Gone in a day: Ethical hackers say it would take mere hours to empty your network

Once they've broken into an IT environment, most intruders need less than five hours to collect and steal sensitive data, according to a SANS Institute survey of more than 300 ethical hackers.  The respondents also proved the old adage that it's not "if" but "when." Even if their initial attack vector fails, almost 38 percent …

  1. amanfromMars 1 Silver badge

    For the Crashing and Burning, Collapsing and Crushing of Dodgy Ethereal Markets/Places and Spaces

    Hmmm? Interesting?

    With so many confident in being able to address and mitigate against cyber attack and virtual distress, one imagines the news to be gleaned and pumped/rinsed and pimped from all such novel industry reports is that there is really nothing to fear emerging from ITs crazy new worlds.

    It is indeed a crazy sad rad mad world ..... and quite perfect for exploitative 0dDay experimentation and expansion. ...... thunderous explosive and implosive bolts right out of the deep blue and wild dark wonder.

    Obviously here, Jessica, is the optimism you reported on being available to and from interested parties out there, summarily dismissed and all sensible advice for everything out there from here in such fields of expanding entrepreneurial endeavour and future progress, is to proceed with all due care and attention to extreme caution.

    Many novel fields neither entertain nor warrant the presence and pleasure of prisoners or wannabe elite white-collar criminals. One strike and you're out, and you ain't ever coming back from nowhere good and great.

    1. Clausewitz4.0 Bronze badge

      Re: For the Crashing and Burning, Collapsing and Crushing of Dodgy Ethereal ...

      See you at Sea. In uniform.

      1. amanfromMars 1 Silver badge

        Sure. Okay. You Got a Good Plan? Where is You All at?

        See you at Sea. In uniform. .... Clausewitz4.0

        That would have one prepared to meet and greet foreign and alien visitors and virtual terrain team miners channeling the Commander Bond, Grand Wizard and Worshipful AIMaster type Vibes and Means Memes Machine, a Palace Barracks Derived Confection and Imperial Contraption which have more than just a chosen few and many kicking down doors and smashing through barriers that serve the worlds of royal and ancient monarchies/autocracies/oligarchies/meritocracies, postmodern 0dDay princes and princesses and future greater kings in the thrall of better queens of immaculate fancy, Clausewitz4.0

        Ich Dien et Mon Droit Private Public Pirate Key Territory for the Exercise of Sovereign Dominion in Pioneering Lead AIDomains.

        If you're into providing for or leading in any or all of that, is your supply chain both virtually and practically guaranteed failsafe secure protection and stealthy unlimited access to remote command and control leverage facilities and utilities and to the rewards and worthy benefits that their expert exercise accrues and delivers. Such has proven itself over millennia to be simply perfectly fair and honestly just and an immaculate host and hedge against wanton arrogant abuse and ignorant wilful misuse.

        A Uniformed Pleasure in Deed indeed to Look Forward to See Conveyed over the Air and Seas to Media and ITs Main Streams Presenting Events Overland and Realising SMARTR Operations via Deep Chunnels Dark Underground.

  2. Anonymous Coward

    Ethical hackers, lol. Certainly not if they hold the ridiculous CEH certifications that demonstrate ancient attacks on vulnerable services that haven't been used in the real world since about 1996.

    1. IceC0ld

      it MAY be out of date / fashion etc

      BUT at least there was a way to confirm someone's 'right' to be there, so if they took away your cert, you couldn't work

      and it must have worked, as it is still hanging around

      CEH was one of THOSE certs I wanted to get SO bad 20 years back, but my days of study fell into disrepute, and I was gradually ground down to what I am today, one that wished he had kept the proverbial to the grindstone, and also one who cannot wait to retire

  3. Anonymous Coward

    Hours.....or Months?

    Quote:

    "The Need For Speed

    ...

    And once they've gained access to target systems and data, 22.7 percent said they can collect and exfiltrate data in three to five hours. Meanwhile, 40.7 said they can do this in two hours or less."

    In the Equifax hack, the volume of data exfiltrated was huge....(Wikipedia: "Private records of 147.9 million Americans....") So that would be 100+ gigabytes at a low estimate.

    This article suggests "three to five hours" or maybe "two hours or less"........really? So, for the Equifax hack to be done in a few hours, the bad guys need somewhere in the range 50-100 MBits/sec, continuously for hours on end....and no one notices?

    In fact, the Equifax hack went on for an unknown number of MONTHS.

    Is El Reg in the fact business......or in the marketing business? I think we should be told!
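The bandwidth arithmetic in the comment above, carried through as an added example (editor's code, not part of the thread or the article): a short Python script that computes the sustained egress rate a given data volume would need over a given number of hours (assuming decimal units, 1 GB = 10^9 bytes), plus a simple detector over constructed flow records that flags hosts whose outbound volume exceeds a rate threshold for consecutive hourly windows. The host addresses, flow records and the 50 Mbit/s threshold are constructed for the example; the point is that a transfer at the rates the comment derives is exactly what a per-host egress baseline would surface.

```python
from collections import defaultdict
from dataclasses import dataclass


def required_rate_mbps(volume_bytes: int, hours: float) -> float:
    """Sustained egress rate, in decimal megabits per second, needed to
    move volume_bytes in the given number of hours."""
    seconds = hours * 3600
    return volume_bytes * 8 / seconds / 1e6


@dataclass(frozen=True)
class Flow:
    """One outbound flow record (constructed; not a real log format)."""
    ts: int         # start time, Unix seconds
    src: str        # internal host
    dst: str        # external destination
    out_bytes: int  # bytes sent from src to dst


def egress_per_host(flows, window_s: int = 3600):
    """Aggregate outbound bytes per (host, window-start) bucket."""
    totals = defaultdict(int)
    for f in flows:
        bucket = f.ts // window_s * window_s
        totals[(f.src, bucket)] += f.out_bytes
    return totals


def sustained_egress_hosts(flows, threshold_mbps: float,
                           window_s: int = 3600, min_windows: int = 2):
    """Return {host: longest_run} for hosts whose outbound rate exceeds
    threshold_mbps in at least min_windows consecutive windows.
    A single burst (one window) is ignored; a sustained transfer is not."""
    by_host = defaultdict(list)
    for (host, start), total in egress_per_host(flows, window_s).items():
        by_host[host].append((start, total))

    flagged = {}
    for host, buckets in by_host.items():
        buckets.sort()
        run, prev_start = 0, None
        for start, total in buckets:
            over = total * 8 / window_s / 1e6 > threshold_mbps
            contiguous = prev_start is not None and start == prev_start + window_s
            run = (run + 1 if contiguous else 1) if over else 0
            prev_start = start
            if run >= min_windows:
                flagged[host] = max(flagged.get(host, 0), run)
    return flagged


# Constructed sample: one host pushing ~30 GB/hour for four straight hours,
# one host with two separate 30 GB bursts two hours apart, and a quiet host.
SAMPLE_FLOWS = [
    Flow(0,     "10.0.5.17", "203.0.113.9", 15_000_000_000),
    Flow(1800,  "10.0.5.17", "203.0.113.9", 15_000_000_000),
    Flow(3600,  "10.0.5.17", "203.0.113.9", 30_000_000_000),
    Flow(7200,  "10.0.5.17", "203.0.113.9", 30_000_000_000),
    Flow(10800, "10.0.5.17", "203.0.113.9", 30_000_000_000),
    Flow(0,     "10.0.5.22", "203.0.113.9", 30_000_000_000),  # isolated burst
    Flow(7200,  "10.0.5.22", "203.0.113.9", 30_000_000_000),  # not contiguous
    Flow(0,     "10.0.5.40", "198.51.100.4", 100_000_000),
    Flow(3600,  "10.0.5.40", "198.51.100.4", 100_000_000),
]

if __name__ == "__main__":
    hundred_gb = 100_000_000_000
    for hours in (2, 3, 5):
        print(f"100 GB in {hours} h needs {required_rate_mbps(hundred_gb, hours):.1f} Mbit/s")
    print("sustained high egress:", sustained_egress_hosts(SAMPLE_FLOWS, threshold_mbps=50.0))
```

The 50 Mbit/s threshold corresponds to 22.5 GB per hourly window; any real deployment would derive the threshold from each host's own history rather than a fixed number, but the consecutive-window requirement is what separates a legitimate backup burst from hours of steady outbound transfer.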

  4. Pascal Monett Silver badge

    "I do not blame the person who clicks in an email"

    I do.

    We've seen enough of this. People should know by now.

    1. DJV Silver badge

      Re: "I do not blame the person who clicks in an email"

      Absolutely! But there are some people who, no matter how many times they are told not to, will ALWAYS click the link and then spout some utter rubbish excuse like, "But it promised me lots of shiny stuff!"

      1. heyrick Silver badge

        Re: "I do not blame the person who clicks in an email"

        Shouldn't the local mail handler strip out stuff like that? It's not like poisoned links in emails aren't a very well-known vector, is it?

    2. Missing Semicolon Silver badge

      Re: "I do not blame the person who clicks in an email"

      No, they don't know. Because a real mail from your bank looks just like a phishing mail.

      1. Michael Wojcik Silver badge

        Re: "I do not blame the person who clicks in an email"

        Real email from our corporate security group looks exactly like a phishing mail, including the link to a site not in our domain and instructions to enter corporate credentials.

        And that's for our anti-phishing training.

        Blaming users is stupid and pointless. It's stupid because human beings cannot be constantly vigilant, and organizations continue to use email with embedded URLs for legitimate purposes. It's pointless because decades of IT security experience, and millennia of security experience in general, universally tell us that blaming the users does not help. It does nothing to improve the situation. It's merely an occasion to make yourself look smug, and it's not even very good for that.

        1. Anonymous Coward

          Re: "I do not blame the person who clicks in an email"

          @Michael_Wojcik

          Agree.......but it's actually worse than you have described:

          (1) As usual, it's simply "experts" pontificating about the "poor behaviour" of the unwashed customer.....that always has a good look

          (2) If the pontification is by an "expert", the great unwashed are entitled to ask "So...why are you not doing something to help?"

          In summary....business as usual......"Blame The Victim"!!!!!
