The Art of War: Part 3

"If you know the enemy and know yourself, you need not fear the result of a hundred battles." - Sun Tzu, The Art of War

To adequately defend your system against attack, it is important to understand the attacker. Last month, we described the five common types of hackers, and discussed the categories of 'kids' and 'crusaders,' which constitute the so-called 'benign' hackers - the ones that do not mean any harm. This month, we will look at the darker side, or those hackers who will break into your system specifically to do you injury. We will then look at the various 'Hats' and how hackers describe themselves.

Malicious hackers may be classified as thieves, insiders and terrorists, or infowarriors.

Thieves

As a category, thieves are easy enough to understand - they want your money or your valuable information. Regrettably, this is one of the fastest growing areas, and it represents a real danger. These people know their business, and they want to know yours. They are looking for credit information, HR information, corporate and proprietary secrets, and software source code.

They can also access your network to use your system directly. They can, for example, divert funds between payroll accounts, manipulate bank transfers, access and use your internal phone systems, and even use your system as a means of gaining entrance to other systems.

Insiders

Insiders are employees with a grudge, either currently employed by your company or recently released. This was once the leading category of attackers, but it is being superseded now by the thieves and kids. The numbers are somewhat deceptive, however, because insiders are also often 'enablers' - that is, they intentionally or unintentionally provide access information to the rest of the hacker community. Again, it should be stressed that hackers are a community, and information tends to be shared among all.

Insiders are particularly dangerous because they know the corporate system and have access rights. Even with employees who are dismissed, it may take time before passwords are changed. Because they already have appropriate passwords and clearance, they can enter the system as a legitimate user and perform any function their security level permits - which may be everything. In short, they have the keys to the till.

Insiders might act to steal information, looking for the same items as the thieves above, or they might be motivated to damage systems for revenge. The latter could include destruction of data, tampering with software, compromising security systems, or passing access information to outsiders. Insiders can also use their knowledge of systems to perform any number of frauds or capital diversions, and cover up the electronic evidence.

Terrorists and infowarriors

This category is potentially the most dangerous, but its numbers are, so far, insignificant. The growing reliance on information systems by government and corporations makes them vulnerable to sophisticated 'Information War' attacks. Most countries, including the United States, are developing a capability to wage war online. Other groups moving hostile activities online include terrorists, gangsters and special interest groups.

Attacks of this type, often also called 'cyberwarfare,' encompass a wide range of activities that might include both physical actions and the range of hacker attacks described previously. Added to this are actions designed purely for destruction of systems or disruption of operations. Among the activities to be expected are:

  • release of computer viruses
  • all hacking techniques used for theft and control
  • web site alteration and redirection, such as addition of propaganda messages to legitimate sites
  • theft of systems such as laptops for their information and access contents
  • electromagnetic, microwave or other energy attacks (such as the EMF pulse created by nuclear weapons) designed to scramble systems and bring down communications

There are numerous other activities that would fit into this classification. Overall impact so far has been negligible, involving a few highly publicized incidents, but this area is expected to grow as hostile forces target information system vulnerabilities.

A matter of hats

Having examined the common categories of hackers as they appear from the outside, it is now important to look at how they view themselves. The traditional view is in terms of how they position themselves with respect to the law. Using the language of the Old West, they describe themselves as 'White Hats' for good guys who claim they are helping to keep networks secure; 'Black Hats' for villains who are trying to illegally break into systems; and 'Gray Hats' for those who are somewhere in between. It is important to remember, however, that all 'Hats' are hackers, and all break into systems; the color is simply a matter of intent.

White Hat hackers work entirely within the law, and break into systems only to point out vulnerabilities that might be repaired. These include security specialists and consultants, but also some of the 'Crusaders' who access systems and post vulnerabilities on the web. Many in the industry argue that there is no such thing as a White Hat. This is because vulnerabilities, once exposed, open the way for those with a malicious bent. So White Hats may be facilitators, despite their benign intent.

Black Hat hackers are true villains. As the name implies, they are the ones who go out of their way to break into systems and do damage. These are the thieves, terrorists and ill-willed insiders.

Finally, there are the Gray Hats. These are generally described as 'reformed' Black Hats now working as security consultants, or hackers who mix consulting with fraudulent access. The logic in employing Gray Hats is the same as that of employing a 'reformed' safecracker to guard the safe, and the questions are the same - he certainly knows how the system can be attacked, but can he be trusted?

Next month, we will look at the methods that hackers use to gain access to your systems, and how they can use your network - and even your organization - against you.

Darren Thomas is a security expert at NetIQ Corp. (
