Hackers take summer breaks and reserve the winter holiday season for most of their exploits, but fewer than a quarter are motivated by money or malicious intent, according to a study of hacker behaviour.
A survey of 79 hackers' habits conducted by Tufin Technologies at last month's Defcon hacker convention in Las Vegas showed that 81% were more active during the winter holidays. Christmas was the best time to engage in corporate hacking for 56%, and 25% preferred New Year's Eve.
Almost 90% said summer would have little impact on their hacking activities, even though many IT professionals took a break then.
Michael Hamelin, Tufin Technologies' chief security architect, said, "Hackers know winter is when people relax and let their hair down, and many organisations run on a skeleton staff."
The survey showed that 52% of hackers do their business during weekday evenings, 32% during work hours (weekdays), with just 15% hacking on weekends.
Seven out of 10 respondents said compliance with regulations to implement privacy, security and process controls had made no difference to their chances of hacking into a corporate network. Of the rest, 15% said compliance activities had made hacking more difficult, but 15% said they had made it easier.
Hamelin said standards such as PCI-DSS provided a good baseline, but they were not enough. Several PCI-DSS compliant firms had been hacked, with Network Solutions merely the latest high-profile case.
70% of respondents believed that fewer than a quarter of hackers broke into IT systems for financial or malicious motives.
Few were put off by the millions a company spent on its IT security. The survey found that 86% of respondents' felt they could hack into a network via the firewall; a quarter believed they could do so within minutes, 14% within a few hours.
Hamelin said, "Poorly configured firewalls remain a significant risk for many organisations. It is not the technology that is at fault, but rather the configuration and change control processes that are neglected or missing altogether. Best practice suggests you should test and review your firewall configuration regularly, but many organisations fail to do so."