Unit.2 | Cybersecurity

How a Hack Happens

Chapter 03/04

Snapshot

Learn more about how hacks occur. Explore hacker motivations and the techniques hackers use to steal your data.

Key Terms:

  • Vulnerability
  • Encryption
  • Malware
  • Ransomware
  • Phishing
  • Social engineering

Too often we hand over our data without even realizing it.

Photo apps that add filters to give you a goofy dog nose and floppy ears are also facial-recognition tools collecting data points to identify you. When you say “yes” to sharing information with a third party in order to find out what your taco preferences mean or to play the free version of Fortnite, you’re agreeing to share a broad spectrum of your personal data. Sometimes those apps reach out even further to gather data from your online connections. Sure, you get a free game out of it, but companies get something too: your data.

Breach vs. Hack

A hack is just a way to make something work differently. For instance, if you rotate your computer screen 90 degrees, you can watch a movie lying on your side. #lifehack

Early computer hackers were looking for workarounds and shortcuts to make programs work better, and they got a rush from being able to hack things and figure out what others couldn’t. Some were trying to prove they were clever by installing keyloggers to lift passwords and writing code to see if they could control or break into other people’s systems.

Those tests of the system led to what we call breaches. A hack is the act of breaking in, and a breach is often the result of that hack.

When Equifax left open a security gap so large that 143 million people’s data was exposed for months, that was a breach. When WikiLeaks broke into the CIA’s computers, it was a hack.

Sometimes it’s unclear whether a security issue qualifies as a breach or a hack, like the Target case in 2013, when 40 million consumers had their data stolen from checkout station card readers. Technically, the whole incident is considered a breach because it occurred at the point-of-sale machine, before the data was encrypted. A breach can be either accidental or intentional, but a hack is always done with intent.

Evolution of Hacker Motivations

Typically, hackers are people who believe that working inside a computer network is a lot more powerful than working outside of it. They often have a rebellious streak, and they hack based on their own ideas of how the world should work.

Some hackers think of themselves as heroes, and some are treated that way. People who dislike or distrust the government think it’s a good thing to have people working behind the scenes to disrupt business or government—a rogue form of checks and balances. Some hackers got into it because they don’t like being monitored; they think of the internet as a giant tool for keeping tabs on people.

By now you may be thinking of the standard image of a paranoid hacker alone in a dark basement, but some hackers work on behalf of governments or other large organizations. In some parts of the world, state-sponsored hackers are assigned to meddle in elections and steal intellectual property.

People hack for money, too, whether because they plan to exploit the illicit data themselves or because they’ve been hired to steal it. Others are hired to perform ethical hacking: the attempt to breach software and systems in an effort to find vulnerabilities before an unethical hacker does.

Threats

Hackers use all sorts of tricks to steal digital data:

Malware is a software virus or worm that burrows into a computer system and takes over. Some are designed to reformat disks, others to corrupt data. They’re made to replicate and infect many computers in a network, spreading like the flu.

Ransomware does the same kinds of things, and then it demands payment to end the spread of the virus. When hackers in the 1980s stole data like this, they would set up a physical mailbox where people could mail the ransom check. Today’s hackers demand payments in cryptocurrency, which is harder to track. Most ransomware hackers don’t deliver on their promises, though, so if you’re considering a payout to retrieve your data, understand that you might be out your data and a bunch of cash.

Phishing is when hackers fool people into voluntarily providing personally identifiable information that can later be used to hack a system. It’s like casting out a line with a worm of clickbait on the end. Most people who try phishing send fake emails that look like normal correspondence. When the fish takes the bait—like signing into a mocked-up account—hackers steal usernames, passwords and any details they can get the fish to hand over.

Bots are software applications that run automated tasks. They aren’t a threat on their own; in fact, more than half of all web traffic is made up of bots. They fetch and analyze information on the web at a super-fast rate. But when hackers use bots, they can be dangerous. Hackers use bots to have fake conversations with unsuspecting people, attempting to get them to hand over personal information.

Social engineering plays on people’s helpful nature and their willingness to trust what they’re told to get them to hand over personal information. The attacker can get creative by using social media to find out exactly what could motivate a person to share personal information. It might be fear, in which case the attacker could write or call, saying something like, “This is the IRS. You owe us money. You can stop this by giving me your credit card information right now.” Also, lots of people are willing to click unfamiliar links or open unknown USB drives on their computers. When they click on a folder with an enticing name like “Top Secret” or “Million Dollar Ideas,” the computer and any attached networks are suddenly in danger.

Targets

“Whaling” is the hacker term for targeting a big fish, like a high-level executive with access to the company’s entire system. Company presidents, CEOs and information officers are highly visible online and leave trails of information that are easy for hackers to discover and exploit.

The whale’s personal data might not be that valuable, but hackers can use what they find to leverage an attack on the whale’s organization. They target the whale to gain access to more systems, change passwords and steal information.

This is where a small business really has to pay attention. Small business owners often assume that they’re beneath hackers’ attention—but they’re not. The types of information hackers can steal might lead to an attack on a bank or a partner company.

Most companies aren’t being actively hacked, but a breach is always possible, especially when businesses let people use their own phones and devices for company work. For hackers, the payoff can be huge. Hackers who catch the big fish get access to personal information they can use to catch others—and the more data they collect, the more snares they can create to drag more people into danger.

Attractive Data

Look at the prices on the dark web, and you’ll see your health records are far more valuable than your Social Security number.

Do hackers really want details on your exercise-induced bronchial spasms? Not at all. Hackers hunting health care data want the personally identifiable information that your health records contain: birth dates, billing information, policy details and Social Security numbers. Stealing multiple data points means hackers can create fake identities to buy and resell prescription drugs, set up fraudulent claims with insurers and even file fake tax returns.

Your personally identifiable information floats around in other places, too: social media posts, emails to your therapist and details in your online profiles. Posting “Love you, Grandma Hanson!” can be a direct clue to your mother’s maiden name. Your LinkedIn profile includes the schools you attended.

When vice presidential candidate Sarah Palin’s email got hacked, it wasn’t a high-tech affair. Hacker David Kernell looked up publicly available biographical details, such as Palin’s high school mascot and birth date, and plugged them into a Yahoo! account recovery system for forgotten passwords. He was able to reset her password, which gave him access to her entire account.

Anatomy of a Breach

Here’s the basic story of every security breach:

Testing

Hackers test systems for vulnerabilities and weaknesses so they can gain access.

Permissions Changed

Once hackers can access a system through any door—whether they got in through phishing, social engineering or other vulnerabilities—they change permissions so they have the same access as high-level administrators.

Control of Systems

When access is granted, hackers have control of your system.

Havoc

Things get wild. Windows pop up and won’t close, systems shut down and ransomware messages appear. By then, the hackers are long gone.

Restoration

If you’re lucky, a good cybersecurity team takes over. Cybersecurity experts identify the problem, restore the system from secure backups and get everything up and running again. But they also have to discover which information was compromised and what the hackers’ ultimate goal was.
