Hackers used to be hobbyists. They were curious and nosey and this was their main motivation for breaking into business and government networks. Some of them did some damage while getting into systems or left the equivalents of graffiti in order to show off to their peers and prove they’d gained the access they claimed.
They were motivated by a mixture of intellectual curiosity and an ego-driven desire to show off.
This was of course extremely irritating for security professionals – especially when they, and their businesses, were publicly humiliated.
But hackers today are in business. They’re working full-time and for money. They use automated tools to find weaknesses by scanning tens of thousands of business networks and websites.
Once they find a vulnerability which they can exploit then they look for ways to turn this into money.
In the old days the hobbyist hackers might try to sell you the information about the hole in your system. Exactly how they went about that determined whether they were labelled black hat or white hat hackers. These markets have since multiplied, with both good and bad guys as possible customers.
But nowadays there are lots of different ways to turn business vulnerability into money apart from old-fashioned blackmail.
This might be direct fraud – some gangs set up fake invoices and target finance officers to get payments sent. They go after exactly the right person with exactly the right information. They might claim the payment involves a secret take-over and so needs to be made without the usual checks. But it won’t just be a random claim – they’ll use the name of a company which makes sense – maybe even a company which is actually being considered as a take-over target.
Hackers might also sell the information about the weakness to another gang to exploit.
Depending on your business they might use the hole in your system to get hold of intellectual property to sell to a rival company.
They might steal credit card information if you run a retail company. If they can access more detailed customer information they might set up an identity theft scam.
If you run a media business or do a lot of online marketing then ad fraud is another option.
But because hacking is now a serious business, you can use this as part of your defences.
You cannot make any system perfectly secure. But you can make it secure enough not to be a profitable target. To put it more cynically – you need to be a less attractive target than other companies.
It’s like the old joke about two men being chased by a lion. One turns to the other and says: “We’ll never be able to outrun this lion”. To which the answer is: “I don’t need to run faster than the lion, just faster than you.”
So to stay safe you need to make life less profitable for attackers.
If you can reduce their profitability, slow their access to your systems and increase the risk that they’ll be caught then there’s a good chance they’ll go after someone else instead.
Of course there is still a need for basic perimeter security.
But beyond that you need to think about why hackers are doing what they’re doing. Then think about how your systems can make that more difficult for them.