Hackers… they’re a bunch of social misfits, loners, hoodie-wearing, energy drink slamming programming geeks, right? Well, no. They’re not. The bad guys with computers are not the sort to slide easily into media stereotypes. Most of them are members of criminal organizations or have nation-state backing. Awkward loners don’t fit in with the Russian Mob or the People’s Liberation Army. Gotta have team players in those groups.
Hackers don’t always use computers, either. Social engineering – also known as running a con job – is incredibly effective and simple to do. You’d be surprised how many people will give out their passwords when someone accuses them of not having a strong enough one. “Why, you better believe I got a secure password! It’s +O;66fg#3.>ha!” Hint: the password isn’t secure anymore if it’s been read out loud to someone else. It’s also not secure if it’s written on a notepad or post-it note.
Do you have someone that’s always asking questions about where things are on the network? That’s possibly social engineering. One guy did that at a company and learned where the financial data was stored. After a two-month interval, a tiger team broke into the server room and stole that exact server. The thieves were caught and the connection to the inquisitive employee became evident. The people at that company were shocked to discover that a guy they all considered to be a cheerful, bumbling, balding co-worker was in fact in league with organized crime.
That guy, and others like him, are well-camouflaged. They blend in. They go to lunch with the rest of the gang. They have neither an excess, nor a deficit, of cool. They live in apartments and homes, they watch sports and reality teevee shows, they drink beer, they may not even know anything more technical than how to copy and paste and add an attachment to an email. Because, face it, if a guy copies a sensitive document and then sends it to someone who shouldn’t have access to it, that’s a data breach. A hack. And the guy that did it could have been a total schlub.
True, he could have been a more exotic chap, say, a soldier in an army unit responsible for espionage via computers. But that guy’s not working alone. He’s also not working on a short timetable. Guys like him or the organized crime types have all the time and patience in the world to find where the weaknesses are in an organization and then exploit them. They develop custom code, just like other corporations do, but their custom code is dedicated to undermining their target, rather than developing just-in-time strategic synergies. Most of what they do goes undetected for the simple reason that the vectors they use are either ones that haven’t been used before or their target isn’t looking where they’re active with .
If you like the shows with slick hackers with social flaws, keep on enjoying them, along with everything else that’s been Hollywood-ed up. But in your real life, the guy compromising your financial data is going to buy a case of beer and then have a trip to Disneyland. Be careful about the questions that you answer and hope that you’ve got a security team that has a data loss prevention tool in place, among other things.