Hacking is the act of getting unsanctioned access to computer systems and networks, exploiting vulnerabilities in an organization’s systems, software, people, etc.
Vulnerability exploitation may be as simple as using trickery or social engineering to get someone’s credentials and log in as them, using malware-as-a-service provided by other hackers, or using proof-of-concept code, provided by someone else, for a vulnerability that is fairly easy to exploit.
It may also be very technical and require more advanced skills and knowledge of targeted systems. Winners of Pwn2Own – a hacking contest – often chain together multiple vulnerabilities to take over a system or browser. Likewise, the success of targeted phishing attacks and supply chain attacks involves in-depth research of victims and software and months of planning.
Historically, what may have started out as the fun of the challenge or a test of one’s computer savvy or ability to trick the system has turned into a multi-billion dollar industry where a single bug in a popular device, application, operating system, or system can pay the finder a six-digit dollar figure for their effort.
Today the skills of security hackers are valued by businesses, law enforcement, nation-states, and criminal enterprises alike. We are in a constant state of change where on one side cybersecurity defenses are probed for weaknesses and on the other side countermeasures are developed to combat those hacking techniques and procedures.
Hacking is not all bad or all good. For instance, businesses have created bug bounty programs to pay hackers for vulnerabilities found in their products or services. In a similar fashion, white hat hackers offer penetration testing services to businesses to find weaknesses in their security protections so that they can close these gaps before a black hat hacker finds them.
Complicating the financial aspects of hacking are the political motivations and interests of individual hackers. For example, hackers who work for law enforcement or a nation-state likely have interests that align with the goals of these organizations and governments. There is also a hacking culture that promotes free access to software and services. In addition, hacktivists (like Anonymous) are groups that have coalesced around common political goals and interests.
Vulnerabilities exist in hardware, software, network, personnel, and even in a physical site. They can also be found in organizational processes where there is a lack of regular auditing or security.
Vulnerabilities can be classified as known and unknown. Ideally, when a vulnerability is found, it is responsibly disclosed to the owner and then fixed and a patch made available before the vulnerability becomes public knowledge.
Known vulnerabilities are entered into a database where a score is available. For instance, the CVSS (Common Vulnerability Scoring System) provides a severity rating that ranks the attack vector (network vs physical access), attack complexity, whether user interaction is required or not, and if the attack requires privileged access.
The impact of a cyberattack is also included in the severity score. This includes the scope (one system vs many), the confidentiality and integrity of the information available as a result of the attack, and, finally, the impact on the availability of the resource (see CVSS User Guide scoring rubrics).
Vulnerability severity scores help users assess their systems and plans for updating them. There is still a window of opportunity for black hat hackers between when the vulnerability is disclosed and users patch their affected systems. Unfortunately, malicious hackers do not responsibly disclose vulnerabilities found, but instead use them until they are discovered.
The success of a hacker depends upon several factors, including:
Hackers can be classified in a few different ways. One of the most common breakdowns focuses on how and why a hacker operates, including:
Hackers can also be classified based upon their level of knowledge and underlying motivations. For example, script kiddies are entry-level hackers reliant on tools, while more sophisticated hackers may work for organized crime, nation-states, etc.
Cyberattacks can target anyone, including both individuals and organizations. Some simple steps that individuals can take to protect themselves against attack include:
Companies are more likely to be the target of cyberattacks because they are more valuable targets with a wider attack surface. Some key anti-hacking steps for business include:
Security is a process, and security solutions should be selected to address the cyber threats that organizations and individuals are most likely to face. Learn more about the current cyber threat landscape in Check Point’s 2021 Cyber Security Report.
Check Point also offers solutions for organizations looking to understand their vulnerability to cyber threats. Take the free Security CheckUp for a comprehensive vulnerability analysis and then assess the vulnerability of your remote workforce to cyber threats.