Why People Attack Web Servers


The complete answer to why people attack Web servers will probably never be known, but it's clear that few attacks are performed with malicious intent; most are made by people who want a little intellectual challenge. Of course, this doesn't mean that you can let your guard down. Even if only an extremely small percentage of people want to hack into your server, that's still a lot of people!

The following three factors generally hold true for people who attack servers:

  • They have the motivation.
  • They have a personal justification.
  • They have opportunity.

Let's take a moment to look at each factor in detail.

Motivation

People who really want to do harm, especially those who attempt to deface a company's Web site, probably dislike the company because of its perceived environmental transgressions, its stance on a political issue, something the company said, or any of a myriad of other reasons. Remember, we're dealing with humans. Humans have emotions, and emotions can lead to irrational or antisocial behavior.

Attacks from within a company are most commonly initiated by a disgruntled employee. Don't overlook the possibility of attack from the inside.

The most likely reason for a disclosure attack (in which company secrets or documents are accessed) is industrial espionage. Your Web site might actually be an entry point into your corporate network!

NOTE
A study conducted by Michael G. Kessler & Associates, a New York-based security firm, found that theft of proprietary information from U.S. companies was committed by the following parties:

  • Employees: 35 percent
  • Outside hackers: 28 percent
  • Other U.S. companies: 18 percent
  • Foreign corporations: 11 percent
  • Foreign governments: 8 percent

For more information, go to www.apbnews.com/newscenter/internetcrime/2000/01/04/comptheft0104_01.html.

Justification

A person who's motivated to mount an attack must justify her actions. For example, a discontented employee (or former employee) might rationalize destroying your Web site by thinking that her actions are minimal compared to the mental anguish she's endured because of some action taken by the company (such as firing her).

Opportunity

Finally, the attacker must find the right time to make the assault. Unfortunately, for computers on the Web this could be any time because the Web is open for business 24 hours a day. While you're sleeping, an attack might be coming from the other side of the world.



Designing Secure Web-Based Applications for Microsoft Windows 2000 with CDROM
ISBN: N/A
EAN: N/A
Year: 1999
Pages: 138
