A computer is used to perform different kinds of functions by different people. The uses of a computer are endless – some use it to listen to music and others use it to create music, some use it to create documents and others use it to read those documents, and so on.
A computer is an electronic device that can only function according to the instructions (or commands) we give it. Each kind of task, e.g. creating or reading documents, needs a program written for it. The people who write these programs are known as programmers, developers, or coders.
The basis of hacking
When programmers write these programs, they do so based on their own understanding of what the program is expected to do. They and their teams often cannot think of every possible input a user might give or every action a user might take. The programmer may also fail to handle user input properly, which can make the program behave in a way it was never expected to. Finally, users themselves may unknowingly take unsafe actions that also push the program into erratic behaviour.
As a simple example, say a program takes two numbers from the user and divides the first by the second. It works fine as long as the second number is not zero. If the programmer does not check for that condition, a user can make the program malfunction simply by entering zero as the second number: the program crashes.
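The division program above, written out as an added example (this code is not from the original article): the unchecked version crashes on the inputs the programmer did not plan for, while the checked version validates type and range at the boundary before doing anything with the values. The sample inputs are constructed for the demonstration.

```python
"""Added example: an unchecked division program beside a version that
validates its input. Sample inputs below are constructed."""


def divide_unchecked(first: str, second: str) -> float:
    # The naive program: it assumes both strings are numbers and that the
    # second one is never zero. Any other input makes it crash.
    return int(first) / int(second)


def divide_checked(first: str, second: str) -> tuple:
    # Hardened version: validate type and range *before* the operation and
    # return a clear, non-crashing error for anything unexpected.
    try:
        a, b = int(first), int(second)
    except ValueError:
        return ("error", "both inputs must be whole numbers")
    if b == 0:
        return ("error", "the second number must not be zero")
    return ("ok", a / b)


def run(fn, first: str, second: str) -> tuple:
    """Run fn on one pair of inputs and report either its result or the
    name of the exception that crashed it, so both versions can be
    compared on identical input."""
    try:
        result = fn(first, second)
    except Exception as exc:  # an unplanned crash
        return ("crash", type(exc).__name__)
    return result if isinstance(result, tuple) else ("ok", result)


# Inputs the programmer planned for, followed by ones they did not.
SAMPLE_INPUTS = [("10", "2"), ("10", "0"), ("ten", "2"), ("10", "1e3")]


def compare() -> dict:
    """Map each sample input to (unchecked outcome, checked outcome)."""
    return {
        inp: (run(divide_unchecked, *inp), run(divide_checked, *inp))
        for inp in SAMPLE_INPUTS
    }


if __name__ == "__main__":
    for inp, (before, after) in compare().items():
        print(inp, "unchecked ->", before, "| checked ->", after)
```

Zero is only the most obvious bad input; "ten" and "1e3" crash the unchecked program just as effectively, which is why validation belongs at the point where untrusted input enters, not as a single special case.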
This concept forms the basis of hacking: making programs or systems do something they are not normally supposed to do, and taking advantage of that behaviour. A weakness in a program that lets it be pushed into such unintended behaviour is called a vulnerability, and a hacker is someone who takes advantage of it. This does not mean the term hacker implies malicious intent. In the broader sense, a hacker is someone who uses a system or hardware in ways outside the original developers' intent. For that reason, several terms exist to separate hackers who mean to do harm from those who do not. We will cover them later in the post; for now, we will sometimes use the term malicious hacker for an individual or group that means to do harm. You may also see threat agent or threat actor used in the same sense.
It is worth mentioning here that a computer usually has two types of user account:
- Administrator, super user, or root (Administrator on Windows, root on Unix-like systems) – this account can perform any operation on the computer, e.g. change system settings, change passwords, modify important files, etc.
- Regular users – these accounts are limited in some way: they generally cannot change important files or settings, or open protected files or applications.
The ultimate aim of a hacker is usually to get administrator access, since that unlocks data and settings unavailable to other users. When hackers first obtain regular user access and then raise themselves to administrator level, this is called Privilege Escalation.
Common application flaws
Usually, hackers take advantage of one of the following flaws in an application as a starting point:
- Default settings left in place in an application or device (a default password is the classic case)
- Misconfigured settings in an application or device
- Improper input validation
- Code that cannot cope with use-cases its authors did not anticipate
- A function of the application that leaks information (version numbers, file paths, verbose error messages) which the hacker can then use to plan the attack
- Improper permissions on an application or its files, e.g. any user can run a program that grants administrator access
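A small check for the last two kinds of flaw above, misconfigured settings and improper permissions, as an added example that is not part of the original article. It walks a directory tree and flags files or directories that any user can modify, and executables carrying the setuid/setgid bits, which run with their owner's privileges and are the classic local privilege-escalation starting point. Unix-style permission bits are assumed, and the sample directory tree is constructed by the script itself.

```python
"""Added example: flag world-writable and setuid/setgid files in a tree.
Assumes Unix permission bits; the sample tree is constructed."""
import os
import stat
import tempfile


def classify_mode(mode: int) -> list:
    """Return the names of risky properties found in a stat() mode value."""
    issues = []
    if stat.S_ISREG(mode) or stat.S_ISDIR(mode):
        if mode & stat.S_IWOTH:          # "other" write bit: anyone can modify
            issues.append("world-writable")
    if stat.S_ISREG(mode):
        if mode & stat.S_ISUID:          # runs as the file's owner
            issues.append("setuid")
        if mode & stat.S_ISGID:          # runs with the file's group
            issues.append("setgid")
    return issues


def scan_tree(root: str) -> dict:
    """Map each risky path (relative to root) to its list of issues."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # symlinks carry no permissions of their own
            issues = classify_mode(os.lstat(path).st_mode)
            if issues:
                findings[os.path.relpath(path, root)] = issues
    return findings


def build_sample_tree() -> str:
    """Construct a throwaway directory holding one correctly protected
    file, one file anyone can edit, and one directory anyone can write to."""
    root = tempfile.mkdtemp(prefix="permcheck-")
    os.makedirs(os.path.join(root, "uploads"))
    for rel, mode in [("app.conf", 0o644), ("run.sh", 0o666), ("uploads", 0o777)]:
        path = os.path.join(root, rel)
        if not os.path.isdir(path):
            with open(path, "w") as fh:
                fh.write("# sample\n")
        os.chmod(path, mode)   # chmod ignores umask, so the mode is exact
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for path, issues in sorted(scan_tree(root).items()):
        print(f"{path}: {', '.join(issues)}")
```

A world-writable script that an administrator later runs, or a setuid binary with a bug, is exactly the "anyone can run an application that grants administrator access" situation from the list; checks like this one are what configuration audits and hardening benchmarks automate.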
Exploits and payloads
Any input or sequence of actions that triggers a vulnerability and makes the program do something it was not designed to do is called an exploit. The part the exploit delivers to carry out the attacker's actual goal once the vulnerability has been triggered, for example code that opens a remote shell or adds a new user, is called the payload; the same exploit can often carry different payloads.
Now, an exploit may be publicly known or it may not be. If the vulnerability is not known to the developer, so that no fix exists, an exploit for it has a special name: a zero-day exploit (the developer has had zero days to fix it). Every exploit starts as a zero-day until the vulnerability becomes known. Exploit details are usually published only after a fix is released (i.e. after the faulty portion of the program has been corrected), since publishing earlier would let everyone attack unpatched systems. Zero-day exploits are the most harmful precisely because no patch exists: until the developer learns of the vulnerability it cannot be fixed, and whoever found it can exploit it over and over again.
This exploitation may be done manually by a hacker, or it may be automated by a bot (short for robot) or by automation tools. The defining feature of a bot is that it takes commands from whoever controls it remotely over the Internet and executes them on the host computer. Automation tools are built for specific tasks, such as finding information, finding vulnerabilities, or exploiting them.
The aim of a hacker using exploits is typically one of the three below:
- To gain access to information
- To alter information
- To delete information
This is usually done step by step, as follows:
- They first gather as much information as possible about the computer, the application, the person using it, or the company it belongs to. This may be done with search engines (e.g. DuckDuckGo, Google, Bing) and automated tools.
- Then they actively or passively examine the computer or application to learn which applications are running on it, or which software powers the application(s).
- Then they use an exploit against one of the vulnerable applications or software components to gain access to the computer or application.
- Then they may need to escalate privileges to gain administrator access to the system.
- Then they install a small program of their own on the computer or server (a backdoor) so that they can get back in whenever needed.
- Then they clear the access logs so that their presence is not visible.
With that in mind, it’s worth mentioning that if a computer, server, or device is connected to the Internet, then it can face threats from malicious hackers at 4 main levels:
- Hackers may target the applications running on the computer or server
- Hackers may target the system software (e.g. Operating System, etc)
- Hackers may target the network on which the computer exists
- Hackers may target specific hardware existing on the computer
This is why we are seeing a large increase in devices being hacked. As Internet of Things (IoT) devices (fridges, watches, cars, sensors, cameras, etc…) are increasingly becoming connected to the internet, they become targets for malicious hackers.
The CIA Triad
If a hacker gains access to information, they breach the confidentiality of that information.
If they are also able to alter it, they compromise its integrity.
If they delete the data altogether, they affect its availability.
This is known as the Confidentiality-Integrity-Availability Triad, or the CIA Triad. Every attack impacts at least one of these three properties, which is why the CIA Triad is used as a security model to help people think about the various parts of IT security that need to be defended.
Motivations for malicious hackers
Some of the reasons why someone may want to hack into a computer system may be any of the following:
- Stealing someone’s personal details (e.g. personal information about someone, credit card details, etc)
- Changing information associated with an account (e.g. changing the recovery email so that the malicious hacker can change someone’s password)
- To make the business unavailable or to damage their finances
- To encrypt the files of the users, making those files unusable, and asking for a ransom in order to decrypt them
Ultimately, most attacks are done for the attacker’s financial gain, for political or religious reasons, or in some cases, out of spite.
It’s worth mentioning that attackers can be individuals or groups of people. Nation-state actors, for example, are either an individual or a group of individuals acting on behalf of a government, typically against foreign governments or foreign countries. Their motivation may be intellectual theft, cyber warfare, and so on.
Types of hackers
Now it must be made clear that there are different categorizations of a hacker. Three of the most common are as follows:
- Black hat hacker – These hackers perform hacking for malicious purposes
- White hat hacker – These hackers perform hacking professionally with the permission of the person/company they are targeting
- Grey hat hacker – They fall in between black and white hat hackers
There are various other types of terms that you may have come across. Some of them are as follows:
- Script kiddies – This is often used as a disparaging term for individuals who do not have deep knowledge or expertise, but blindly use the tools developed by black/white/grey hat hackers. They may not fully understand what they are doing and simply follow the manual that came with the tool.
- Hacktivists – They are hackers that use hacking for some form of activism, e.g. political activism.
A mention also needs to be made for Ethical Hackers – a term that has gained popularity in recent years. An Ethical Hacker is a hacker who assists companies in securing their applications or computers or networks or websites. Essentially, they tell the companies of their vulnerabilities before the black hats exploit them. They may also suggest ways in which the said vulnerabilities can be patched. An Ethical Hacker usually signs an agreement with the company for non-disclosure of their findings to the outside world. The same document may also state the scope of the testing that the hacker will do on the said computer/website.
Access Control Policies
Even before companies recruit Ethical Hackers to assess their systems, they may have put in place policies that define which kinds of access are allowed between a computer and the outside world, in either direction. These are called Access Control Policies. They may be of the following types:
- Unrestricted policy – all access is allowed
- Permissive policy – all access is allowed except if something is specifically banned
- Restrictive policy – all access is denied except if something is explicitly allowed
- Paranoid policy – no access is allowed
These policies play an important role in how exposed a computer is. As expected, an unrestricted policy is a nightmare, whereas a paranoid policy makes information unavailable even to those who legitimately need it. Striking the right balance between what is allowed and what is not forms the basis of system security.
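The four policies above, modelled as an added example (not part of the original article) in the shape of a tiny inbound firewall policy: each policy is a default decision plus an ordered rule list, so "permissive" is allow-by-default with a deny list and "restrictive" is deny-by-default with an allow list. The rules, address ranges and connection attempts are constructed for the demonstration.

```python
"""Added example: evaluating connection attempts under the four access
control policies. Rules and attempts are constructed samples."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    source: str              # CIDR block the client must come from
    port: Optional[int] = None  # destination port, None = any port

    def matches(self, src: str, port: int) -> bool:
        return (ip_address(src) in ip_network(self.source)
                and (self.port is None or self.port == port))


@dataclass
class Policy:
    name: str
    default: str             # decision when no rule matches
    rules: tuple = ()

    def decide(self, src: str, port: int) -> str:
        for rule in self.rules:   # first matching rule wins
            if rule.matches(src, port):
                return rule.action
        return self.default


UNRESTRICTED = Policy("unrestricted", "allow")
PARANOID = Policy("paranoid", "deny")
# Permissive: everything is open except what someone remembered to ban.
PERMISSIVE = Policy("permissive", "allow", (Rule("deny", "0.0.0.0/0", 23),))
# Restrictive: nothing is open except what was deliberately allowed.
RESTRICTIVE = Policy("restrictive", "deny", (
    Rule("allow", "0.0.0.0/0", 443),     # public HTTPS
    Rule("allow", "10.0.0.0/8", 22),     # SSH only from the internal range
))

# (client address, destination port); 8080 is a service nobody listed.
ATTEMPTS = [("203.0.113.7", 443), ("203.0.113.7", 22), ("203.0.113.7", 23),
            ("10.1.2.3", 22), ("203.0.113.7", 8080)]


def evaluate(policy: Policy) -> dict:
    """Map each attempt to the policy's decision for it."""
    return {attempt: policy.decide(*attempt) for attempt in ATTEMPTS}


if __name__ == "__main__":
    for policy in (UNRESTRICTED, PERMISSIVE, RESTRICTIVE, PARANOID):
        print(policy.name, evaluate(policy))
```

The instructive case is port 8080, the service nobody thought to list: the permissive policy exposes it to the whole Internet by default, the restrictive policy blocks it until someone consciously decides to open it. That difference is the practical reason default-deny is the usual recommendation.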
When Ethical Hackers find vulnerabilities, they must work together with the organization in order to determine a proper vulnerability severity rank.
The severity of a vulnerability may be of different types:
- Critical Severity – This vulnerability usually gives administrator access to the attacker or affects a large amount of data or a large number of users. A severity of this level typically also indicates that exploitation is fairly straightforward. It should be fixed immediately.
- High Severity – This vulnerability severity usually can result in administrative privileges, significant data loss or access, or even service downtime. Exploitation is typically more difficult. These vulnerabilities should be fixed quickly.
- Medium Severity – This vulnerability may give restricted access to the hacker or may leak out some unwanted information. The likelihood of exploitation is typically also lower.
- Low Severity – This vulnerability usually is harmless except that it gives out low-risk information to the hacker, or requires very unlikely circumstances to be exploited such as physical or local access to a system.
There are widely recognized frameworks, such as the Common Vulnerability Scoring System (CVSS) that provide a common way of calculating and communicating vulnerability severities.
Till now we have talked about security mainly in terms of computer applications and programs. But companies also need strong physical security, or anyone can walk into an office, copy confidential information onto a USB drive, and walk out with it. In other words, there must also be physical restrictions on what a person can reach.
Some of the physical restrictions can be:
- Using gates, fencing, walls, etc
- Restricting the access of people to some areas based on their roles (i.e. Access Control)
- Having a separate record room
- Using CCTV (closed-circuit television, aka cameras) coverage in all areas. This will act as a deterrent.
It is important to know about physical security since there might be cases when an Ethical Hacker may have to physically infiltrate some premises. On the other hand, companies should have physical restrictions since they need to avoid disclosure of information to unwanted persons.
Till now we have talked about hacking of applications or physical security, but there is another important ingredient that deserves mention here – people. Eventually, people will run software or ensure physical security as we talked about earlier. Hackers often employ a technique called social engineering which refers to exploiting the human element, i.e. manipulating human behavior and emotions to gather information (and sometimes confidential or sensitive information too).
On the companies' side, the following steps need to be taken to prepare for, and respond to, an incident involving vulnerability exploitation:
- The company should be prepared for such an incident by means of proper access policies. It should assess its vulnerabilities with the help of Ethical Hackers and fix them.
- If an incident still happens, the system or network administrators should be able to detect it and contain it so that it spreads no further.
- The attacker's access, and any program they left behind, should be removed from the affected computers.
- There should be a forensic audit of the affected computers to establish exactly what was exploited and what was done.
- A security audit of the computer/website should be done to assess how complete the company's security measures are.
- A thorough vulnerability assessment should be done again to find any other hidden vulnerabilities.
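The two points above that depend on logs, detecting an incident and then auditing it forensically, collide with the attacker's habit of clearing access logs described earlier in the post. One well-known defence, shown here as an added example that is not part of the original article, is a tamper-evident log: each line carries a hash over its own content and the previous line's hash, so deleting or editing any line breaks the chain from that point onward. The log entries and the attacker's address are constructed for the demonstration.

```python
"""Added example: a hash-chained, tamper-evident log and a verifier that
locates the first broken link. Log entries are constructed samples."""
import hashlib
import hmac

GENESIS = "0" * 64  # the "previous hash" before the first entry


def _digest(prev_hash: str, entry: str) -> str:
    return hashlib.sha256(f"{prev_hash}\n{entry}".encode()).hexdigest()


def append(log: list, entry: str) -> list:
    """Append an entry as 'hash<TAB>entry', chained to the previous line."""
    prev = log[-1].split("\t", 1)[0] if log else GENESIS
    log.append(f"{_digest(prev, entry)}\t{entry}")
    return log


def verify(log: list) -> tuple:
    """Walk the chain; return (ok, index of first bad line or -1).
    A line whose stored hash does not match its content plus the previous
    hash means something before it was edited or removed."""
    prev = GENESIS
    for i, line in enumerate(log):
        stored, _, entry = line.partition("\t")
        if not hmac.compare_digest(stored, _digest(prev, entry)):
            return False, i
        prev = stored
    return True, -1


# Constructed sample of what an access log might hold; 203.0.113.7 plays
# the attacker, who fails one login and then succeeds.
EVENTS = [
    "2024-05-01T10:00:02Z login user=alice src=10.1.2.3 result=ok",
    "2024-05-01T10:05:41Z login user=admin src=203.0.113.7 result=fail",
    "2024-05-01T10:05:49Z login user=admin src=203.0.113.7 result=ok",
    "2024-05-01T10:06:10Z sudo user=admin cmd=/bin/bash",
    "2024-05-01T10:30:00Z logout user=alice",
]


def build_log() -> list:
    log = []
    for event in EVENTS:
        append(log, event)
    return log


def attacker_cleanup(log: list) -> list:
    """Drop every line mentioning the attacker's address, as an intruder
    clearing their tracks would."""
    return [line for line in log if "203.0.113.7" not in line]


if __name__ == "__main__":
    log = build_log()
    print("intact log:", verify(log))
    print("after the attacker's cleanup:", verify(attacker_cleanup(log)))
```

The caveat a practitioner would add: an attacker with write access to the log file can simply recompute the whole chain after deleting lines. The chain is only as good as its anchor, so the latest hash (or the log itself) has to leave the machine, e.g. be shipped to a separate log server the attacker cannot reach, which is the real reason central logging matters for incident response.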
Vulnerability Assessments and Penetration Testing
A vulnerability assessment identifies and ranks the vulnerabilities in a website/computer, often largely with automated tools. Penetration Testing, or PenTesting, goes a step further: the Ethical Hacker tries to actually exploit the vulnerabilities found, to show what an attacker could really achieve. The two are often done together, along with a security audit.
PenTesting is usually of 3 types:
- Black Box: The Ethical Hacker knows nothing of the computer system or website and starts from scratch. This emulates the real-world scenario wherein a hacker may try to exploit a website.
- White Box: The Ethical Hacker knows all details of the company infrastructure, software used, security policies, network details, etc.
- Grey Box: The Ethical Hacker is given partial information and it falls in between Black and White Box testing.
This brings us to the close of this article. In the next article, we will learn the basics of PenTesting methodology.
About the author and cybersecurity 101 series
Amandeep is a young Indian Police Service officer of the 2014 batch. Being from a Computer Science background, he is passionate about technology with a keen interest in computer programming and cybersecurity. He is enthusiastic about fitness. He is an avid reader and considers himself a "forever student." Even though he serves in the police, he is still in touch with his technical side and is interested in increasing cyber awareness amongst the general public. He maintains a website at thecybercops.com and can be reached via aman at thecybercops.com.
CyberSecurity 101 will teach you about the basics of cybersecurity. It will be helpful for you if you are interested in knowing more about cybersecurity or are starting out a career in the field of cybersecurity or information security. It will start with the very basics of computer security and then move onto more complex topics. The aim will always be to explain everything in an easy way so that new users can grasp the concepts with ease.