Career hackers and cyber criminals can expect to make almost as much, if not slightly more, money every year than their white hat equivalents, according to new statistics produced for an upcoming research paper from vulnerability and risk management firm Tenable.
The research analysing the increasing professionalism of cyber criminals was conducted by Oliver Rochford, a former Gartner analyst, author of the first German edition of Hacking for Dummies, and now research director at Tenable.
According to Rochford’s statistics, people working as white hat penetration testers can expect to make a wage of around $82,000 (£63,670) per annum, and threat researchers at suppliers around $100,000 (£77,640).
Earnings for bug bounty hunters tend to be somewhat lower, at around $34,000 (£26,410) on average. Entry-level jobs at nation state-level actors, for example intelligence agencies such as GCHQ or the NSA, start at around $90,000 (£69,900).
When it comes to cyber criminals, Rochford said the average midrange earnings could hit as much as $75,000 (£58,260), and up to $165,000 (£128,180) for a few high-end people.
“If you do this as a day job, if you are committed and you have good skills, $75,000 a year is achievable,” he said.
“Of course, there are caveats and problems around legality and so on, but depending on which country you live in – and we have seen this primarily in countries that produce a lot of trained IT people, but don’t have jobs for them – it can be very attractive to go into this area, especially if you’re in the right country where there are no extradition treaties.
“When we look at the sums here, we can see it is still more lucrative to go into the white market, it’s still more lucrative to do this legally, but if you can’t do that, it’s definitely a way to earn a living,” said Rochford.
With both sides of the cyber security battle working in a symbiotic relationship to some extent, Rochford highlighted the need to understand the financial dynamics surrounding threats and vulnerabilities so that the cyber security industry can more effectively disincentivise illegal activity.
It has been well-known for some time that cyber criminals are already selling vulnerabilities and exploits with pricing based on a parallel underground cyber crime-as-a-service channel model similar to something that might be used by a legitimate software company.
He highlighted one example of a ransomware-as-a-service product going for $900 for a 12-month contract, including 24/7 support services and a real-time client manager.
“This is not being done out of someone’s back bedroom. This is someone who has spent time evaluating how they are going to go to market and how they’re going to price the product,” he said.
Some of Tenable’s statistics purport to show that based on a payment rate of just 0.5% of victims, the average return on investment (RoI) for a ransomware strain can be as high as 500%.
“They [criminals] can afford to pay a lot more to conduct attacks before it’s not worth it, and that’s an important point because what we’re really interested in is how much does it cost to disincentivise this? How much would we actually have to pay, hypothetically, for vulnerabilities or zero days, to make it really not attractive for people to use them?” said Rochford.