Friday, July 8, 2022

Principle of Information Security: Module 2 The Need for Information Security (Part 8)

In 2017, the Singapore Ministry of Defense invited hackers to test its publicly accessible system for vulnerabilities. In March 2016, General Motors (GM) invited computer researchers to look for vulnerabilities in the software used in its vehicles and Web site, offering a reward to anyone who found an undocumented issue. In April 2015, the U.S. government did the same thing, inviting hackers to “Hack the Pentagon,” of all places—a program that continues to this day. This type of “bug bounty” program is an effort to convince both ethical and unethical hackers to help rather than hinder organizations in their security efforts. Other companies that recently invited such attacks include Tesla Motors, Inc., the ride-share company Uber, and Google.

Once an expert hacker chooses a target system, the likelihood is high that he or she will successfully enter the system. Fortunately for the many poorly protected organizations in the world, there are substantially fewer expert hackers than novice hackers.

A new category of hacker has emerged over the last few years. The professional hacker seeks to conduct attacks for personal benefit or the benefit of an employer, which is typically a crime organization or illegal government operation (see the section on cyberterrorism). The professional hacker should not be confused with the penetration tester (or pen tester), who has authorization from an organization to test its information systems and network defense and is expected to provide detailed reports of the findings. The primary differences between professional hackers and penetration testers are the authorization provided and the ethical professionalism displayed.

Expert hackers often become dissatisfied with attacking systems directly and turn their attention to writing software. These programs are automated exploits that allow novice hackers to act as script kiddies or packet monkeys. The good news is that if an expert hacker can post a script tool where a script kiddie or packet monkey can find it, then systems and security administrators can find it, too. The developers of protection software and hardware and the service providers who keep defensive systems up to date also stay informed about the latest in exploit scripts. As a result of preparation and continued vigilance, attacks conducted by scripts are usually predictable and can be adequately defended against.

Hacker Variants

Other terms for system rule breakers may be less familiar. The term cracker is now commonly associated with bypassing software copyright protection and decrypting passwords. Once the copyright protection is removed, software can be easily distributed and installed. Once user passwords from stolen system files are decrypted, user accounts can be illegally accessed. In current usage, the terms hacker and cracker both denote criminal intent.

Phreakers grew in fame in the 1970s when they developed devices called blue boxes that enabled them to make free calls from pay phones. Later, red boxes were developed to simulate the tones of coins falling in a pay phone, and finally black boxes emulated the line voltage. With the advent of digital communications, these boxes became practically obsolete. Even with the loss of the colored box technologies, however, phreakers continue to cause problems for all telephone systems.

