Survey: Average Successful Hack Nets Less Than $15,000 (csoonline.com) 84
itwbennett writes: According to a Ponemon Institute survey, hackers make less than $15,000 per successful attack and net, on average, less than $29,000 a year. The average attacker conducts eight attacks per year, of which less than half are successful. Among the findings that will be of particular interest to defenders: Hackers prefer easy targets and will call off an attack if it is taking too long. According to the survey, 13 percent quit after a delay of five hours. A delay of 10 hours causes 24 percent to quit, a delay of 20 hours causes 36 to quit, and a majority of 60 percent will give up if an attack takes 40 additional hours. 'If you can delay them by two days, you can deter 60 percent of attacks,' said Scott Simkin, senior threat intelligence manager at Palo Alto Networks, which sponsored the study.
Pokemon Institute?? (Score:3, Funny)
Oh wait, never mind.
Re: (Score:2)
Has Nintendo Network even been hacked? Its competitor sure has [wikipedia.org].
Re: (Score:2)
Oh those poor hackers! (Score:3)
They are making low wages... Boo Hoo.
Well stop hacking and get a real job.
Except for most of these hackers are outside the US where the $15,000 USD is a lot of money.
Re: (Score:2)
And if four of those hacks are successful, that $60K USD is probably worth it.
Hell, how many people in the US would consider that a decent income?
Re: (Score:2, Insightful)
I bet they're not even paying income taxes on that.
Re: (Score:3)
For many of these people, hacking is not their day job. Much hacking involves setting up automated scripts, which then run for hours or days, trying passwords or probing for open ports. In the meantime, the hackers can go about their lives, including going to their day jobs. If you look at the risk/benefit analysis, hacking makes a lot of sense, especially if you live in a jurisdiction that doesn't prosecute online crime.
Re: (Score:1)
But then saying "less than half" of the eight attempts are successful is, while true, a step backwards in specifi
Re:Oh those poor hackers! (Score:4, Informative)
Re: (Score:1)
Strange numbers in the summary. "Less than $29k" per year is oddly specific. ...
Most likely, they -did- write 30K. But some editor said "nobody is going to believe an even number" and changed it!
Re: (Score:2)
It said they net less than $29k a year on average that is close to what you would net at a $16 or $17/hr 40 hour a week job w/no overtime depending on deductions of course...
Re: (Score:2)
The minimal salary in Brazil is about US$ 3100 a year by today's rate.
They are almost 1%ers. (Score:3)
Indeed, they are almost in the top 1% highest earners in the world. To be the 1%, one must earn about $33K. (Different sources range between $32-$34K).
http://www.investopedia.com/ar... [investopedia.com]
It's funny, it was understanding that which made me realize the "your mom's basement" meme must actually be true for the majority of Slashdot commenters. I had thought we were mostly IT professionals and the like, but if so we'd all be earning twice as much as the 1%. In which case we wouldn't see all this hostility toward
Re: (Score:2)
Well if you assume the majority of Slashdot commentators are based in the US, then, from that link you provided...
Making The U.S. One Percent Of course, Americans live in the United States, contending with U.S. prices. Who constitutes the one percent if you just look at the U.S.? Not surprisingly, it takes a massively higher income to crack the top percentile of wage earners: You’d have to make $434,682 in adjusted gross income to make the cut, according to the non-partisan Tax Foundation. And to rank amongst the highest one percent of Americans by wealth? That requires net assets of more than $7 million, based on the latest Federal Reserve figures.
Being in the global one percent doesn't cut it when you're in a country where not many fall within the global poor 99%.
Disclaimer: I have always lived in United Kingdom. We don't really have basements.
We call that spoiled, and often blinded (Score:2)
> Being in the global one percent doesn't cut it when you're in a country where not many fall within the global poor 99%.
Yeah beng rich isn't enough when you're neighbors are rich too - anything other than being the richest of the rich just won't cut it. You can see that too in Orange County - when all the neighbors have BMWs, the brats whine that they don't have a Maserati. In Texas, we call that "spoiled" .
In California and New York you'll find a lot of people who are really, really blind because altho
Re:Oh those poor hackers! (Score:4, Informative)
On one hand, it's not a lot of money. A decent job pays more.
On the other, apparently it's $29,000 for like two days of work.
I quit playing the stock market because it was hard. I averaged 1% per day on 3-5 day holdings (swing trading; day trading would be attractive if I had a large portfolio), but that was with 18 hours per day of research, waking at 4am to examine news and foreign markets, with loads of analysis of technicals and some fundamentals. It was technically sustainable, if I didn't go insane first.
Those two days of work for a hacker are followed by months or years of worrying which of the 40 odd jobs the FBI is investigating. I'd imagine an honest job provides a more enjoyable income than one in which you spend the following 7 years hoping the SWAT team doesn't boot your door in.
Re: (Score:2)
Those two days of work for a hacker are followed by months or years of worrying which of the 40 odd jobs the FBI is investigating. I'd imagine an honest job provides a more enjoyable income than one in which you spend the following 7 years hoping the SWAT team doesn't boot your door in.
That's probably why sustained-effort hacks are called off after a fairly short time, assuming that the article is correct. Even if the FBI or other law enforcement had full authority to go to each compromised system in-turn to analyse the connections to keep tracking back, there's still the issue of finding the owners, finding the system admins, possibly going in to look at paper records for credentials for systems that aren't commonly accessed, analyzing logs, etc. Quite some time will pass for the inves
Re: (Score:2)
1% a day, with 250 trading days a year, would be equivalent to making your money increase by a factor of about thirteen over the course of a year. You are the world's genius investor and should go right back at it; surely you could retire after a year or two.
Re: (Score:2)
Yeah, after a couple years. No thanks.
My contemporaries are doing better. Some have an average 2.8% per day. I've seen people spend months turning a $100,000 starting portfolio into a $900 million portfolio.
Re: (Score:2)
Re: (Score:2)
And hacking doesn't even really require you to sit there and type really fast for those four hours like they show in Hollywood. Most of these tools are fully automated (this is *computer* crime after all). Your major time expenditure is running scans or exploits and reviewing the results. If you do get in, you have a flurry of work to extrude data, cause havoc, deface web pages, and cover your tracks (if you even care to), but at that point, you've already hit paydirt.
So, much of the time used for these
Re: (Score:1)
Except for most of these hackers are outside the US where the $15,000 USD is a lot of money.
I'm in the geographic center of the US, and it's a lot to me. I never used someone else's credit card # though, so I'm not a true "hacker".
Re: (Score:1)
... where the $15,000 USD is a lot of money.
I'm feeling cheated here! The last time I defaced a webpage, I didn't get anything!
Re: (Score:3)
It's also kind of interesting to note that both crimes are investigated by the FBI, rather than solely by local authorities. The FBI has a better track record of not forgetting cold cases too
Criminals like easy targets: News at 11 (Score:5, Insightful)
" Hackers prefer easy targets and will call off an attack if it is taking too long. "
I'm shocked to hear that criminals using computers are exactly like criminals who have been practicing their trade since probably long before recorded history began.
Re: Criminals like easy targets: News at 11 (Score:1)
I knew I should have patented "easy targets ... on a computer" ages ago. I could have been getting a cut of all this moolah all this time.
Re: (Score:2)
$51 per hour, working from home (Score:3)
So, if they conduct 8 attacks per year, spending 70 hours per attack against a "typical" network, and earn 29,000 per year... that works out to $51 an hour, working from home. That would be rather lucrative for some countries.
Re: (Score:1)
Hookers obviously.
Re: (Score:1)
And blow, don't forget the blow.
Hey, hackers party too.
I must object to the stereotyping. It's degrading and incorrect. Not everyone knowledgeable in software/computers is a coke head. Some prefer heroin.
Still more than minimum wage. (Score:1)
I can make "X" dollars flipping burgers, or I can make "XX" dollars committing crimes. Hard choices here.
Rent an ass (Score:3)
You could just bypass the middleman and rent your ass out for XXX a week.
I'm not sure there's much of a market for renting donkeys in the industrialized world now that bikes, cars, and trucks exist, apart from some fairly small niches [ponyparty.com]. And in the less-industrialized world, where pack animals are still regularly used to move goods over rugged terrain, wages are lower anyway [wikipedia.org] so you might not make much money that way either.
Re: (Score:2)
Flipping burgers had a much higher chance of career advancement - having a criminal record severely limits your options, while burger flipper can end up owning their own shop. The higher you go in the criminal enterprise, the worse the consequences - most die before they hit 40.
Re: (Score:1)
Not really. flipping burgers has major advantages in terms of future consequences.
{Putting on the serious hat} True. The picture I like to create is that of a Cadillac dealership's customers. I ask, Of 100 new Cadillacs that roll off the lot, what proportion are driven by people who are career criminals (drug dealers, card hackers, etc.)? What proportion go to people who work legitimate jobs or own legitimate businesses?
Hackers are Committed - I'm Hiring (Score:3, Funny)
'If you can delay them by two days, you can deter 60 percent of attacks,' said Scott Simkin, senior threat intelligence manager at Palo Alto Networks, which sponsored the study.
So 40% of hackers are committed enough to still be working on a problem two days later.
I will hire all of them right now to replace my current Help Desk. Those kids give up within 10 minutes. I pay better than $29,000/year too.
Wages (Score:2)
A lot of these hackers are in Russia and other countries with $29,000 per year is a fair amount of money, plus they might also have other jobs.
Less than... less than... less than... (Score:5, Insightful)
hackers make less than $15,000 per successful attack and net, on average, less than $29,000 a year. The average attacker conducts eight attacks per year, of which less than half are successful.
Unless the first two numbers are way off, they suggest the average hacker has (less than) two successful attacks which would be (less than) a quarter of the average eight per year.
A quick rewrite:
hackers make more than $14,000 per successful attack and net, on average, more than $28,000 a year. The average attacker conducts eight attacks per year, of which more than a quarter are successful.
There, that's a much more positive spin on things!
If I was amoral and had the skills, I'd take up hacking at those prices. A 25% chance of $14,000 for a week's work? Where do I sign up?
Re: (Score:1)
Yeah these "less than" are annoying, especially since the reported bounds are not necessarily tight (24% gets reported as "less than half"). If you spend money on a survey, then please report goddamn estimates, not mere upper bounds.
See "the flaw of averages" post from yesterday (Score:2)
See the story posted yesterday (or Tuesday?) about averages. You can't, generally, do math with averages of different measurements and expect to come out with a meaningful average of something else.
As people said yesterday, 99.99% of people have more than the average number of eyes. Also, the average person has one testicle.
Re: (Score:1)
But "less than" includes -Zero-, and a lot of negative numbers!
Just like "up to" in a technical spec written by salesmen... 8-)
Re: (Score:2)
Funny, my company seems to have no problems with rapid growth while paying US salaries (profits are plowed back into the business, for the most part). So far, it seems not only sustainable but highly successful.
In the US, anybody with more talent than a script kiddie can find a job making more than that. Unless they've got a criminal record, I guess, which is a good reason not to violate the CFAA for peanuts.
Re: (Score:2)
You know, I've heard lots of people saying that the US is going to fall, and providing no good reasons. If you want me to take you more seriously than a bunch of failures, you're going to have to give me reasons.
US wages are, apparently, generally lower than the workers' value to their employers, allowing employers to pay them, pay other expenses, and still typically have a profit. If a company concludes that parts of the labor force are paid more than their worth, it usually results in a layoff. In w
Re: (Score:2)
Wages have to be higher because the cost of living is higher, and the cost of living is higher because companies charge more for goods and services, part of the reason why they charge more is because they have to pay their workers more.
The problem is that companies are greedy and short sighted, so they will outsource to cheaper countries to reduce their costs... This will cut costs in the short term, but long term there will no longer be anyone able to afford your products.
what are they doing the rest of the year? (Score:5, Interesting)
From TFA:
The average attacker conducts eight attacks per year, of which less than half are successful. Among the findings that will be of particular interest to defenders: Hackers prefer easy targets and will call off an attack if it is taking too long. According to the survey, 13 percent quit after a delay of five hours
So, you do 8 attacks, and give up if you don't succeed in five hours. Since unsuccessful attacks are part of the 8, I assume that the ones they give up on are also part of that. That means that they work 40 hours a year, for an average salary of 29k$, or around 800$/hr. Not bad al all :)
Re: (Score:3)
Re: (Score:3)
I think that most day traders *do* make a little bit.
The catch is that the wins are small, and the losses catastrophic (like any other gambling "system")
hawk
Re: (Score:1)
More importantly: in aggregate their average performance is less than if they had simply bought and held index funds. The devil's advocate might say that their ignorant suffering is a necessary evil to achieve an efficient pricing mechanism.
In reality, price efficiency(and liquidity) are much more reliably achieved by quants, hedge funds, and computerized trading. My personal suspicion is that there is a minimum bankroll required to cost-justify the electricity expense to do the statistical analysis necessa
Re: (Score:2)
In "other people's money", John Kay makes an interesting argument that most (short-term) trading indeed does little more than create liquidity, but liquidity in that sense is almost only interesting for short-term traders. In most "real" stocks there has always been sufficient liquidity for normal trading, and when a crisis hits and you really need that liquidity it evaporates anyway.
http://www.amazon.com/Other-Pe... [amazon.com]
Re: (Score:2)
Speaking as an Economics professor . . . there is also strong evidence that such trading and program trading reduce price volatility as well
hawk
Re: (Score:2)
That means that they work 40 hours a year, for an average salary of 29k$, or around 800$/hr. Not bad al all :)
I would expect that the rest of the year they keep updated with research and systems, code their tools, search for vulnerabilities, find targets etc.
It's probably comparable to other fields where you spend 80% of your time finding clients and pitching projects to fill the 20% of the time you are actually getting paid.
Of course, at least they don't have to worry about PR, branding, cocktails and such :)
if it was my $15K or even my $100 (Score:2)
"deter 60%" (Score:1)
Average? (Score:1)
Re: (Score:1)
There is no such thing as a Bell Curve, just as there is no such thing as purely random.
Any such calculation is no more than rough guess. To do better you need calculus, and specific data.
Script Kiddies and Inside Jobs (Score:2)
I wonder how script kiddies and inside jobs skew the results.
In the case of script kiddies, these are people who are running a program to detect vulnerable points in various systems. They can run this script while doing something else so (as another poster pointed out), they can be working a legitimate job during the day while the script runs and then making money by hacking the vulnerable servers at night. In this case, making $15K isn't a "low wage" but a "nice side income." (Especially if they don't r
Re: (Score:2)
I wonder how script kiddies and inside jobs skew the results.
In the case of script kiddies, these are people who are running a program to detect vulnerable points in various systems. They can run this script while doing something else so (as another poster pointed out), they can be working a legitimate job during the day while the script runs and then making money by hacking the vulnerable servers at night.
I agree, the statement "the average attacker conducts eight attacks per year" doesn't take into account those who have just messed around to a position where it's a weekly/daily activity, they would also be looking for easy targets and not linger long as a general rule.
Hell in my youth, I used to run a war dialer just looking for other modems when there were so few around. These days a lot can be done with Angry IP Scanner.
Sounds like good money. (Score:2)
As for stopping 60% of attacks by delaying them for 2 days - again, this doesn't sound like much of a deterrent. In fact when you couple it with the above statistic, it just shows that the serious hackers are willing to carry on for days, to make their year's income.
Hey whiplash (Score:2)
No more itwbennet! We don't want paid schills for cio.com or csoonline.com. Notice every single one of his posts links to these two sites? Enough is enough!
Feedback for BizX & Whiplash (Score:2)
Morning Guys,
ITWBennet is the sort of poster that I, and I believe a lot of crusty slashdot users, are not a fan of. He has no post history and doesn't participate on the site and appears to solely push articles from CSO Online. I know that you need to be putting content on to slashdot but I would rather things others on the site picked as interesting than to read press releases.
Call off the hack (Score:2)
They're only likely to stop if the time taken is their actual time, they will routinely leave scripts running slow attempts for months if nothing is done to stop them...