Global Information Assurance Certification Paper - GIAC Certifications
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Global Information Assurance Certification Paper
Copyright SANS Institute
Author Retains Full Rights
This paper is taken from the GIAC directory of certified professionals. Reposting is not permited without express written permission.
Interested in learning more?
Check out the list of upcoming events offering
"Security Essentials Bootcamp Style (Security 401)"
at http://www.giac.org/registration/gsecNicolas-Loïc Fortin
Version 1.2f
Original submission
Who is the intruder?
s.
ht
Once upon a time, burglars and bandits were easily identifiable bad guys. Nowadays, with
telecommunications and computers appears a new kind of criminals: the hackers. Actually, the
rig
word « hacker » refers to any curious person who possesses computer related abilities and a great
interest for information technologies. The vast media coverage of various computer attacks, these
ull
last few years, has not only helped to popularize the word « hacker » but also, often, to define its
f
meaning. The hackers' community is becoming one of computer passionate capable and likely to
ns
attack
Keybusinesses
fingerprintand governments
= AF19 computer
FA27 2F94 998D networks.
FDB5 DE3D F8B5 06E4 A169 4E46
tai
The lack of uniformity in the definition of the word « hacker » does not help to the
re
comprehension of this highly diversified community. The hackers have various motivations,
different knowledge and goals, complicating our understanding of their community. Such a
or
matrix inevitably takes on a social character. The behavioural rules in a virtual world are not
th
different then the fundamental ones in the real world.
Au
In an effort to present the «hackers' community» in the best manner possible, I have consulted
some of the contributions made to help create these definitions. The main sources used are some
2,
texts by Mr Marc Rogers, from Deloitte & Touche, documentation produced by Shaw, Post &
00
Ruby as well as the community itself. In addition, I have participated in various discussions on
Internet sites and forums.
-2
I have found these contributions of the utmost interest because of their respective point of view.
00
Shaw, Post & Ruby propose an enterprise oriented approach; Mr. Rogers, an individual oriented
approach while the community suggests its own view on its composition. A table showing some
20
of the types is presented in the appendix.
te
Therefore, I hereby wish to present a summary of the hackers' community typology, inspired by
tu
the various sources I have consulted. As well, I will propose a few comments for each group in a
sti
computer security perspective.
In
The hackers' community: who are they ?
NS
The hackers' community can be divided in three main groups, according to their computer
SA
knowledge: first, the script kiddies (low level of technical knowledge), then the crackers (low to
regular level of technical knowledge) and finally, the elite hackers (high level of technical
©
knowledge).
The script kiddy is often at the beginning of his teenage years and his main motivation is easy
glory. He can be characterized by weak technical knowledge and his need to vandalize
(glorification). Quickly, he goes from one target to another, looking for easy kills, without
Key fingerprint
targeting = AF19
any specific FA27 2F94
organization 998D FDB5
in particular. DE3D
Thus, theF8B5
script06E4
kiddyA169 4E46simply looking
is often
for the respect he hopes to get from the elite hackers, gaining somewhat of a status inside the
community.
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.The cracker is usually in the middle of his teenage years or so. His technical knowledge is not
impressive, if he has any at all. His main motivations are, as for the script kiddy, glory and
vandalism. On the other hand, the cracker has or gives the impression of being also motivated by
s.
a certain social justice (without understanding its range). Therefore, often, he will justify his
ht
actions by Robin Hood's principle, robbing the rich to give to the poor. Contrary to the script
rig
kiddy, the cracker will not limit his targets to easy ones. As a matter of fact, he will often try to
hit well renown companies or military and/or governmental sites. In so doing, he boosts his ego
ull
and prestige.
f
As for the elite hacker, he is often an adult with a regular job. His level of technical knowledge is
ns
much higher, usually working in a highly technical environment. His motivations vary depending
Key fingerprint
on what = AF19
"side" he has FA27
chosen. It 2F94 998Dsecurity
goes from FDB5 DE3D
officerF8B5 06E4
(white hatA169 4E46
hacker) to industrial spy
tai
(black hat hacker) or any other possibility in between (grey hat hacker).
re
or
The groups in the community : history and recognition
th
q Script kiddies
Au
The script kiddies' group is the most recent of the three in the hackers' community. On the level
2,
of technical knowledge, this group is on the lower rung of the ladder. Mainly constituted of
00
beginners, they expect to become part of the elite, eventually.
-2
We could compare this group to teenagers responsible for vandalism and graffiti, acting in such a
manner to feel extreme sensations and hoping to impress the hackers' community in general. One
00
very good example of this is Mafiaboy, a young man right in the middle of an identity crisis.
20
The media coverage of the feat of arms claimed by the script kiddies has attracted the attention
te
of the general public on the hackers' community capacity to access information databases of
tu
various nature (personal, financial, scientific, etc.) or to vandalize, to disturb the regular
functioning of electronic systems. Such coverage, sometimes extending to sensationalism, also
sti
has the effect of minimizing the meaning of what hackers are, therefore contributing to the
In
problem of understanding the structure of their community, who they are. As well, the group of
elite hackers does not appreciate them very much, finding them too "visible" in the media's eye,
NS
asking for too much attention to be brought on the community in general by their need for
recognition and easy/fast glory.
SA
It is my opinion that by increasing the public's awareness in regards to the rules and laws
©
applicable as well as by working in prevention with internal operations policies and control, the
number of such illegal and frivolous acts would decrease, the script kiddies becoming more and
more discouraged to even try these operations. In fact, such an education would have an impact
on the whole hackers' community activities.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
q Crackers
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.The crackers are forming one of the well defined groups of the hackers' community. "Born" in
the 1980's, they were the script kiddies of the time, on the level of technical knowledge as well as
for the motivations. In the same fashion as the script kiddies, the crackers were motivated by the
hope of, some day, becoming a member of the presumed elite. Their way of operating would be
what separates them from the script kiddies. The latter work in solo, the former often groups,
s.
seaming more structured in their operations.
ht
Their level of technical knowledge is roughly similar to the one of the script kiddies though a bit
rig
refined. The crackers are often mistaken for hackers because of their average level of exploits.
One of their main activities is software piracy (softwares, music, films, etc). They are the
ull
creators of warez sites, responsible for the propagation of illegal copies of softwares or movies.
f
They are pleased when having broken the anticopy protection of softwares like Windows XP, for
ns
example, and will even distribute it to the members of their community and to the script kiddies.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
Another activity they like to participate in is the creation of modern viruses, demanding more
programming then before, since the elite hackers have increased their "level of difficulty". They
re
are often the authors of scripts found on the Internet to help use more sophisticated tools. Seldom
or
they possess the necessary knowledge to create tools or solve problems.
The limit between crackers and black hat hackers (see section below), as far as their motivations
th
are concerned, is quite thin. Generally speaking, the crackers are younger and possess more
Au
restricted technical capabilities. Therefore, the possibility of them participating to economic or
military crimes is lesser, by far, than it is for the black hat hackers. As a matter of fact, most of
2,
the time, the crackers simply borrow principles established by the "elite" without truly
00
understanding the economic and/or social aspect of their actions.
-2
q Elite hackers
00
The group of elite hackers is the oldest group of this particular community. Generally older in
20
age, they are also more experienced and technically knowledgeable than the script kiddies and
the crackers. Their motivations are more complex in nature and this group can be divided in
te
three sub-groups according to their value and morals, by using three explicit colours: white,
tu
black and grey.
sti
In
• First sub-group : "white hat hackers"
NS
A white hat hacker is quite enthusiastic over technology, being fundamentally very curious and
SA
doing all he can to satisfy his interest. Some members of this group are responsible for the birth
of the Internet and form the club of those who took pleasure in studying the phone system. The
©
white hat hacker tries to get into the system for the shear challenge it presents. For him,
bypassing a system or find its weaknesses is part of the pleasure he is looking.
The most noteworthy type of this group is the one we could qualify "samurai", as much because
of their method as for their code of honour. The samurai hackers are often called upon by the
police
Keyforces to help= catch
fingerprint AF19aFA27
hacker with998D
2F94 less noble
FDB5intentions.
DE3D F8B5 According to Shaw,
06E4 A169 4E46 Post & Ruby,
we could include in this group every curious person interested by computers. In an enterprise,
they would be the colleague looking into the network or giving the most hip command to use.
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.• Second sub-group : “black hat hackers”
The black hat hackers are members of the elite who have been seduced by the darker side of the
Force, to make an analogy with the famous Darth Vader in Star Wars. They often hold positions
as spies, industrial spies, cyberterrorists or criminals working for some mafia organization.
Many insider dealings are committed by them. They are not different from the conventional
s.
ht
criminals except for the tools they use to perpetrate their crimes. The black hat hackers are
motivated by the lure of a reward, vengeance or are simply attacking with a Robin hood
rig
philosophy. This type of action is often called hacktivism, a form of pressuring measure used to
see modifications applied.
ull
In today's generally computerized environment of organizations and processes, these kind of
f
people are to be feared. More and more, enterprises depend upon computers and for many of
ns
them, a failure
Key extending
fingerprint = AF19over a long
FA27 2F94period
998Dof time DE3D
FDB5 (more F8B5
than 48 hours)
06E4 A169can4E46
be fatal. In such a
tai
context, it is strongly recommended to be protected against such people as black hat hackers are
always in advance on their knowledge of the conventional market of computer security, therefore
re
presenting a serious threat to enterprises in such a weak condition.
or
Not enough computer professionals take this kind of person (black hat hackers) into
th
consideration in their daily operations. As a matter of fact, there is a rather curious paradox to be
Au
made when comparing computer security to the security of your home, for instance. It seems
quite obvious that you should install an anti-burglar system to protect your habitation but such a
2,
reasoning does not seem to apply to the virtual world.
00
As it can be stated from the events of September 11th, the terrorists have a strong proclivity to do
damage to the vital centres of the Occident and such a potential threat should be feared. As a
-2
matter of fact, it has often happened that crackers have entered sensible systems in the United
00
States, controlling the electricity systems for example (California power grid).
20
Another great problem faced by big corporations is industrial espionage. In today's world of
telecommunications and electronic computer systems, it becomes easier, for a competitor, to gain
te
access to strategic information or even to attack the reputation of its opponent by modifying web
tu
sites or the integrity of the networks. There is no more need of a face mask, a gun and to risk
sti
your life to rob. The simple use of a PC and an Internet connection are enough to embezzle a
bank or an enterprise. Many insider dealings have been done with the help of computers, for
In
example by modifying accounting systems or payroll systems, a problem unfortunately
becoming more and more common within enterprises.
NS
We are also noticing an increase of unhappy and/or frustrated employees who are forming the
SA
greatest plague a company could suffer of. These « black hat hackers » are employees who
believe they are important in the organization and, feeling aggravated, wish to get vengeance.
©
The company's hardware is often their target, presenting a minimum risk if the protection against
such acts is low, if present at all. When an employee is terminated, it is often forgotten to lock
the key after his leave. Such an omission could prove to be a bigger mistake if the employee in
question has a very good knowledge of the technological infrastructure and is able to damage it
anonymously.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
• Third sub-group : "grey hat hackers"
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.The grey hat hackers are characterized by their ambiguity and pragmatism. In a certain way, they
are at the intersection of the choices to be made: which side of the Force will it be ? Therefore,
they are hard to track. They could just as well follow the noble principles of the « white hat
hackers » but will practice on commercial web sites, as would « black hat hackers », but without
criminal intentions.
s.
ht
These hackers form the most populous of the elite hackers' groups. Usually crackers in the first
place, they are often in their twenties, students in college or at the university or even young
rig
workers with a tight budget. Actually, it is often at this stage that they become pragmatic.
Without looking for personal growth like the « black hat hackers », they will have a tendency to
ull
profit from the basic commodities and, to some extent, from a certain luxury. For example, they
f
will begin to copy softwares, when lacking money, but will not try to make long term profit from
ns
the activity.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
Excellent experts in the world of computer security might even be ex-grey hat hackers. Although
it is quite controversial, their experience of many behaviours related to black hat hackers helps
re
them to understand their methods and, in so knowing, propose and/or apply appropriate security
or
measure to help protect from possible attacks.
th
Conclusion
Au
2,
By using the generic term “hacker” to define any person able to use the advanced functions on a
computer, it is hard to understand the motivations and the means characterizing the various
00
categories of hackers. The better we understand each group's motivations, the more we will be
-2
able to understand their acts.
00
If we comprehend the place we have to give each group, we will be able to focus our efforts
more accurately, by using white hat hackers to help secure our technological infrastructures for
20
instance. As well, coercive actions and a better education will help in reducing the growth of the
script kiddies, grey hat hackers and crackers groups. The implementation of laws and an increase
te
in the presence of police force will help to catch the black hat hackers. By understanding that the
tu
virtual world is nothing but a reflexion of the real world, it will become possible to adapt our
sti
systems according to these new concepts. Nevertheless, a robber, be it virtual or real, will always
In
be nothing but a robber.
NS
SA
©
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.s.
ht
rig
ull
f
ns
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
re
or
th
Appendix Au
2,
00
-2
00
20
te
tu
sti
In
NS
SA
©
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.Analogy by the author Actual names in the According to Mr Accor
with the reality community Marc Rogers & Rub
Teenagers vandal, punk Script Kiddies Newbie/tool kit
s.
Old fashion bank robber Cracker Cyber-punk Hackers
ht
rig
Explorer
Nerd White hat hacker Old guard hackers
ull
Good Sa
f
ns
Grey hat hacker
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
Spy Professional criminals Career th
re
Terrorism Cyber-terrorists Moles
or
th
Black hat hacker Exceptio
White collar criminal
Au Internals Machiav
2,
Avenger
00
-2
00
20
te
tu
sti
In
NS
SA
©
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.References
Inside the mind of the insider
http://www.securitymanagement.com/library/000762.html
(Shaw, Post & Ruby)
s.
ht
Psychological Theories of Crime and “Hacking”
rig
http://www.escape.ca/~mkr/crime_doc.pdf
(Marc Rogers)
ull
A New Hacker Taxonomy
f
ns
http://www.escape.ca/~mkr/hacker_doc.pdf
Key
(Marc fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Rogers)
tai
re
Modern-day Robin Hood or Moral Disengagement: Understanding the Justification for Criminal
Computer Activity
or
http://www.escape.ca/~mkr/moral_doc.pdf
th
(Marc Rogers)
The new hacker’s dictionary
Au
http://www.tuxedo.org/~esr/jargon/jargon.html
2,
(communauté)
00
-2
Hacker, 15, charged in Web attack
http://www.freep.com/news/nw/cyber20_20000420.htm
00
(mafiaboy)
20
Poking Holes in Microsoft's Copy Protection
te
http://www.pcworld.com/news/article/0,aid,69203,00.asp
tu
(Windows XP)
sti
FBI Issues Cyberthreat Advisory
In
http://www.pcworld.com/news/article/0,aid,61764,00.asp
(cyber-terrorisme post 11 septembre)
NS
SA
California hack points to possible IT surveillance threat
http://www.infoworld.com/articles/hn/xml/01/06/13/010613hnprobe.xml
(California power grid hack)
©
Cybercrime Skyrockets, Say Security Reports
http://www.pcworld.com/news/article/0,aid,54591,00.asp
(white collar crime)
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Introduction to Hacktivism
http://www.collusion.org/Article.cfm?ID=109
(Hacktivism)
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.Last Updated: May 25th, 2019
Upcoming Training
SANS Atlanta 2019 Atlanta, GA May 28, 2019 - Jun 02, 2019 Live Event
SANS San Antonio 2019 San Antonio, TX May 28, 2019 - Jun 02, 2019 Live Event
Mentor Session @work - SEC401 Birmingham, AL Jun 03, 2019 - Jul 08, 2019 Mentor
SANS Kansas City 2019 Kansas City, MO Jun 10, 2019 - Jun 15, 2019 Live Event
SANSFIRE 2019 Washington, DC Jun 15, 2019 - Jun 22, 2019 Live Event
SANSFIRE 2019 - SEC401: Security Essentials Bootcamp Style Washington, DC Jun 17, 2019 - Jun 22, 2019 vLive
SANS Cyber Defence Canberra 2019 Canberra, Australia Jun 24, 2019 - Jul 13, 2019 Live Event
SANS Cyber Defence Japan 2019 Tokyo, Japan Jul 01, 2019 - Jul 13, 2019 Live Event
SANS Charlotte 2019 Charlotte, NC Jul 08, 2019 - Jul 13, 2019 Live Event
Community SANS Ottawa SEC401 Ottawa, ON Jul 08, 2019 - Jul 13, 2019 Community SANS
SANS Cyber Defence Singapore 2019 Singapore, Singapore Jul 08, 2019 - Jul 20, 2019 Live Event
Community SANS Philadelphia SEC401 Philadelphia, PA Jul 08, 2019 - Jul 13, 2019 Community SANS
SANS London July 2019 London, United Jul 08, 2019 - Jul 13, 2019 Live Event
Kingdom
Pittsburgh 2019 - SEC401: Security Essentials Bootcamp Style Pittsburgh, PA Jul 08, 2019 - Jul 13, 2019 vLive
SANS Pittsburgh 2019 Pittsburgh, PA Jul 08, 2019 - Jul 13, 2019 Live Event
SANS Columbia 2019 Columbia, MD Jul 15, 2019 - Jul 20, 2019 Live Event
SANS Rocky Mountain 2019 Denver, CO Jul 15, 2019 - Jul 20, 2019 Live Event
SANS San Francisco Summer 2019 San Francisco, CA Jul 22, 2019 - Jul 27, 2019 Live Event
Mentor Session - SEC401 Seattle, WA Jul 25, 2019 - Aug 29, 2019 Mentor
SANS Boston Summer 2019 Boston, MA Jul 29, 2019 - Aug 03, 2019 Live Event
SANS London August 2019 London, United Aug 05, 2019 - Aug 10, 2019 Live Event
Kingdom
SANS Crystal City 2019 Arlington, VA Aug 05, 2019 - Aug 10, 2019 Live Event
SANS Melbourne 2019 Melbourne, Australia Aug 05, 2019 - Aug 10, 2019 Live Event
Minneapolis 2019 - SEC401: Security Essentials Bootcamp Style Minneapolis, MN Aug 12, 2019 - Aug 17, 2019 vLive
SANS San Jose 2019 San Jose, CA Aug 12, 2019 - Aug 17, 2019 Live Event
Community SANS Raleigh SEC401 Raleigh, NC Aug 12, 2019 - Aug 17, 2019 Community SANS
SANS Minneapolis 2019 Minneapolis, MN Aug 12, 2019 - Aug 17, 2019 Live Event
SANS Chicago 2019 Chicago, IL Aug 19, 2019 - Aug 24, 2019 Live Event
SANS Virginia Beach 2019 Virginia Beach, VA Aug 19, 2019 - Aug 30, 2019 Live Event
SANS New York City 2019 New York, NY Aug 25, 2019 - Aug 30, 2019 Live Event
SANS Tampa-Clearwater 2019 Clearwater, FL Aug 25, 2019 - Aug 30, 2019 Live EventYou can also read
