Wednesday, September 08, 2010

ANATOMY OF A SUCCESSFUL INTRUSION – IN YOUR LANGUAGE

Have you wondered what all this fuss about hacking is about? You might have asked yourself what hacking is and how it is done. The hacking process is really quite simple. You can compare it to a burglary because the concept is basically the same. A burglar will ask himself how and when he will break in, what he is looking for and how he can cover his tracks so that he is not caught.

Hackers are a bit more systematic, so they break down their attacks into similar but more explicit stages: Stage 1 is gathering information about the target system; Stage 2 is an analysis of this gathered information; Stage 3 entails researching the target system’s vulnerabilities; and the fourth and final stage is the implementation of the attack. This modus operandi is universal and can be successfully transplanted into any other criminal activity. Understanding and adhering to these stages means that twenty five percent of your job is done and dusted, even before you begin.

Let’s begin with the first stage, gathering the relevant information about the target company and its computer systems. At this stage any kind of data is relevant. Details such as the company’s core business activity, the Board/Management structure, the physical location, branch locations, the approximate number of employees, the product range and the computer system infrastructure are obtained.

Sources of information include websites, financial statement reports, discarded documents and of course the employees (through social engineering). Gathering information also means the hacker has to determine how many computers are publicly exposed to the internet. Among these is the web server, which is usually a good starting point. Scanning is done using various software tools akin to the burglar’s “bag of tricks”. The scan results will outline the system’s characteristics, for example, the open ports, its internet location, the IP addresses of its computers and whether the web server (that hosts the company website) is in-house or not.

The second stage is the analysis of the information obtained. At this point the hacker wants to determine where to apply most of his effort. Should the emphasis be more towards social engineering? Or should it be on hacking away, in the ungodly hours of the night, trying to find out the vulnerabilities of the targeted computer system? A simple example would be where the hacker learns that the senior system administrator usually visits a certain bar every evening. The next step is to find out whether he carries his laptop home. The hacker can observe the said employee leaving the premises to establish this fact. Better still is to pretend to be a colleague and call the office security (some minutes after 5pm), asking whether they have seen the said laptop the system administrator told him to collect from the office. They will unwittingly tell him that they saw the administrator leaving with it.

The next step will be to break into his car when he’s inside the bar. This will save the hacker vital time because he will obtain crucial access data like passwords from the stolen laptop. The data from such a laptop, if relevant to the attack, would negate the next stage, which is researching the vulnerabilities of the company’s systems.

The sole objective of this next stage is to determine the vulnerabilities of the systems so as to exploit a discovered vulnerability to gain entry. The experienced burglar also conducts this stage, either by visiting the premises to find out which window is usually left unlatched at night or by using an insider to describe the vulnerabilities of the house. The hacker does the same.
