Profiles and Motives of Different Types of Hackers

Over the past three decades, the definition of what a hacker is has evolved quite a bit from what was accepted in the 1980s and even the 1990s. Current hackers defy easy classification and are best understood by looking at the motivations for their actions. Although there is no comprehensive list of the types of today’s hackers, here is a general list of categories of their motivations (you’ll learn more about each type of hacker in a later section in this chapter):

  • Good guys—Information security (InfoSec) professionals who engage in hacking activities to uncover vulnerabilities in hopes of fixing them and making systems more secure.

  • Amateurs—Entry-level hackers who do not possess their own advanced skills but rather use only scripts and software written by more experienced hackers.

  • Criminals—Hackers who routinely use malicious software and devices to carry out illegal activities primarily for the purpose of financial gain.

  • Ideologues—Hackers who carry out their activities to achieve ideological or political goals.

Most of today’s organizations have quickly learned that they can no longer afford to underestimate or ignore the threat attackers pose. Organizations of all sizes have learned to reduce threats through a combination of technical, administrative, and physical measures designed to address a specific range of problems. Technical measures include devices and techniques such as virtual private networks (VPNs), cryptographic protocols, intrusion detection systems (IDSs) or intrusion prevention systems (IPSs), access control lists (ACLs), biometrics, smart cards, and other devices. Administrative controls include policies, procedures, and other rules. Physical measures include devices such as cable locks, device locks, alarm systems, and other similar devices. Although any of these devices or controls may be expensive, they will likely be cheaper and more effective than the cost and effort required to clean up after a successful attack.

While discussing attacks and attackers, InfoSec professionals must be thorough when assessing and evaluating threats by also considering where they originate. When evaluating the threats against an organization and possible sources of attack, always consider the fact that attackers can come from both outside and inside the organization. A single disgruntled employee can cause tremendous damage because he or she is an approved user of the system. Although you will likely see many more external attacks, a malicious insider may go unnoticed longer and have some level of knowledge of how things work ahead of time, which can result in a more effective attack.

Controls

Each organization is responsible for protecting itself from risks by determining the controls that will be most effective in reducing or mitigating the threats it faces. One approach to developing a balanced and effective strategy for selecting security controls is the TAP principle. TAP is an acronym for technical, administrative, and physical, the three types of controls you can use to mitigate risk. Here’s a look at each type, with a few examples:

  • Technical—Technical controls take the form of software or hardware devices, such as firewalls, proxies, IDSs, IPSs, biometric authentication, permissions, auditing, and similar technologies.

  • Administrative—Administrative controls take the form of policies and procedures. An example is a password policy that defines what makes a good password. In numerous cases, administrative controls also fulfill legal requirements, such as policies that dictate privacy of customer information. Other examples of administrative policy include the rules governing actions taken when hiring and firing employees.

  • Physical—Physical controls are those that protect assets from traditional threats such as theft or vandalism. Mechanisms in this category include doors, locks, cameras, security guards, lighting, fences, gates, and other similar devices.

The Hacker Mindset

Depending on whom you ask, you can get a wide range of responses from hackers on how they view their actions. In fact, many hackers, like other individuals who break rules or laws for various reasons, have their own codes of ethics that they hold sacred. In defense of their actions, hackers have been known to cite various justifications, including the following:

  • The notion of victimless crime—Because humans are not the direct targets, there’s nothing wrong with committing the crime. (Of course, this justification doesn’t apply to attacks that actually do target individuals.)

  • The Robin Hood ideal—Stealing software and other media from “rich” companies and delivering them to the “poor” consumers via methods such as BitTorrent is okay because the target companies have plenty of money.

  • National pride and patriotism—Similar to the anti-establishment Robin Hood mentality, patriotic hackers may seek to upset the balance of national power, hacking to disrupt the due process of an adversary and/or bolster the opinion of their own country.

  • The educational value of hacking—Essentially, it is okay to commit a crime as long as one is doing it to learn.

  • Curiosity—Breaking into a network is okay as long as you don’t steal or change anything.

Another example of attempting to explain the ethics applied to hackers is known as the hacker ethic. This set of standards dates back to Steven Levy in the 1980s. In the preface of his book Hackers: Heroes of the Computer Revolution, Levy states the following:

  • Access to computers and anything that might teach you something about the way the world works should be unlimited and total.

  • All information should be free.

  • Authority should be mistrusted, and decentralization should be promoted.

  • Hackers should be judged by their hacking, not criteria such as degrees, age, race, gender, or position.

  • You can create art and beauty on a computer.

  • Computers can change your life for the better.

Motivation

Ethics are an important component in understanding hackers, but far from the only component. One must also consider motivation. Anyone who has watched one of the many television shows that focus on solving crimes knows that there are three things needed to commit a crime:

  • Means—Does the attacker possess the ability to commit the crime in question?

  • Motive—Does the attacker have a reason to commit the crime?

  • Opportunity—Does the attacker have the necessary access and time to commit the crime?

Focusing on the second point—motive—helps you better understand why an attacker might engage in hacking activities. The early “pioneers” of hacking engaged in those activities almost exclusively out of curiosity. Today’s hackers can have any number of motives, many of which are similar to the motives for committing traditional crimes:

  • Beneficial contribution—Hackers with this motive are not criminals. White-hat hackers, also called ethical hackers, are InfoSec professionals who engage in hacking activities to help make their organization’s systems more secure. They try to attack their systems like attackers would to uncover vulnerabilities that can be mitigated before malicious attacks can succeed. The two main differences between ethical hackers and unethical hackers are that ethical hackers have permission to carry out their activities, and they do so to make their organizations more secure.

  • Status/validation—New hackers nearly always learn the ropes by running prepackaged scripts and programs written by more experienced hackers. These tools require very little sophistication and make it easy for inexperienced hackers to cause damage. These new hackers with limited original skills are generally referred to as script kiddies. As these hackers gain more skills, they often modify existing exploits and eventually write their own malicious software. Many of today’s hackers start out to make a name for themselves. Each successful attack gives them more status and elevates their reputation in the eyes of established hackers. For many hackers, this recognition is all they really want—at least at first.

  • Monetary gain—Most of today’s malicious attacks are specifically targeted to either generate revenue for the attacker or deny revenue to the target. Attacks can provide access to financial resources or to valuable data that can be resold, deny resources or processes that generate revenue, or deny access to resources that can be held for ransom. In any case, money is at the heart of the motivation for this type of hacker, which can include malicious insiders, individual criminals, organized crime organizations, or cybermercenaries.

  • Ideology—Hackers in this last category of motivations use technology to achieve ideological goals. Hackers who use malicious software to carry out activist attacks have given rise to the label of hacktivists. But hacktivists aren’t the only actors in this category. Nationalists and nation-state actors are also motivated by ideology. Their attacks are carried out to promote a particular agenda. Actors who operate in this area are often those with the most advanced skills and greatest financial backing. For this reason, these types of hackers tend to be the most sophisticated and dangerous, resulting in grave, global consequences.
