It is unfortunate but true that more organizations are subjected to hack attacks. A 2003 survey indicated that as many as 75% of companies polled cited employees as a likely source of hacking attacks. The same survey found that it cost those companies more than $120 million to recover from the activities of the malicious insiders. These numbers should start to drive home the importance of good operational controls. It is much cheaper to be proactive and build in the good controls than it is to be reactive and figure out how you are going to respond.
Who are the people you have to worry about? Well, generally, they can be divided into two groups:
So which group represents the biggest threat? You might have already guessed that it is insiders. Criminologists describe criminals as those who possess three items: means, motive, and opportunity. This is known as the crime triangle, shown in Figure 8.1. Insiders typically have the means and the opportunity to commit a crime. All they lack is a motive. Outsiders, on the other hand, are not trusted with access, and being outside the organization's structure could present them with little opportunity to launch an attack. Individuals must possess all three items shown in the crime triangle to successfully commit a crime.
Figure 8.1. Crime triangle.
Common Attack Methodologies
Hack attacks typically target one or more items that are tied to the security triad: confidentiality, integrity, or availability. Whereas confidentiality and integrity attacks actually give the attacker access to your data, availability attacks do not. Availability attacks usually result in denial of service (DoS).
DoS Attacks in Real Life
In February 2000, websites including Yahoo! and eBay were shut down due to persistent DoS attacks. Although the attack didn't give the attacker access to these networks, it caused a loss of service to the organizations. In 2001, a Canadian court sentenced a youth nicknamed Mafiaboy to 8 months in jail as a result of these attacks.
Hackers target a variety of devices, but their modus operandi remains fairly constant. Their methodology of attack generally proceeds as follows (see Figure 8.2):
Figure 8.2. Attack methodology.
Phreakers and Their Targets
Long before modern-day hacking existed, phreakers were practicing their trade. Phreaking is the art of hacking phone systems. Now, although this might sound like a rather complicated affair, back in the early 1970s, John Draper discovered how to make free phone calls by using a Capt. Crunch Whistle. The 2600Hz tone it produces is the same as what's required for bypassing the normal billing process.
Today phreakers can still pose a threat to operational security by hacking into PBX systems. Many times, these individuals sell off time on the victim's phone network. These charges are usually discovered after 30 to 60 days, but this window of opportunity allows the phreakers to run up thousands of dollars in phone charges. Other modern-day phreakers hack caller ID or target VoIP phone systems for DoS attacks.