Chapter 2

Cracking the Hacker Mindset

In This Chapter

  • Understanding the enemy
  • Profiling hackers and malicious users
  • Understanding why attackers do what they do
  • Examining how attackers go about their business

Before you start assessing the security of your systems, it’s good to know a few things about the people you’re up against. Many information security product vendors and other professionals claim that you should protect your systems from the bad guys — both internal and external. But what does this mean? How do you know how these people think and execute their attacks?

Knowing what hackers and malicious users want helps you understand how they work. Understanding how they work helps you to look at your information systems in a whole new way. In this chapter, I describe the challenges you face from the people actually doing the misdeeds as well as their motivations and methods. This understanding better prepares you for your security tests.

What You’re Up Against

Thanks to sensationalism in the media, public perception of the hacker has transformed from harmless tinkerer to malicious criminal. Nevertheless, hackers often state that the public misunderstands them, which is mostly true. It’s easy to prejudge what you don’t understand. Unfortunately, many hacker stereotypes are based on misunderstanding rather than fact, and that misunderstanding fuels a constant debate.

Hackers can be classified by both their abilities and their underlying motivations. Some are skilled, and their motivations are benign; they’re merely seeking more knowledge. At the other end of the spectrum, hackers with malicious intent seek some form of personal, political, or economic gain. Unfortunately, the negative aspects of hacking usually overshadow the positive aspects and promote the negative stereotypes.

Historically, hackers hacked for the pursuit of knowledge and the thrill of the challenge. Script kiddies (hacker wannabes with limited skills) aside, traditional hackers are adventurous and innovative thinkers and are always devising new ways to exploit computer vulnerabilities. (For more on script kiddies, see the section, “Who Breaks into Computer Systems,” later in this chapter.) Hackers see what others often overlook. They have a tremendous amount of “situational awareness.” They wonder what would happen if a cable was unplugged, a switch was flipped, or lines of code were changed in a program. These old-school hackers are like Tim “The Toolman” Taylor — Tim Allen’s character on the classic sitcom Home Improvement — thinking they can improve electronic and mechanical devices by “rewiring them.”

When they were growing up, hackers’ rivals were monsters and villains on video game screens. Now hackers see their electronic foes as only that — electronic. Hackers who perform malicious acts don’t really think about the fact that human beings are behind the firewalls, wireless networks, and web applications they’re attacking. They ignore that their actions often affect those human beings in negative ways, such as jeopardizing their job security and putting their personal safety at risk. Government-backed hacking? Well, that’s a different story, because those actors are making calculated decisions to do these things.

On the flip side, odds are good that you have at least a handful of employees, contractors, interns, or consultants who intend to compromise sensitive information on your network for malicious purposes. These people don’t hack in the way people normally suppose. Instead, they root around in files on server shares; delve into databases they know they shouldn’t be in; and sometimes steal, modify, and delete sensitive information to which they have access. This behavior is often very hard to detect — especially given the widespread belief by management that users can and should be trusted to do the right things. This activity goes on all the more easily when these users passed their criminal background and credit checks before they were hired. Past behavior is often the best predictor of future behavior, but just because someone has a clean record and authorization to access sensitive systems doesn’t mean he or she won’t do anything bad. Criminal behavior has to start somewhere!

Remember: As negative as breaking into computer systems often can be, hackers and researchers play key roles in the advancement of technology. In a world without these people, odds are good that the latest intrusion prevention technology, data loss prevention (DLP), or vulnerability scanning and exploit tools would likely be different, if they even existed at all. Such a world may not be bad, but technology does keep security professionals employed and keep the field moving forward. Unfortunately, the technical security solutions can’t ward off all malicious attacks and unauthorized use because hackers and (sometimes) malicious users are usually a few steps ahead of the technology designed to protect against their wayward actions.

However you view the stereotypical hacker or malicious user, one thing is certain: Somebody will always try to take down your computer systems and compromise information by poking and prodding where he or she shouldn’t, through denial of service (DoS) attacks or by creating and launching malware. You must take the appropriate steps to protect your systems against this kind of intrusion.

Who Breaks into Computer Systems

Computer hackers have been around for decades. Since the Internet became widely used in the 1990s, the mainstream public has started to hear more and more about hacking. Only a few hackers, such as John Draper (also known as Captain Crunch) and Kevin Mitnick, are really well known. Many more unknown hackers are looking to make a name for themselves. They’re the ones you have to look out for.

In a world of black and white, describing the typical hacker is easy. The historical stereotype of a hacker is an antisocial, pimply-faced, teenage boy. But the world has many shades of gray and many types of people doing the hacking. Hackers are unique individuals, so an exact profile is hard to outline. The best broad description of hackers is that all hackers aren’t equal. Each hacker has his or her own unique motives, methods, and skills. Hacker skill levels fall into three general categories:

  • Script kiddies: These are computer novices who take advantage of the exploit tools, vulnerability scanners, and documentation available free on the Internet but who don’t have any real knowledge of what’s really going on behind the scenes. They know just enough to cause you headaches but typically are very sloppy in their actions, leaving all sorts of digital fingerprints behind. Even though these guys are often the stereotypical hackers that you hear about in the news media, they need only minimal skills to carry out their attacks.
  • Criminal hackers: Often referred to as “crackers,” these are skilled criminal experts who write some of the hacking tools, including the scripts and other programs that the script kiddies and security professionals use. These folks also write malware to carry out their exploits from the other side of the world. They can break into networks and computers and cover their tracks. They can even make it look like someone else hacked their victims’ systems. Sometimes, people with ill intent may not be doing what’s considered “hacking,” but nevertheless, they’re abusing their privileges or somehow gaining unauthorized access — such as the 2015 incident involving Major League Baseball’s St. Louis Cardinals and Houston Astros. Thus, the media glorifies it all as “hacking.”

    Advanced hackers are often members of collectives that prefer to remain nameless. These hackers are very secretive and share information with their subordinates (lower-ranked hackers in the collectives) only when they are deemed worthy. Typically, for lower-ranked hackers to be considered worthy, they must possess some unique information or take the gang-like approach and prove themselves through a high-profile hack. These hackers are arguably some of your worst enemies in IT. (Okay, maybe they’re not as bad as untrained and careless users, but close.) By understanding criminal hacker behavior, you are simply being proactive — finding problems before they become problems.

  • Security researchers: These people are highly technical and publicly known security experts who not only monitor and track computer, network, and application vulnerabilities but also write the tools and other code to exploit them. If these guys didn’t exist, security professionals wouldn’t have much in the way of open source and even certain commercial security testing tools. I follow many of these security researchers on a weekly basis via their blogs, Twitter, and articles, and you should, too. You can review my blog (http://securityonwheels.blogspot.com), and I list other sources that you can benefit from in the Appendix. Following the progress of these security researchers helps you stay up-to-date on both vulnerabilities and the latest and greatest security tools. I list the tools and related resources from various security researchers in the Appendix and throughout the book.

Remember: There are good-guy (white hat) and bad-guy (black hat) hackers. Gray hat hackers are a little bit of both. There are also blue-hat hackers who are invited by software developers to find security flaws in their systems.

I once saw a study from the Black Hat security conference that found that everyday IT professionals even engage in malicious and criminal activity against others. And people wonder why IT doesn’t get the respect it deserves! Perhaps this group will evolve into a fourth general category of hackers in the coming years.

Regardless of age and complexion, hackers possess curiosity, bravado, and often very sharp minds.

Perhaps more important than a hacker’s skill level is his or her motivation:

  • Hacktivists try to disseminate political or social messages through their work. A hacktivist wants to raise public awareness of an issue yet wants to remain anonymous. In many situations, these hackers will try to take you down if you express a view that’s contrary to theirs. Examples of hacktivism are the websites that were defaced with the Free Kevin messages that promoted freeing Kevin Mitnick from prison for his famous hacking escapades. Other cases of hacktivism include messages about legalizing drugs, protests against the war, protests centered around wealth envy and big corporations, and just about any other social and political issue you can think of.
  • Cyberterrorists (both organized and unorganized, often backed by government agencies) attack corporate or government computers and public utility infrastructures, such as power grids and air-traffic control towers. They crash critical systems, steal classified data, or expose the personal information of government employees. Countries take the threats these cyberterrorists pose so seriously that many mandate information security controls in crucial industries, such as the power industry, to protect essential systems against these attacks.
  • Hackers for hire are part of organized crime on the Internet. Many of these hackers hire out themselves or their DoS-creating botnets for money — and lots of it!

Remember: Criminal hackers are in the minority, so don’t think that you’re up against millions of these villains. Like the e-mail spam kings of the world, many of the nefarious acts from members of collectives that prefer to remain nameless are carried out by a small number of criminals. Many other hackers just love to tinker and only seek knowledge of how computer systems work. One of your greatest threats works inside your building and has an access badge to the building and a valid network account, so don’t discount the insider threat.

Why They Do It

Hackers hack because they can. Period. Okay, it goes a little deeper than that. Hacking is a casual hobby for some hackers — they hack just to see what they can and can’t break into, usually testing only their own systems. These aren’t the folks I write about in this book. I focus on those hackers who are obsessive about gaining notoriety or defeating computer systems, and those who have criminal intentions.

Many hackers get a kick out of outsmarting corporate and government IT and security administrators. They thrive on making headlines and being notorious. Defeating an entity or possessing knowledge that few other people have makes them feel better about themselves, building their self-esteem. Many of these hackers feed off the instant gratification of exploiting a computer system. They become obsessed with this feeling. Some hackers can’t resist the adrenaline rush they get from breaking into someone else’s systems. Often, the more difficult the job is, the greater the thrill is for hackers.

It’s a bit ironic given their collective tendencies but hackers often promote individualism — or at least the decentralization of information — because many believe that all information should be free. They think their attacks are different from attacks in the real world. Hackers may easily ignore or misunderstand their victims and the consequences of hacking. They don’t think long-term about the choices they’re making today. Many hackers say they don’t intend to harm or profit through their bad deeds, a belief that helps them justify their work. Many don’t look for tangible payoffs. Just proving a point is often a sufficient reward for them. The word sociopath comes to mind.

The knowledge that malicious attackers gain and the self-esteem boost that comes from successful hacking might become an addiction and a way of life. Some attackers want to make your life miserable, and others simply want to be seen or heard. Some common motives are revenge, basic bragging rights, curiosity, boredom, challenge, vandalism, theft for financial gain, sabotage, blackmail, extortion, corporate espionage, and just generally speaking out against “the man.” Hackers regularly cite these motives to explain their behavior, but these motivations tend to be cited more commonly during difficult economic conditions.

Malicious users inside your network may be looking to gain information to help them with personal financial problems, to give them a leg up over a competitor, to seek revenge on their employers, to satisfy their curiosity, or to relieve boredom.

Remember: Many business owners and managers — even some network and security administrators — believe that they don’t have anything that a hacker wants or that hackers can’t do much damage if they break in. They’re sorely mistaken. This dismissive kind of thinking helps support the bad guys and promote their objectives. Hackers can compromise a seemingly unimportant system to access the network and use it as a launching pad for attacks on other systems, and many people would be none the wiser because they don’t have the proper controls to prevent and detect malicious use.

Remember that hackers often hack simply because they can. Some hackers go for high-profile systems, but hacking into anyone’s system helps them fit into hacker circles. Hackers exploit many people’s false sense of security and go for almost any system they think they can compromise. Electronic information can be in more than one place at the same time, so if hackers merely copy information from the systems they break into, it’s tough to prove that hackers possess that information and it’s impossible to get it back.

Similarly, hackers know that a simple defaced web page — however easily attacked — is not good for someone else’s business. It often takes a large-scale data breach to get attention; however, even a hacked website can persuade management and other nonbelievers to address information threats and vulnerabilities.

Many recent studies have revealed that most security flaws are very basic in nature. That’s exactly what I see in my information security assessments. I call these basic flaws the low-hanging fruit of the network just waiting to be exploited. Computer breaches continue to get easier to execute yet harder to prevent for several reasons:

  • Widespread use of networks and Internet connectivity
  • Anonymity provided by computer systems working over the Internet and often on the internal network (because effective logging, monitoring, and alerting rarely take place)
  • Greater number and availability of hacking tools
  • Large number of open wireless networks that help hackers cover their tracks
  • Greater complexity of networks and the codebases in the applications and databases being developed today
  • Computer-savvy children
  • Unlikelihood that attackers will be investigated or prosecuted if caught

Remember: A malicious hacker only needs to find one security hole, whereas IT and security professionals and business owners must find and block them all!

Although many attacks go unnoticed or unreported, criminals who are discovered are often not pursued or prosecuted. When they’re caught, hackers often rationalize their services as being altruistic and a benefit to society: They’re merely pointing out vulnerabilities before someone else does. Regardless, if hackers are caught and prosecuted, the “fame and glory” reward system that hackers thrive on is threatened.

The same goes for malicious users. Typically, their criminal activity goes unnoticed, but if they’re caught, the security breach may be kept hush-hush in the name of shareholder value or not wanting to ruffle any customer or business partner feathers. However, information security and privacy laws and regulations are changing this because in most situations breach notification is required. Sometimes, the person is fired or asked to resign. Although public cases of internal breaches are becoming more common (usually through breach disclosure laws), these cases don’t give a full picture of what’s really taking place in the average organization.

Whether or not they want to, most executives now have to deal with all the state, federal, and international laws and regulations that require notifications of breaches or suspected breaches of sensitive information. This applies to external hacks, internal breaches, and even something as seemingly benign as a lost mobile device or backup tapes. The Appendix contains URLs to the information security and privacy laws and regulations that may affect your business.

Planning and Performing Attacks

Attack styles vary widely:

  • Some hackers prepare far in advance of an attack. They gather small bits of information and methodically carry out their hacks, as I outline in Chapter 4. These hackers are the most difficult to track.
  • Other hackers — usually the inexperienced script kiddies — act before they think through the consequences. Such hackers may try, for example, to telnet directly into an organization’s router without hiding their identities. Other hackers may try to launch a DoS attack against a Microsoft Exchange server without first determining the version of Exchange or the patches that are installed. These hackers usually are caught, or at least blocked.
  • Malicious users are all over the map. Some can be quite savvy based on their knowledge of the network and of how IT and security operates inside the organization. Others go poking and prodding around into systems they shouldn’t be in — or shouldn’t have had access to in the first place — and often do stupid things that lead security or network administrators back to them.

Although the hacker underground is a community, many of the hackers — especially advanced hackers — don’t share information with the crowd. Most hackers do much of their work independently in order to remain anonymous.

Tip: Hackers who network with one another often use private message boards, anonymous e-mail addresses, hacker websites, and Internet Relay Chat (IRC). You can log in to many of these sites to see what hackers are doing.

Whatever approach they take, most malicious attackers prey on ignorance. They know the following aspects of real-world security:

  • The majority of computer systems aren’t managed properly. The computer systems aren’t properly patched, hardened, or monitored. Attackers can often fly below the radar of the average firewall or intrusion prevention system (IPS). This is especially true for malicious users whose actions are often not monitored at all while, at the same time, they have full access to the very environment they can exploit.
  • Most network and security administrators simply can’t keep up with the deluge of new vulnerabilities and attack methods. These people often have too many tasks to stay on top of and too many other fires to put out. Network and security administrators may also fail to notice or respond to security events because of poor time and goal management. I provide resources on time and goal management for IT and security professionals in the Appendix.
  • Information systems grow more complex every year. This is yet another reason why overburdened administrators find it difficult to know what’s happening across the wire and on the hard drives of all their systems. Virtualization, cloud services, and mobile devices such as laptops, tablets, and phones are making things exponentially worse.

Time is an attacker’s friend — and it’s almost always on his or her side. By attacking through computers rather than in person, hackers have more control over the timing for their attacks:

  • Attacks can be carried out slowly, making them hard to detect.
  • Attacks are frequently carried out after typical business hours, often in the middle of the night, and from home, in the case of malicious users. Defenses are often weaker after hours — with less physical security and less intrusion monitoring — when the typical network administrator (or security guard) is sleeping.
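As an added example that is not from the book, the two timing traits above can be turned into simple detection logic. The Python below, run over constructed (not real) authentication log lines, flags successful logins outside business hours and sources whose failed logins accumulate slowly enough that a burst-based lockout rule would never fire; the business-hours window and thresholds are assumptions.

```python
"""Flag after-hours logins and low-and-slow login failures in auth logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <user> <success|failure> <source IP>"
SAMPLE_LOG = """\
2024-03-04T09:12:01 alice success 10.0.0.12
2024-03-04T23:47:10 alice success 203.0.113.7
2024-03-05T02:15:33 bob failure 198.51.100.9
2024-03-05T06:40:02 bob failure 198.51.100.9
2024-03-05T11:02:45 carol success 10.0.0.40
2024-03-05T15:31:19 bob failure 198.51.100.9
2024-03-05T21:05:58 bob failure 198.51.100.9
2024-03-06T03:58:12 bob failure 198.51.100.9
2024-03-06T10:14:27 dave success 10.0.0.51
"""


def parse_log(text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, result, src = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "result": result, "src": src})
    return events


def after_hours(events, start_hour=8, end_hour=18):
    """Successful logins outside weekday business hours (assumed 08:00-18:00)."""
    hits = []
    for e in events:
        h = e["ts"].hour
        outside = h < start_hour or h >= end_hour or e["ts"].weekday() >= 5
        if e["result"] == "success" and outside:
            hits.append((e["ts"].isoformat(), e["user"], e["src"]))
    return hits


def low_and_slow(events, min_failures=4, window=timedelta(days=3),
                 min_gap=timedelta(hours=1)):
    """Sources with many failures spread out so that no two are closer
    than min_gap: exactly the pattern a per-minute lockout rule misses."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            by_src[e["src"]].append(e["ts"])
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        if len(times) < min_failures or times[-1] - times[0] > window:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        if all(g >= min_gap for g in gaps):
            flagged[src] = len(times)
    return flagged


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("After-hours logins:", after_hours(evts))
    print("Low-and-slow sources:", low_and_slow(evts))
```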

Tip: If you want detailed information on how some hackers work or want to keep up with the latest hacker methods, several magazines are worth checking out:

Malicious attackers usually learn from their mistakes. Every mistake moves them one step closer to breaking into someone’s system. They use this knowledge when carrying out future attacks. You, as a security professional responsible for testing the security of your environment, need to do the same.

Maintaining Anonymity

Smart attackers want to remain as low-key as possible. Covering their tracks is a priority, and many times their success depends on them remaining unnoticed. They want to avoid raising suspicion so they can come back and access the systems in the future. Hackers often remain anonymous by using one of the following resources:

  • Borrowed or stolen remote desktop and VPN accounts from friends or previous employers
  • Public computers at libraries, schools, or kiosks at the local mall
  • Open wireless networks
  • Internet proxy servers or anonymizer services
  • Anonymous or disposable e-mail accounts from free e-mail services
  • Open e-mail relays
  • Infected computers — also called zombies or bots — at other organizations
  • Workstations or servers on the victim’s own network

If hackers use enough stepping stones for their attacks, they are hard — practically impossible — to trace. Luckily, one of your biggest concerns — the malicious user — generally isn’t quite as savvy. That is, unless the user is an actual network or security administrator.
