Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Crime Security Stats The Almighty Buck

Survey: Average Successful Hack Nets Less Than $15,000 (csoonline.com) 84

itwbennett writes: According to a Ponemon Institute survey, hackers make less than $15,000 per successful attack and net, on average, less than $29,000 a year. The average attacker conducts eight attacks per year, of which less than half are successful. Among the findings that will be of particular interest to defenders: Hackers prefer easy targets and will call off an attack if it is taking too long. According to the survey, 13 percent quit after a delay of five hours. A delay of 10 hours causes 24 percent to quit, a delay of 20 hours causes 36 to quit, and a majority of 60 percent will give up if an attack takes 40 additional hours. 'If you can delay them by two days, you can deter 60 percent of attacks,' said Scott Simkin, senior threat intelligence manager at Palo Alto Networks, which sponsored the study.
This discussion has been archived. No new comments can be posted.

Survey: Average Successful Hack Nets Less Than $15,000

Comments Filter:
  • by Narcocide ( 102829 ) on Thursday February 04, 2016 @10:49AM (#51439085) Homepage

    Oh wait, never mind.

  • by jellomizer ( 103300 ) on Thursday February 04, 2016 @10:49AM (#51439089)

    They are making low wages... Boo Hoo.
    Well stop hacking and get a real job.

    Except for most of these hackers are outside the US where the $15,000 USD is a lot of money.

    • And if four of those hacks are successful, that $60K USD is probably worth it.

      Hell, how many people in the US would consider that a decent income?

      • For many of these people, hacking is not their day job. Much hacking involves setting up automated scripts, which then run for hours or days, trying passwords or probing for open ports. In the meantime, the hackers can go about their lives, including going to their day jobs. If you look at the risk/benefit analysis, hacking makes a lot of sense, especially if you live in a jurisdiction that doesn't prosecute online crime.

      • by Anonymous Coward
        Strange numbers in the summary. "Less than $29k" per year is oddly specific. They could have said "less than $30k," but decided to be more specific, but didn't say "less than $28k," so I think we can safely assume the number is within a few hundred dollars of $29k. Same for the "less than $15k." It sure sounds a lot like they are using an average number of successful hacks of almost exactly two.
        But then saying "less than half" of the eight attempts are successful is, while true, a step backwards in specifi
        • by TWX ( 665546 ) on Thursday February 04, 2016 @12:19PM (#51439819)
          They probably converted currencies and didn't bother with significant digits across the conversion. That creates oddly specific numbers even when the source number is rough.
        • Strange numbers in the summary. "Less than $29k" per year is oddly specific. ...

          Most likely, they -did- write 30K. But some editor said "nobody is going to believe an even number" and changed it!

      • It said they net less than $29k a year on average that is close to what you would net at a $16 or $17/hr 40 hour a week job w/no overtime depending on deductions of course...

    • That is what I thought!
      The minimal salary in Brazil is about US$ 3100 a year by today's rate.
    • Indeed, they are almost in the top 1% highest earners in the world. To be the 1%, one must earn about $33K. (Different sources range between $32-$34K).
      http://www.investopedia.com/ar... [investopedia.com]

      It's funny, it was understanding that which made me realize the "your mom's basement" meme must actually be true for the majority of Slashdot commenters. I had thought we were mostly IT professionals and the like, but if so we'd all be earning twice as much as the 1%. In which case we wouldn't see all this hostility toward

      • Well if you assume the majority of Slashdot commentators are based in the US, then, from that link you provided...

        Making The U.S. One Percent Of course, Americans live in the United States, contending with U.S. prices. Who constitutes the one percent if you just look at the U.S.? Not surprisingly, it takes a massively higher income to crack the top percentile of wage earners: You’d have to make $434,682 in adjusted gross income to make the cut, according to the non-partisan Tax Foundation. And to rank amongst the highest one percent of Americans by wealth? That requires net assets of more than $7 million, based on the latest Federal Reserve figures.

        Being in the global one percent doesn't cut it when you're in a country where not many fall within the global poor 99%.

        Disclaimer: I have always lived in United Kingdom. We don't really have basements.

        • > Being in the global one percent doesn't cut it when you're in a country where not many fall within the global poor 99%.

          Yeah beng rich isn't enough when you're neighbors are rich too - anything other than being the richest of the rich just won't cut it. You can see that too in Orange County - when all the neighbors have BMWs, the brats whine that they don't have a Maserati. In Texas, we call that "spoiled" .

          In California and New York you'll find a lot of people who are really, really blind because altho

    • by bluefoxlucid ( 723572 ) on Thursday February 04, 2016 @11:35AM (#51439463) Homepage Journal

      On one hand, it's not a lot of money. A decent job pays more.

      On the other, apparently it's $29,000 for like two days of work.

      I quit playing the stock market because it was hard. I averaged 1% per day on 3-5 day holdings (swing trading; day trading would be attractive if I had a large portfolio), but that was with 18 hours per day of research, waking at 4am to examine news and foreign markets, with loads of analysis of technicals and some fundamentals. It was technically sustainable, if I didn't go insane first.

      Those two days of work for a hacker are followed by months or years of worrying which of the 40 odd jobs the FBI is investigating. I'd imagine an honest job provides a more enjoyable income than one in which you spend the following 7 years hoping the SWAT team doesn't boot your door in.

      • by TWX ( 665546 )

        Those two days of work for a hacker are followed by months or years of worrying which of the 40 odd jobs the FBI is investigating. I'd imagine an honest job provides a more enjoyable income than one in which you spend the following 7 years hoping the SWAT team doesn't boot your door in.

        That's probably why sustained-effort hacks are called off after a fairly short time, assuming that the article is correct. Even if the FBI or other law enforcement had full authority to go to each compromised system in-turn to analyse the connections to keep tracking back, there's still the issue of finding the owners, finding the system admins, possibly going in to look at paper records for credentials for systems that aren't commonly accessed, analyzing logs, etc. Quite some time will pass for the inves

      • 1% a day, with 250 trading days a year, would be equivalent to making your money increase by a factor of about thirteen over the course of a year. You are the world's genius investor and should go right back at it; surely you could retire after a year or two.

        • Yeah, after a couple years. No thanks.

          My contemporaries are doing better. Some have an average 2.8% per day. I've seen people spend months turning a $100,000 starting portfolio into a $900 million portfolio.

    • For about 4 days of work, it is not as bad as you think. They still have plenty of time for a real job in addition.
      • by tnk1 ( 899206 )

        And hacking doesn't even really require you to sit there and type really fast for those four hours like they show in Hollywood. Most of these tools are fully automated (this is *computer* crime after all). Your major time expenditure is running scans or exploits and reviewing the results. If you do get in, you have a flurry of work to extrude data, cause havoc, deface web pages, and cover your tracks (if you even care to), but at that point, you've already hit paydirt.

        So, much of the time used for these

    • by Nehmo ( 757404 )

      Except for most of these hackers are outside the US where the $15,000 USD is a lot of money.

      I'm in the geographic center of the US, and it's a lot to me. I never used someone else's credit card # though, so I'm not a true "hacker".

    • by Nehmo ( 757404 )

      ... where the $15,000 USD is a lot of money.

      I'm feeling cheated here! The last time I defaced a webpage, I didn't get anything!

  • by CajunArson ( 465943 ) on Thursday February 04, 2016 @11:01AM (#51439191) Journal

    " Hackers prefer easy targets and will call off an attack if it is taking too long. "

    I'm shocked to hear that criminals using computers are exactly like criminals who have been practicing their trade since probably long before recorded history began.

  • by penguinoid ( 724646 ) on Thursday February 04, 2016 @11:05AM (#51439213) Homepage Journal

    So, if they conduct 8 attacks per year, spending 70 hours per attack against a "typical" network, and earn 29,000 per year... that works out to $51 an hour, working from home. That would be rather lucrative for some countries.

  • I can make "X" dollars flipping burgers, or I can make "XX" dollars committing crimes. Hard choices here.

    • Not really. flipping burgers has major advantages in terms of future consequences. Doing crimes has a higher chances of death, imprisonment, and similar issues.

      Flipping burgers had a much higher chance of career advancement - having a criminal record severely limits your options, while burger flipper can end up owning their own shop. The higher you go in the criminal enterprise, the worse the consequences - most die before they hit 40.

      • by Nehmo ( 757404 )

        Not really. flipping burgers has major advantages in terms of future consequences.

        {Putting on the serious hat} True. The picture I like to create is that of a Cadillac dealership's customers. I ask, Of 100 new Cadillacs that roll off the lot, what proportion are driven by people who are career criminals (drug dealers, card hackers, etc.)? What proportion go to people who work legitimate jobs or own legitimate businesses?

  • by Anonymous Coward on Thursday February 04, 2016 @11:11AM (#51439275)

    'If you can delay them by two days, you can deter 60 percent of attacks,' said Scott Simkin, senior threat intelligence manager at Palo Alto Networks, which sponsored the study.

    So 40% of hackers are committed enough to still be working on a problem two days later.

    I will hire all of them right now to replace my current Help Desk. Those kids give up within 10 minutes. I pay better than $29,000/year too.

  • A lot of these hackers are in Russia and other countries with $29,000 per year is a fair amount of money, plus they might also have other jobs.

  • by wonkey_monkey ( 2592601 ) on Thursday February 04, 2016 @11:14AM (#51439303) Homepage

    hackers make less than $15,000 per successful attack and net, on average, less than $29,000 a year. The average attacker conducts eight attacks per year, of which less than half are successful.

    Unless the first two numbers are way off, they suggest the average hacker has (less than) two successful attacks which would be (less than) a quarter of the average eight per year.

    A quick rewrite:

    hackers make more than $14,000 per successful attack and net, on average, more than $28,000 a year. The average attacker conducts eight attacks per year, of which more than a quarter are successful.

    There, that's a much more positive spin on things!

    If I was amoral and had the skills, I'd take up hacking at those prices. A 25% chance of $14,000 for a week's work? Where do I sign up?

    • by Anonymous Coward

      Yeah these "less than" are annoying, especially since the reported bounds are not necessarily tight (24% gets reported as "less than half"). If you spend money on a survey, then please report goddamn estimates, not mere upper bounds.

    • See the story posted yesterday (or Tuesday?) about averages. You can't, generally, do math with averages of different measurements and expect to come out with a meaningful average of something else.

      As people said yesterday, 99.99% of people have more than the average number of eyes. Also, the average person has one testicle.

    • But "less than" includes -Zero-, and a lot of negative numbers!

      Just like "up to" in a technical spec written by salesmen... 8-)

  • by mrvan ( 973822 ) on Thursday February 04, 2016 @11:19AM (#51439327)

    From TFA:

    The average attacker conducts eight attacks per year, of which less than half are successful. Among the findings that will be of particular interest to defenders: Hackers prefer easy targets and will call off an attack if it is taking too long. According to the survey, 13 percent quit after a delay of five hours

    So, you do 8 attacks, and give up if you don't succeed in five hours. Since unsuccessful attacks are part of the 8, I assume that the ones they give up on are also part of that. That means that they work 40 hours a year, for an average salary of 29k$, or around 800$/hr. Not bad al all :)

    • It's self-reported, so you can expect exaggeration. Most stock market day-traders claim they make money, too.
      • by hawk ( 1151 )

        I think that most day traders *do* make a little bit.

        The catch is that the wins are small, and the losses catastrophic (like any other gambling "system")

        hawk

        • by Anonymous Coward

          More importantly: in aggregate their average performance is less than if they had simply bought and held index funds. The devil's advocate might say that their ignorant suffering is a necessary evil to achieve an efficient pricing mechanism.

          In reality, price efficiency(and liquidity) are much more reliably achieved by quants, hedge funds, and computerized trading. My personal suspicion is that there is a minimum bankroll required to cost-justify the electricity expense to do the statistical analysis necessa

          • by mrvan ( 973822 )

            In "other people's money", John Kay makes an interesting argument that most (short-term) trading indeed does little more than create liquidity, but liquidity in that sense is almost only interesting for short-term traders. In most "real" stocks there has always been sufficient liquidity for normal trading, and when a crisis hits and you really need that liquidity it evaporates anyway.

            http://www.amazon.com/Other-Pe... [amazon.com]

            • by hawk ( 1151 )

              Speaking as an Economics professor . . . there is also strong evidence that such trading and program trading reduce price volatility as well

              hawk

    • by Korbeau ( 913903 )

      That means that they work 40 hours a year, for an average salary of 29k$, or around 800$/hr. Not bad al all :)

      I would expect that the rest of the year they keep updated with research and systems, code their tools, search for vulnerabilities, find targets etc.

      It's probably comparable to other fields where you spend 80% of your time finding clients and pitching projects to fill the 20% of the time you are actually getting paid.

      Of course, at least they don't have to worry about PR, branding, cocktails and such :)

  • I would not be happy.
  • If you can only delay them by two days 40% of hacks won't be stopped.
  • This analysis does not appear to be bell curve friendly. A few big scores would bring the average up. If this is where it ends up, there isn't a huge income from this activity.
    • There is no such thing as a Bell Curve, just as there is no such thing as purely random.

      Any such calculation is no more than rough guess. To do better you need calculus, and specific data.

  • I wonder how script kiddies and inside jobs skew the results.

    In the case of script kiddies, these are people who are running a program to detect vulnerable points in various systems. They can run this script while doing something else so (as another poster pointed out), they can be working a legitimate job during the day while the script runs and then making money by hacking the vulnerable servers at night. In this case, making $15K isn't a "low wage" but a "nice side income." (Especially if they don't r

    • I wonder how script kiddies and inside jobs skew the results.

      In the case of script kiddies, these are people who are running a program to detect vulnerable points in various systems. They can run this script while doing something else so (as another poster pointed out), they can be working a legitimate job during the day while the script runs and then making money by hacking the vulnerable servers at night.

      I agree, the statement "the average attacker conducts eight attacks per year" doesn't take into account those who have just messed around to a position where it's a weekly/daily activity, they would also be looking for easy targets and not linger long as a general rule.

      Hell in my youth, I used to run a war dialer just looking for other modems when there were so few around. These days a lot can be done with Angry IP Scanner.

  • For most people - excluding the 5% who are american, this represents a good level of income. No wonder there are so many hackers and attacks.

    As for stopping 60% of attacks by delaying them for 2 days - again, this doesn't sound like much of a deterrent. In fact when you couple it with the above statistic, it just shows that the serious hackers are willing to carry on for days, to make their year's income.

  • No more itwbennet! We don't want paid schills for cio.com or csoonline.com. Notice every single one of his posts links to these two sites? Enough is enough!

  • Morning Guys,

    ITWBennet is the sort of poster that I, and I believe a lot of crusty slashdot users, are not a fan of. He has no post history and doesn't participate on the site and appears to solely push articles from CSO Online. I know that you need to be putting content on to slashdot but I would rather things others on the site picked as interesting than to read press releases.

  • They're only likely to stop if the time taken is their actual time, they will routinely leave scripts running slow attempts for months if nothing is done to stop them...

Genius is ten percent inspiration and fifty percent capital gains.

Working...