I remember being about 9 years old, and starting to understand the concept of money. Suddenly things I wanted (typically, video games) equated with dollars, and I realized that I had very few dollars, but wanted lots of games.
My buddies and I would daydream about how we could earn the impossible and princely sum of 100 dollars. 100 dollars! We’d be rich! Set for life! If we could just get 100 dollars, we thought we’d never need to ask for anything again.
What would we be willing to do? Eat a worm? Totally. Clean the house — no problem. Shovel snow out of all the driveways on the street? We’d do our best.
That was way before I ever knew I’d be an IT guy some day. Way before the idea of a hacker was part of popular culture. Way before I knew what it meant to have a real job, real income, and real expenses. But apparently, those daydreams never end.
In Centrify’s recent survey, we turned that question around. We asked grown-up IT Managers how little money it would take to convince them to “turn to the dark side” and become a hacker. The answer for 28% of them — $2,000.
What’s happened here? Like the 100 dollar dream of my youth, two grand isn’t enough money to retire with. It’s not enough money to eliminate worries. Heck, here in Silicon Valley, it’s not enough money for a month’s rent. Why is the bar so low?
As a former IT guy myself, I think it has a lot to do with the current cultural perception of what a “Hacker” is, combined with a general growing apathy about cybersecurity. Neither of which is a good thing.
Hackers = heroes
The Hacker of yore, the angry, powerless, intelligent, dedicated loner hell-bent on teaching lessons to “the establishment,” has been nearly erased. Today’s “Hacker” could be anyone from a Systems Administrator who leaves a back door open to more easily access and administer his servers, to a first-year programmer at a social media giant who “hacks” code to rough out ideas quickly, and then comes back to iterate and improve that code if the idea is valuable.
The value of the “techy” has risen so much in the last years, that everyone wants a piece of the action. The “Hacker” is our new folk hero — working to improve the status quo. Heck, marketing people are calling themselves “growth hackers” and the concept of “life hacking” is quickly replacing “self help” in blogs, and on bookstore shelves.
But let’s not forget that not all “Hackers” are positive folks. Hacktivism blurred the lines for us — those groups were truly out to help, not hurt, the industry by showing us our weaknesses. They were showing us that when the REAL bad guys came, we were going to be in trouble. And they were right!
The real bad guys, call them “Black Hat” or “Attackers” — they are truly criminals, not heroes. These folks aren’t Robin Hood. They aren’t teaching lessons. They are robbing all of us, every day, and making billions annually by preying on the weak. They con people out of passwords, they steal social security numbers and bank records, and then they empty bank accounts. Indiscriminately. Business, personal, you name it.
I think we need to do a better job of calling these people out — and stop glorifying the truly bad actors by associating them with the groups that are out to actually improve cybersecurity, not just circumvent it. Maybe then good people would be more reticent to call themselves “Hackers.”
Countless breaches and powerless IT
Now, in the last few years, so many companies have made the news by being hacked that it’s starting to seem like the status quo. I fear, in fact, that for many IT folks, it’s just seen as part of the cost of doing business. I think this also impacts the results of our State of the Corporate Perimeter survey — people just feel powerless to stop the attacks; they just hope they aren’t next.
Bad news, team: hope isn’t enough.
In my IT security community, I hear a lot of “I hope they fix those security holes…” or “I wonder when they will figure out a way to eliminate passwords entirely.” I always wince. In this community, “we” are the “they” that have to do this stuff.
We CAN protect against these common attacks that target credentials. We CAN eliminate passwords. We CAN use SAML. We can implement MFA. We have the tools to thwart the leading causes of attacks today. We just have to DO it.
But the fact that many of us are so beaten down, so demoralized, that all it takes is a couple of grand to actually entertain the idea of “going black hat”... well, it’s a scary picture. It’s time to focus less on the constant attacks, and focus more on the impact of those attacks. We need to remember that we are protecting ourselves and our loved ones, our employers, and our very infrastructure. We need a rallying cry, or a unifying hope. We need to stop just watching movies about superheroes, and start taking positive steps ourselves.
Maybe it’s not simple, but it sure isn’t impossible.
There’s scary stuff happening out there. And it’s not going to go away on its own. Hopefully we as an IT community can rally and show these truly bad hackers that we have learned our lessons and do have the skill and tools to stop them.
Until then, I take some solace in the fact that at least some of the hypothetical earnings from these suspect folks would still likely be spent on video games. Some things never change.
Read the white paper Stop Password Sprawl with App Single Sign-On via Active Directory to take the first step in eliminating passwords and improving security.