Targets of Choice
Hackers often have a goal in mind when selecting a target. Consider the role the media has played in setting your internal vision of what a hacker is. Many people think that a hacker possesses the following characteristics:
• Disgruntled, negative, and angry at the world
• Bitter, with few friends and low self-esteem
• Extremely smart, yet not able to focus on making a living or having a career
• Has trouble maintaining relationships, friendships, or romance
• Disrespects authority; a social misfit, lone wolf
• Young and inept with women and others
• Enjoys junk food and pizza, ensuring the presence of acne (this was true, at least for me)
These stereotypes are true in some cases but not all; regardless, a subculture of hacking exists, and some hackers revel in it. However, believing that all the security threats against your network come from individuals like these would be a mistake.
Are You a Target of Choice?
The following scenarios can help you understand that your company—or perhaps even you—might be a target of choice by a hacker:
• Perhaps your company has a new product or solution that is going to revolutionize your area of business. What if it is a breakthrough?
• Perhaps you are engaged in a bitter dispute with a family member and you have information that the other party wants. A nasty divorce comes to mind as an example; your ex-wife might be going steady with a hacker checking your email and snail mail.
• Perhaps you have upset someone who knows a hacker.
• Perhaps you have a good credit rating or credit cards, making your identity very attractive—priming you for identity theft or botnet target.
• Perhaps your company is in a business that, if disrupted or left unavailable, would enable people with an agenda to make a point.
• Perhaps your company has information on another company that is important to someone such as a competitor, for example industrial sabotage.
• Perhaps an employee or former employee has become disgruntled and wants to make a point, which is often the case because most security threats come from employees.
• Perhaps you want to hide something from someone during a legal action.
• Perhaps your company is doing business in a part of the world that is in the middle of social or political upheaval—even hackers have geopolitical consciences nowadays.
In these cases and perhaps many others, you are now officially a target of choice because there is a reason why the hacker has chosen you.
Certainly the hacker could fit within the subculture described earlier, but perhaps he is not something out of a Hollywood movie. What about private investigators and lawyers—might they not be interested in information that you or your company might have?
As people wanting to know all sorts of things hire them, private investigators are learning new skills; therefore, to be successful, they could have turned to the Internet to find this information about you. What about the ex-military or those trained by the government as security specialists and business espionage? It is highly doubtful that they fit the Hollywood hacker stereotype. What about a spurned lover or spouse who has some computer skills, or an employee who knows all your partnering companies? These groups do not fit the hackers we see on Hollywood’s silver screen, but they can certainly be viewed as a threat to your network.
Understand, as well, that a hacker might not do all the work himself, and it might not be electronic. For example, do you recall the term dumpster diving? Dumpster diving is legal and is an easy means of acquiring all kinds of information that could be helpful to a hacker because your trash is not your property anymore.
The following section covers how an attack begins and the process an attacker takes to begin compromising the target, which could be a person, software program, network, server, or the common Windows flaws. (Fortunately, this book was written and edited on a Mac.)