One of the most important, but often overlooked, aspects of being a programmer is security and protecting against hackers. Developers of all calibers should understand the basics of security as it relates to the technologies they work with.
Become a SubscriberEven though most technology terms are often very lame, hacker lingo is often amusing with origins in something a little more original and unique. In order to understand hackers, you must first understand the history, tools, and techniques which have paved the way for hackers.
If you are like most people without exposure to security or a deep understanding of technology, then your views of a hacker may be skewed by the media. You have probably read or listened to the news reports about Edward Snowden, or think of hackers as the movies would portray them. This post aims to clear some of those misconceptions and show the history of hackers over the last few decades.
For years hacker secs have been relatively small and tight knit. Most have initiation rituals, similar to what you would see in a street gang or fraternity. For a black hat or grey hat group, the reasons behind this are fairly obvious. Since the activities of a black hat group are seldom legal, they need to be more selective about who they allow in. Often times this involves a hazing or initiation ritual to weed out the government spies and to quantify the initiate’s talents and abilities.
Borrowed either from Western movies or Dungeons and Dragons—where dark characters wore black hats and good characters wore white—hackers are labelled as either black hat, gray hat, or white hat. Understanding what these terms and alignments mean is important to how you analyze and respond to these types of hackers in real life.
While most hackers escape with only minor traces of their organization left behind, there have been times when individuals have come forward or been captured. Most of these names never make the headlines, however, and thus tend to only be known within circles involved with security. Names like Snowden and Assange are recognized by most of the general public for their whistle-blower actions while other significant individuals like Mitnick, Iceman, Poulsen or McKinnon may go unnoticed.
Most hackers are hobbyists, tinkerers or they are employed in technology fields. Fictional tales have created the modern day image for what a hacker looks like. In such movies as The Girl With the Dragon Tattoo and Ex Machina hackers are portrayed as possessing a rare combination of genius and skill. If you replace these characters with a humble family technician working for Google, you lose the mysterious edge to the tale. The truth is hackers can be average doers and dreamers with an above average interest in technology.
The resources for a hacker are so numerous, that it is entirely possible that no two hackers have the same tools or approaches for how they operate. With a choice of over a thousand programming languages, dozens of operating systems, and hundreds of different communication protocols, hackers have so many options to explore and test for vulnerabilities. While it would be impossible to describe every tool and technique, it is easy enough to talk address the most common form of attacks and how to protect against them.
Do hackers actually make money? The short answer is: yes. Whether operating as a white hat hacker that audits and pen tests systems, or capturing data to sell on the black market, most hackers can easily earn a six figure income or more. Extortion, scamming and social engineering also allows a hacker to more manually extract money from their victims, often with a much higher rate of return.
With so many businesses doing things wrong, surely some are doing things right. Generally, the individuals and businesses that remain secure have a mindset that things are never secure enough. Regular attention to software and hardware maintenance, monitoring, testing and upgrades tend to make for the best security.
As counterintuitive as it may seem to the average Joe, more security software often brings more vulnerabilities. Security software engineers are often focused on testing and breaking other software with tight integration points and thorough penetration tests. These engineers, however, are not often practiced or conscious towards securing their own software.
It’s a common misconception that big banks, government, and healthcare companies are secure from hackers. Conventional wisdom would say that people who have the most sensitive information should be the ones that have the best security, but the issue is that good security comes from good technology practices. In other words, really secure organizations pay regular attention to software and hardware maintenance, monitoring, testing and upgrades.
As counterintuitive as it may seem to the average Joe, more security software often brings more vulnerabilities. Security software engineers are often focused on testing and breaking other software with tight integration points and thorough penetration tests. These engineers, however, are not often practiced or conscious towards securing their own software.
Many businesses make the mistake of thinking of security and compliance as synonymous terms. While compliance does increase security through a rigid set of requirements and audits, it is more of a reporting tool and minimum set of standards set regulated by organizations such as PCI, HIPAA, or the Sarbanes-Oxley Act.
While investing in better security from a monetary standpoint is certainly not a bad thing, some of the most effective security is free. Educating employees on best practices, potential threats and maintenance is a great place to start. Most businesses leave security to the IT team and think that the responsibility ends there. In reality, everyone from the shareholders to CEO and custodial staff should care about security.
Hackers use a myriad of different tools and techniques. The resources for a hacker are so numerous, that it is entirely possible that no two hackers have the same tools or approaches for how they operate. For this reason, it is virtually impossible to make any system completely impenetrable. Instead, the question asked should be: how do I protect myself better than my competitors?
If you're having issues, you can reach out to us directly at [email protected]