Hackers, malicious and otherwise, are just people–that’s easy to forget, but it also means their hacks are subject to human habits too. A recent survey by Tufin Technologies suggests that the summer and weekends are low hacking periods.
A survey of the hackers attending this month’s Defcon 17 conference turned up these rather interesting results: Only 25% of the hacker community is thought to be the malicious Black Hat type, according to the majority of the Defcon 17 hackers themselves. And when these dodgy coders are doing their worst, most often their hacks happen in the Winter holidays. About 81% of the hackers say they’re more active during this period. 6% of hackers say Christmas is in fact the ideal time to tackle a corporate network, while 25% think New Year’s Eve is best.
As well as being an interesting curio, this is revealing. Let’s assume those 81% Winter hackers are more active because they’re more often stuck indoors–it illustrates that the majority of hackers live in the northern hemisphere, subject to its Wintery chill. The Holiday season is also an obvious time to effect hack attacks because many staff are on leave–the hackers themselves and, more importantly, IT staff at big companies. There’s another lesson to be learned here: This Winter, keep your IT staff in action and surveilling your network instead of granting them leave, and you many find your network security doesn’t get breached too badly by a hacker trying a direct assault. You might want to restructure the hours your IT security staff work too, since 30% of hacking gets done during normal business hours, but 52% happens after work during the week.
Of course, the timezone issue messes some of this up, since hacking is usually a remote operation and there’s no reason a hacker would particularly target nearby businesses. But at least weekends are still safe: Hackers like time off as much as the rest of us, and only 15% of them get busy on the weekends.
Oh, and while we’re on the subject, remember we reminded you that your Mac isn’t necessarily as safe from viruses and hacks as you may think? It seems Apple’s taken that on board too–there’s news out that the folks in Cupertino have bolted in a whole bunch of new anti-virus protection into the imminent Snow Leopard operating system. It appears that the software now scans drives for malicious code, and alerts you to its presence, though there’s no word on how often its virus registry will be refreshed to deal with new threats as they surface. Still, it’s a move in the right direction.
Here’s the full text of the survey news release:
Tufin Survey: Hackers Say Take a Break This Summer Before Winter Hacking Spike
Hacker Survey at DEFCON Reveals Hackers Work the Night Shift;
Believe Compliance Initiatives Don’t Improve A Company’s Security
Ramat Gan Israel, August 25, 2009–Tufin Technologies, the
leading provider of Security Lifecycle Management solutions, today
announced the findings of its “Hacker Habits” survey conducted amongst
79 hackers attending DEFCON 17 in Las Vegas earlier this month. Enjoy
your summer vacation says the hacking community, as you’re far less
likely to be targeted now than during your Christmas and New Year’s
vacation. Eighty nine percent of hackers admitted that IT professionals
taking a summer vacation would have little impact on their hacking
activities, as a whopping 81% revealed they are far more active during
the winter holidays with 56% citing Christmas as the best time to
engage in corporate hacking and 25% specifically naming New Years Eve.
“The survey reveals that the Christmas and New Year holidays are
popular with hackers targeting western countries,” said Michael
Hamelin, chief security architect, Tufin Technologies. “Hackers know
this is when people relax and let their hair down, and many
organizations run on a skeleton staff over the holiday period.”
If you want to know when you should be most on your guard it’s
during weekday evenings with 52% stating that this is when they spend
most of their time hacking, 32% during work hours (weekdays), and just
15% hacking on weekends.
Ninety six percent of hackers in the survey said it doesn’t matter
how many millions a company spends on its IT security systems, it’s all
a waste of time and money if the IT security administrators fail to
configure and watch over their firewalls. Eighty six percent of
respondents’ felt they could successfully hack into a network via the
firewall; a quarter believed they could do so within minutes, 14%
within a few hours. Sixteen percent wouldn’t hack into a firewall even
if they could.
“This may be stating the obvious,” said Hamelin, “but poorly
configured firewalls remain a significant risk for many organizations.
It’s not the technology that’s at fault, but rather the configuration
and change control processes that are neglected or missing altogether.
Best practice suggests you should test and review your firewall
configuration regularly, but many organizations fail to do so.”
Validating the frustrating gap between compliance and security,
seventy percent of the hackers interviewed don’t feel that regulations
introduced by governments worldwide to implement privacy, security and
process controls has made any difference to their chances of hacking
into a corporate network. Of the remaining 30%, 15% said compliance
initiatives have made hacking more difficult and 15% believe they’ve
made it easier.
“These results further validate the reality that there is little
common ground between compliance and security, but as an industry we
have the collective knowledge and the resources to change that,” said
Hamelin. “As the media constantly reminds us, while standards such as
PCI-DSS provide a good baseline, organizations that assume achieving
PCI compliance will solve their security woes are in for a rude
awakening. With security and compliance budgets so deeply intertwined,
it serves us as security professionals to make the two more synonymous.
At the end of the day, the more accountable we are willing to be, the
less we’ll have to be.”
With the Network Solutions breach being the latest in a series of
widely reported breaches of PCI compliant companies, how big is the
threat of a high-profile malicious hack? One important factor in
determining that is to understand the scope of criminal activity.
Seventy percent of those sampled believe the number of malicious
hackers–criminals motivated by economic gain– is less then 25% of
the of hacker community.
“I never fail to leave DEFCON without new insights on the nature of
cyber crime and how to prevent it,” said Hamelin. “My biggest
take-aways from the survey are that cyber security investments are only
as effective as the people, processes and technology tasked with
managing them. Just as a small subset of criminal hackers can taint the
reputation of an entire community, a few good guys willing to be
accountable for their internal processes and technology can preserve a
company’s reputation. With winter right around the corner, we have time
to shift the dynamic from 86% who can hack into a network through its
firewalls to 86% that can’t.”