Before we proceed on this article, let’s set the record straight. I’m potentially throwing myself to the lions here, but here goes…..
After posting a previous version of this article on Peerlyst (in it’s original format) last September, the “local hood” got somewhat upset at my portrayal of the word “hacker”. This caused upset with some members of this community, and I firmly believe that their response was without foundation, or a clear understanding of the term’s definition – particularly if you read the comments 🙂
Now, let’s look at what the actual definition of a hacker is – the first hit returned in Google search. I was advised to perform this simple feat to “understand the difference”
Definition of hacker – a person who illegally gains access to and sometimes tampers with information in a computer system
And so, based on this factual definition, I am posting the same article again – with it’s originally intended wording. And please, don’t wave your CISSP cert under my nose – It isn’t a technical exam and certainly doesn’t qualify you as a hacker. Once the market has become flooded with people that have these types of accreditation, it’ll be worthless – just like today’s MCSE. Hackers are light years ahead of the game when it comes to hoodwinking the good guys, and with so many attacks happening on a daily / weekly / monthly basis, there really is no argument here in my view, particularly as the attacks are successful. Having certificates is a tick box for HR and recruitment processes. It’s by no means an indication of experience, or ability.
- Surprised at my response ? Don’t be – this site is founded on experience gained on the battlefield alone.
- Don’t like my response ? That’s your right. Don’t bother to read on.
Without wasting any more time, let’s get back to the article. Hope you enjoy it.
Think you can spot a hacker ? Think again. Hackers do not live up to the stereotyping that we have grown accustomed to, and are convincingly portrayed in films as breaking into high profile organisations using state of the art technology. In reality, it’s a lot less glamorous and exciting than the movies. If you consider the effort that is often involved in compromising the intended target, the process is far from action packed and exciting. The reward for the hacker however is paramount and he or she will never lose sight of this. The dark web market for data stolen from organisations is rapidly increasing, and a significant profit can be made from such activity.
How did hackers evolve ?
Here, we take a look at how hackers evolved and broke free from their geeky personas into the advanced cyber criminals they are today. Years ago (and I’m perhaps showing my age here), hackers were considered as being along the lines of Linux and Unix fanatics – long hair, beard, glasses, and sandals. Very much a 70’s look, and somewhat stereotypical. Hackers in the 80’s were seen as nerds or geeks with big teeth, big glasses, zero charisma, and no social skills when it came to dealing with the opposite sex (think Napoleon Dynamite). They were often the target of “bigger boys”, who made their lives intolerable.
Between the 90’s – 00’s, hacking suddenly became cool thanks to films like The Matrix. Almost as if overnight, three-quarter length coats, shades and boots became essential attire if you wanted to look like a hacker. Of course, the colour had to be black to finish the look.
Now here’s the truth. hackers do not look like something out of Lynrd Skynrd, Bill Gates as a teenager, or Neo from The Matrix – they look like ordinary people – ordinary like you and I. The chances of you hand picking a hacker out of a crowd is virtually zero.
Hackers are often very intelligent individuals, and should not be underestimated in terms of their abilities. After all, they’ve found a way into your network and stolen gigabytes of personally identifiable data, and dumped it onto Pastebin for everyone to see. If they breached any point of sale terminals or other payment system, they’ve possibly also taken credit card information and will sell this data to the highest bidder. Another point is education. Hackers are not a dumb bunch -some of them have had top tier education, and obtained recognised qualifications. Having said that, do you think hackers sit exams such as CISSP, CISM, or OSCP ?
The answer to this is a firm no. In fact, you’ll probably find that a hacker or cyber criminal knows excessively more about breaking into a network than you know about securing it. Take the recent high profile breaches and their success level (bearing in mind that the perpetrators are still at large), and then consider the accrediation curriculum.
Certainly makes you stop and think. I personally do not carry any accreditation, and this could be seen as a defensive stance. In fact, it’s quite the opposite. Had I been twenty years younger when cyber security became the “next big thing”, I would have gone down this route myself – you could make an absolute fortune out of providing training for certification. There’s several discussions on LinkedIn and Reddit around this very topic. However, I’m at the stage of life where I don’t want to reinvent the wheel and would rather teach others the real world skills, knowledge, and proven techniques needed to fortify and secure their castle. I’m not looking to cast doubt or be dismissive of these qualifications, as I do believe they add value if you are looking to get past HR departments and those employers who seem to insist on academia over experience. My question is how much of this “information and training” can really be used in the real world ?
The answer ? Not much.
What I am alluding to here is that a hacker possess skills you cannot buy – knowledge and experience. Some of the best hackers known are extremely creative, and those who have decided to work on the right side of the law have become white hat penetration testers, and are the cream of the crop when it comes to cyber security and the associated awareness requirements.
Why are hackers so successful ?
With this knowledge and experience, a hacker becomes a formidable force to be reckoned with. The best hackers are those who enter and leave a network without being detected, with the modus operandi then described as a “sophisticated attack”. But how “sophisticated” is the attack in reality? Is this terminology being overused to hide inefficiencies in security, or to make the hacker sound like they breached Fort Knox ? Either way, we’ll never know the full extent of any breach, and there are always elements of an attack where an organisation will not make the full details known publicly due to the potential client confidence impact and loss of business, or a similar vulnerability being leveraged against another key system. Hacking isn’t always about financial gain either. Many attacks are borne out of several reasons, but if not financially motivated, are often political or state funded. A hacker can be motivated by something they read about, which then becomes the focus of their attack. In most cases, this type of attack is usually DDoS based, and is designed to wreak havoc in terms of performance, availability, and in essence, damage credibility.
Knowing what to hack is a skill on it’s own, and actually breaching a defence is a “kudos” in the underworld community. As a hacker, you have to understand how systems work in the first place before you can exploit any vulnerabilities in them. Hackers are known for their ability to leverage a buried vulnerability in a system – one that you did not know even existed – until it is used against you to breach your environment. Also consider the lengths a hacker will go to in order to gain access. Applications that are reverse engineered look innocent on the outside, but once executed, the intended target becomes compromised and can be controlled remotely. A similar principle is used when downloading legitimate software from a compromised site. Effectively, you land up with more than you bargained for as a result of a drive-by download.
Who do hackers target ?
Hackers do not just use technology. They exploit it’s benefits, are exceptionally adept at social skills and can engage someone they have never even met, convincing them to hand over substantial amounts of money without fear of reprimand. This nefarious activity is mostly associated with cyber gangs targeting individuals, known as a “soft target”. The so called “soft target” can arrive in various forms, but is often an individual exploited owing to their trusting nature – typically on business and emotional levels. The true identity of the criminal is rarely divulged, and within the consumer sector, this activity often goes unreported and ultimately undetected, as the victim is too embarrassed to admit they’ve been duped.
Still think you’d be able to spot a hacker given the above ? I doubt it. Hackers and cyber criminals are years ahead in terms of ability, and attitudes around upcoming and established talent need to change in order to tackle this increasingly powerful and damaging phenomenon. By attitudes, I refer to actually hiring talent with experience rather than accreditation. Without this change, we are simply running on a huge hamster wheel and not addressing the core issue.
What’s your view ?