Security researchers: These people are highly technical, publicly (or somewhat publicly) known security experts who not only monitor and track computer, network, and application vulnerabilities, but they also write tools and other code to exploit them. If these guys didn’t exist, security professionals wouldn’t have much in the way of open-source and even certain commercial security testing tools. I follow many of these security researchers on a weekly basis via their personal or company blogs, Twitter feeds, and articles, and you should too. You can review my blog (www.principlelogic.com) and the appendix of this book, which lists other sources from which you can benefit. Following the progress of these security researchers helps you stay up to date on vulnerabilities, as well as the latest, greatest security tools. I list tools and related resources from various security researchers in the appendix and throughout the book.
Hackers can be good (white hat) and bad (black hat) hackers. Gray hat hackers are a little bit of both. There are also blue-hat hackers, outsiders who are hired to find security flaws in client systems. Blue-hat hackers are more recently referred to as purple-hat hackers.
A study from the Black Hat security conference found that everyday IT professionals even engage in malicious and criminal activity against others. And people wonder why IT doesn’t get the respect it deserves!
Regardless of age and complexion, hackers possess curiosity, bravado, and often very sharp minds.
Hacker motivations
Perhaps more important than a hacker’s skill level is their motivation. The following groups of hackers have different motivations:
Hacktivists: These hackers try to disseminate political or social messages through their work. A hacktivist wants to raise public awareness of an issue but wants to remain anonymous. In many situations, these hackers try to take you down if you express a view that’s contrary to theirs. Examples of hacktivism are the websites that were defaced by the “Free Kevin” messages that promoted freeing Kevin Mitnick, who was in prison for his famous hacking escapades. Other cases of hacktivism include messages about legalized drugs, antiwar protests, wealth envy, big corporations, and just about any other social and political issue you can think of.
Terrorists: Terrorists (both organized and unorganized and often backed by government agencies) attack corporate or government computers and public utility infrastructures such as power grids and air-traffic control towers. They crash critical systems, steal classified data, and/or expose the personal information of government employees. Countries take the threats that these terrorists pose so seriously that many mandate information security controls in crucial industries, such as the power industry, to protect essential systems from these attacks.
Hackers for hire: These hackers are often (but not always) part of organized crime on the Internet. Many of these hackers hire out themselves or their ransomware and DoS-creating botnets for money — lots of it!
Criminal hackers are in the minority, so don’t think that you’re up against millions of these villains. Like the email spam kings of the world, many members of collectives prefer to remain nameless; the nefarious acts are carried out by a small number of criminals. Many other hackers just love to tinker and only seek knowledge of how computer systems work. One of your greatest threats works inside your building and has an access badge to the building, a network account, and hair on top, so don’t discount the insider threat.
Why They Do It
Hackers hack because they can. Period. Okay, the reason goes a little deeper. Hacking is a hobby for some hackers; they hack just to see what they can and can’t break into, usually testing only their own systems. These folks aren’t the ones I write about in this book. Instead, I focus on those hackers who are obsessive about gaining notoriety or defeating computer systems and those who have criminal intentions.
Many hackers get a kick out of outsmarting corporate and government IT and security administrators. They thrive on making headlines and being notorious. Defeating an entity or possessing knowledge that few other people have makes them feel better about themselves, building their self-esteem. Many of these hackers feed off the instant gratification of exploiting a computer system. They become obsessed with this feeling. Some hackers can’t resist the adrenaline rush they get from breaking into someone else’s systems. Often, the more difficult the job is, the greater the thrill is for hackers.
It’s a bit ironic, given their collective tendencies, but hackers often promote individualism — or at least the decentralization of information — because many of them believe that all information should be free. They think their attacks are different from attacks in the real world. Hackers may ignore or misunderstand their victims and the consequences of hacking. They don’t think about the long-term effects of the choices they’re making today. Many hackers say that they don’t intend to harm or profit through their bad deeds, and this belief helps them justify their work. Others don’t look for tangible payoffs; just proving a point is often a sufficient reward for them. The word sociopath comes to mind when describing many such people.
The knowledge that malicious attackers gain and the self-esteem boost that comes from successful hacking may become an addiction and a way of life. Some attackers want to make your life miserable, and others simply want to be seen or heard. Some common motives are revenge, bragging rights, curiosity, boredom, challenge, vandalism, theft for financial gain, sabotage, blackmail, extortion, corporate espionage, and just generally speaking out against “the man.” Hackers regularly cite these motives to explain their behavior, but they tend to cite these motivations more commonly during difficult economic conditions.
Malicious users inside your network may be looking to gain information to help them with personal financial problems, to give them a leg up on a competitor, to seek revenge on their employers, to satisfy their curiosity, or to relieve boredom.
Many business owners and managers — even some network and security administrators — believe that they don’t have anything that a hacker wants or that hackers can’t do much damage if they break in. These beliefs are sorely mistaken. This dismissive kind of thinking helps support the bad guys and promote their objectives. Hackers can compromise a seemingly unimportant system to access the network and use it as a launching pad for attacks on other systems, and many people would be none the wiser because they don’t have the proper controls to prevent and detect malicious use.
Hackers often hack simply because they can. Some hackers go for high-profile systems, but hacking into anyone’s system helps them fit into hacker circles. Hackers exploit many people’s false sense of security and go for almost any system they think they can compromise. Electronic information can be in more than one place at the same time, so if hackers merely copy information from the systems they break into, it’s tough to prove that hackers possess that information, and it’s impossible to get the information back.
Similarly, hackers know that a simple defaced web page — however easily attacked — isn’t good for someone else’s business. It often takes a large-scale data breach, ransomware infection, or a phishing attack that spawns the unauthorized wire transfer of a large sum of money to get the attention of business executives. But hacked sites can often persuade management and other nonbelievers to address information threats and vulnerabilities.
Many recent studies have revealed that most security flaws