
The high spark of low-cost hacks

By Ivo Vegter, Contributor
Johannesburg, 17 Apr 2008

The motivation of hackers has changed in the last 20 years. It used to be a relatively innocuous phenomenon, affecting few companies, and mostly conducted for fun rather than profit.

"In the 1980s, a hacker was someone who wanted to prove their worth, often shunned by society, and the motivation was fame," says Sanjay Bavisi.

Some consultants' business cards may contain lock-pick tools, but Bavisi's has no space for that: he is an entrepreneur, attorney, consultant, columnist, speaker, and co-founder and president of the EC-Council, the agency behind the Certified Ethical Hacker and other forensics and penetration-testing credentials.

"Now, the motivation is far more about making money," he says. "It could be corporate espionage, or organised crime. The script kiddie will always exist, but the scale is moving towards where the money is. There's more money in organised crime than there is in drugs, according to a report I read recently, and many cartels are switching away from drugs, because the is less and the capital is lower, it's almost anonymous, and you don't have to stand in the line of fire."

ITWeb Security Summit 2008

More information about the ITWeb Security Summit 2008, which takes place from 6 to 8 May at Vodaworld, Midrand, is available online.

He is particularly concerned about the tendency among companies to simply install security equipment or software, and relax under the false impression that this makes their networks secure.

"This is the trend that I'm beginning to see across the world, that a lot of people feel there's always a quick fix for any problem. There ought to be a box out there that I can just buy and make my problems go away. Unfortunately, that's not the way the world works," Bavisi says. "Just by having a lot of boxes or devices or software does not guarantee a lot of security. In many cases, a more complex network, in fact, leads to more vulnerabilities and more potential exploits."

He cites anti-virus as a simple, baseline example, though he is careful to point out that similar arguments hold across the security spectrum. "A lot of people feel that as long as they have anti-virus software, they're protected from Trojans and viruses. What they fail to understand is that it's based on signatures, and they only recognise those signatures."

Even updating signature databases regularly is no guarantee, he notes. "What hackers use is something called a virus reconstruction kit. They rip apart viruses and mash them up together to create a brand new virus, and when this is passed through the anti-virus program, it just goes through, because it has a different signature and payload."
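The following Python simulation, added here as an illustration and not code from the article or from the EC-Council, shows the point Bavisi is making: an exact whole-file signature matches only the byte-identical sample, so a file assembled from pieces of two known samples gets a fresh hash and passes a hash-only scan, even though every piece of it is already in the database. The second scanner hashes sliding fragments instead of the whole file and still recognises both parents. The sample bodies are constructed byte strings, the 16-byte window width and the 25% coverage threshold are assumed values chosen for the demonstration, and the fixed-width sliding window stands in for the content-defined piecewise hashing that real tools use.

```python
import hashlib
from collections import defaultdict

WINDOW = 16  # assumed fragment width in bytes for the demonstration

# Constructed stand-ins for two samples already in the signature database.
# They are plain byte strings used to illustrate matching, not real malware.
SAMPLE_A = b"[A-header]" + b"beacon to controller;" * 3 + b"[A-footer]"
SAMPLE_B = b"[B-header]" + b"capture keystrokes;" * 3 + b"[B-footer]"
KNOWN = {"Sample.A": SAMPLE_A, "Sample.B": SAMPLE_B}


def file_hash(data: bytes) -> str:
    """Classic exact signature: one hash over the whole file."""
    return hashlib.sha256(data).hexdigest()


def fragment_hashes(data: bytes, window: int = WINDOW) -> list:
    """Hash every window-sized slice at every offset, so a match does not
    depend on where in the file the known bytes ended up."""
    if len(data) < window:
        return [hashlib.sha256(data).hexdigest()]
    return [hashlib.sha256(data[i:i + window]).hexdigest()
            for i in range(len(data) - window + 1)]


def build_databases(known):
    """Build both databases from the same known samples."""
    exact = {file_hash(body): name for name, body in known.items()}
    fragments = defaultdict(set)
    for name, body in known.items():
        for h in fragment_hashes(body):
            fragments[h].add(name)
    return exact, dict(fragments)


EXACT_DB, FRAGMENT_DB = build_databases(KNOWN)


def scan_exact(data: bytes):
    """Hash-only scan: returns the sample name or None."""
    return EXACT_DB.get(file_hash(data))


def scan_fragments(data: bytes, threshold: float = 0.25) -> dict:
    """Fragment scan: returns {name: fraction of this file's slices that
    belong to that sample} for every sample at or above the threshold."""
    slices = fragment_hashes(data)
    hits = defaultdict(int)
    for h in slices:
        for name in FRAGMENT_DB.get(h, ()):
            hits[name] += 1
    return {name: n / len(slices)
            for name, n in hits.items() if n / len(slices) >= threshold}


def recombined_variant() -> bytes:
    """Constructed 'mash-up' of the two known samples: a new header,
    the first half of A and the second half of B."""
    return (b"[new-header]"
            + SAMPLE_A[:len(SAMPLE_A) // 2]
            + SAMPLE_B[len(SAMPLE_B) // 2:])


if __name__ == "__main__":
    variant = recombined_variant()
    print("exact scan of variant:    ", scan_exact(variant))
    print("fragment scan of variant: ", scan_fragments(variant))
    print("fragment scan of benign:  ",
          scan_fragments(b"quarterly report: revenue up 4 percent"))
```

Running the block prints `None` for the exact scan of the recombined file while the fragment scan attributes it to both Sample.A and Sample.B, and a benign document matches nothing. The lesson for the defender is the one in the text: a signature database is only as good as the granularity of what it recognises, and keeping it current does not by itself cover variants built from known parts.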

A case in point, he says, is an organisation that used to think it was tightly locked down. "They had almost all the equipment you could think about. What a hacker did to get in was use a physical key-logger. He drafted in the cleaning crew, plugged it into the target machine, it transmitted the data it logged via wireless, and the systems administrator was never even alarmed," says Bavisi.

"A lot of people talk about encryption," he adds, "but the data is only encrypted point-to-point, but if I had a Trojan which could do a screen capture, it's beaten."

The EC-Council has recently been granted the Committee on National Security Systems 4011 certification by the National Security Agency (NSA) of the US. It is now part of an exclusive club that includes the US Air Force Academy, US Military Academy, the Air Force Institute of Technology and Carnegie Mellon University.

"The NSA in the US recognises the professional qualification of information security professionals, and has a set of minimum standards. The EC-Council's course meets all the requirements of the NSA's standard," says Bavisi.

"The 4011 standard is not very common in the commercial world, but many of the larger and more prestigious universities have aimed at the 4011 certification, to reduce the time from graduation to productivity in the industry. Since government agencies apply the 4011 standards, that is what they chose. In the commercial sector, we are one of the few that have it."

Bavisi will present his critique of the equipment-based security mentality at the ITWeb Security Summit 2008, to be held from 6 to 8 May, at Vodaworld, in Midrand.
