The Basics of Protecting Against Computer Hacking
You can manage what you know about; it's what you don't know about that creeps up and stabs you. For the IT manager, computer hacking is one such sword of Damocles for which sensible preventive and detective measures have become essential. And in common with other disasters in waiting, infiltration should feature in contingency planning.

The hacker - technically, a "hacker" is someone who is enthusiastic about computer programming and all things computer related, and is motivated by curiosity to reverse engineer software and to explore.
[1] Hardware or software that captures the user's keystrokes, including their passwords.

into IT | 15
Rootkit - a collection of tools and utilities that a hacker can use to hide their presence and gather data to help them further infiltrate a network. Typically, a rootkit includes tools to log keystrokes (see keylogger above), to create secret backdoor entrances to the system, to monitor packets on the network to gain information, and to alter system log files and administrative tools to prevent detection.

Social engineering - in his book, The Art of Deception: Controlling the Human Element of Security[4], arch hacker Kevin Mitnick poses the question: why bother attacking technology when the weakest link lies not in the computer hardware or software, but in humans who can be tricked into giving up their passwords and other secrets? Mitnick goes on to state that social engineering "uses influence and persuasion to deceive people by convincing them that the social engineer is someone he is not, or by manipulation. The social engineer is able to take advantage of people to obtain information with or without the use of technology."

[4] Wiley, ISBN 0-471-23712-4

Spoofing - in essence a technique that depends on forging the identity of someone or something else ("masquerading"), the aim being to alter the trust relationship between the parties to a transaction.

In the online world, there are different flavours of spoofing. A hacker might employ sophisticated e-mail spoofing to make it appear that an e-mail requiring the victim to confirm their account details, including such information as their logon ID and password, has been sent by a reputable person or organisation (see "phishing" and "social engineering" above).

IP spoofing is another common form of online camouflage, in which a hacker attempts to gain unauthorised access to a computer or network by making it appear that a packet has come from a trusted machine by spoofing its unique Internet IP address. A countermeasure is to use a Virtual Private Network (VPN) protocol, a method that involves encrypting the data in each packet as well as the source address using encryption keys that a potential attacker doesn't have. The VPN software or firmware decrypts the packet and source address, and performs a checksum. The packet is discarded if either the data or the source address has been tampered with.

Trojan horse - a name derived from the classic Trojan horse in Homer's Iliad. After spending many months unsuccessfully besieging the fortified city of Troy, the Greeks evolved a strategy. They departed, leaving behind them as a gift a large wooden horse, which the citizens of Troy brought into town. Unknown to them, the horse contained Greek warriors, who at night jumped out and opened the city gates, letting in the Greek army who had been in hiding.

In the IT environment - and setting aside the legitimate use of network administration tools - Trojans are generally considered a class of "malware" that, like their predecessor, contain covert functionality. They act as a means of entering a target computer undetected and then allowing a remote hacker unrestricted access and control. They generally incorporate a rootkit (see above).
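The VPN countermeasure described under Spoofing above, as an added illustration that is not part of the article: the sender encrypts the source address together with the payload and attaches a keyed integrity check, and the receiver recomputes that check and drops any packet whose data or source address has been altered or whose tag was produced without the key. The shared key, addresses and payload are constructed for the demo, and the HMAC-based keystream is an assumed simplification standing in for a real VPN cipher suite such as IPsec's; the point it makes is that the "checksum" must be keyed, or an attacker could simply recompute it.

```python
import hmac
import hashlib
import os
import struct
from dataclasses import dataclass

# Constructed shared secret for the demo; a real VPN negotiates this via key exchange.
KEY = b"constructed-demo-key-do-not-reuse"


@dataclass(frozen=True)
class ProtectedPacket:
    nonce: bytes       # unique per packet; never repeated under the same key
    ciphertext: bytes  # encrypted (source address || payload)
    tag: bytes         # keyed integrity check over nonce || ciphertext


def _subkey(purpose: bytes) -> bytes:
    # Derive separate encryption and integrity keys from the shared secret.
    return hmac.new(KEY, purpose, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from an HMAC PRF (illustrative stand-in for a real cipher).
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def protect(src_ip: str, payload: bytes) -> ProtectedPacket:
    """Sender side: encrypt the source address with the data, then tag the result."""
    nonce = os.urandom(12)
    plaintext = src_ip.encode() + b"\x00" + payload  # source address travels inside the envelope
    ks = _keystream(_subkey(b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return ProtectedPacket(nonce, ciphertext, tag)


def verify_and_open(pkt: ProtectedPacket):
    """Receiver side: recompute the check; any mismatch means the packet is discarded."""
    expected = hmac.new(_subkey(b"mac"), pkt.nonce + pkt.ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, pkt.tag):
        return None  # tampered data or forged source address: drop it
    ks = _keystream(_subkey(b"enc"), pkt.nonce, len(pkt.ciphertext))
    src, _, payload = bytes(c ^ k for c, k in zip(pkt.ciphertext, ks)).partition(b"\x00")
    return src.decode(), payload
```

`verify_and_open` returns `None` for a rejected packet, which is the "discard" step the article describes; a production stack would also count and alert on such drops.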
About the author

N. Nagarajan CISA joined the Office of the Comptroller and Auditor General of India in 1989, and is presently employed as Senior Deputy Accountant General in Mumbai. In addition to his wide experience in auditing IT (particularly in the field of Electronic Data Interchange) and in training staff in IT audit skills, Nagarajan has also worked as a developer of pensions systems. Nagarajan's international work includes audit assignments at the United Nations in New York, and a two-year secondment to the Office of the Auditor General of Mauritius, where he was involved in training staff and in the audit of EDI systems operated by the Customs department. Nagarajan has been published in a number of international journals.