SUMMARY: Ed Wilson talks about a hacker scenario.
A hacker scenario.
A hacker decides to target MegaCorp. Why? Remember my article about hacker motivation? It may be for revenge, it may be to make a political statement, or maybe for fun (and as a learning experiment) or maybe for profit (to gain access to trade secrets, or even to embarrass the company). Really, at this point, the motivation is not the key thing because it does not affect either the methodology, or even the outcome of the attack.
Although it will be very important for your readers. Readers want to know WHY is this hacker doing this thing. Give the hacker a compelling, and a legitimate reason. Revenge, may not ring true with the majority of your readers unless you do two things: Show in advance that the hacker has the necessary skills to pull off the hack, and show something in the hackers personality that points to the hacker actually going and doing this. Thousands of people lose their jobs every day, and yet very few of them go off on a quest to exact revenge on the company that fired them. Usually, they lick their wounds, polish up their resume, and move on with their lives.
Maybe the hacker cannot simply polish up the resume and move on. Maybe the CIO (Chief Information Officer) fired the hacker for alleged incompetence and then blackballed him / her by ruining their reputation in the IT community. Now they can’t even get an entry level job on a help desk. They can’t get unemployment benefits because they were fired for cause, the poor hacker is becoming desperate. To make matters worse, maybe the hacker can’t get health insurance and has a handicapped son. Government insurance says he has too much money. But the money is tied up in a 401K. They say he has to sell it, but if he sells it, the government will take so much out in taxes and in penalties there will be little left to pay for his sons operation. He is caught in a between the cracks in the system and no one seems to listen or to care.
How will the hacker make any money?
How will he make any money by hacking his former company? Well he will hold them up for ransom. There are many ways of doing this, it all depends on what kind of company MegaCorp really is.
- One way is to access their customer database, steal all of their customer data. Now what does he do with it? Well he can blackmail the company. Give me $1,000,000 dollars or I release all this customer information to the Internet. So? Well this will make the news, and the MegaCorp may lose business. Their stock may decline in value. At a minimum, it will cost them money as they notify customers, get involved with the FEDS who come and investigate. If MegaCorp is found negligent, then the company, and company officials can be fined, or even sent to jail.
- Another way is to access their computer systems, sabotage their data backups, and then change the security permissions so that they are locked out of their own systems. Now the hacker once again issues the demand. But this time, the hacker threatens to destroy all of their data, and with it the company. Because the back up systems are also taken out, the company could be in real trouble. But don’t most companies have off site data backup? Well yeah, but suppose they didn’t. Or suppose the hacker, disabled the backup system prior to leaving, and the company did not discover that the backups were not working. Maybe it really is the CIO who is incompetent, and is more interested in reducing cost, and therefore getting a larger bonus at the end of the year, than ensuring that the IT staff has the tools to do the job. Maybe our hacker threatened to blow the whistle, and that is why the hacker was fired and blackballed. Remember, my article about people being the weakest link in the security chain? Budget cuts, increasing demands on IT Pro’s time, and reduced training can all come into play here.
- Maybe the hacker just steals the company secrets, and offers to sale them to a competitor, or to a foreign government.
Evaluation of the scenarios.
The trick to making either scenario one or two work is to keep the ransom demand low. Most CIO’s have a certain level of discretionary budget they can spend, without having to seek approval. If this amount is large enough to be worthwhile, our hacker friend can get the money with little hassle. In addition, if the CIO really is culpable, then there is the implicit desire for a cover-up.
If more money is required, go up a level in the food chain. Maybe the COO (chief operating officer) will desire to keep things quiet. It might even be that the board will pay the blackmail, but getting board approval will require more time, and time is not on either the companies or the hackers side.
If the hacker gets too greedy, the government will be called in. This can involve lots of different agencies depending on the company, what they do, and who the board members play golf with.
Scenario number three is much riskier. If the sale is offered to a rival company, it is quite possible that the other company is an ethical. That they would never have anything to do with stolen secrets. Most companies have mandatory ethics training for their staff, and would not have anything to do with misappropriated trade secrets. In fact, this would be a nice twist from the run of the mill stuff we see on the big screen nowadays. In fact, they might very well call in the FBI and report the attempted sell.
If an attempt is made to sell the secrets to a foreign government, the hacker could run afoul of the NSA, the CIA, the DOD, and any number of other three letter agencies. Even the US Marshals are flying around hacking cell phones these days. This particular scenario is pretty much of a fools errand, unless the hacker somehow has knowledge of international espionage. The hacker can’t just have been a US Naval intelligence officer ten years ago. This world changes dramatically every few months. So, unless the hacker has current experience they will not be successful – unless you (as the writer) want your hacker to get caught.