How to understand the mindset of a cyber criminal

Let me start with an explanation of the types of cyber criminal that I’ll be talking about in this article.

First, I’ve used the term ‘cyber criminal’ rather than ‘hacker’ because here at IT Governance we understand what a hacker really is (we employ several of them).

Second, I’ll be talking about actual cyber criminals, not so-called ‘script kiddies’. Most script kiddies’ methods can be blocked by an organisation implementing effective security controls and basic cyber security. When a cyber criminal wants your data, however, they won’t be so easily detected or deterred.

So, who are we up against?

We often advise our readers that they need to protect their data from cyber criminals. Unfortunately, it can be very difficult to know where to start without knowing who these cyber criminals are and how they act.

The problem is that some cyber criminals are smart – very smart. Although it can be argued that their criminal life choices aren’t so smart, their technical abilities are undoubtedly second to none. They don’t just think outside the box – they tear it up.

They’ll always be one step ahead of you. By the time you implement a strong firewall, they’ll already be looking for a way in. By the time you warn your staff of malicious USB sticks being found in the car parks, someone in HR will already have plugged one in.

It’s a game – and unless you’re thinking like a cyber criminal you won’t win.

There are three main types of cyber criminal:

Criminal hackers: Highly skilled experts who write their own malware and hacking tools (which are often reused by script kiddies). Often part of a secretive group of other criminal hackers, these criminals don’t enjoy public attention; they just want to get in and out without being detected.

Hacktivists: Known for hacking into popular websites to display their political or social views – for example, hacking into the Brazilian World Cup website to display a video of how Brazilians were being treated in the run-up to the World Cup. Although hacktivists don’t necessarily go after data, they can seriously harm an organisation’s reputation.

Cyber terrorists: Very similar to criminal hackers in terms of skills and dislike of publicity, but with different targets. Cyber terrorists prefer to target governments and infrastructure such as power grids and air-traffic systems, but are equally adept at sowing chaos in the private sector.

Depending on the nature of your business, you’re up against any, if not all, of these types of cyber criminal.

How do I think like one of these criminals?

As I said before, cyber criminals think outside the box. You need to prepare for the unexpected when assessing your organisation’s cyber security.

Max Brooks’s zombie apocalypse novel World War Z describes the Tenth Man Rule, a theory supposedly adopted by Israel after the 1973 Yom Kippur War. Based on the argumentative theory of reasoning, the rule dictates that when nine people agree that a strategy is correct, it is the tenth man’s duty to act as devil’s advocate and disagree, no matter how absurd it may be to do so. This way, all possibilities will be covered.

To slightly adapt that theory for the business world, if a board unanimously agreed that a particular outcome was almost certain, for example the ongoing success of a certain security feature, then one board member would be obliged to act as if it was going to fail. This way, if the feature did indeed fail, its failure would have been anticipated.

Now, I don’t mean to suggest that every organisation should have someone in the boardroom who says ‘no’ to everything. That would obviously be incredibly unproductive. What I do suggest is that in order to think like a cyber criminal, you need to understand that there is no such thing as 100% security. The voice of the tenth man needs to be heard loud and clear: there is a way into everything.

Is there a good guy who can think like a hacker for me?

I’m so glad you asked.

Ethical hackers (so called to avoid association with their criminal counterparts) are engaged by organisations to break into their systems and identify vulnerabilities. They then report what they found and explain how it can be fixed. This process is also known as a penetration test.

To learn more about ethical hackers and penetration tests, download our free paper.