In the early days of personal computing, before the commercial internet, people often wrote their own software and sold it on floppy disks, or made it downloadable through telephone-based bulletin board systems (BBSs). The internet existed, but it was mostly for academic (.edu), military (.mil) and some government (.gov) use, and was generally off limits to the general public (.com). Some hobbyists set up a BBS in their homes, with one or more telephone lines that callers dialed into via modem. There, people traded software for other software and downloaded "shareware" applications, where users were "guilted" into donating money to the hobbyist who developed the application. In fact, many of the BBSs themselves ran on software written by these same hobbyists.

Over time, many commercial software vendors came into existence, including companies like Microsoft, Lotus, WordPerfect and various game companies. Unfortunately, the combination of BBSs and commercial software meant that many people copied commercial applications and posted the files to a BBS for others to download (similar to today's BitTorrent). To stop this, the commercial software companies developed ever more sophisticated methods of copy protection to prevent unauthorized distribution of their software. This is when the first PC "hackers" were born: people who removed the copy protection from the software simply because they could. (This cat-and-mouse game with the software vendors continues to this day, and the hackers still eventually find a way around the protection.) Essentially, these first computer attackers removed the copy protection for the notoriety, the acceptance, and the ego of playing Robin Hood. Since there was no real financial gain in those days, many of the hackers publicized themselves with handles, nicknames and monikers, boasting of their skills on various BBSs, sometimes in the software itself (e.g., on the start-up screen), or even through viruses that displayed annoying messages in order to claim responsibility.

In the last several years, the world has changed for networked users, computer software vendors and the attackers themselves. The attacker's intent and behavior have shifted from the purely ego-driven to a more complex set of motivations, including:

  • Fraud
  • Theft
  • Challenge
  • Revenge
  • Activism
  • Vandalism
  • Sabotage
  • Competitive gain
  • Religious motives
  • Power/Control
  • National interests
    • Terrorism, Warfare, Espionage

While many of these cybercrimes still result in destructive and visible damage, such as breaking into networks, deleting files, vandalizing web sites, introducing worms, viruses or other malicious code, and mounting DoS attacks, a growing share are non-destructive, or at least far less visible. These include advertising, soliciting prostitution and child pornography, internet gambling, internet drug sales, cyberlaundering and cybercontraband. Most importantly, attackers are switching from a notoriety-based motivation to a financial one, where discretion and staying hidden now matter more than being noticed.

Unfortunately, the roles of attacker and defender in cyberspace differ sharply from their real-world analogues. Military strategists would describe the defender as holding "the position of the interior." The defender must:
  • Serve a business goal on a finite budget, while the attacker's resources, including time, are effectively unbounded.
  • Defend all points, while the attacker can choose the weakest one.
  • Defend only against known attacks, while the attacker can probe for unknown vulnerabilities, or need master only a single attack.
  • Be constantly vigilant and win every time, while the attacker can strike at will and needs to win only once.
  • Play by the rules and cannot take the offensive, while the attacker can play dirty.
  • Defend today against technology that does not exist yet, but that the attacker will have when it arrives.

Today, attackers are commonly grouped into three classes (a classification originally published by IBM for evaluating tamper-resistant hardware, and still used in that literature):

  • Class I – Clever Outsiders
    • Often very intelligent, but with limited knowledge of the system
    • Have access to moderately sophisticated equipment
    • Exploit an existing weakness rather than trying to create one
  • Class II – Knowledgeable Insiders
    • Substantial specialized technical expertise
    • Varying degrees of understanding of the system, but potential access to most of it
    • Have highly sophisticated tools and analysis instruments
  • Class III – Funded Organizations
    • Teams of specialists with substantial funding
    • Capable of in-depth analysis, designing sophisticated attacks, and using the most advanced tools
    • May recruit Class II adversaries as part of the attack team

Unfortunately, the weakest part of a system is usually not the program or the algorithm. It is people, and often people who have no malicious intent and never meant to do anything wrong. A system that truly defended against all threats would have to address the "Four B's" of human-level attack (Break-ins, Blackmail, Bribery and Bludgeoning), and that is the hardest part of any system to design for. Furthermore, many security systems are broken by the people who use them: honest users typically cause problems because they don't care about security and only want simplicity, convenience, and compatibility with existing, older (and insecure) systems.

The moral of this story is that a well-designed system must take people (both attackers AND innocent users) into account, and that the hardest part of security is getting people to actually use it.

Your comments are always welcome.