Author: Arthur Marquis
Learn how to protect yourself against hackers by understanding what hacking is and the types of threats out there.
What is hacking? Merrian-Webster defines hacking as “to gain illegal access to (a computer network, system, etc.)”. While Malwarebytes does a terrific write up on hacking stating, “Hacking refers to activities that seek to compromise digital devices, such as computers, smartphones, tablets, and even entire networks.”
In this article, we will cover the different types of hackers, social engineering, the types of threats out there, and how you and your organization can stay protected.
How to Protect Yourself Against Hackers: What are the different types of hackers?
A White-Hat hacker tends to be either freelance or hired by a large company to assess security flaws and deliver reports on what those flaws are. Additionally, they’ll share how to protect your organization from them. Essentially, white-hat hackers are the good kind of hacker that helps you to improve your security posture.
Black-Hat hackers are criminals that gain unauthorized access to computers and systems to either destroy data or compromise data in hopes of a payday. Or as Alfred said in The Dark Knight, “Some men want to watch the world burn.”
Grey-Hat hackers occupy a more complex middle ground. Some hack into a corporate environment without permission to gain sensitive information without leaking it to the public. Then, they turn around and offer security services almost with a blackmail-feel to the whole transaction.
A long time ago (in a galaxy far, far away) hacking had an old wise Grandpa. His name was Phreaking. Phreaking is when someone uses telephone lines illegally. You could go down to Radio Shack, spend about $5-10 and make yourself a device called a box. They had all kinds of boxes: Black, Rainbow, Green, Blue, etc. These boxes would allow you to do all kinds of things from a payphone pretending to be an operator.
For instance, a black box would trick a telephone system into connecting a call and have it think it was never answered; thus free phone call! A green box was probably the most prevalent. It would generate tones you would play on the payphone to fake the system into thinking you put money in; resulting in again, free phone calls. This, obviously, is not pertinent anymore but a fun little tidbit on how hacking REALLY started.
Once computers started becoming more affordable and you found them in millions of homes, phones and the internet became connected. Remember AOL?
That’s when hacking really gained momentum. Before the internet, there were bulletin board systems. These systems were a specific phone number you could dial (way before IP addressing) that would give you access to a companies’ network. For legitimate purposes, this would give you access to company news, downloads, etc.
What is social engineering?
Another term that goes hand in hand with hacking, is social engineering. Social engineering is the act of compromising people. A terrific example I have is from when I worked at a financial organization. This bank would assess the security hardening of its people. With a simple phone number spoof and a person’s name, I could pretend to be calling from their IT department. I did so and was met with Kathy (not her real name).
I identified myself as Mike from IT and stated that I needed to check on some data because we were having problems with the system.
Kathy then proceeded to answer all my questions without hesitation. These questions included:
- “What is the last account number you looked up?”
- “What is the name on the account?”
- “What is the balance you are showing in checking?”
Now it would be easy to blame Kathy here, but she is not to blame. The lack of employee training is the problem here as human beings are often the first and last line of defense between hackers and valuable data. Kathy thought she was doing the right thing and simply wanted to help her IT department do their job. Had she had the training to know that their IT department 1) would never call from an outside line, 2) require those types of inquiries to a manager, or 3) would have communicated sensitive information using encrypted email, this would have never happened.
Another example is when trying to gain access to a system. A hacker could do something as simple as drop some USBs with malicious code on them to run right when plugged in would work. If someone were to find that USB and curiosity got the best of them, they could plug it in, and that’s where the trouble starts.
Social engineering is one of the easier ways to gain access to a system, and one I usually start with when contracted to help an organization with their security. I worked with a client whose CFO received an email requesting employees’ social security numbers. The CFO believed it to be from another executive within the company. She delivered all employees’ social security numbers to a social engineer. Not a good day for her or her company.
There are ways to train your staff to avoid these failures.
- Quarterly e-mail reminders on social engineering techniques and how to avoid them
- Spot check employees by running an email campaign with an attachment that will show you who clicked on it and who did not open it. Then coach those employees
- Schedule training with your IT department or Managed Service Provider (MSP)
What kind of threats are there?
So, what kind of threats are out there? A LOT. You just read about social engineering. In addition to social engineering, you have:
- dictionary and brute force attacks,
- social media gathering.
Viruses come in all flavors. You have trojans (aka file infectors) which, aptly named, hide malicious code inside a normal looking program. Sometimes this program continues to function as intended while the bad code is stealing keystrokes. This gives access to the system remotely.
Browser hijacking viruses are the big ones for most users. These viruses are pretty easily detected and pretty much put you on a different webpage than you were intending to go.
Boot Sector viruses used to be more prevalent than they are now, but much like everything in history, I would bet on a comeback. These viruses hide in email attachments, or a random USB drive (see social engineering above). Either way, a malicious code is delivered to a computer.
I’m sure you’ve read or seen about hacking in the news at some point. Target brand was a major news story when they were hacked, and some of their transactional data was stolen: think credit cards, purchases, and all kinds of personal information. A real eye-opener for me was when CNN reported on the Soviet hacks. They used a photo from a famous video game (look!). This shows me how little people are aware of the risks when using a computer, phone, or tablet.
How can you stay protected with all these threats?
So how do we protect ourselves in this crazy world? Well, that is not so easy to answer, but there is some ways we can protect ourselves. The impact of social engineering can be lessened, or even completely negated, through employee training.
Data Encryption hacks can be completely negated by having comprehensive backups and trained staff and or vendors to recover data without paying these hackers.
Having a trained IT staff is HUGE. A real benefit to having a managed service provider is having all that experience as YOUR IT department. That is twofold, you can avoid most hacks, and if you are hacked you have qualified individuals to help you recover quickly.