Malware and spam rates may not be on the decline, but a survey of hackers attending the DEFCON 17 conference in Las Vegas earlier this month found that many members of the underground cyber-economy work less during Q3 before ramping up their efforts again during Q4 ahead of the holiday season.
Experts have noted for years that attacks seem to take off once the summer ends and college kids go back to school, but even the post-graduate hacker set appears to take some vacation time during Q3, according to the survey conducted at DEFCON by Tufin Technologies, a vendor of security management applications.
Based on interviews with roughly 80 attendees of the infamous show, which has displaced Black Hat as the true hacker counter-culture summit as the former has become more oriented towards the business of ethical hacking, members of the larger hacking community believe that only 26 percent of their brethren account for the cyber criminal element, with most hackers performing white hat research.
In terms of seasonality, some 89 percent of those surveyed said that they don't feel that vacations taken in Q3 by IT security pros had any major impact on attack success rates, as many of the hackers themselves take a step back at the end of the summer before ramping up anew ahead of Thanksgiving, Christmas and New Year's.
Some 81 percent said that malicious hackers are typically far more active during Q4, with 56 percent citing the Christmas season as the busiest time of the year in terms of launching corporate, not consumer, attacks. Consumer oriented threats always take off during the holiday months as well, but apparently end users shopping over their company networks also expose their employers to increased infiltration.
New Year's is another favorite time of the year for attacks, with 25 percent of respondents to the Tufin survey saying that the bad guys usually create threats to be launched over the final days of the year.
IT security pros may take vacations during Q3, but they become lax as the holidays approach, making it easier for attackers to target their organizations, Tufin experts concluded.
"Hackers know this is when people relax and let their hair down, and many organizations run on a skeleton staff over the holiday period," Michael Hamelin, chief security architect at Tufin, said in a summary of the study.
Attackers also like to work under the cover of night when IT pros are home asleep, with 52 percent of respondents saying that the baddies typically are busiest during weekday overnights, with only 36 percent focusing most of their efforts during the typical 9-5 workday, and only 15 percent carrying out most of their attacks over weekends.
Those interviewed at DEFCON said that they also feel that compliance initiatives such as PCI DSS have done little to prevent attackers from targeting sensitive business data, with 97 percent scoffing at the efficacy such initiatives.
Government security directives have also done little to thwart attacks, survey respondents said, as 70 percent said that such mandates have done little to improve public sector security.
"These results further validate the reality that there is little common ground between compliance and security, but as an industry we have the collective knowledge and the resources to change that," said Hamelin. "While standards such as PCI-DSS provide a good baseline, organizations that assume achieving PCI compliance will solve their security woes are in for a rude awakening."
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.