There are many types of hackers and understanding the types and the motivations of each can help to build defenses.
When I use the term hacker, you might imagine a person at a computer wearing a hoodie, scary looking, but their face hidden from view. But that's not what hackers look like. In fact, "hacker" can have a positive meaning. It can mean someone who tinkers with computers and electronics to come up with innovative ideas. Many of today's most reputable technology companies began as a couple of hackers experimenting in a garage.

Security professionals divide hackers into two types: white hat and black hat. This imagery draws inspiration from classic western movies. The good cowboys wear white hats, while the bad ones wear black hats. Their skills may be the same, but they have different intentions. A white hat hacker is a security specialist who uses their skills to improve security by detecting vulnerabilities before the malicious black hat hackers can exploit them. Black hat hackers are the ones we want to protect against. Black hat hackers fall into several categories, and I think it's useful to understand the motivations of each one.

First we have curious users. These are users who notice a thread and decide to pull it. Imagine a website where some pages have a URL that ends with a number. A curious user might try submitting different numbers to see what results they get back. These hackers often aren't very skilled or persistent.

Next we have script kiddies. Script kiddies is a derogatory term for hackers who don't have many skills but run scripts that someone else wrote to do the hacking for them. This group is as likely to complete a hack successfully as they are to just muck up your server. The hacks in their scripts are often old, well-known hacks which we can easily guard against, using basic security techniques.

Hacktivists are political activists. These hackers use their skills to advance a political agenda. Their causes may come from all sides of the political spectrum. You generally only need to worry about hacktivists if you're in a politically sensitive area such as a government or controversial organization. If you become their target, though, it's never random, and they're unlikely to give up easily.

Next we have the criminal hackers. These could be individuals or organized crime groups. They are motivated by money. They may steal money, harvest credit card numbers, collect personal information they can sell, hold data hostage or promote some kind of scam. Their skill levels vary from former script kiddies to highly skilled talent for hire. Criminal hackers represent the biggest security threat to most websites.

There are also trophy hunters. These are hackers seeking to prove their skills to gain fame and admiration from their peers. A trophy proves that they outsmarted a website's security. Trophy hunters include many of the most skillful hackers, but fortunately the chances are good that they will never notice your website. Breaking into a website for a local yarn shop is not very impressive. Breaking into an investment bank, who invest heavily in their security, that gives them the bragging rights they seek.

Finally we have governments. These are often referred to as advanced persistent threats. It is a fitting name, as these government-supported hackers are both advanced and persistent. These are the most skilled attackers who have enormous resources at their disposal. Most governments keep databases of technical flaws that they can exploit and build libraries of code to exploit them. Luckily they're not generally interested in hacking most websites. They're primarily interested in intelligence-gathering, industrial spying and espionage and advancing larger political goals.

However, governments may target unlikely websites. For example, in 2014 the Forbes.com website was hacked by a foreign government. The government knew that executives from many defense and financial services firms frequented the website. When the seemingly harmless Thought of the Day Flash widget appeared, a visitor's browser would automatically download malware which compromised their computer.

Knowing about hackers and their motivations is an important aspect of security awareness that could help you to build in adequate protections.
- Threat models
- Least privilege
- Defense in depth
- Validating and sanitizing input
- Credential attacks
- SQL injection
- Cross-site scripting