By Kevin Beaver

Hackers hack because they can. Period. Okay, it goes a little deeper than that. Hacking is a casual hobby for some hackers — they hack just to see what they can and can’t break into, usually testing only their own systems. Some are obsessive about gaining notoriety or defeating computer systems, and some have criminal intentions.

Many hackers get a kick out of outsmarting corporate and government IT and security administrators. They thrive on making headlines and being notorious. Defeating an entity or possessing knowledge that few other people have makes them feel better about themselves, building their self-esteem. Many of these hackers feed off the instant gratification of exploiting a computer system. They become obsessed with this feeling. Some hackers can’t resist the adrenaline rush they get from breaking into someone else’s systems. Often, the more difficult the job is, the greater the thrill is for hackers.

It’s a bit ironic given their collective tendencies but hackers often promote individualism — or at least the decentralization of information — because many believe that all information should be free. They think their attacks are different from attacks in the real world. Hackers may easily ignore or misunderstand their victims and the consequences of hacking. They don’t think long-term about the choices they’re making today. Many hackers say they don’t intend to harm or profit through their bad deeds, a belief that helps them justify their work. Many don’t look for tangible payoffs. Just proving a point is often a sufficient reward for them. The word sociopath comes to mind.

The knowledge that malicious attackers gain and the self-esteem boost that comes from successful hacking might become an addiction and a way of life. Some attackers want to make your life miserable, and others simply want to be seen or heard. Some common motives are revenge, basic bragging rights, curiosity, boredom, challenge, vandalism, theft for financial gain, sabotage, blackmail, extortion, corporate espionage, and just generally speaking out against “the man.” Hackers regularly cite these motives to explain their behavior, but these motivations tend to be cited more commonly during difficult economic conditions.

Malicious users inside your network may be looking to gain information to help them with personal financial problems, to give them a leg up over a competitor, to seek revenge on their employers, to satisfy their curiosity, or to relieve boredom.

Many business owners and managers — even some network and security administrators — believe that they don’t have anything that a hacker wants or that hackers can’t do much damage if they break in. They’re sorely mistaken. This dismissive kind of thinking helps support the bad guys and promote their objectives. Hackers can compromise a seemingly unimportant system to access the network and use it as a launching pad for attacks on other systems, and many people would be none the wiser because they don’t have the proper controls to prevent and detect malicious use.

Remember that hackers often hack simply because they can. Some hackers go for high-profile systems, but hacking into anyone’s system helps them fit into hacker circles. Hackers exploit many people’s false sense of security and go for almost any system they think they can compromise. Electronic information can be in more than one place at the same time, so if hackers merely copy information from the systems they break into, it’s tough to prove that hackers possess that information and it’s impossible to get it back.

Similarly, hackers know that a simple defaced web page — however easily attacked — is not good for someone else’s business. It often takes a large-scale data breach; however, hacked sites can often persuade management and other nonbelievers to address information threats and vulnerabilities.

Many recent studies have revealed that most security flaws are very basic in nature. These basic flaws are the low-hanging fruit of the network just waiting to be exploited. Computer breaches continue to get easier to execute yet harder to prevent for several reasons:

  • Widespread use of networks and Internet connectivity

  • Anonymity provided by computer systems working over the Internet and often on the internal network (because effective logging, monitoring, and alerting rarely takes place)

  • Greater number and availability of hacking tools

  • Large number of open wireless networks that help hackers cover their tracks

  • Greater complexity of networks and the codebases in the applications and databases being developed today

  • Computer-savvy children

  • Unlikeliness that attackers will be investigated or prosecuted if caught

A malicious hacker only needs to find one security hole whereas IT and security professionals and business owners must find and block them all!

Although many attacks go unnoticed or unreported, criminals who are discovered are often not pursued or prosecuted. When they’re caught, hackers often rationalize their services as being altruistic and a benefit to society: They’re merely pointing out vulnerabilities before someone else does. Regardless, if hackers are caught and prosecuted, the “fame and glory” reward system that hackers thrive on is threatened.

The same goes for malicious users. Typically, their criminal activity goes unnoticed, but if they’re caught, the security breach may be kept hush-hush in the name of shareholder value or not wanting to ruffle any customer or business partner feathers. However, information security and privacy laws and regulations are changing this because in most situations breach notification is required. Sometimes, the person is fired or asked to resign. Although public cases of internal breaches are becoming more common (usually through breach disclosure laws), these cases don’t give a full picture of what’s really taking place in the average organization.

Whether or not they want to, most executives now have to deal with all the state, federal, and international laws and regulations that require notifications of breaches or suspected breaches of sensitive information. This applies to external hacks, internal breaches, and even something as seemingly benign as a lost mobile device or backup tapes.