Picture this, the stereotypical hacker: black hoodie, hunched over a laptop festooned with stickers, in a dark bedroom.
That’s not what the hackers I’ve met look like. In fact, quite a lot of hackers look a lot like information security professionals. They have the same training and share the same interests.
In some cases, they are even the same people: security professionals enjoy penetration testing, for instance, in which they essentially 'pretend' to be a hacker to find vulnerabilities.
In addition, plenty of security pros started out hacking, and only later got a respectable job. The older generation of network analysts often started out 'phreaking,' hacking phone systems, before graduating through black-hat hacking, white-hat pen testing, and finally to network security analysis.
Types of Hackers
That said, there are significant differences between different types of hackers. The clearest way to define these different types is to look at their motivations for hacking. By doing that, we can break hackers into several groups:
- Black hat hackers are the stereotypical hacker, interested in financial gain or just infamy.
- White hats, by contrast, are hackers who have authorization to try and breach a system and then report back on any security holes they find.
- In between, we have gray hats. Typically, these hackers are not interested in destruction, but neither do they have authorization to test a system. Instead, they can be motivated by trying to raise awareness of how insecure public systems are by posting vulnerabilities to message boards. These hackers, for instance, have recently taken aim at city governments and aimed to convince them to improve cybersecurity.
- Hacktivists and Red Teams are generally 'ethical hackers,' who use illegal means, but do so in a way that they believe will improve the world (or at least the security of a particular system).
- Then we have spy hackers and state-sponsored hackers, who are paid by corporations or governments to obtain secrets. These hackers are generally the most sophisticated and dangerous because they have the most expertise and a huge level of resources. This allows them to use advanced social engineering techniques and huge amounts of computing power.
- Lastly, there are the script kiddies, inexperienced hackers looking to cause havoc. Though not as dangerous for well-protected corporations, these kids can still mess with your home network, and potentially steal personal data from poorly-protected individuals.
Whatever their motive or level of expertise, it’s interesting to note that the research paper "Hacker Personality Profiles Reviewed in Terms of the Big Five Personality Traits" has found that all hackers share a remarkably similar type of personality.
Specifically, this research shows that hackers are unusually open to new experiences in comparison to the general population. In practice, this personality trait is manifested in the fact that hackers love a challenge, and that personal infamy is often as important to them as monetary gain.
Some security firms have attempted to use this trait against hackers. The use of decoy systems, for instance, relies on giving hackers what appears to be an achievable challenge and then identifying those who take it up.
A second personality trait of hackers is the high level of neuroticism among the group. "Neuroticism", here, doesn't mean 'neurotic' in the everyday sense. Instead, the concept of neuroticism is closely akin to that of emotional stability: hackers, in other words, tend to be emotionally reactive, and tend to seek the adulation of their peers.
This trait has also become an important part of systems that aim to identify hackers. Some systems scan message boards for emotionally intense language, which can be an indication of someone who will try and cause harm to a system. This can help in identifying potential hackers before they have a chance to do any real harm.
Hardening Your Defenses
In order to defeat network hackers, it pays to think like them. It’s worth noting that many hackers are just as motivated by fame as money. This means that scanning message boards for mentions of your company can be an effective way of identifying risks. You should also make sure that you are clear about just how many systems you have that are vulnerable to attack: it’s no good securing your email systems if your VOIP system offers up gaping security holes to whoever wanders past.
It’s also worth trying to hack your own system, and this is the basis of white hat pen testing. If you were going to try to get into your own network from the outside, how would you do it? Think like a hacker. Pay particular attention to services that are so much a part of your daily routine that they seem innocuous. Even the most highly recommended web hosting services, ones that should know better, can slip up when it comes to hack-proofing their product. The same goes for your email system and any marketing tools you have installed. Compile a list. Check it twice to make sure you close any security holes. You can also have a look at our four tips to make your network security worse, and make sure that you don’t take those tips!
It’s also worth thinking about the wide range of hacker types and making sure that you are protected against all of them. While preventing sophisticated corporate espionage might be your priority, don’t forget that a kid sat in their bedroom can also be a real nuisance. They might not do any real damage, but even if they manage to shut your system down for a day, that equates to a lot of lost revenue. Often, for this type of low-level hacker, scaring them off is the best approach: make a decoy system, and then tell them that you can see them trying to hack it.
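A minimal sketch of the decoy idea described above, added here as an illustration and not taken from the article: a listener on an otherwise unused port that tells the visitor the connection is being watched and records who connected. The names `DecoyHandler`, `DecoyServer`, `start_decoy`, the notice wording and port 2323 are all assumptions made for this example.

```python
import json
import socketserver
import threading
from datetime import datetime, timezone

# Assumed wording: the article only says to tell visitors you can see them.
NOTICE = b"NOTICE: monitored decoy system. This connection has been logged.\r\n"
MAX_CAPTURE = 256  # cap bytes kept per connection so the log cannot be flooded


class DecoyHandler(socketserver.BaseRequestHandler):
    """Low-interaction decoy: warn the visitor, then record who they are."""

    def handle(self):
        self.request.settimeout(2.0)
        try:
            self.request.sendall(NOTICE)
            first = self.request.recv(MAX_CAPTURE)
        except OSError:  # timeout or reset: still log the connection itself
            first = b""
        event = {
            "time": datetime.now(timezone.utc).isoformat(),
            "src_ip": self.client_address[0],
            "src_port": self.client_address[1],
            "first_bytes": first.decode("latin-1"),
        }
        with self.server.lock:
            self.server.events.append(event)
        # json.dumps escapes CR/LF, so captured bytes cannot forge log lines.
        print(json.dumps(event), flush=True)


class DecoyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, addr):
        super().__init__(addr, DecoyHandler)
        self.events, self.lock = [], threading.Lock()


def start_decoy(host="127.0.0.1", port=0):
    """Serve in a background thread; port 0 lets the OS pick a free port."""
    server = DecoyServer((host, port))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    srv = start_decoy(port=2323)  # constructed port, not from the article
    threading.Event().wait()  # run until interrupted
```

Because no legitimate user has a reason to touch the decoy port, every logged event is worth a look, and the JSON lines can be forwarded to whatever alerting you already run.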
The Bottom Line
Ultimately, the stereotype of the hacker might not be very useful. Rather than looking out for cybercriminals in hoodies, security pros should realize that the average hacker looks a lot like them.
This makes them harder to spot, of course, but also comes with a huge advantage: it makes it easier to think like them and to anticipate how they will try to attack your systems. Armed with that knowledge, you can protect your network before an attack even begins.