The Successful Hacker and the Path of Least Resistance
By Frank J. Ohlhorst
Sometimes it takes a journey down a dark path to understand the mind of a hacker, especially when the motivations are not clear. Much like the parable of Mohammed and the mountain, many hackers took on the challenge of breaking into a system simply because it was thought to be near impossible and presented an opportunity to demonstrate their skills to others in their quasi-formal club of compatriots. Times have changed, and for the most part hackers have evolved into cyber criminals whose focus has become financial gain paired with anonymity. Simply put, successful hackers today pick targets of opportunity, where the most can be gained with the least of effort, or more importantly, detection.
Cyber criminals now look for easy marks, such as systems with weak passwords, mobile applications with lax security, systems without intrusion detection, and so forth. The tools cyber criminals use have evolved as well, and have moved on from basic brute force attacks, where login credentials are attempted with numerous iterations, to automated data gathering tools that sniff network traffic of user names, passwords, or any other information that can be used to compromise a system. What’s more, the rise of the bot powered lateral attack has proven tricky to detect or combat. Those attacks work by infecting a system with a form of spyware, which then traverses the machines and applications on the network to gather information for future use.
Simply put, what was once considered the traditional hacker has now become a construct of the past and is no longer the whiz kid looking to have fun at others’ expense. Today, cybercriminals are exactly what the term embodies; they are criminals looking to steal using the flaws found in technology. Much like how a burglar targets an empty house without an alarm or dogs, today’s cybercriminals are looking to attack the sites with the least resistance and the lowest probability of being detected and caught. This fact is evidenced by some major breaches that took months to uncover in the real world, long after any damage was done and the trail had gone cold.
Yet for all the sophistication in today’s attacks, cyber criminals still must rely on the key aspect of access. In other words, they must gain access to a system to do any harm. That makes access the key point of contention for protecting systems. Or think of it this way, why should you make it easy for a cybercriminal?
Of course, things such as complex passwords and verifiable account information are a good start towards securing systems, as is the deployment of intrusion detection systems,VPNs and so forth. Yet, all of those are easily hacked if an attacker gains access to a system, either by subverting security protocols or stealing credentials. Perhaps the only way to remove credentials from the attacker’s equation is to make credentials useless to anyone that does not possess all of the components needed to gain access. If one were to think like a hacker (or cybercriminal), they would come to the same conclusion, it is easier to break through a locked door than it is to try to pick a complex lock.
The solution here is to deploy technologies that are much like an unpickable lock. In the realm of cybersecurity, that means adopting MFA (Multi Factor Authentication), along with some form of identity management that validates the user beyond a reasonable doubt. MFA solutions, such as those available from AuthAnvil bring forth the control necessary to eliminate that path of least resistance.
For more information on how MFA can secure your business, please download “An Introduction to Two-Factor Authentication” to find out how AuthAnvil can quickly bring an additional layer of security to user accounts and keep hackers at bay.