Hacker Business Models

wiredmikey writes "The industrialized hackers are intent on one goal — making money. They also know the basic rules of the business of increasing revenues while cutting costs. As hackers started making money, the field became full of 'professionals' that inspired organized cyber crime. Similar to industrial corporations, hackers have developed their own business models in order to operate as a profitable organization. What do these business models look like? Data has become the hacker's currency. More data, more money. So the attack logic is simple: the more attacks, the more likely victim — so you automate ..."

What's more dangerous?

[Monkeedude1212]

Industrialized hackers or non-industrialized hackers?

We recently had a run-in with a hacker, very recently, not this past Friday but the one before. Exploit because our Web Server wasn't patched up on Windows Updates (or so one expert tells us), we weren't more than a month behind. All that really seemed to occur is that the index.html file was overwritten by the hacker's web page. This has, of course, brought the spot light on IT and the CEO is now asking about our security practices.

This is the same CEO who insisted that we as IT staff dole out the passwords for users, make them simple enough to remember, and don't let them change. It is quite possibly the weakest password security I've ever seen and I have no doubts that this could have easily played a part in why there was a security breach. Reason being, sometimes a manager doesn't let us know of a person's dismissal till after they are gone - so their account is still fully active for a while. If they put in the request AFTER 5 on a Friday? Well lets hope we check our email when we get home and do it remotely. Just September we're dealing with the blow of someone leaving the company and taking contact information with them to their next job (I think that falls into trade secrets?), so theres a whole bunch of legal stuff around that, and of course people are asking if they were able to access this information after they left the company. Regardless, if someone puts in their 2 weeks - and they intend on taking it to their next job, they're going to grab what they can to take it off-site, and we have the worst policy regarding cell phones with data plans as well. Essentially if its not a blackberry, we set up the email forwarding, if it is a blackberry, we have an Enterprise server, and we can send the kill command to wipe all data from the blackberry including grandma's phone number... it's a pretty stupid policy, lets just leave it at that.

Basically, its going like this: The company went from small to medium pretty fast, and the plans are set to grow into a large company very quickly. All along the way, security was never that much of an issue, at least network wise. We had issues with people downloading movies and seemingly random attacks on the webserver, most of which have been dealt with by our firewall. All in all, the IT group is too small though, there's a team of 4 programmers to handle all the in-house applications we need, one of our critical systems is still on powerbuilder 5 or 6... Ontario just went from GST+PST to the Harmonized Sales Tax... Lets just say the Programmers are swamped. On the other side we've got 4 technicians and a manager. The manager contracts out our firewall setups to some guy who really doesn't seem any more competant than the rest of us, in fact he tries to keep us distracted while he does his work so we can't actually learn his job. I guess most contractors are probably like that though. But otherwise, its just 4 of us to handle ~800 PCs which is probably going to bump up to 1000 before December here, as we have roughly 5 new locations opening up.

So we're not equipped to handle hackers - and we've officially been hacked. What do we do? Turn to an industrialized hacker and hope we can pay more than our competitor's might pay? After all, it's a double edged sword. If we go looking for help on our security, it shows we have a weakness, and if we don't want to pay for his services he can go right next door and try and sell our goods with confidence. To me that sounds like a scenario where they can name just about any price they like. And with the current state of the company (growing) it would seem we have a lot of money to lose.

More devastating though, would be a hacker who ISN'T in it for the money. We get a lot of turn over here - and not just the summer student temps but in pretty much every division but IT and accounting. Someone who wants the company to fail and has a friend with expertise, or the expertise themselves, could easily bring this place down. I think we got lucky that we were hit by someone who seems to do nothing but self promotion of his abilities. Things aren't good right now, but they could be a lot worse.