What do you do when you need to explain the history of hacking to a busy non-technical manager in five minutes or less? Here is an attempt to boil this extremely complex subject down into a 5-minute "cliff-note".
Hacking started out as a hobby and was a cool thing to do.
In the late eighties and early nineties, hacking was the domain of young people who were trying to push the envelope and see how deep they could get into networks. They were surprised they could get much farther than expected, and some, like Kevin Mitnick, decided to go all the way down the rabbit hole.
1) Attack UNIX Servers
The early hackers focused mainly on servers on the Internet, which were UNIX machines at the time. IT security specialists countered by installing firewalls to try to keep hackers out.
2) Attack the Data Transport
So the hackers focused instead on attacking the way data was transported from one computer to the other (the Internet's communication protocols) and getting in that way. However, firewalls continued to improve and locked hackers out.
3) Attack the Employee Workstations
Next, in the early 2000s, the hackers started attacking the employee workstations instead. To block that type of attack, IT security people started running antivirus on all workstations and making sure the Windows operating system was always patched.
4) Attack the Application Software
However, during the mid-2000s the hackers changed their strategy once more and started attacking the application software on the workstation, things like the browser or the PDF reader. From 2007 forward that trend really took off.
But IT security people countered with automated tools to patch all application software, so vulnerabilities in those products were covered too. This brings us to the last few years, with the observation that criminal hacking has gone pro since about 2005 and is a $3 Billion industry.
5) Attack the Employee via Email
As their most recent and very successful way to attack, the hackers are now focusing on the real weak link in IT security: the employee. They started by sending phishing emails by the millions, trying to get employees to fill out a form on a bogus website and steal confidential data that way. Today, they are sending sophisticated, personalized attacks via email that we call spear-phishing. An employee only has to click one link in one of these spear-phishing emails to get their workstation infected with malware, which lets the hackers into the network.
To counter this most recent hacker strategy, all employees need effective security awareness training so that they do not expose the network to cyber criminals. Note that this is like a game of chess: the bad guys have the first-mover advantage, and IT security is forced into a defensive role.
The problem with having a defensive role is that the home team has to have a 100% success rate, but the attackers only need to succeed once. This is a losing game for the defenders, and that is why the hackers are winning. Organizations need to be fully focused on "defense in depth", and the very first layer of that defense is Policy, Procedure and Awareness. Hence the urgent need to train employees and inoculate them against social engineering so that they do not fall for hacker tricks.