Читать книгу Hacking For Dummies - Kevin Beaver - Страница 43

Hackers hack because they can. Period. Okay, the reason goes a little deeper. Hacking is a hobby for some hackers; they hack just to see what they can and can’t break into, usually testing only their own systems. These folks aren’t the ones I write about in this book. Instead, I focus on those hackers who are obsessive about gaining notoriety or defeating computer systems and those who have criminal intentions.

Many hackers get a kick out of outsmarting corporate and government IT and security administrators. They thrive on making headlines and being notorious. Defeating an entity or possessing knowledge that few other people have makes them feel better about themselves, building their self-esteem. Many of these hackers feed off the instant gratification of exploiting a computer system. They become obsessed with this feeling. Some hackers can’t resist the adrenaline rush they get from breaking into someone else’s systems. Often, the more difficult the job is, the greater the thrill is for hackers.

It’s a bit ironic, given their collective tendencies, but hackers often promote individualism — or at least the decentralization of information — because many of them believe that all information should be free. They think their attacks are different from attacks in the real world. Hackers may ignore or misunderstand their victims and the consequences of hacking. They don’t think about the long-term effects of the choices they’re making today. Many hackers say that they don’t intend to harm or profit through their bad deeds, and this belief helps them justify their work. Others don’t look for tangible payoffs; just proving a point is often a sufficient reward for them. The word sociopath comes to mind when describing many such people.

The knowledge that malicious attackers gain and the self-esteem boost that comes from successful hacking may become an addiction and a way of life. Some attackers want to make your life miserable, and others simply want to be seen or heard. Some common motives are revenge, bragging rights, curiosity, boredom, challenge, vandalism, theft for financial gain, sabotage, blackmail, extortion, corporate espionage, and just generally speaking out against “the man.” Hackers regularly cite these motives to explain their behavior, but they tend to cite these motivations more commonly during difficult economic conditions.

Malicious users inside your network may be looking to gain information to help them with personal financial problems, to give them a leg up on a competitor, to seek revenge on their employers, to satisfy their curiosity, or to relieve boredom.

Many business owners and managers — even some network and security administrators — believe that they don’t have anything that a hacker wants or that hackers can’t do much damage if they break in. These beliefs are sorely mistaken. This dismissive kind of thinking helps support the bad guys and promote their objectives. Hackers can compromise a seemingly unimportant system to access the network and use it as a launching pad for attacks on other systems, and many people would be none the wiser because they don’t have the proper controls to prevent and detect malicious use.

Hackers often hack simply because they can. Some hackers go for high-profile systems, but hacking into anyone’s system helps them fit into hacker circles. Hackers exploit many people’s false sense of security and go for almost any system they think they can compromise. Electronic information can be in more than one place at the same time, so if hackers merely copy information from the systems they break into, it’s tough to prove that hackers possess that information, and it’s impossible to get the information back.

Similarly, hackers know that a simple defaced web page — however easily attacked — isn’t good for someone else’s business. It often takes a large-scale data breach, ransomware infection, or a phishing attack that spawns the unauthorized wire transfer of a large sum of money to get the attention of business executives. But hacked sites can often persuade management and other nonbelievers to address information threats and vulnerabilities.

Many recent studies have revealed that most security flaws are basic in nature, which is exactly what I see in my security assessments. I call these basic flaws the low-hanging fruit of the network, just waiting to be exploited. Computer breaches continue to become more common and are often easier to execute yet harder to prevent for several reasons:

 Widespread use of networks and Internet connectivity

 Anonymity provided by computer systems on the Internet and often on internal networks (because proper and effective logging, monitoring, and alerting rarely take place)

 Greater number and availability of hacking tools

 Large number of open wireless networks that help criminals cover their tracks

 Greater complexity of networks and codebases in the applications and databases being developed today

 Naïve yet computer-savvy children who are eager to give up privacy (which is easy because they’ve never experienced it) for free stuff

 Ransoms paid by cyberinsurance policies can be huge

 Likelihood that attackers won’t be investigated or prosecuted if caught

A malicious hacker needs to find only one security hole, whereas IT and security professionals and business owners must find and resolve all of them!

Although many attacks go unnoticed or unreported, criminals who are discovered may not be pursued or prosecuted. When they’re caught, hackers often rationalize their services as being altruistic and a benefit to society: They’re merely pointing out vulnerabilities before someone else does. Regardless, if hackers are caught and prosecuted, the “fame and glory” reward system that hackers thrive on is threatened.

The same goes for malicious users. Typically, their criminal activity goes unnoticed, but if they’re caught, the security breach may be kept hush-hush in the name of protecting shareholder value or not ruffling any customer or business-partner feathers. Information security and privacy laws and regulations, however, are changing this situation, because in most cases, breach notification is required. Sometimes, the malicious user is fired or asked to resign. Although public cases of internal breaches are becoming more common (usually through breach disclosure laws), these cases don’t give a full picture of what’s taking place in the average organization.

Regardless of whether they want to, most executives now have to deal with all the state, federal, and international laws and regulations that require notifications of breaches or suspected breaches of sensitive information. These requirements apply to external hacks, internal breaches, and even seemingly benign things such as lost mobile devices and backup tapes. The appendix lists the information security and privacy laws and regulations that may affect your business.