Cyber criminals have used the same technologies and tactics for years, but companies keep failing to defend against them.

Online, in print, on TV, and on the radio, report after report claims that malicious hacking is “more sophisticated than ever before.” The media seemingly wants the world to believe it’s beset by impossible-to-stop uberhackers with super-sophisticated tools and skills.

The reality is far different: Malicious hackers are using pretty much the same old tools and exploiting the same old weaknesses. However, companies and end-users aren’t doing what they need to defend themselves. Anyone who promotes today’s attackers and their tools as near-invincible is doing a serious public disservice.

Attackers’ strategies and techniques have not changed since computers were invented: malware, buffer overflows, social engineering, password cracking, and so on. With very few exceptions (such as dynamic botnets), nothing has changed — except for the fact that the intruders are doing more with the access they get. For example, there’s a new rootkit called Mebromi that modifies the computer motherboard BIOS to make detection and removal more difficult. That’s slightly interesting — but not new: The CIH virus did this quite successfully in 1998. Malware that encrypts data and holds it hostage for payment always makes headlines. The AIDS Trojan horse program did this in 1989.

The most common ways of compromising servers — application exploits and SQL injection — are more than 10 years old. Even the most popular end-user attacks — fake antivirus programs and exploits of unpatched programs — have been around forever. The first fake antivirus program appeared in 1989 and masqueraded as McAfee software.
John McAfee started using digitally signed programs shortly after, and the rest of the online software industry followed suit.

It’s not too surprising that the bad guys are reusing the same ol’ tactics and technologies: Why come up with new ways to hack when the old ways work just fine?

Organizations that want to make their environment significantly more secure should be doing the following better: patching systems regularly; creating and enforcing password policies; embracing configuration management; adopting a least-privilege strategy; and training end-users. You don’t need ultrasophisticated defenses. Defending against malicious intruders is not impossible, but you must concentrate on doing the basics better.

Improving some defenses requires global coordination, such as making it harder to carry out malicious deeds across the Internet. But even those issues haven’t changed in 20 years. The only difference is that we now have the expertise and protocols to implement what we’ve needed all along to keep our systems safe — but we don’t. One day we will; unfortunately, it will happen only after we’ve allowed the cyber crime issue to harm far more people than necessary.

Until we make it globally harder for the bad people to do bad things across the Internet, your organization needs to better embrace the basics to keep your own systems safe. In the meantime, don’t get caught up in the hype.

This story, “Why hackers don’t need to be smart,” was originally published at InfoWorld.com as part of Roger Grimes’s Security Adviser blog.