NO. If you hire a criminal they will steal from you. This is like hiring a wolf to guard the sheep except the sheep are chopped up into cutlets and served to him on fine china.
Turn to a decent computer consulting company and bring in an integrated security solution, practices and policies. Use the breach as a lever to get the CEO to cough up the money for it. Business case goes like this: Get good security = Spend big $. Don't have good security = delaying expansion plans, legal exposure, unknown potential economic impacts, cobbled together solutions that could fail at any moment. Conceptually describe security as entirely different from normal IT so you don't lose your job. Stay on top of your consultants so you don't lose your job or get screwed with scope change and billing creep.
If you're worried about gouging get your purchasing people involved but ride herd on them too. Get bids from multiple companies, fixed price lists of services where possible, case examples as available and recommendations.
replace word 'hacker' by 'cracker' (Score:3, Informative)
More and more articles seem to suffer from the same lack of geekiness in multiple different ways...