
Inside the Mind of a Hacker

A Juniper Research report estimates that cybercrime will cost businesses over $2 trillion by 2019. To protect against the massive impact of cybercrime, it’s important to get inside hackers’ heads to better understand their motivations.

While hackers are often portrayed as criminals, there are many ethical hackers, also called white hat hackers, who seek to find problems so they can be fixed. Companies pay for these services because it makes their products more secure. Indeed, the Spectre and Meltdown vulnerabilities that have made recent headlines were discovered by three ethical hackers studying at Graz University of Technology. They discovered the two-decade-old critical security flaw and reported it to Intel and other companies long before making the problem public.

On the criminal side, malicious hackers, sometimes referred to as black hat hackers, have different motives for their actions. Some may just be acting opportunistically, some are in search of money, some are sponsored by a criminal or state organization. They use different methods depending on the situation and what they think might be available. Other hackers carefully plan attacks for revenge on a friend, former employer, specific agency, or organization. The U.S. 2016 election is a prime example, where state-sponsored hackers reportedly targeted some states’ election infrastructure, allowing personal voter information to be accessed. Hackers like this can find targets through a published exploit or through their own research. This was also seen through WannaCry, the ransomware attack that targeted unprotected computers throughout the world using a well-documented problem in the Windows operating system – and made many organizations ‘want to cry’.

With these motivations in mind, what do organizations need to do to prevent becoming a potential target for hackers?

Aside from understanding who a hacker is, businesses and individuals should understand that hackers ultimately go after people or data. People “hacks” include phishing scams, phone calls, or internet ads, typically aimed at getting someone to click a link or otherwise enable access for the hacker. Data hacks (such as WannaCry) break through networks, passwords, or other exploits with a goal of controlling or taking over a site or machine. These different techniques are all part of a hacker’s toolkit. Phone call hacks, for instance, come with a huge price tag. According to the FTC, “individuals posing as other people cost consumers $744.5 million in total in 2016, with the average loss amounting to $1,124, government officials said. Impostor scams can take on many forms, from someone posing as an ‘IRS agent’ calling to demand overdue tax payments or fake ‘police’ calling to collect unpaid traffic tickets.”

It’s also important for leaders to remind their employees to lock machines when away from the office and to never grant access over the phone, regardless of what the caller says. Specifically, don’t believe pop-ups or emails that claim you have a problem; never give credit card or personal information over the phone unless you know the company or person personally; and lastly, don’t believe callers you don’t know. If it is important, they will send you a letter or otherwise prove their identity. It is just as easy for a hacker to set up a fake web site with a fake phone number as it is for a reputable company.

Leaders should also stay proactive and aware that the landscape is always changing. Businesses need to establish clear boundaries and policies and educate their people through training, maintaining a positive culture, and through simulated attacks. Hackathons are a great use case for this. They raise awareness and may expose some weaknesses in organizations’ own systems while also providing hands-on training.

While we may never be able to stop all attacks, understanding a hacker’s mentality and toolkit is an important step to protecting businesses worldwide.

By Erik Brown, Chief Technology Officer