Getting to know your hacker

This blog entry was submitted by one of our guest bloggers. The author’s views are entirely her own and may not reflect the views of IT Governance.

The first thing you need to know about criminal hackers is that they don’t care about you. They don’t care about the damage they could do to your business, the damage they can inflict on your personal life and they really don’t care who knows about it. That’s the key point for you to understand.

They don’t care about you.

It’s quite likely that you have already been hacked; you just may not know it. You need to understand that you ARE under attack.

It’s frightening to think that almost anything can be hacked these days: Fiat Chrysler cars can be remotely controlled, smart fridges can act as botnets and send spam emails, and even drug pumps can be hacked. Any electrical item with embedded firmware and an Internet connection can be hacked. Firmware binaries can be reverse engineered to find vulnerabilities and to develop malicious code, configurations can reveal passwords and encryption keys, and crash dumps can disclose sensitive data.

Don’t think for one second that a criminal hacker won’t do it. They will: they don’t care about you.

You have to consider this when designing your information security management system (ISMS). To assume that ‘they wouldn’t do that’ is your downfall. Hackers will do anything and everything they can to gain notoriety, money and recognition – even if it means breaking the law.

L0pht

Back in 1998, seven hackers advised US senators:

“Your computers are not safe – not the software, not the hardware, not the networks that link them together. The companies that build these things don’t care, and they have no reason to care because failure costs them nothing. And Federal Government has neither the skill nor the will to do anything about it. If you’re looking for computer security, then the Internet is not the place to be, the Internet itself can be taken down by any of the seven individuals seated before you with just 30 minutes of well-choreographed keystrokes”.

The seven named themselves L0pht, and they delivered a message that couldn’t have been more accurate. But it was ignored then and now we are dealing with the fallout.

L0pht pictured

Criminal hackers are looking to make a quick gain, whether that is money or notoriety; they prey on weak security. The quicker the hack, the better it is for the hacker. Criminal hackers get bored quickly, so they don’t want to have to slowly peel back layers of security; spending too long on a hack doesn’t deliver the quick results a hacker desires.

Security in layers

So, what’s onion security? It’s the best defence you can use. If you think about security like the layers of an onion you are already on track to defend against hackers. A single layer of security will leave you vulnerable to attack, but the more layers a hacker has to get through, the less likely he is to continue with his attack on your network – it simply takes too long. The most common forms of attack targeting critical infrastructure are worms/trojans, closely followed by code injection and drive-by downloads. The skills demonstrated by malicious actors evolve and improve over time, which means that security also has to evolve.

Hackers use software like Kali, Hopper and Binwalk – software that’s used by a huge number of developers across the globe. These types of software offer a number of features, such as examining memory for specific patterns and entropy, memory extraction, and reverse assembly. The software can show a criminal hacker where the vulnerabilities are so that they can exploit them. Developers should also be using this type of software on their projects so that they can identify the vulnerabilities and patch them prior to release.
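A pre-release check of the kind described above, combining pattern matching and windowed entropy over a firmware image, can be sketched in a few lines. This is an added example, not code from the post or from any of the tools it names; the signature list, function names and the 4 KiB sample image are constructed for illustration.

```python
import hashlib
import math
import re

# Illustrative signatures for secrets that should not ship in an image.
SIGNATURES = {
    "pem_private_key": re.compile(rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "hardcoded_password": re.compile(rb"(?i)passw(?:or)?d\s*=\s*[^\s\x00]{4,}"),
}

def shannon_entropy(block: bytes) -> float:
    """Bits per byte: 0.0 for constant data, close to 8.0 for random data."""
    if not block:
        return 0.0
    n = len(block)
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def high_entropy_regions(image: bytes, window: int = 1024, threshold: float = 7.5):
    """Offsets of full windows that look compressed or encrypted."""
    hits = []
    for off in range(0, len(image) - window + 1, window):
        e = shannon_entropy(image[off:off + window])
        if e >= threshold:
            hits.append((off, round(e, 2)))
    return hits

def signature_hits(image: bytes):
    """Sorted (offset, signature name) pairs for every pattern match."""
    return sorted((m.start(), name)
                  for name, rx in SIGNATURES.items()
                  for m in rx.finditer(image))

def build_sample_image() -> bytes:
    """Constructed 4 KiB test image: config text, opaque payload, PEM header."""
    config = b"ssid=lab\npassword=Constructed123\n".ljust(1024, b"\x00")
    # Deterministic pseudo-random bytes stand in for an encrypted payload.
    payload = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(64))
    pem = b"-----BEGIN RSA PRIVATE KEY-----\n(constructed, no key material)\n"
    return config + payload + pem.ljust(1024, b"\x00")

if __name__ == "__main__":
    image = build_sample_image()
    for off, name in signature_hits(image):
        print(f"0x{off:04x}  signature  {name}")
    for off, e in high_entropy_regions(image):
        print(f"0x{off:04x}  entropy    {e} bits/byte")
```

Signature hits point at material that should be removed from the build; high-entropy windows mark compressed or encrypted regions that deserve a closer look before release.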

Since the 1990s we have seen a rise in security techniques such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS) to encrypt Internet traffic. This is a step in the right direction, but we need to keep studying and keep researching; we need our white-hat hackers to be a match for the black hats; we need the government to crack down on software and hardware developers to ensure that security is embedded from the ground up. We need our colleges and universities to ensure that security layering techniques are taught to students as part of business as usual.

It is only now that we take the threat of hackers seriously, only now that we are taking action – 17 years after we were first warned.