The History of Hacking in 5 Minutes (for Dummies)

Upload: stu-sjouwerman

Post on 08-May-2015

DESCRIPTION

What do you do when you need to explain the history of hacking to a busy non-technical manager in five minutes or less? Here is an attempt to make this extremely complex subject into a 5-minute "cliff-note".

TRANSCRIPT

Page 1: The History of Hacking in 5 Minutes (for Dummies)

What do you do when you need to explain the history of hacking to a busy non-technical manager in five minutes or less? Here is an attempt to make this extremely complex subject into a 5-minute "cliff-note".

Hacking started out as a hobby and was a cool thing to do.

In the late eighties and early nineties, hacking was the domain of young people who were trying to push the envelope and see how deep they could get into networks. They were surprised they could get much farther than expected, and some, like Kevin Mitnick, decided to go all the way down the rabbit hole.

The early hackers focused mainly on servers on the Internet, which were UNIX machines at the time. But IT security specialists countered by installing firewalls to try to keep hackers out.

1. Attack UNIX Servers

So the hackers focused instead on trying to break into how the data was transported from one computer to the other (the Internet's communication protocols) and get in that way. However, firewalls continued to improve and locked hackers out.

2. Attack the Data Transport

Next, in the early 2000s, the hackers started to attack the employee workstations instead. To block that type of attack, IT security people started running antivirus on all workstations and making sure the Windows Operating System was always patched.

3. Attack the Employee Workstations

However, during the mid-2000s, the hackers changed their strategy once more and started attacking the application software on the workstation, things like the browser or PDF reader software. From 2007 forward that trend really took off.

But IT security people countered with automated tools to patch all application software so vulnerabilities in those software products were covered too. This brings us to the last few years, with the observation that criminal hacking has gone pro since about 2005 and is a $3 Billion industry.

4. Attack the Application Software

As their most recent and very successful way to attack, the hackers are now focusing on the real weak link in IT security: the employee. They started by sending phishing emails by the millions, trying to make employees fill out a form on a bogus website and steal confidential data that way. Today, they are sending sophisticated, personalized attacks via email that we call spear-phishing.

An employee only has to click one link in one of these spear-phishing emails to get their workstation infected with malware, which allows the hackers into the network.

5. Attack the Employee via Email

To counter this most recent hacker strategy, all employees need effective security awareness training so that they do not expose the network to cyber criminals. Note that this is like a game of chess, with the bad guys having the first-mover advantage and IT security forced into a defensive role.

The problem with having a defensive role is that the home team has to have a 100% success rate, but the attackers only need to succeed once. This is a losing game for the defenders and that is why the hackers are winning.

Organizations need to be fully focused on "defense in depth", and the very first layer of that defense is Policy, Procedure and Awareness. Hence the urgent need to train employees and inoculate them against social engineering so that they do not fall for hacker tricks.
