6 sobering insights to help you defeat hackers

July 13, 2018 5 Minute Read

Getting tricked by a phishing text message may not be your idea of a good time, but for many hackers, every day is April Fools’ Day—and they’re hoping to take you for the fool. In the never-ending battle to defeat hackers, though, knowing their motivations can give the good guys the upper hand. For instance, most—sometimes as many as 93 percent—launch attacks with purely financial goals in mind. But “fun” is also among the most commonly cited motives for cybercrime.

Falling prey to an elaborate hacking prank is no one’s idea of fun, but facing a more insidious security breach bent on stealing your data is even worse. That said, it’s useful to think of cybercrime in the context of practical jokes. After all, hackers are just pranksters who happen to also want to sink your entire company infrastructure. If you really want to defeat hackers, the trick is to get inside their heads and learn how these pranksters set their traps.

Without further ado, let’s explore the results from the recently released 2018 Hacker Report by HackerOne to discover some shocking revelations about hackers’ motivations, demographics, tools, and more.

1. Know your enemy and their motivations

Unsurprisingly, money is still among the main reasons hackers and script kiddies exchange Ransomware as a Service and target your endpoints for cryptojacking. However, there’s more to a hacker’s motivation than financial gain. Per HackerOne, here are some driving factors in the hacking community:

  • 14 percent seek a challenge
  • 12 percent desire career advancement
  • 3 percent just want to show off

If your mind is struggling to bend around this data, it gets weirder: 1 in 10 hackers profess to be driven to “do good in the world.” Hackers might not be just like you and me, but data like this makes it sound like they are perhaps not all that different, either.

2. Hackers may switch sides

Twenty-five percent of hackers have discovered a bug but not reported it only because they weren’t able to find the right channel for sharing their discovery. If your organization hasn’t addressed white-hat hacker discoveries or bug bounties, it may be time to start talking about it. Twenty-three percent of white hats are admittedly driven by decent bounties to make security discoveries.

3. They don’t always work alone

The hacking community isn’t anything new. In fact, MafiaBoy revealed he was part of an active online community way back in 2000. Less than a third of hackers are lone-wolf cybercriminals. Nine percent regularly work with teams, 8 percent have a hacking mentor or student, and nearly one-third use online resources to learn from other hacking stars.

If you’re not keeping up with the latest security research in your quest to defeat hackers, it’s time to start. Hackers use their communities to stay on top of vulnerabilities and security discoveries, so if you want to keep up, you need to stay one step ahead of them at all times.

4. Hackers specifically target weak endpoints

While 70 percent of hackers prefer targeting websites, the report also identified an unsurprisingly strong trend toward attacking—you guessed it—all types of endpoints. Five percent prefer to target mobile applications, though just 0.1 percent choose to mess with Windows mobile apps. Nearly 3 percent are all up in your IoT devices, while 4 percent are busily devising attacks on your firmware or operating systems.

All this to say, don’t rush too quickly to pour all your security resources into protecting your website. At the end of the day, hackers are looking for the path—or endpoint—of least resistance. Failing to lock down every aspect of your IT network and invest in smarter office IT equipment, like printers with embedded security features, leaves the door open for a wolf to sneak in while you’re looking the other way.

5. Most are clever—but lazy

Nearly 58 percent of hackers identify as self-taught, and only half studied computer science in college or grad school—a surprising stat that should help your team keep things in perspective. At least most of the time, you’re not up against masterminds. These are ordinary, everyday people, and the key to levelling up your office IT skill set to defeat hackers may simply be better vigilance.

While it takes a considerable amount of dedication to teach yourself how to hack, two-thirds of hackers are at it less than 20 hours per week, and a staggering 44 percent hack for just 10 hours weekly or less. The only thing more infuriating than an effective hacker is a lazy yet effective one, right? Use this nugget as motivation to make their job harder with smarter defences and self-healing endpoints.

6. Hacker tool kits are largely the same

The most commonly reported hacker tool was Burp Suite, a Java-based tool for web application security testing. Thirty percent are all over it, while 15 percent prefer building their own tools. Fewer than 1 in 6 use traditional network vulnerability scanning tools. The most commonly reported mode of attack? Cross-site scripting, aka XSS.

Great penetration testers have perfected the art of thinking like a hacker, and you can apply the same mindset to protecting your company infrastructure. A recent study on how hackers operate reveals four key attack phases:

  1. Identifying vulnerabilities
  2. Scanning and testing
  3. Gaining access
  4. Maintaining access

While hackers may think it’s hilarious to hit you with an XSS attack, you won’t be the one laughing when you get hacked. Understanding this four-phased approach has value when it comes to proactively testing and improving your company infrastructure and endpoints.

Don’t be the butt of a hacker’s joke—while there’s a distinctly white-hat skew to the 1,700 hackers surveyed by HackerOne, there’s still a lot to be learned from their research about how to defeat hackers. Take hope from the bug bounty-motivated hackers who share their discoveries, and make sure you’ve established channels for vulnerability reporting. Most of all, don’t let your guard down or warm up to hackers too much. Remember, there are still a lot of scary cybermiscreants out there, cackling and eyeing your endpoints.
