HPE Business Insights

The (big) business of hacking

Hackers may work in the shadows, but they have the same capabilities as a traditional business.

By Scott Koegler, contributing writer

Hacking is no longer an underground operation but a full-scale enterprise, equipped with owners and operators, customers, and even marketing departments. In fact, it has become an online industry that mirrors other digital services. The main difference, aside from the fact that hackers sell illegally obtained information, is that the services aren't available through the standard open Internet.

Hacking on the dark web

The hacker community conducts its business on the dark web, which isn't easily penetrable by non-hackers. While the dark web may be difficult to reach by outsiders, it's not radically different from what most Internet users experience on the standard web, also referred to as the "surface web" or "clear web." Like the standard web, the dark web is populated by buyers and sellers of products and services, ranging from amateur hackers looking for instructions to hacking companies that have developed assets they offer for sale or for rent, including malware. According to a report by CNBC, there's so much stolen data available on the dark web that hackers are selling personally identifiable information for as little as one dollar, while bank account login information is worth between $200 and $500.

The successful players have scaled quickly and honed their products and methodologies, maximizing their returns. They employ staff to handle their accounting and payroll, and, aside from the products they sell and the purchasing or acquisition practices they perform, carry on daily operations on a global scale similar to other enterprises.

These hacking companies have developed tools and methods to steal data and to evaluate the value of their plunder so it can be sold. They need to find customers for the data records they accumulate, and they employ marketing teams that concoct sales events, special promotions, and volume discounts. Byproducts of their efforts include highly sophisticated software tools that can be offered to others who may want to execute their own hacking efforts.

Their business revolves around finding new data to sell to hackers and providing hackers with the tools they need to profit from the data. For hackers who find installing software and managing the process beyond their abilities, some hacking organizations offer pre-installed software as a service (SaaS) or hacking as a service (HaaS), through which the company collects rent in the same way as other legitimate SaaS providers. In an article in CSO Outlook, Ondrej Krehel, MD and founder of LIFARS, said HaaS is not only cheap and easy to use, but also easy to access. "These platforms," Krehel said, "are no longer just found on servers, found only on the Deep Web. They are becoming ever more mainstream and easy to find for the less technically savvy attackers."

The "it's so easy, anyone can do it" state of hacking is showing no signs of slowing down. From HaaS to hacking software, if there's a cybercriminal who wants to breach your enterprise, there's an affordable, easy-to-use tool on the market to do the job.

Protecting your enterprise from hackers

As the population of intruders expands and the tools become more sophisticated and more easily obtainable, companies need to protect themselves by using the most up-to-date enterprise security tools available. Every enterprise computing environment is under attack—many enterprises will be breached, and data will inevitably be stolen. According to the Cyber Risk Report 2016, "In the modern world, having insecure software and services can negatively impact the bottom line of an enterprise. As breaches become more prevalent, the tools and techniques used in these breaches gain legitimacy and a monetary value."

The second level of protection needs to include robust encryption that assures that even when the data finds its way to market, it's unusable. Security professionals need to put measures in place that protect data not only when it's at rest, but also while it's being moved from storage to application, and even when it's being used by its applications.

Protecting your employees from hackers

Hackers find their way into your systems through vulnerabilities. Frequently, those weak spots are created inadvertently by staff. The hacking of people, known as social engineering, is far too common in enterprises. Often, employees are targeted by their social media profiles, including LinkedIn, which reveals their job status in the enterprise and suitability for an attack, such as phishing. One of the best defenses against human hacking is simple education. According to Enterprise Forward, "Training is a potent defense against social engineering hacks. It not only substantially reduces the number of people who fall victim to such attacks, it creates a network of 'human sensors.' And humans are far more effective at detecting attacks than almost any technology."

Yet, like so much else in the enterprise, excellence in IT security needs to start at the top: security software and education go a long way, but it is IT leaders who must set the standards and the tone.

For more information on this topic, read the Business of Hacking business white paper (reg. req’d).

Scott Koegler practiced IT as a CIO for 15 years. He also has more than 20 years of experience as a technology journalist and has written for publications including Network Computing, Forbes, Internet Evolution, and many others.
