A hacker is most often an individual who seeks to gain access to information technology resources. Once access is gained, usually through surreptitious means, a hacker could steal data, compromise applications and data, manipulate data and operations, and partially or completely shut down information technology resources. Some hackers, known as ethical hackers, perform their services for the benefit and welfare of the impacted organization. Other hackers, such as malicious hackers, have motives that will in some way harm the targeted organization.
Types of Hackers
Ethical Hackers. Ethical hackers, previously known by the term white hat hackers, perform their tasks generally for the benefit of the public. Many ethical hackers work as penetration testers and are hired to attempt to breach an organization’s information technology and network infrastructure. They hack only systems for which they have permission, specifically to test the security of those systems. Ethical hacking is generally legal, although this may vary depending on the circumstances.
Ethical hackers attempt to use the same techniques they would expect to be used by malicious hackers. They keep up on the tactics, techniques, and procedures used by the major attack groups. Ethical hackers also follow cyberattacker forums to keep current with trends and activity.
Ethical hackers are clearly the good guys in the hacking community. Their services are often invaluable to organizations that seek to understand and mitigate weaknesses and associated risk in their infrastructure. Many organizations cannot hire these personnel full-time, either due to a lack of available experienced talent or due to a lack of budget. But these services can often be found on a contract basis through penetration testing organizations such as Bugcrowd.
Malicious Hackers. Malicious hackers, previously known as black hat hackers, attempt to penetrate information technology and network resources for illegal purposes. Their intent is malicious. The illegal activities of malicious hackers may include, but are not limited to:
- The destruction or manipulation of data in targeted systems.
- The destruction or damage of operational systems.
- The limitation of access to operational systems using ransomware, DDoS, or other techniques to extort funds from the impacted organization or from their partners, vendors, and other closely related parties.
- The exfiltration of data to include, but not be limited to, personal, highly sensitive, proprietary, or government classified data.
- The planting of malware inside of an organization’s systems, such as the CI/CD pipeline, which in turn will distribute this malware to other unsuspecting organizations.
- The recruitment of targeted devices into a botnet for other unauthorized purposes.
- Damage to the brand and reputation of a targeted organization.
- Damage to the reputation of the leadership within a targeted organization.
Most malicious hackers exhibit antisocial tendencies; in general, they don’t fit well into society and prefer to stay hidden from societal pressures. They have taken their interest in information technology and software to the point where they rarely spend hours doing much else. Hacking provides one of their few avenues of gratification and pleasure. Malicious hackers’ lack of interpersonal skills, status, and recognition tends to cause them to revert to hacking activity, where they find personal reward and gain a sense of recognition, success, and power. Malicious hackers often like to brag, albeit within a small community, about their prowess.
Gray Hat Hackers. Gray hat hackers have characteristics of both ethical and malicious hackers. This is always very situation dependent. They will often access an organization’s systems without permission, which may constitute a violation of applicable laws and regulations. Once they have hacked their way inside the information systems and networks, they may be less likely to do any damage. Gray hat hackers may be motivated by money, but may choose to privately and/or anonymously report the discovered vulnerabilities to the impacted organization without a request for remuneration.
Script Kiddies. “Script kiddie” is an old term that goes back to the early days of the internet. Some say it originated sometime between 1994 and 1996. In 1996 the term “script kiddie” was used in an online message board called Yabbs. Two years later, in 1998, the hacking magazine Phrack also referenced “script kiddie behavior” in one of its articles. The name fits, so it has been used quite a bit since then.
Script kiddies are described as inexperienced hackers who use easily acquired pre-written scripts in the hopes of completing a successful hack. Script kiddies generally use existing basic techniques to identify well-known weaknesses in systems and networks. They generally do not have the skills to write their own scripts. Their motives may be as much the thrill of doing something dangerous and illegal as monetary gain. If hacktivism is involved, then perhaps their motive is gaining broad attention and visibility. Certainly enhancing their own reputation is at the top of the list.
Script kiddies often use very basic phishing attack techniques and the social engineering that goes with them. They also favor Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks. In the early days they often penetrated website servers and defaced the displayed content.
Laws and Regulation in the U.S. Applicable to Hacking
There are many laws and regulations that address malicious hacking. These may be current law or in the process of becoming law, and include, but are not limited to:
- The Federal Computer Fraud and Abuse Act (CFAA), 18 U.S.C 1030
- The Electronic Communications Protection Act (ECPA)
- The Consumer Privacy Protection Act of 2017
- 1996 Health Insurance Portability and Accountability Act (HIPAA)
- 1999 Gramm-Leach-Bliley Act
- HHS/OCR HIPAA compliance regulations and the legislation behind it
- 2002 Homeland Security Act, which included the Federal Information Security Management Act (FISMA)
- Cybersecurity Information Sharing Act (CISA)
- Cybersecurity Enhancement Act of 2014
- Federal Exchange Data Breach Notification Act of 2015
- National Cybersecurity Protection Advancement Act of 2015
- Several dozen state laws with many pending in this area that include, but are not limited to:
  - California Consumer Privacy Act (CCPA)
  - New York’s SHIELD Act