Chapter 2
IN THIS CHAPTER
Understanding the enemy
Profiling hackers and malicious users
Understanding why attackers do what they do
Examining how attackers go about their business
Before you start assessing the security of your systems, it’s good to know a few things about the people you’re up against. Many security product vendors and security professionals claim that you should protect all of your systems from the bad guys — both internal and external. But what does this mean? How do you know how these people think and execute their attacks?
Knowing what hackers and malicious users want helps you understand how they work. Understanding how they work helps you look at your information systems in a whole new way. In this chapter, I describe the challenges you face from the people who actually do the misdeeds, as well as their motivations and methods. This understanding better prepares you for your security tests.
Thanks to sensationalism in the media, public perception of the hacker has transformed from harmless tinkerer to malicious criminal. Nevertheless, hackers often state that the public misunderstands them, which is mostly true. It’s easy to prejudge what you don’t understand. Unfortunately, many hacker stereotypes are based on misunderstanding rather than fact, and that misunderstanding fuels a constant debate.
Hackers can be classified by both their abilities and their underlying motivations. Some are skilled, and their motivations are benign; they’re merely seeking more knowledge. Still, other hackers may have malicious intent and seek some form of personal, political, or economic gain. Unfortunately, the negative aspects of hacking usually overshadow the positive aspects and promote the negative stereotypes.
Historically, hackers hacked for the pursuit of knowledge and the thrill of the challenge. Script kiddies (hacker wannabes with limited skills) aside, traditional hackers are adventurous and innovative thinkers who are always devising new ways to exploit computer vulnerabilities. (For more on script kiddies, see the section “Who Breaks into Computer Systems” later in this chapter.) Hackers see what others often overlook. They’re very inquisitive and have good situational awareness. They wonder what would happen if a cable was unplugged, a switch was flipped, or lines of code were changed in a program. They do these things and then notice what happens. These old-school hackers are like Tim “The Tool Man” Taylor — Tim Allen’s character on the classic sitcom Home Improvement — thinking that they can improve electronic and mechanical devices by “rewiring them.”
When they were growing up, hackers’ rivals were monsters and villains on video game screens. Now hackers see their electronic foes as only that: electronic. Hackers who perform malicious acts don’t really think about the fact that human beings are behind the firewalls, wireless networks, and web applications they’re attacking. They ignore the fact that their actions often affect those human beings in negative ways, such as jeopardizing their job security and putting their personal safety at risk. Government-backed hacking? Well, that’s a different story, as those hackers are making calculated decisions to do these things.
On the flip side, odds are good that you have at least a few employees, contractors, interns, or consultants who intend to compromise sensitive information on your network for malicious purposes. These people don’t hack in the way that people normally suppose. Instead, they root around in files on server shares; delve into databases they know they shouldn’t be in; and sometimes steal, modify, and delete sensitive information to which they have access. This behavior can be very hard to detect, especially given the widespread belief among management that users can and should be trusted to do the right things. This activity is perpetuated if these users passed their criminal background and credit checks before they were hired. Past behavior is often the best predictor of future behavior, but just because someone has a clean record and authorization to access sensitive systems doesn’t mean that he or she won’t do anything bad. Criminal behavior has to start somewhere!
However you view the stereotypical hacker or malicious user, one thing is certain: Somebody will always try to take down your computer systems and compromise information by poking and prodding where he or she shouldn’t, through denial of service (DoS) attacks or by creating and launching malware. You must take the appropriate steps to protect your systems against this kind of intrusion.
Computer hackers have been around for decades. Since the Internet became widely used in the 1990s, the mainstream public has started to hear more about hacking. Certain hackers, such as John Draper (also known as Captain Crunch) and Kevin Mitnick, are well known. Many more unknown hackers are looking to make names for themselves, and they’re the ones you have to look out for.
In a world of black and white, describing the typical hacker is easy. The historical stereotype of a hacker is an antisocial, pimply teenage boy. But the world has many shades of gray, and many types of people do the hacking. Hackers are unique people, so a profile is hard to outline. The best broad description of hackers is that all hackers aren’t equal. Each hacker has unique motives, methods, and skills.
Hacker skill levels fall into three general categories:
Criminal hackers: Often referred to as crackers, these hackers are skilled criminal experts who write some of the hacking tools, including the scripts and other programs that the script kiddies and security professionals use. These folks also write malware to carry out their exploits from the other side of the world. They can break into networks and computers and cover their tracks. They can even make it look as though someone else hacked their victims’ systems. Sometimes, people with ill intent may not be doing what’s considered to be hacking; nevertheless, they’re abusing their privileges or somehow gaining unauthorized access.
Advanced hackers are often members of collectives that prefer to remain nameless. These hackers are very secretive, sharing information with their subordinates (lower-ranked hackers in the collectives) only when they deem those subordinates to be worthy. Typically, for lower-ranked hackers to be considered worthy, they must possess unique information or take the ganglike approach by proving themselves through a high-profile hack. These hackers are some of your worst enemies in IT. (Okay, maybe they’re not as bad as untrained and careless users, but they’re close. They do go hand in hand, after all!) By understanding criminal hacker behavior, you’re simply being proactive, finding problems before they become problems.
Security researchers: These people are highly technical, publicly known security experts who not only monitor and track computer, network, and application vulnerabilities, but also write tools and other code to exploit them. If these guys didn’t exist, security professionals wouldn’t have much in the way of open-source and even certain commercial security testing tools.
I follow many of these security researchers on a weekly basis via their blogs, Twitter feeds, and articles, and you should too. You can review my blog (https://www.principlelogic.com) and the appendix of this book, which lists other sources from which you can benefit. Following the progress of these security researchers helps you stay up to date on vulnerabilities as well as the latest, greatest security tools. I list tools and related resources from various security researchers in the appendix and throughout the book.
A study from the Black Hat security conference found that everyday IT professionals even engage in malicious and criminal activity against others. And people wonder why IT doesn’t get the respect it deserves!
Regardless of age and complexion, hackers possess curiosity, bravado, and often very sharp minds.
Perhaps more important than a hacker’s skill level is his or her motivation. The following groups of hackers have different motivations:
Hackers hack because they can. Period. Okay, the reason goes a little deeper. Hacking is a hobby for some hackers; they hack just to see what they can and can’t break into, usually testing only their own systems. These folks aren’t the ones I write about in this book. Instead, I focus on those hackers who are obsessive about gaining notoriety or defeating computer systems and those who have criminal intentions.
Many hackers get a kick out of outsmarting corporate and government IT and security administrators. They thrive on making headlines and being notorious. Defeating an entity or possessing knowledge that few other people have makes them feel better about themselves, building their self-esteem. Many of these hackers feed off the instant gratification of exploiting a computer system. They become obsessed with this feeling. Some hackers can’t resist the adrenaline rush they get from breaking into someone else’s systems. Often, the more difficult the job is, the greater the thrill is for hackers.
It’s a bit ironic, given their collective tendencies, but hackers often promote individualism — or at least the decentralization of information — because many of them believe that all information should be free. They think that their attacks are different from attacks in the real world. Hackers may ignore or misunderstand their victims and the consequences of hacking. They don’t think about the long-term effects of the choices they’re making today. Many hackers say that they don’t intend to harm or profit through their bad deeds, and this belief helps them justify their work. Others don’t look for tangible payoffs; just proving a point is often a sufficient reward for them. The word sociopath comes to mind when describing many such people.
The knowledge that malicious attackers gain and the self-esteem boost that comes from successful hacking may become an addiction and a way of life. Some attackers want to make your life miserable, and others simply want to be seen or heard. Some common motives are revenge, bragging rights, curiosity, boredom, challenge, vandalism, theft for financial gain, sabotage, blackmail, extortion, corporate espionage, and just generally speaking out against “the man.” Hackers regularly cite these motives to explain their behavior, but they tend to cite these motivations more commonly during difficult economic conditions.
Malicious users inside your network may be looking to gain information to help them with personal financial problems, to give them a leg up on a competitor, to seek revenge on their employers, to satisfy their curiosity, or to relieve boredom.
Hackers often hack simply because they can. Some hackers go for high-profile systems, but hacking into anyone’s system helps them fit into hacker circles. Hackers exploit many people’s false sense of security and go for almost any system they think they can compromise. Electronic information can be in more than one place at the same time, so if hackers merely copy information from the systems they break into, it’s tough to prove that hackers possess that information, and it’s impossible to get the information back.
Similarly, hackers know that a simple defaced web page — however easily attacked — isn’t good for someone else’s business. It often takes a large-scale data breach or an email phishing attack that spawns the unauthorized wire transfer of a large sum of money to get the attention of business executives. But hacked sites can often persuade management and other nonbelievers to address information threats and vulnerabilities.
Many recent studies have revealed that most security flaws are basic in nature, which is exactly what I see in my security assessments. I call these basic flaws the low-hanging fruit of the network, just waiting to be exploited. Computer breaches continue to get easier to execute yet harder to prevent for several reasons:
Although many attacks go unnoticed or unreported, criminals who are discovered may not be pursued or prosecuted. When they’re caught, hackers often rationalize their services as being altruistic and a benefit to society: They’re merely pointing out vulnerabilities before someone else does. Regardless, if hackers are caught and prosecuted, the “fame and glory” reward system that hackers thrive on is threatened.
The same goes for malicious users. Typically, their criminal activity goes unnoticed, but if they’re caught, the security breach may be kept hush-hush in the name of protecting shareholder value or not ruffling any customer or business-partner feathers. Information security and privacy laws and regulations, however, are changing this situation, because in most cases, breach notification is required. Sometimes, the malicious user is fired or asked to resign. Although public cases of internal breaches are becoming more common (usually through breach disclosure laws), these cases don’t give a full picture of what’s taking place in the average organization.
Whether or not they want to, most executives now have to deal with all the state, federal, and international laws and regulations that require notifications of breaches or suspected breaches of sensitive information. These requirements apply to external hacks, internal breaches, and even seemingly benign things such as lost mobile devices and backup tapes. The appendix lists the information security and privacy laws and regulations that may affect your business.
Attack styles vary widely:
Although the hacker underground is a community, many hackers — especially advanced hackers — don’t share information with the crowd. Most hackers do much of their work independently to remain anonymous.
Whatever approach they take, most malicious attackers prey on ignorance. They know the following aspects of real-world security:
Time is an attacker’s friend, and it’s almost always on his or her side. By attacking through computers rather than in person, hackers have more control of the timing of their attacks. Attacks can be carried out slowly, making them hard to detect. Attacks are frequently carried out after typical business hours, often in the middle of the night and (in the case of malicious users) from home. Defenses may be weaker after hours, with less physical security and less intrusion monitoring, when the typical network administrator or security guard is sleeping.
Smart attackers want to remain as low-key as possible. Covering their tracks is a priority, and many times, their success depends on remaining unnoticed. They want to avoid raising suspicion so that they can come back and access the systems in the future.
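The two traits just described, activity pushed outside business hours and activity kept slow enough to stay under any single-day threshold, are exactly what a defender can look for in authentication and file-access logs. The following is an added example written for this chapter, not code from the book or its author: it parses a constructed log extract (the format, user names, share names and the 08:00 to 18:00 business window are all assumptions) and reports users whose after-hours access recurs across several days while never exceeding a small per-day count.

```python
"""Added example (not from the book): detect after-hours access and
low-and-slow activity in a constructed log extract.

Assumptions: one event per line as "<ISO timestamp> <user> <event> <source>",
business hours 08:00-18:00 Monday to Friday, and the thresholds below.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample lines, not real logs. 2024-03-04 is a Monday.
SAMPLE_LOG = """\
2024-03-04T09:12:03 alice login_ok 10.0.0.5
2024-03-04T22:48:19 bob login_ok 10.0.0.9
2024-03-05T02:31:07 bob file_read fs01:/finance
2024-03-06T03:02:44 bob file_read fs01:/finance
2024-03-07T01:55:12 bob file_read fs01:/hr
2024-03-08T02:10:31 bob file_read fs01:/finance
2024-03-08T14:20:00 alice file_read fs01:/eng
"""

BUSINESS_START = time(8, 0)   # assumption: start of the normal working day
BUSINESS_END = time(18, 0)    # assumption: end of the normal working day


def parse_log(text):
    """Return a list of (timestamp, user, event, source) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, source = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), user, event, source))
    return events


def is_after_hours(ts):
    """True on weekends or outside the assumed business window."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def after_hours_events(events):
    """Filter the parsed events down to those that happened after hours."""
    return [e for e in events if is_after_hours(e[0])]


def low_and_slow(events, min_days=3, max_per_day=2):
    """Map user -> number of 'quiet' after-hours days.

    A day is quiet when the user's after-hours event count stays at or
    below max_per_day (so a naive per-day alert would never fire). A user
    is reported when such days recur at least min_days times.
    """
    per_user_day = defaultdict(lambda: defaultdict(int))
    for ts, user, _event, _source in after_hours_events(events):
        per_user_day[user][ts.date()] += 1

    flagged = {}
    for user, days in per_user_day.items():
        quiet_days = [d for d, n in days.items() if n <= max_per_day]
        if len(quiet_days) >= min_days:
            flagged[user] = len(quiet_days)
    return flagged


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for ts, user, event, source in after_hours_events(parsed):
        print(f"after hours: {ts} {user} {event} {source}")
    print("low-and-slow users:", low_and_slow(parsed))
```

The point of the second function is the one the text makes: a rule that only counts events per day is blind to an attacker who touches a share once a night for a week, so the detection has to aggregate across days rather than within them.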
Hackers often remain anonymous by using one of the following resources:
If hackers use enough stepping stones for their attacks, they’re practically impossible to trace. Luckily, one of your biggest concerns — the malicious user — generally isn’t quite as savvy unless he or she is a network or security administrator. In that case, you’ve got a serious situation on your hands. Without strong oversight, there’s nothing you can do to stop hackers from wreaking havoc on your network.