Who Is the Enemy?

I'm going to arbitrarily lump potential attackers into three groups: script kiddies, disaffected users, and skilled attackers. You will find more fine-grained profiles in books dedicated to network security, but these categories are easily explained, are easily understood, and encompass 99 percent of all the attackers you're likely to encounter.

Script Kiddies

The most numerous attackers are script kiddies (often called "script kitties" in the OpenBSD community). Script kiddies are not sysadmins: They are not skilled and most have absolutely no idea what the heck they are doing. They download small attack programs that work on a point-and-click basis and go looking for systems that the program works on. They're the equivalent of drive-by shooters looking for easy targets. Fortunately, script kiddies are particularly easy to attack against; keeping your programs securely up-to-date will deter most of them.

The other two groups can use any attack that can be used by script kiddies.

Disaffected Users

The second group causes the majority of security problems I've dealt with — a system's legitimate users. Disaffected employees and users know where a system's problems are, and are frequently able to use those problems to their own advantage. If your support people use a password-free modem in a back closet to access the computers, and you have to fire one of them, you may well have unexpected calls at that modem! The ex-employee wouldn't even have to call it himself; he could just post the phone number somewhere on the Internet and let the script kiddies go wild. Or perhaps some company administrator gives the phone number to their child so they can get Internet access, and that child shares the phone number with friends. While an unsecured modem might be an extreme example, almost every network has some "fix" that was hurriedly and thoughtlessly implemented and that can be exploited by a motivated person who knows about it.

The best way to stop these people is to not be sloppy. Keep your systems up-to-date. When someone leaves the company change all administrative passwords, disable any accounts that person had, and tell all employees that the person has left and not to share information with him. And get rid of the unsecured modem, or the decrepit SunOS server with a telnet port open to the world, or whatever hurried hack you put into place thinking that nobody would ever find it.

A skilled attacker can probably use any attack available to a disaffected user.

Skilled Attackers

The last group is actually fairly dangerous: skilled attackers. These are competent systems administrators, security researchers, and penetration specialists who want access to your systems in particular. If one of these people wants into your network, they stand a very good chance of finding any holes that exist and getting in.

Still, the security measures that will stop the first two groups cold can change the tactics that skilled attackers must use. If you secure your network well, the intruder will have to show up at the door dressed as a telephone company repairman lugging a packet sniffer or dumpster-dive for old sticky notes with passwords scribbled on them, rather than break in via the network. This dramatically raises his exposure and can even make a break-in more trouble than it's worth.

Hackers

You'll frequently hear the word "hacker" used to describe people who break into computers. This word has different meanings, depending on the speaker. In the technical world, a hacker is someone who is interested in the inner workings of things. Some hackers are interested in everything; some have a narrow field of interest. In the open source community, "hacker" is generally a title of respect. In the popular media, a hacker breaks into computers. I recommend entirely avoiding the word so as to avoid confusion. In this book, I call people who break into computers "intruders." (In person I call them a variety of names that No Starch Press has yet to print in any of their books.)