Impact of Information Security Trends on Banks, Part 1: New Hacker's Objectives
September 1st 2005
While we are not analyzing the ethical nature of a hacker, we must still consider a hacker to be a person who maintains a superior level of technical knowledge and abilities. Therefore, by definition we must then accept that there are hackers with good intentions (gurus) and hackers with bad intentions (cyber criminals).
Both kinds of hackers have recently changed their objectives. This is due to other trends in information security (e.g. changes in regulations) as well as social and generational changes.
In the past, both kinds of hackers shared a few basic characteristics. They were usually lone individuals, searching for personal achievements and recognition. The fundamental difference between them was that in the past, security risks posed by hackers with bad intentions were limited by their resources, time, and abilities, and hackers with good intentions took care of creating complex applications all by themselves.
Nowadays, many hackers with bad intentions have gathered into groups. These groups of professional criminals have a single objective in mind: profiting from criminal activities. The previous generation of lone cyber criminals, who often wasted their time defacing websites or creating viruses and worms for fun and recognition, is slowly fading into extinction. Tighter regulation and lower regard for hackers in our time have pushed them towards corporate crime. Additionally, since hackers with bad intentions risk jail time for most types of illicit activities, be it releasing a virus for fun or committing some fraud, they've chosen to raise the bar and only go after activities that are at least "worth the risk."
Spamming (sending unsolicited email) and phishing (getting confidential information through deceit) are just examples of this trend. Bad hackers profit from these activities, even though the activities do not often entitle them to the same level of fame and recognition that they once enjoyed. Recently, virus and worm writers have also shown changes in their work. It is now rare to come across writers who create viruses or worms to satisfy their own curiosity, send political messages to the world, or simply create programs to promote themselves. Instead, most viruses and worms now include backdoors that allow attackers to control other people's computers. In this game control is power, and power means profit. Hackers can use these programs to sell their legions of controlled machines for a price (to spammers, for example).
Spyware is another type of malware that has become increasingly common. Spyware creators often prefer to use simple and hard-to-detect code as a means of retrieving other people's stored information. Hackers have learned that stealing some important information (e.g. credit card numbers) might be more rewarding than using the compromised machines for more mundane and easily detectable purposes (such as denial-of-service wars against rival hackers).
Hackers with good intentions have changed their behavior as well. For example, some information security investigators no longer see the same benefit in publishing discovered vulnerabilities. This is due to the fact that even if they notify the makers of the vulnerable systems and applications first, they still risk legal action by the creator.
Hackers with bad intentions, on the other hand, have renewed motivation to discover vulnerabilities. But instead of publicizing them for fame, they too prefer to keep them for themselves. Therefore, it is not surprising to currently find more malware in the wild that is actively exploiting 0-day vulnerabilities.
Legal action is only part of the reason that hackers with good intentions prefer to keep a low profile nowadays. While they too are more capable when working within a team, many have developed several soft skills and are even eligible for management positions at some organizations. Apart from a few sparks of brilliance in certain activities (e.g. programming, networking) it is now much harder to recognize true hackers within organizations. Stricter norms and legislation have forced them to be more careful at work, forcing them to leave their "extracurricular" research activities for home.
While this integration of hackers into the workplace seems like a good idea, there are some drawbacks to it. For instance, organizations are not able to take advantage of their full range of abilities. Therefore these individuals could choose to 'switch to the dark side' at any time (e.g. if they get angry at their employer for some reason). This ability, coupled with internal knowledge of the employer's infrastructure and business processes, can potentially allow these individuals to cause more harm than an external cyber criminal.
Either way, hackers (with both good and bad intentions) are not the only type of employees that organizations must be aware of. Thanks to the increased dependency on technology, almost any worker involved with computer systems and networks (i.e. technicians, system administrators, programmers) has the ability to potentially damage a system.