Hacking. We’ve all heard the stories. We’ve all been told it’s “so important” to learn about it and become a hacker. Well, the truth about learning hacking might surprise you.
To defeat a hacker, you need to think like a hacker? Or to catch a thief, you need to think like a thief.
Have you ever heard that before? It’s a pretty common expression. Especially in the reasoning behind ethical hacking and penetration testing.
Even in my law enforcement training, I’ve heard this same concept from investigators and other officers alike.
But what many fail to tell you is that this concept does not apply the way you think it does. And hacking or penetration testing is not the “end-all-be-all” of information security.
Wait, what? Yep. You DO NOT need to know how to hack, crack, or pen test to be good at information security.
In this article, I’m going to analyze the popular term: hacking. I’m going to show you why hacking may not be what you think it is, and how marketing hype has a lot to do with its popularity.
I’ll also show you how you don’t need to be a “hacker” to be good at information security.
What is hacking?
First, let’s define a few terms about hacking to create some context.
What is a hacker? Well, frankly, it’s a manufactured term to describe a computer attacker.
“A hacker broke into a database and stole millions of accounts…” Sounds familiar, right?
A hacker is “a person who circumvents security and breaks into a network, computer, file, etc., usually with malicious intent” – Dictionary.com
Ironically, they also have another definition of a hacker as “a person who engages in an activity without talent or skill”. You’ll see why I find that ironic here in a minute.
What is a Cracker?
Years ago, the term for computer attackers was actually “cracker”. Crackers are people who are curious about computer functionality and capabilities, with an interest in dissecting how things work.
Crackers are generally obsessed with the engineering and reverse engineering of how computers, applications, and other components work.
And some crackers would use their technical knowledge to take advantage of computer weaknesses they learned through their engineering and reverse engineering efforts.
What is a Script Kiddie?
By today’s standards, the hackers you have come to know are not crackers. Today, hackers mostly consist of what’s called script kiddies.
Script kiddies use other people’s software, scripts, tools, or techniques in an attempt to “crack” a computing component.
Script kiddies are not generally interested in the science of computers, reverse engineering components out of mere fascination.
Instead, they use well-known tools that are pre-programmed to perform information gathering and vulnerability scanning, and to attempt to exploit known vulnerabilities.
So in actuality, they are not hacking at all. They are actually performing a vulnerability assessment…and usually not a very good one at that.
In other words: “a person who engages in an activity without talent or skill.” Ironic, right?
“anybody can utilize the tools online and go off merrily hacking other people’s networks with virtually no ‘skill’ whatsoever.”
For the record, being called a script kiddie is the ultimate insult within legitimate hacking (cracking) circles. It basically means you have no skill of your own.
Strive to be a cracker
Crackers are in it for the intellectual challenge. They live for the challenge of solving or reverse engineering a problem.
Script kiddies typically “hack” for their own personal gain. Whether it be money or ego, they are in it for themselves. They are not in it for the greater good of computing science or information security.
Here is an example of some “hacking” questions I found on quora.com
See what I mean? How do I change my location, change my grades, even hack? These questions are not asked out of an interest in becoming a better security professional.
These questions are about personal gain.
What about an ethical hacker?
Now, there is also the “ethical hacker”. This term is a manufactured term as well. This basically defines a cracker that uses their skills for the purposes of helping others.
Ethical hackers use their cracking skills to help organizations or clients understand the nature of threats and vulnerabilities within their information systems.
The most common ways ethical cracking skills are used are either through vulnerability assessments or penetration tests.
A vulnerability assessment is just what it sounds like…searching the information system to find possible threats and vulnerabilities that could be exploited by an attacker.
A penetration test (or pentest) takes things a step further. A pentest is used to discover threats and vulnerabilities, but the tester then attempts to exploit the discovered flaws in an attempt to simulate what a potential attacker might do.
And within these “hacking” circles, you have black hats (bad), white hats (good), and grey hats (good intentions, but crossing the line at times). Straight up, grey hat is usually where most of the ethical hackers operate.
Now, let’s circle back on the statement “To catch a hacker, you need to think like a hacker”.
The truth about hacking
Personally, having worked in IT for 17 years, and INFOSEC for 10 years, I don’t agree with this concept. I understand the logic behind this statement, but it’s very misleading and is creating a bad name for the art of pentesting.
And I’ll show you why.
To catch a hacker, you need to think like a hacker…
…says to me that “you need to become a hacker to be good at INFOSEC”
Which is simply not true. It’s not true at all.
Have you ever tried to break into someone’s home? How about someone’s car? How about your own home or car?
Ever try and pick the lock on your front door to break into your home?
Likely not, right? Why? You need to break into your home to make sure it’s safe, right?
Why, in this context, does that seem unnecessary?
Because when you lock the door, you check that it’s locked. You test the lock by twisting the door knob or pulling on the door. And that verifies the door lock works.
Through that test, you trust the door lock works as it’s designed to. You don’t need to break into your own home to verify that.
To take it a step further…
If you lived in a castle, and all you did was go and attack other people…
…who is defending your own castle? How are the people in your castle safe?
Well, they are really not safe. Because you have put all of your efforts into trying to “catch” or “attack”, you forgot all about defending what’s really important.
The people under your protection.
And this is where the truth lies. And the marketing statements mislead.
There is a place for everything. But there is NO single answer that solves multiple problems.
Yes, testing and assessing the security of an information system is very important. But it needs to be done by those who REALLY know HOW to test and assess the system.
The only people who can do that, and do it well, are the people who know HOW the system works!
Not by so-called hackers, who are really script kiddies. Not by so-called pentesters who are really running vulnerability assessments.
Hacking is popular today because of marketing. That’s really it. It sounds sexy. It’s mysterious and looks cool. And some hacks that you hear about sound hard.
But again, that’s just marketing. Anything can sound awesome with the right words behind it.
When it comes to information security, only the professionals who know the ins-and-outs of the information system are in the best position to protect it.
Ethical hackers and penetration testers have an important place in INFOSEC.
But, it’s not something you learn in a course, certification program, etc.
It takes years of experience and deep technical knowledge of multiple technologies to be good at it. It also takes endless levels of problem solving.
To be effective at ethical hacking and penetration testing, you have to be a cracker, not a hacker or a script kiddie.
And to do that correctly, you need to understand ALL of the underlying technologies. Which means you need working knowledge and skills of those technologies.
You also need to understand how to test and assess the various ways an attacker might try to compromise your information system. This will allow you to truly understand the security needed to protect the system from would-be attackers.
Using other people’s (or vendors’) tools will only get you so far. And those tools do not test everything.
There are many security gaps that even the most popular tools miss, leaving your system much more vulnerable than you might think.
Are security tools effective? Yes. Do they find every security flaw? No. No tool can possibly do that.
Another problem with using these security tools is remediation. What do you do to correct anything the tool discovers?
Is the result true or false? What is the next course of action?
So let’s look at this in a different way to bring the concept full circle.
Let’s say you’re using a password cracking tool and found a password on the system.
Great! You found a weak password on the system.
Ok…Now what? What happens next?
Simply saying “you need to change your password” is not enough.
Because the natural response to that statement might be…
What passwords? On what devices? And change them to what? How do you enforce complex or strong passwords? How often should those passwords be changed? Who changes them? And so on.
What are the answers to those questions? What do you recommend to do with your discovery?
That is the difference between using a tool to find something, and truly understanding the underlying security risks of something as simple as passwords.
A tool cannot tell you the answer. So-called “hacking” is not the answer.
Even the best security assessment will detect potential risks…
A true information security professional knows how to find and solve security problems to reduce the risk of an attack.
This is where the truth between the marketing of “hacking” and true information security cross paths.
And a good ethical hacker or penetration tester can combine the best of both worlds (cracking skills along with problem solving/resolution skills). And they can be a tremendous asset to an organization.
A script kiddie can be a liability. Because a script kiddie is using someone else’s hacking tools. And they may not know or understand the effects of the tool they are using.
That tool may crash a server, bring a network down, or break into an unauthorized area on the system. That tool could literally impact the very thing you’re trying to protect…business operations.
And if you don’t have permission to use a specific tool, in a specific capacity…that may actually be a crime.
Disclaimer: There are TONS of security laws that may or may not apply to hacking. Be 100% certain about any applicable computer laws before you engage in any security testing and assessment activities. If in doubt, get written permission from the information system owner before proceeding.
“Curiosity killed the cat” as the saying goes. Meaning, treading into unknown territory can get you into a lot of trouble. Especially when it comes to trying to hack stuff.
My recommendation is don’t “hack” because some vendor advertisements tell you that’s the next big thing. Because it’s not.
Would you want someone working on your computers or system who says “I want to be a hacker”? Yeah…neither do I. 😉
Instead, strive to have a clear understanding of any technology you are working with. Whether that be operating systems, networks, software, web applications, etc.
The only way to know how to fix something correctly is to understand how it works.
Then learn what to do to securely configure those technologies, and verify the security is working correctly.
Yes, this takes time. Yes, this takes hard work. But, you will be a true information security professional and have a profound impact in the technology world doing this.
Any unskilled person can learn to use someone else’s tools. But a true professional understands the underlying technologies and looks to solve problems for others.
“In short, ‘hackers’, the ‘hacker community’, and ‘elite secrets’ are really myths created by the media because they sell.” – Unknown
In my words…focus on being a cracker…not a hacker.
What do you think? Leave me a comment below. Let me know what you think about “hacking” and if you think it has a place in information security.