Widespread use of networks and Internet connectivity
Anonymity provided by computer systems on the Internet and often on internal networks (because proper and effective logging, monitoring, and alerting rarely take place)
Greater number and availability of hacking tools
Large number of open wireless networks that help criminals cover their tracks
Greater complexity of networks and codebases in the applications and databases being developed today
Naïve yet computer-savvy children who are eager to give up privacy (which is easy because they’ve never experienced it) for free stuff
Ransoms paid by cyberinsurance policies can be huge
Likelihood that attackers won’t be investigated or prosecuted if caught
A malicious hacker needs to find only one security hole, whereas IT and security professionals and business owners must find and resolve all of them!
Although many attacks go unnoticed or unreported, criminals who are discovered may not be pursued or prosecuted. When they’re caught, hackers often rationalize their services as being altruistic and a benefit to society: They’re merely pointing out vulnerabilities before someone else does. Regardless, if hackers are caught and prosecuted, the “fame and glory” reward system that hackers thrive on is threatened.
The same goes for malicious users. Typically, their criminal activity goes unnoticed, but if they’re caught, the security breach may be kept hush-hush in the name of protecting shareholder value or not ruffling any customer or business-partner feathers. Information security and privacy laws and regulations, however, are changing this situation, because in most cases, breach notification is required. Sometimes, the malicious user is fired or asked to resign. Although public cases of internal breaches are becoming more common (usually through breach disclosure laws), these cases don’t give a full picture of what’s taking place in the average organization.
Regardless of whether they want to, most executives now have to deal with all the state, federal, and international laws and regulations that require notifications of breaches or suspected breaches of sensitive information. These requirements apply to external hacks, internal breaches, and even seemingly benign things such as lost mobile devices and backup tapes. The appendix lists the information security and privacy laws and regulations that may affect your business.
HACKING IN THE NAME OF LIBERTY?
Many hackers exhibit behaviors that contradict their stated purposes. They fight for civil liberties and want to be left alone, but at the same time, they love prying into the business of others and controlling them in any way possible. Many hackers call themselves civil libertarians and claim to support the principles of personal privacy and freedom, but they contradict their words by intruding on the privacy and property of other people. They steal the property and violate the rights of others but go to great lengths to get their own rights back from anyone who threatens them. The situation is “live and let live” gone awry.
The case involving copyrighted materials and the Recording Industry Association of America (RIAA) is a classic example. Hackers have gone to great lengths to prove a point, defacing the websites of organizations that support copyrights and then sharing music and software themselves. Go figure.
Planning and Performing Attacks
Attack styles vary widely:
Some hackers prepare far in advance of an attack. They gather small bits of information and methodically carry out their hacks, as I outline in Chapter 4. These hackers are the most difficult to track.
Other hackers — usually, inexperienced script kiddies — act before they think through the consequences. Such hackers may try, for example, to telnet directly into an organization’s router without hiding their identities. Other hackers may try to launch a DoS attack against a web server without first determining the version running on the server or the installed patches. These hackers usually are caught or at least blocked.
Malicious users are all over the map. Some are quite savvy, based on their knowledge of the network and of how IT and security operates inside the organization. Others go poking and prodding in systems that they shouldn’t be in — or shouldn’t have had access to in the first place — and often do stupid things that lead security or network administrators back to them.
Although the hacker underground is a community, many hackers — especially advanced hackers — don’t share information with the crowd. Most hackers do much of their work independently to remain anonymous.
Hackers who network with one another often use private message boards, anonymous email addresses, or hacker underground websites (a.k.a. the deep web or dark web). You can attempt to log in to such sites to see what hackers are doing, but I don’t recommend it unless you really know what you’re doing. The last thing you need is to get a malware infection or lose sensitive login credentials when trying to sniff around these places.
Whatever approach they take, most malicious attackers prey on ignorance. They know the following aspects of real-world security:
The majority of computer systems aren’t managed properly. The computer systems aren’t properly patched, hardened, or monitored. Attackers can often fly below the radar of the average firewall or intrusion prevention system (IPS), especially malicious users whose actions aren’t monitored yet who have full access to the very environment they can exploit.
Most network and security administrators can’t keep up with the deluge of new vulnerabilities and attack methods. These people have too many tasks to stay on top of and too many other fires to put out. Network and security administrators may fail to notice or respond to security events because of poor time and goal management. I provide resources on time and goal management for IT and security professionals in the appendix.
Information systems grow more complex every year. This fact is yet another reason why overburdened administrators find it difficult to know what’s happening across the wire and on the hard drives of all their systems. Virtualization, cloud services, and mobile devices such as laptops, tablets, and phones are the foundation of this complexity. The Internet of Things complicates everything. More recently, complexity has grown even more because so many people are working remotely, often using vulnerable personal computers to access business systems.
Time is an attacker’s friend, and it’s almost always on their side. By attacking through computers rather than in person, hackers have more control of the timing of their attacks. Attacks are not only carried out anonymously, but they can be carried out slowly over time, making them hard to detect. Quantum computing will make these attacks that much faster.
Attacks are frequently carried out after typical business hours, often in the middle of the night and (in the case of malicious users) from home. Defenses may be weaker after hours, with less physical security and less intrusion monitoring, when the typical network administrator or security guard is sleeping.
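As an added illustration of the last two points (example code, not from the book), here is a small Python detector run over constructed failed-login log lines: a short-window threshold catches a noisy daytime burst but misses a low-and-slow attempt spread across the night, while a longer window and an off-hours check (business hours assumed to be 08:00 to 18:00) surface it. The log format, source addresses and timestamps are constructed for the example.

```python
import re
from datetime import datetime
# Constructed sample (not from the book): a slow run of failures overnight from
# 203.0.113.7, a midday burst from 198.51.100.9, one stray failure from 192.0.2.44.
SAMPLE_LOG = """\
2024-03-04 01:02:11 sshd: Failed password for admin from 203.0.113.7
2024-03-04 01:33:40 sshd: Failed password for admin from 203.0.113.7
2024-03-04 02:05:02 sshd: Failed password for admin from 203.0.113.7
2024-03-04 02:36:19 sshd: Failed password for admin from 203.0.113.7
2024-03-04 03:08:55 sshd: Failed password for admin from 203.0.113.7
2024-03-04 03:40:21 sshd: Failed password for admin from 203.0.113.7
2024-03-04 11:15:01 sshd: Failed password for jsmith from 198.51.100.9
2024-03-04 11:15:03 sshd: Failed password for jsmith from 198.51.100.9
2024-03-04 11:15:06 sshd: Failed password for jsmith from 198.51.100.9
2024-03-04 11:15:09 sshd: Failed password for jsmith from 198.51.100.9
2024-03-04 14:02:45 sshd: Failed password for mjones from 192.0.2.44
"""
LINE_RE = re.compile(r"^(\S+ \S+) sshd: Failed password for (\S+) from (\S+)$")

def parse_failures(text):
    """Return a list of (timestamp, user, source_ip) for each failed-login line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)))
    return events

def max_failures_in_window(events, window_seconds):
    """Per source IP, the largest number of failures inside any sliding window."""
    by_ip = {}
    for ts, _user, ip in sorted(events):
        by_ip.setdefault(ip, []).append(ts)
    result = {}
    for ip, times in by_ip.items():
        best, start = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1          # slide the window forward past old events
            best = max(best, end - start + 1)
        result[ip] = best
    return result

def sources_over_threshold(events, window_seconds, threshold):
    """Source IPs whose failure count inside the window reaches the threshold."""
    return sorted(ip for ip, n in max_failures_in_window(events, window_seconds).items() if n >= threshold)

def off_hours_sources(events, open_hour=8, close_hour=18):
    """Source IPs with any failure outside the assumed business hours."""
    return sorted({ip for ts, _u, ip in events if not open_hour <= ts.hour < close_hour})
```

With a 5-minute window and threshold of 4 only the burst source is reported; a 6-hour window also reports the overnight source, which the off-hours check flags on its own.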
HACKING MAGAZINES
If you want detailed information on how some hackers work or want to keep up with the latest hacker methods, several magazines are worth checking out:
2600 — The Hacker Quarterly (www.2600.com)