Comparing Attackers

Attackers break into computers and networks with malicious intent or for personal gain. Sometimes, they try to take a system down or out of service, and other times, they try to get into the system to gain information. For example, an attacker may break into a system to gain credit card information from a business’s customers. The attacker can then use this information to fraudulently use the credit cards. Or they may attempt to bring a system down as an act of revenge against an organization or to distract security professionals while another attack is stealing data.

Make no mistake, though: These attackers are criminals. Just like someone who breaks into your home is a criminal, attackers who break into networks and individual systems are also criminals. They are breaking laws. Most often, they’re attacking networks for monetary gain without any apparent care to how the loss affects their victims.

In general, criminals must have motive, means, and opportunity to complete a crime. The motive for an attacker is often money, but can also be revenge or other reasons. The means is often some type of malicious code, and the opportunity is available to anyone with Internet access. Indeed, for a greedy criminal willing to risk jail time, there are often enough programs available on the Internet that they don’t even have to write the malicious code, but only need to locate and download it.

The following sections identify the different types of attackers and some of the names used to identify them.

Hackers and Crackers

Two terms you’ll come across when studying IT security are hackers and crackers. The following two bullets provide traditional definitions, although you’ll see in the following text that these traditional definitions aren’t necessarily used:

Hacker Someone who is proficient with computers (often with programming skills) and uses these skills to gain and share knowledge with others. By this definition, a hacker does not break into systems with malicious intent or for personal gain.

Cracker Someone who is proficient with computers and uses these skills to attack systems. A cracker does attack systems with malicious intent or for personal gain.


TIP In general, hackers are good and crackers are evil based on the traditional definitions. However, the media commonly uses the term hacker to describe anyone who attacks with malicious intent and rarely uses the word cracker in this context. It’s becoming more common today simply to refer to anyone who attacks a network as an attacker.


The English language has a long history of changing the use of words and their meanings, often with some people kicking and screaming along the way. For example, you probably don’t use thee and thou in your daily speech. However, there was a time when everyone used these words regularly.

Similarly, the word hacker is evolving. Currently, the media widely uses the term hacker to identify anyone launching attacks on computers or networks. Even though some IT people are clinging to the traditional definition, it’s losing its meaning outside of these circles.

White Hats, Black Hats, and Gray Hats

Under the historical definitions, hackers are good and crackers are evil. However, since the media began confusing these terms, the concepts of white hats, black hats, and gray hats have appeared.

These are reminiscent of the older cowboy movies where the good guys wore white hats and the bad guys wore black hats. White hats fall into the traditional definition of hackers and are sometimes called ethical hackers. They may be hired as security consultants to perform vulnerability assessments or provide other security services.

In contrast, black hats fall into the traditional definition of a cracker. Black hats are criminals who break into systems with malicious intent or for personal gain.

Of course, good and evil don’t always have definitive lines that can be drawn with good on one side and evil on the other. There are gray areas. Similarly, gray hats are individuals who have exceptional computer and networking skills, but they don’t use them for personal gain or with malicious intentions. However, their activities may cross ethical boundaries.

As a comparison between the three, imagine that someone discovers a weakness or vulnerability in a system. A white hat would inform the owners of the system but not take any further action. A black hat would try to exploit the vulnerability without telling the owner. A gray hat may first try to let the owners know of the vulnerability, but then decide to publish the vulnerability if the gray hat doesn’t think the owner is acting responsibly. By publishing the vulnerability, the gray hat makes the vulnerability known to the black hats, who then use the information to exploit it.

Insiders

An insider is someone who works within an organization as an employee or consultant with access to the organization’s systems. Insiders have the means to cause a significant amount of damage, and insider losses are commonly known to cause much more damage and result in higher losses than other attacks. Although the infamous disgruntled worker can certainly cause a significant amount of damage intentionally, insiders can also cause damage without intending to do so. Some examples include the following:

Responding to phishing attempts Phishing is explained in more depth later, but in short, it’s an e-mail that encourages the user to respond with personal information or to click a link. The user can give up valuable company information or inadvertently install malicious software on their system. The insider provides the link for an outside attacker to attack the organization.

Forwarding malicious software (malware) or bringing malware from home An uneducated user can forward viruses or other forms of malware via e-mail or bring it on USB drives from home. The malware could cause damage to internal systems or use other methods to gather information for other attacks against the organization.

Unauthorized data access If adequate access controls aren’t in place, a user may be able to access data. The user may then accidentally modify or delete it, or even disclose the contents of the data to someone else without realizing its true value. Something as simple as an unauthorized employee gaining access to personal records of other employees can cause a great deal of havoc to an organization.

Losing hardware Users can be issued hardware such as laptops or USB drives. When users don’t recognize the value of the hardware and the data it holds, they may not provide adequate protection, resulting in its loss. Many laptops are stolen during lunch breaks of daylong conferences simply because users don’t recognize how such theft happens and fail to take simple precautions to protect the equipment.


EXAM TIP Insiders are often overlooked as a threat, but losses from insiders can be the most costly to an organization. These can be accidental or intentional losses, but they result in real monetary losses just the same.


Other losses are intentional. For example, insiders may steal data such as trade secrets, customer information, or other classified information from the organization. They can then sell this information for personal gain.

Some inside attacks are out for revenge. For example, Rajendrasinh Babubhai Makwana was terminated in 2009 from a contractor job at Fannie Mae. However, he retained access to the systems for at least a short period afterward. He later embedded a time bomb script in the Fannie Mae system. It was set to run on January 31 and would have deleted passwords on about 4,000 servers, erased all the data and backup data for the servers, and then powered them down. He also programmed the script to disable the ability to turn the servers back on remotely. The result would have been catastrophic. Interestingly, he was terminated for allegedly making unauthorized changes to other systems. Yet his access wasn’t revoked, giving him enough time to install the malicious script. Luckily, another engineer discovered the damaging script about a week later. If the script had been programmed to run the next day instead of January 31, it would have been successful. Makwana was ultimately sentenced to over three years in prison. You can read about this incident here: http://blogs.computerworld.com/fannie_mae_sabotaged.

Although insider attacks have often been the most costly to an organization, the trend may be reversing. The 2011 Cybersecurity Watch Survey reports that only about 33 percent of respondents considered the insider attacks more costly, compared to 51 percent in 2010. However, the survey admits that insider losses may simply be reported elsewhere, such as generic fraud instead of as an insider attack. It’s also worth noting that insider attacks are becoming more sophisticated. Many insider attackers are using sophisticated attack tools such as rootkits (described in Chapter 6).


NOTE The 2011 CyberSecurity Watch survey was conducted by CSO Magazine in cooperation with the U.S. Secret Service, the Software Engineering Institute Computer Emergency Response Team (CERT) Program at Carnegie Mellon University and Deloitte. You can view a summary here: http://www.cert.org/archive/pdf/11tn006.pdf.


Even though there may be a reversal in the trend, it’s worth stressing that an organization must protect against attacks from both outsiders and insiders. Effective access controls (including strong authentication and authorization mechanisms) combined with strong auditing techniques help to prevent successful attacks from insiders.

Some organizations are using sophisticated monitoring systems to detect and prevent insider attacks before they can cause damage. For example, the Transportation Security Administration’s (TSA) Colorado Springs Operations Center internal surveillance system identified the actions of Douglas Duchak as he was planting malware in a critical system about a week after being given a two-week notice. He was sentenced to two years in prison. If interested, you can read about this case here: http://www.wired.com/threatlevel/2011/01/tsa-worker-malware/.
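Both cases above come down to the same auditing gap: an account kept access after its owner's employment ended, and nobody compared the HR record against the account state and the logs. The following Python script is an added example (not from the book, and not any product's code) of the kind of check the preceding paragraphs describe. It cross-references an HR termination list against enabled accounts and an authentication log and reports three findings: accounts still enabled after termination, log activity after the termination date, and accounts that appear in the logs with no HR owner at all. Every name, hostname, date and log line in it is constructed for illustration.

```python
"""Offboarding audit: cross-check HR termination records against account
state and authentication logs, flagging access that outlived employment.
All data below is constructed sample data, not taken from any real system."""
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional

# Constructed HR roster: username -> termination date (None = still employed)
HR_RECORDS: Dict[str, Optional[date]] = {
    "jdoe": date(2009, 10, 24),
    "asmith": None,
    "contractor7": date(2009, 10, 30),
}

# Constructed snapshot of the directory: is the account still enabled?
ACCOUNTS_ENABLED: Dict[str, bool] = {
    "jdoe": True,          # offboarding missed this one
    "asmith": True,
    "contractor7": False,  # correctly disabled
}

# Constructed authentication/privilege log: "<ISO timestamp> <EVENT> key=value ..."
AUTH_LOG = """\
2009-10-23T09:12:44 LOGIN user=jdoe host=buildsrv01 result=success
2009-10-25T18:02:10 LOGIN user=jdoe host=buildsrv01 result=success
2009-10-25T18:05:33 SUDO user=jdoe host=buildsrv01 cmd=crontab
2009-10-26T03:00:00 LOGIN user=svc_backup host=db01 result=success
2009-10-26T08:00:01 LOGIN user=asmith host=wks14 result=success
2009-11-02T22:40:07 LOGIN user=contractor7 host=vpn01 result=failure
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>\S+)\s*(?P<kv>.*)$")


@dataclass
class Finding:
    user: str
    kind: str    # stale_account | post_termination_activity | unknown_account
    detail: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict; returns None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for token in m.group("kv").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    fields["ts"] = datetime.fromisoformat(m.group("ts"))
    fields["event"] = m.group("event")
    return fields


def audit(hr: Dict[str, Optional[date]], enabled: Dict[str, bool],
          log: str, as_of: date) -> List[Finding]:
    """Return findings for accounts whose access outlived their HR record."""
    findings: List[Finding] = []

    # 1. Terminated people whose accounts are still enabled as of the audit date.
    for user, term in hr.items():
        if term is not None and enabled.get(user, False):
            days = (as_of - term).days
            findings.append(Finding(user, "stale_account",
                                    f"still enabled {days} days after termination on {term}"))

    # 2. Any logged activity (successful or not) dated after the termination day,
    #    plus accounts that show up in the log with no HR owner at all.
    reported_unknown = set()
    for line in log.splitlines():
        ev = parse_line(line)
        if ev is None or "user" not in ev:
            continue
        user = ev["user"]
        if user not in hr:
            if user not in reported_unknown:
                reported_unknown.add(user)
                findings.append(Finding(user, "unknown_account",
                                        f"active on {ev.get('host')} but has no HR record"))
            continue
        term = hr[user]
        if term is not None and ev["ts"].date() > term:
            findings.append(Finding(user, "post_termination_activity",
                                    f"{ev['event']} on {ev.get('host')} at "
                                    f"{ev['ts'].isoformat()} result={ev.get('result', 'n/a')}"))
    return findings


if __name__ == "__main__":
    for f in audit(HR_RECORDS, ACCOUNTS_ENABLED, AUTH_LOG, as_of=date(2009, 11, 3)):
        print(f"[{f.kind}] {f.user}: {f.detail}")
```

Run against the sample data, the audit reports jdoe's account as stale and lists the login and the SUDO event two days after termination, flags the failed VPN attempt by the already-disabled contractor7 account, and surfaces svc_backup as an account nobody owns. The last two are deliberate: a failed attempt after termination is still worth a ticket, and orphaned service accounts are exactly where a departing administrator's access tends to survive.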

Script Kiddies

A script kiddie is a relatively inexperienced attacker who can run a script or application to launch an attack. The script kiddie rarely has the knowledge to program the script or application and often doesn’t understand the details of what the attack is doing. You can think of a script kiddie as a bored teenager who has downloaded some hacking tools and uses them to launch attacks out of boredom.

It’s worth stressing that although script kiddies exist, many attackers today are highly proficient at programming techniques. They have detailed knowledge of different attack methods and are constantly modifying existing attacks to prevent detection.

Phreaks

A phreak (or phone phreak, or phreaker) is someone who illegally breaks into a phone system. The phreaker’s goal may be to access the system to make long distance calls or to tap the phone lines. Phone phreaking is the practice of hacking into a phone system.
