stu-sjouwerman
What do you do when you need to explain the history of hacking to a busy non-technical manager in five minutes or less? Here is an attempt to make this extremely complex subject into a 5-minute "cliff-note".
Hacking started out as a hobby and was a cool thing to do. In the late eighties and early nineties, hacking was the domain of young people who were trying to push the envelope and see how deep they could get into networks. They were surprised they could get much farther than expected, and some, like Kevin Mitnick, decided to go all the way down the rabbit hole.
The early hackers focused mainly on servers on the Internet, which were UNIX machines at the time. But IT security specialists countered by installing firewalls to try to keep hackers out.
Attack UNIX Servers 1
So the hackers focused instead on trying to break into how the data was transported from one computer to the other (the Internet's communication protocols) and get in that way. However, firewalls continued to improve and locked hackers out.
Attack the Data Transport 2
Next, in the early 2000s, the hackers started attacking the employee workstations instead. To block that type of attack, IT security people started running antivirus on all workstations and making sure the Windows operating system was always patched.
Attack the Employee Workstations 3
However, during the mid-2000s, the hackers changed their strategy once more and started attacking the application software on the workstation, things like the browser or PDF reader software. From 2007 forward that trend really took off. But IT security people countered with automated tools to patch all application software, so vulnerabilities in those software products were covered too. This brings us to the last few years, with the observation that criminal hacking has gone pro since about 2005 and is a $3 Billion industry.
Attack the Application Software 4
As their most recent and very successful way to attack, the hackers are now focusing on the real weak link in IT security: the employee. They started with sending phishing emails by the millions, trying to make employees fill out a form on a bogus website and steal confidential data that way. Today, they are sending sophisticated, personalized attacks via email that we call spear-phishing. An employee only has to click one link in one of these spear-phishing emails to get their workstation infected with malware, which allows the hackers into the network.
Attack the Employee via Email 5
To counter this most recent hacker strategy, all employees need effective security awareness training so that they do not expose the network to cyber criminals. Note that this is like a game of chess: the bad guys have the first-mover advantage, and IT security is forced into a defensive role.
The problem with having a defensive role is that the home team has to have a 100% success rate, but the attackers only need to succeed once. This is a losing game for the defenders, and that is why the hackers are winning. Organizations need to be fully focused on "defense in depth", and the very first layer of that defense is Policy, Procedure and Awareness. Hence the urgent need to train employees and inoculate them against social engineering so that they do not fall for hacker tricks.
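The "attackers only need to succeed once" argument above can be worked out as probabilities, which makes it concrete for a manager deciding where to spend budget. The following is an added illustration, not part of the original piece, and the click rates and layer miss rates in it are constructed numbers, not figures from the text: with even a small per-employee click rate across a whole company, the chance that at least one person clicks is close to certain, so awareness training has to be combined with further layers (the defense-in-depth point), each of which only has to catch what the previous one missed.

```python
"""Added illustration of the defender/attacker asymmetry described in the text.

Assumptions (constructed for the example, not from the original page):
  - each employee independently clicks a spear-phishing link with
    probability `click_rate`
  - each defensive layer independently lets an attack through with its
    own `miss` rate, so the attack succeeds only if every layer misses
"""


def prob_any_employee_clicks(click_rate: float, employees: int) -> float:
    """Probability that at least one of `employees` clicks.

    The attacker needs just one click, so this is 1 minus the chance that
    every single employee resists. This is the 'home team must be 100%
    successful' side of the argument.
    """
    return 1.0 - (1.0 - click_rate) ** employees


def required_click_rate(max_breach_prob: float, employees: int) -> float:
    """Per-employee click rate needed so that the chance of at least one
    click across `employees` stays at or below `max_breach_prob`.

    Solves 1 - (1 - p)^n <= max_breach_prob for p.
    """
    return 1.0 - (1.0 - max_breach_prob) ** (1.0 / employees)


def prob_all_layers_fail(miss_rates: list[float]) -> float:
    """Probability that an attack gets past every independent layer of a
    defense-in-depth stack, given each layer's miss rate.

    Awareness training is one layer (its miss rate is the residual click
    rate); patching, antivirus and network controls from the earlier
    rounds of the text are further layers multiplying that residual down.
    """
    result = 1.0
    for miss in miss_rates:
        result *= miss
    return result


if __name__ == "__main__":
    staff = 100
    untrained = 0.30   # constructed: 30% click rate before training
    trained = 0.03     # constructed: 3% residual click rate after training

    print(f"Untrained, {staff} staff: at least one click in "
          f"{prob_any_employee_clicks(untrained, staff):.4f} of campaigns")
    print(f"Trained,   {staff} staff: at least one click in "
          f"{prob_any_employee_clicks(trained, staff):.4f} of campaigns")
    print(f"Click rate needed for <=10% breach chance across {staff} staff: "
          f"{required_click_rate(0.10, staff):.5f}")

    # Training alone leaves the residual click rate as the only layer;
    # adding two more independent layers (constructed miss rates) shows
    # why the text insists on depth rather than a single control.
    print("Residual with awareness only:",
          prob_all_layers_fail([trained]))
    print("Residual with awareness + patching + network controls:",
          prob_all_layers_fail([trained, 0.20, 0.10]))
```

The two `prob_all_layers_fail` calls at the end are the practical takeaway: awareness training cuts the per-employee click rate but cannot drive it to zero across a large workforce, while each additional layer multiplies the remaining exposure down, so the layers are complementary rather than alternatives.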