First, a little on terminology. Every industry has its own "insider
terminology" that only the people in that particular field use and
understand. Computers and computer security are no different; to understand
some computer security terms, a few "insider terms" need clarification.
Merriam-Webster defines a hacker in the two senses that are in popular use
today: the original and classical usage, "an expert at programming and
solving problems with a computer"; and the more modern application, "a
person who illegally gains access to and sometimes tampers with information
in a computer system". Most computer experts use the word in its original
sense: a hacker is a person who is an expert at solving computer problems.
The media has propagated the second definition, and most non-technical
people keep that usage in circulation. The term "hacker" will not be used
much on this site; the preferred term is "attacker", out of respect for all
the real hackers out there doing good in the world. As a note of interest,
another definition in the same Merriam-Webster dictionary for the word
"hacker" is "one who is unskilled or inexperienced". As an anomaly of
techno-lingo, the term "hack" is used to indicate a poor job or a clumsy, if
not failing, accomplishment, e.g. "His fix was a real hack" or "His
application doesn't work, he just hacked it together."
One last comment on media perception. Any movie or TV show that has
"hackers" breaking into computer systems is not realistic. They are good for
hyping up the public and making money, but they fail to deliver a true
picture of what an attacker is like, what methods and tools are used, and
how security technology is defeated. Often the computer screens are simple
mock applications displaying data or images that have absolutely nothing to
do with the task being portrayed. Most computer security experts may find
the story line interesting but the display of technology laughable. But
that's Hollywood.
Now on to some useful info. Attackers generally come in three basic
varieties: the script kiddie, the advanced "blackhat", and the insider. Each
poses different levels and types of risk. Most organizations need to be
prepared to handle all three.
The Script Kiddie
While most script kiddies are not children, and their average tool is not a
literal shell script, the script kiddie is aptly named for their reliance on
automated tools and their lack of knowledge and experience.
Motivation. Script kiddies are motivated by social status and quick
accomplishment. They generally don't care whether the system they are
attempting to compromise is a corporate system or a home user's. They want
one more notch on their belt to show off to their friends, hoping to raise
their social status among their peers. They may try to break into
high-visibility sites for the purpose of placing their computer handle on
the site for the world to see. They may also target home computers for the
same purpose: a higher degree of respect within their social circle.
Tools. As their name denotes, they have very little knowledge and depend
heavily on someone else's tool to do all the technical work for them. Often,
after compromising a system's security, they find themselves at a loss as to
what to do with the newly "acquired" resource. Their first tool in an attack
is a scanner, which is set to check a range of IP addresses (computers) for
a list of services that may be running on those computers. The scanner
"takes inventory" of the computers and their services, and provides a list
of the computers that were found and what services were found running on
them. The script kiddie then takes this list and downloads a specific tool
for a particular service that was found running. That tool was created by
someone who understood the service and its vulnerabilities. The kiddie
executes the tool to exploit the known weakness of the service, compromising
the computer system the service runs on.
Detection. Script kiddies are easily detected. Because the tools they use
are also known by the "white hat" community, the tools' signatures (the
network activity a tool generates when looking for or taking advantage of a
security weakness) can easily be detected and counteracted. It is actually
possible (but not recommended) with a good detection mechanism in place to
effectively block script kiddies from discovering your services and
compromising your systems, even though your services may have known
vulnerabilities.
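As an added illustration (not part of the original article), the following Python script shows the kind of signature-based detection described above: it reads constructed firewall log lines, flags any source that touches many distinct ports on one host within a short window (the inventory-taking pattern a scanner leaves behind), and renders an illustrative block rule for the offending source. The log format, the threshold, the window and all addresses are assumptions chosen for the example.

```python
"""Scanner-signature detection over constructed firewall log lines.

Added example, not code from the original article. The log format, the
threshold (8 distinct ports within 60 seconds) and all addresses are
assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <action>".
# 203.0.113.5 sweeps ten ports on one host in five seconds (scanner behaviour);
# 198.51.100.7 is ordinary web traffic.
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.5 192.0.2.10 21 DROP
2024-05-01T10:00:01 203.0.113.5 192.0.2.10 22 DROP
2024-05-01T10:00:01 203.0.113.5 192.0.2.10 23 DROP
2024-05-01T10:00:02 203.0.113.5 192.0.2.10 25 DROP
2024-05-01T10:00:02 203.0.113.5 192.0.2.10 80 ACCEPT
2024-05-01T10:00:03 203.0.113.5 192.0.2.10 110 DROP
2024-05-01T10:00:03 203.0.113.5 192.0.2.10 143 DROP
2024-05-01T10:00:04 203.0.113.5 192.0.2.10 443 ACCEPT
2024-05-01T10:00:04 203.0.113.5 192.0.2.10 3306 DROP
2024-05-01T10:00:05 203.0.113.5 192.0.2.10 8080 DROP
2024-05-01T10:00:30 198.51.100.7 192.0.2.10 443 ACCEPT
2024-05-01T10:05:00 198.51.100.7 192.0.2.10 80 ACCEPT
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, port, action)."""
    ts, src, dst, port, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), action


def detect_scans(log_text, distinct_ports=8, window=timedelta(seconds=60)):
    """Flag (src, dst) pairs where src probes >= distinct_ports unique ports
    on dst within any span of length `window`. Returns tuples of
    (src, dst, ports_seen, window_start, window_end). A scan spread thinner
    than the threshold over a longer time is not caught; that is the known
    limit of a simple signature like this one."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, port, _ = parse_line(line)
            events[(src, dst)].append((ts, port))

    alerts = []
    for (src, dst), evs in events.items():
        evs.sort()
        start = 0
        live = defaultdict(int)  # port -> hits inside the current window
        for ts, port in evs:
            live[port] += 1
            # Slide the window forward, dropping events older than `window`.
            while ts - evs[start][0] > window:
                old_port = evs[start][1]
                live[old_port] -= 1
                if live[old_port] == 0:
                    del live[old_port]
                start += 1
            if len(live) >= distinct_ports:
                alerts.append((src, dst, len(live), evs[start][0], ts))
                break  # one alert per pair is enough for a block decision
    return alerts


def block_rules(alerts):
    """Render each alert as an iptables drop rule for the offending source
    (an illustrative response; a real deployment feeds its own firewall)."""
    return [f"iptables -A INPUT -s {src} -j DROP" for src, *_ in alerts]


if __name__ == "__main__":
    found = detect_scans(SAMPLE_LOG)
    for src, dst, n, t0, t1 in found:
        print(f"scan: {src} -> {dst}, {n} ports between {t0} and {t1}")
    for rule in block_rules(found):
        print(rule)
```

Run as-is it reports one scan from 203.0.113.5 and one drop rule; the ordinary client never trips the threshold. Raising `distinct_ports` or shrinking `window` is the tuning knob between missed slow scans and false positives on busy legitimate clients.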
Also, because a script kiddie is looking for peer recognition, they will
usually leave highly visible signs of their activity for all their peers to
see. This includes defacing a web site or re-routing a web site to their own
server. Such activity is highly detectable; any company that monitors its
own web site will quickly see such obvious changes. Because the script
kiddie is a novice, he generally won't know how to cover his trail once he's
in a system and won't know how to maintain control over the system using
advanced stealth methods.
Prevention. A good detection mechanism that can block script kiddies is an
obvious initial step. Another excellent preventive measure that comes up
time and time again in computer security is keeping all running systems at
the current level of patches and updates. As new vulnerabilities are found
and published by "crackers" (those who actually find and determine how to
take advantage of computer vulnerabilities), they are patched by security
professionals who monitor cracking activity.
The Intermediate
The intermediate is someone who is gaining deeper knowledge and broader
experience in various methods of attacking and compromising computer
security, and who is developing reasons other than the ego-centric ones of
the script kiddie to perform attacks. An intermediate will begin to have a
working knowledge of security measures such as IDS (Intrusion Detection
Systems) and firewalls, and will be aware of methods that circumvent such
measures.
Motivation. The intermediate has begun developing more serious relationships
that motivate his illegal activity in financial, political, or other
non-egocentric directions. The intermediate is not commonly accepted as
advanced and will show some ego-centric behavior in efforts to "prove" his
skills or technical status. If the intermediate is rising in the ranks of
his peers he may target computer systems that will help him maintain or
advance his status in the group, not just the easy "notch in the belt"
targets of the script kiddie.
Tools. The intermediate has a greater technical understanding of the process
of compromising computer security systems and various computer services.
While the intermediate may use some of the same tools as the script kiddie,
his choices will be more deliberate and focused on exactly what is needed to
bypass particular security measures. He will already have tried many of the
automated attacks and discarded those that didn't work well or consistently.
In this manner he has homed in on what is required to accomplish his goals.
The intermediate's longer exposure to various computer systems will also
allow him to "work outside the box" when he gets into situations where there
isn't a tool to accomplish what he needs, or when he needs to coordinate the
compromise of several vulnerabilities to meet his objective. In such
situations the script kiddie would be lost; here the intermediate begins to
surpass the script kiddie.
Detection. Because the intermediate initially relies on the same tools as
the script kiddie to perform reconnaissance, he will reveal his presence, or
at a minimum his interest in a target, to the same security systems that
detect script kiddies. The intermediate's broader range of experience will
make him more active once he has compromised security. By defining what
constitutes legitimate internal activity and detecting and investigating
anything beyond it, an organization can quickly become aware of when
security has been compromised and of the extent of the breach.
Prevention. A good IDS that responds to reconnaissance activity is essential
to early prevention of security breaches by the intermediate, as is keeping
all systems up to date with the latest patches and updates.
The Advanced Blackhat
The advanced blackhat is someone with a significant amount of experience
and a broad scope of exposure to computer technology.
Motivation. An advanced blackhat is not motivated by status or prestige. His
motivation is usually the satisfaction of having accomplished a difficult
and challenging task, financial gain, or political/ideological purposes.
Because the motivation is so specific, the selection of targets is highly
focused. Often the target will have a high degree of importance, unlike the
script kiddie, who will take any easy target he thinks he can compromise.
Securing computer systems against highly targeted attacks will be the next
focus in protecting the world's economic system from terrorism and in
securing corporations against competitors engaged in corporate espionage.
Tools. Because of the wide range of experience a blackhat has, his selection
of tools will be extensive. While a blackhat may initially use the same or
similar scanners to detect vulnerabilities in his target of choice, he will
often not use the same methods the script kiddie used to compromise the
security of a system. And once he has compromised a system, he will quickly
cover his tracks by modifying logs and restoring the system to a condition
similar to what it was before the attack began. Often a blackhat will set up
a backdoor to allow easy access in the future.
Backdoors and tools to keep a blackhat's presence hidden come in packages
called rootkits. Rootkits get their name from the common functionality
of giving the blackhat "root", or administrative, rights over the
compromised system. Rootkits can also modify the logs and provide
backdoor access to the system. Some rootkits can also modify the system
in such a way that if the system's services were examined they would appear to
be exactly as they were before the attack, even though they had been modified
by the attacker.
Detection. Detecting a blackhat is much more difficult than detecting a
script kiddie, because the blackhat doesn't intend to be noticed and takes
pains to hide his access, the opposite of the sloppy script kiddie who just
wants to boast about his accomplishment.
The blackhat has three areas of detection:
(1) Because a blackhat's early reconnaissance steps are similar to those of
the script kiddie, early detection comes from the network signatures of the
tools used.
(2) Because a blackhat's intent is to leverage the compromised system in a
coordinated attack against an organization's computer systems, he will often
modify the OS or its configuration in significant ways to maintain control
of the system; such a significant change can be detected by tools that check
the state of the system and compare it to the state of the system at some
known-good point in the past.
(3) Often one system that can be accessed from the outside will not have
enough value to satisfy the intent of the intrusion; instead it will be used
to compromise other key systems internally, and such internal activity can
be detected if strict internal access policies are in place and adhered to,
and systems and networks are monitored for compliance.
Prevention. Since a blackhat's initial steps in compromising security are
similar to those of the script kiddie, the same preventive steps need to be
in place to detect and thwart a blackhat's attempt to compromise the
security of a system. Removing all tools and applications not essential to
the function of a system helps handicap a blackhat if he is able to
penetrate the outer ring of security. For example, a web server has no need
of a C compiler, but if an attacker were to gain access to the web server,
the C compiler would serve him well in installing backdoor patches into the
OS source or other services' source code and recompiling them with these
vulnerabilities built in. Removing tools from the system may also prevent
the attacker from further activity. For example, without an ftp client
installed, the attacker will have a more difficult time getting his backdoor
patches and rootkits onto the box for installation.
"Fingerprinting" a system (taking a snapshot of pertinent services and
configurations) and regularly comparing past fingerprints against the
current system's state can give an early warning when an attack is just
underway.
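The fingerprint comparison described here, the state check listed as the second area of blackhat detection above, and the web-site monitoring mentioned under the script kiddie's detection all come down to the same procedure: record a known-good state, store it somewhere the attacker cannot reach, and diff the current state against it on a schedule. The following Python example is added here and is not from the original article; the watched files and the service list are constructed in a throwaway directory, and a real deployment would hash the host's actual configuration files and collect its listening services.

```python
"""System fingerprinting: take a baseline snapshot and diff it later.

Added example, not code from the original article. The files and the
service list are constructed for the demo; in practice you would hash the
real configuration files and collect the listening-service list from the
host, and keep the stored baseline off the monitored machine.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def fingerprint(root, services):
    """Snapshot every regular file under root plus the set of running services.
    File keys are POSIX-style relative paths so a baseline taken on one host
    can be compared on another."""
    root = Path(root)
    files = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            files[p.relative_to(root).as_posix()] = sha256_of(p)
    return {"files": files, "services": sorted(set(services))}


def compare(baseline, current):
    """Return what changed between two fingerprints; all-empty lists mean
    the system still matches its known-good state."""
    b_files, c_files = baseline["files"], current["files"]
    b_svc, c_svc = set(baseline["services"]), set(current["services"])
    return {
        "added_files": sorted(set(c_files) - set(b_files)),
        "removed_files": sorted(set(b_files) - set(c_files)),
        "modified_files": sorted(
            f for f in b_files if f in c_files and b_files[f] != c_files[f]
        ),
        "added_services": sorted(c_svc - b_svc),
        "removed_services": sorted(b_svc - c_svc),
    }


def demo():
    """Construct a throwaway 'system', baseline it, change it, and diff.
    Returns the compare() result so it can be checked programmatically."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        baseline = fingerprint(root, ["sshd", "httpd"])

        # Persist and reload, as a scheduled job would with a stored baseline.
        baseline = json.loads(json.dumps(baseline))

        # Simulated drift: one config edited, one file added, one new listener.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "new.conf").write_text("constructed example file\n")
        current = fingerprint(root, ["sshd", "httpd", "unknown-listener"])
        return compare(baseline, current)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The same `compare` step serves the web-site case: hash the page as served and treat any unexpected change to the hash as the "obvious change" the article says a monitored site reveals. The value of the approach depends entirely on the baseline being trustworthy and stored out of the attacker's reach; a baseline kept on the compromised host can simply be regenerated by the attacker after his changes.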
Additionally, by implementing strict internal security policies and
remaining vigilant against infractions of these policies, detecting abnormal
network activity from a system can be the first flag that there is a
security problem, and swift action can prevent the attacker from penetrating
other systems.
The Employee or Affiliate Employee
This category represents the internal threat, though it may come in a form
other than the employee or an affiliate company's employee. Often in
computer security so much emphasis is placed on external threats and
securing outward-facing servers that internal systems lie unprotected. While
it may be more permissive, internal security is essential to the overall
security of an organization's computer systems. Employees have a working
knowledge of the security systems and the available targets within the
organization, something most intruders have to figure out as they go. Such
knowledge makes the employee's plan of attack much more powerful and more
likely to succeed.
Motive. The internal threat ranges from the revenge-seeking disgruntled
employee who was passed over for promotion to the curious newbie who wants
to see exactly what can be accomplished. In highly political or highly
competitive organizations the motive may be political or financial.
Detection. In general the reconnaissance we saw in the external threats
isn't necessary in most "inside jobs", although it may appear where the
insider cannot otherwise determine the vulnerabilities of his target
systems. Internal IDS and strict usage rules, with mechanisms to detect
unusual activity, are the best way to detect internal security breaches.
Prevention. Knowing your employees, granting only those permissions required
for each job function, conducting security audits, and enforcing a
no-tolerance policy are some of the best ways to prevent the internal
compromise of security systems.
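As an added example (not from the original article) of "granting only those permissions required for each job function" combined with a security audit, the following Python code compares each account's actual grants against a role-to-permission map and reports everything beyond what the role needs, plus any account whose role is not defined at all. The roles, permissions and accounts are constructed; a real audit would export the grants from the organization's identity system.

```python
"""Least-privilege audit over constructed role and account data.

Added example, not code from the original article. Role names, permissions
and accounts are constructed; the point is the deny-by-default comparison
between what a job function needs and what an account actually holds.
"""

# What each job function is allowed to do. Anything not listed is denied.
ROLE_PERMISSIONS = {
    "developer": {"repo:read", "repo:write", "ci:run"},
    "ops": {"repo:read", "prod:deploy", "prod:shell"},
    "hr": {"hr:read", "hr:write"},
}

# Constructed account records: the role each person holds and the
# permissions actually granted on the systems (as an IAM export would list).
ACCOUNTS = [
    {"user": "alice", "role": "developer",
     "granted": {"repo:read", "repo:write", "ci:run"}},
    {"user": "bob", "role": "developer",
     "granted": {"repo:read", "repo:write", "ci:run", "prod:shell"}},
    {"user": "carol", "role": "hr",
     "granted": {"hr:read", "hr:write", "repo:read"}},
    {"user": "dave", "role": "contractor",
     "granted": {"repo:read"}},
]


def audit(accounts, role_permissions):
    """Return findings: excess grants per user and accounts whose role is
    not defined. Deny by default: a permission is acceptable only if the
    account's role explicitly lists it; everything else is a finding to be
    reviewed or revoked."""
    findings = {"excess": {}, "unknown_role": []}
    for acct in accounts:
        allowed = role_permissions.get(acct["role"])
        if allowed is None:
            # No defined role means no defined need, so every grant is excess.
            findings["unknown_role"].append(acct["user"])
            allowed = set()
        excess = sorted(set(acct["granted"]) - allowed)
        if excess:
            findings["excess"][acct["user"]] = excess
    return findings


def revocation_plan(findings):
    """Flatten findings into (user, permission) pairs to revoke, in a stable
    order, so the output can be reviewed and applied as a change ticket."""
    return [(u, p) for u in sorted(findings["excess"])
            for p in findings["excess"][u]]


if __name__ == "__main__":
    report = audit(ACCOUNTS, ROLE_PERMISSIONS)
    for user in report["unknown_role"]:
        print(f"{user}: role not defined, review all grants")
    for user, perm in revocation_plan(report):
        print(f"revoke {perm} from {user}")
```

On the constructed data the audit flags bob's production shell access (a grant his role does not need), carol's repository read, and dave, whose "contractor" role has no definition and therefore no legitimate grants at all. Running this on a schedule is the audit the article recommends; the role map itself is the written form of "only those permissions required for each job function".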