the security assessment reporting process.
Moving on
When you finish your security tests, you (or your client) will still need to implement your recommendations to make sure that the systems are secure. Otherwise, all the time, money, and effort spent on testing goes to waste. Sadly, I see this very scenario fairly often.
Chapter 2
Cracking the Hacker Mindset
IN THIS CHAPTER
Before you start assessing the security of your systems, it’s good to know a few things about the people you’re up against. Many security product vendors and security professionals claim that you should protect all of your systems from the bad guys — both internal and external. But what does this mean? How do you know how these people think and execute their attacks?
Knowing what hackers and malicious users want helps you understand how they work. Understanding how they work helps you look at your information systems in a whole new way. In this chapter, I describe the challenges that you face from the people who actually do the misdeeds, as well as their motivations and methods. This understanding better prepares you for your security tests.
What You’re Up Against
Thanks to sensationalism in the media, public perception of hacker has transformed from a harmless tinkerer to a malicious criminal. Nevertheless, hackers often state that the public misunderstands them, which is mostly true. It’s easy to prejudge — or misjudge — what you don’t understand. Unfortunately, many hacker stereotypes are based on misunderstanding rather than fact, and that misunderstanding fuels a continued debate.
Hackers can be classified by both their abilities and their underlying motivations. Some are skilled, and their motivations are benign; they’re merely seeking more knowledge. Still, other hackers may have malicious intent and seek some form of personal, political, or economic gain. Unfortunately, the negative aspects of hacking usually overshadow the positive aspects and promote the negative stereotypes.
Historically, hackers hacked for the pursuit of knowledge and the thrill of the challenge. Script kiddies (hacker wannabes with limited skills) aside, traditional hackers are adventurous and innovative thinkers who are always devising new ways to exploit computer vulnerabilities. (For more on script kiddies, see the section “Who Breaks into Computer Systems” later in this chapter.) Hackers see what others often overlook. They’re very inquisitive and have good situational awareness. They wonder what would happen if a cable was unplugged, a switch was flipped, or lines of code were changed in a program. They do these things and then notice what happens.
When they were growing up, hackers’ rivals were monsters and villains on video-game screens. Now hackers see their electronic foes as only that: electronic. Criminal hackers who perform malicious acts don’t really think about the fact that human beings are behind the firewalls, web applications, and computer systems they’re attacking. They ignore the fact that their actions often affect those human beings in negative ways, such as jeopardizing their job security and putting their personal safety at risk. Government-backed hacking? Well, that’s a different story, as those hackers are making calculated decisions to do these things.
On the flip side, the odds are good that you have at least an employee, contractor, intern, or consultant who intends to compromise sensitive information on your network for malicious purposes. These people don’t hack in the way that people normally suppose. Instead, they root around in files on server shares; delve into databases they know they shouldn’t be in; and sometimes steal, modify, and delete sensitive information to which they have access. This behavior can be very hard to detect, especially given the widespread belief among management that users can and should be trusted to do the right things. This activity is perpetuated if these users passed their criminal background and credit checks before they were hired. Past behavior is often the best predictor of future behavior, but just because someone has had a clean record and authorization to access sensitive systems doesn’t mean that they won’t do anything bad. Criminal behavior has to start somewhere!
However you view the stereotypical hacker or malicious user, one thing is certain: Somebody will always try to take down your computer systems and compromise information by poking and prodding where they shouldn’t — through denial of service (DoS) attacks or by creating and launching malware, especially ransomware. You must take the appropriate steps to protect your systems against this kind of intrusion.
THINKING LIKE THE BAD GUYS
Malicious attackers often think and work like thieves, kidnappers, and other organized criminals you hear about in the news every day. The smart ones devise ways to fly under the radar and exploit even the smallest weaknesses that lead them to their targets. Following are examples of how hackers and malicious users think and work. This list isn’t intended to highlight specific exploits that I cover in this book or tests that I recommend that you carry out, but it demonstrates the context and approach of a malicious mindset:
Evading an intrusion prevention system by changing the MAC or IP address every few minutes (or packets) to get farther into a network without being blocked.
Exploiting
