Related: (CISSP) Mike Chapple, James Michael Stewart, Darril Gibson - CISSP Official Study Guide - Sybex (2018)
Thrill Attacks
Thrill attacks are attacks launched only for the fun of it. Attackers who lack the ability
to devise their own attacks will often download programs that do their work for them.
These attackers are often called script kiddies because they run only other people’s
programs, or scripts, to launch an attack.
The main motivation behind these attacks is the “high” of successfully breaking into a
system. If you are the victim of a thrill attack, the most common fate you will suffer is a
service interruption. Although an attacker of this type may destroy data, the main motivation is
to compromise a system and perhaps use it to launch an attack against another victim.
One common type of thrill attack involves website defacements, where the attacker
compromises a web server and replaces an organization’s legitimate web content with other
pages, often boasting about the attacker’s skills. For example, attackers launched a series of
automated website defacement attacks in 2017 that exploited a vulnerability in the widely
used WordPress web publishing platform. Those attacks managed to deface more than
1.8 million web pages in one week.
Recently, the world has seen a rise in the field of “hacktivism.” These attackers, known
as hacktivists (a combination of hacker and activist), often combine political motivations
with the thrill of hacking. They organize themselves loosely into groups with names like
Anonymous and Lulzsec and use tools like the Low Orbit Ion Cannon to create large-scale
denial-of-service attacks with little knowledge required.
Ethics
Security professionals hold themselves and each other to a high standard of conduct
because of the sensitive positions of trust they occupy. The rules that govern personal
conduct are collectively known as rules of ethics. Several organizations have recognized the
need for standard ethics rules, or codes, and have devised guidelines for ethical behavior.
We present two codes of ethics in the following sections. These rules are not laws. They
are minimum standards for professional behavior. They should provide you with a basis for
sound, ethical judgment. We expect all security professionals to abide by these guidelines
regardless of their area of specialty or employer. Make sure you understand and agree with
the codes of ethics outlined in the following sections. In addition to these codes, all
information security professionals should also support their organization’s code of ethics.