You’ve just gotta love it when “the bad guys” participate in surveys so that we (good guys) can better understand their techniques and motivations.
I wonder whether anyone has thought of hitting up ISIS and Al Queda with SurveyMonkey?
Article posted on Help Net Security.
Emphasis in red added by me.
Brian Wood, VP Marketing
86% of hackers don’t worry about repercussions
Thycotic announced the results of a survey of 127 self-identified hackers at Black Hat USA 2014. The survey found that 86% of hackers are confident they will never face repercussions for their activities. In a double-edged sword conundrum, 88% of respondents also believe their own personally identifiable information (PII) is at risk of online theft.
Asked which types of employees they would most likely target first in order to gain login credentials for a particular company, 40% of the hackers polled indicated they would start with a contractor. This is especially relevant, given that Edward Snowden was a contractor, and used his privileged access to steal sensitive NSA documents.
Additionally, 30% of respondents would first target IT administrators, highlighting the importance of locking down access controls to privileged accounts.
Other key findings from the survey include:
- More than half (51%) of hackers say their actions are motivated by fun/thrill seeking, while only 18% say they are motivated by financial gain.
- Meanwhile, 29% claim they are motivated by social consciousness or a moral compass.
- 99% of respondents believe that simplistic hacking tactics such as phishing are still effective.
- 53% of hackers do not believe users are learning to avoid such tactics.
“The motivations and inner workings of today’s hacker community have always been somewhat mysterious, but the damage they can do to an enterprise is painfully clear,” said Jonathan Cogley, founder and CEO of Thycotic. “Understanding why hackers do what they do is the first step as IT security teams take measures to better control and monitor access to company secrets. Organizations need to do a better job of protecting the passwords and privileged login credentials associated with contractors and IT administrators, as these employees are a huge target for cybercriminal activity.”