1. It depends on what systems you are talking about. Defacing websites, and other publicly acessible systems requires a minimal amount of technical know-how, taking down a section of the national power grid would most likely require months of careful research and planning... 2. Knowledge of LAN/WAN theory, remote access, common security protocols,current exploits for UNIX/Linux/NT, C++, Perl, Java, etc... Beyond the nuts and technical bolts however, their are certain acquired skills ie social engineering, system penatration and take down, that one must acquire within the cracker community. These tricks of the trade are also difficult to practice for most individuals, for fear of involvement with law enforcement or other authorities. 3. Certain system tools, SAINT(satan), as well as other security diagnostics, and cracker script tools can significantly automate the process of cracking less secure systems. I feel that that best use of these script based tools would be to masquerade a more serious attack under the barage of multiple automated, script based attacks. 4. Anything. If you make it, someone will crack it. However, the most secure O/S. out is, IMHO, is OpenBSD. However, even OpenBSD can be made insecure. OpenBSD is the only O/S I know of that has had a complete, line by line audit of the source to spot security errors. 5. Yes, however the speed of recover will depend on the whether or not an attack was prepared for in a proper manner. 6. Most likely, as computer technology continues to intertwine itself into our everyday lives, the threat will grow. 7. If you care about your data, keep a computer security specialist on staff. Impliment wide spread encryption. Also, the most important things is to educate the end users about security. Let's face it. Nobody is going to dive into the sewers, splice into a piece of telco fiber, and spend months decoding that spiffy RSA-512 crypto you've got on your WAN lines to protect you data. They're going to ask Joe sixpacks for the RAS number, and if he could *please* readback his username and password for "validation with our databases".