A practical guide to computer security Part 3

Date July 19, 2005

Who Hackers Are

The popular image of a hacker is reflective of the movie WarGames: a young boy sitting in front of his TRS-80®, illuminated only by the glow of the screen. His computer has dialed every number in a phone exchange during the day while he was at school, and now he is exploring the treasures that have been collected. Trying simple passwords on system after system, dialing and dialing….

Of course, this description of a hacker is too narrow. Today, hackers are much more likely to be adults, with sophisticated tools and specific goals. Their backgrounds are diverse and their computer skills range from being a novice to an expert.

Internal Hackers

Attacks from the inside are the most common attack which causes financial loss. The internal hacker is someone who has valid access to a system but decides for whatever reason to perform unauthorized acts. This is often a disgruntled or dishonest employee. This is the type of hacker who can cause the most damage to a company’s computers and data.
Internal hackers should be the information security officer’s number one concern. They have both access to and knowledge of the organization’s computing resources. The motives of in-house hackers will vary, but generally they are either trying to profit from their actions or seeking revenge on the company or an individual. The methods used to gain profit from hacking can range from directly manipulating financial information to selling information to competitors or convincing the company to pay the hacker as a consultant to repair the system he has destroyed. Attacks to seek revenge can take almost any form, depending on what the hacker thinks will damage the company or individual the most.

Disgruntled Employee

Disgruntled employees are the most dangerous type of hacker. This person may be anyone from an end user, who has access to the company’s data, to a system programmer, who knows the system inside and out and has the ability to turn the system upside down. Disgruntled employees will not be stopped because the effort outweighs the value of the information. Often their goal is much more personal than financial.
Their intimate knowledge of the inner workings of the organization will be used to cause the most damage possible. They may understand how to go unnoticed and avoid being caught. Often internal hackers already have been given privileges which they will abuse to attack the system.

Patrick McKenna hacked into his former employer’s computer server on two occasions over the Internet. On these occasions he deleted approximately 675 computer files, modified computer user accounts, altered billing records and transmitted e-mails, which purported to have originated from an authorized representative of the victim corporation, to over one hundred clients. Those e-mails contained false statements about business activities of the corporation.
McKenna was convicted for “unauthorized computer intrustion” and sentenced to serve six months in federal prison and ordered to pay $13,614.11 in restitution for the damage he caused. [2]

[2] “Major Investigations: Patrick McKenna,” National Infrastructure Protection Center

Category Posted in WhitePapers

Leave a Reply

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>