Tuesday, March 21

Hacking Insight

Mentioning the word hacker usually elicits a strong response, no matter who you talk to. The Chief Security Officer and virtually anybody on the street will each have something specific to say. The problem with this word is that it detracts from the real issue of making Internet resources more secure because of the emotional baggage tied to that term.

In the real world, it doesn’t matter where an attack is coming from or who is performing it. It might be some teenage misfit with nothing better to do than wreaking havoc on your systems as a way of proving their skills to the world – a common hacker profile. It’s becoming increasingly common, however, that the source of your problems is well funded (such as organized crime or a hostile foreign government), is staffed with security professionals, and is willing to take their time.

What you don’t know could hurt you:

Most of the work required to successfully hack into your systems does not require actually touching the target systems

Most of the education you need to successfully hack into your systems only requires simple Internet searching

It is best to get past the emotional aspects of the label of the attacker and use a more appropriate term: a determined intruder. Breaking into your systems and services is a project that requires the same methodical approach as any other important business project you take on. Let’s take a look at how a determined intruder takes on the task of getting inappropriate access to your Internet-based resources.

For a determined intruder, the four parts of the attack process are as follows:

Part 1: Reconnaissance: Send packets to the target systems and learn how they are set up and what they are running

Part 2: Catalogue & Prioritize: Take the reconnaissance data and determine what is worth researching in more depth

Part 3: Research: Review available documentation, reports, release notes, configuration descriptions, specifications and do online research on who else has dealt with the specific component including known exploits or vulnerabilities

Part 4: Test & Validate: Use the data, techniques, and tools discovered during the research and try an actual attack, or learn more about the profile of the site

One of the interesting observations about the above methodology is that only the first and fourth steps require sending data to the target site. The second and third steps are “offline” in the sense that the work is done mostly over the Internet (e.g., Google searches and follow-up), but does not include sending data to the target site. What is especially interesting is that historical evidence shows that most of the work in an attack is indeed in these second and third steps. To state what is obvious and yet many people do not appreciate, most of the work performed in a successful attack cannot be detected, thwarted, or stopped by you because it is being done on systems that you do not own!

Probably the other most underappreciated fact about attacks is that there is a wealth of information available to anybody willing to invest a little time browsing the Internet. The information is readily available, compelling, and often provides incredibly detailed information that is useful in an attack.

Whether you do it yourself or hire reputable security professionals, all organizations should assume that their Internet resources will at some point become the target of a determined intruder. There are many different types of projects that can assess risk (architectural reviews, security audits or assessments, code reviews), but certainly one of the obvious methods is simply to proactively do the same thing that a determined intruder would do: profile and test your own systems. It is important to get past the emotional baggage of the word hacker, and focus more methodically on the process of decreasing the risk to your key assets.
