Gary Rivlin - Becoming an Ethical Hacker

B ECOMING A N EUROSURGEON

B ECOMING A V ETERINARIAN

B ECOMING A V ENTURE C APITALIST

B ECOMING A H AIRSTYLIST

B ECOMING A R EAL E STATE A GENT

B ECOMING A M ARINE B IOLOGIST

B ECOMING AN E THICAL H ACKER

B ECOMING A L IFE C OACH

A LSO A VAILABLE

B ECOMING A Y OGA I NSTRUCTOR

B ECOMING A R ESTAURATEUR

B ECOMING A P RIVATE I NVESTIGATOR

B ECOMING A B AKER

B ECOMING A S OMMELIER

B ECOMING A C URATOR

B ECOMING AN A RCHITECT

B ECOMING A F ASHION D ESIGNER

Simon & Schuster

1230 Avenue of the Americas

New York, NY 10020

www.SimonandSchuster.com

Copyright 2019 by Simon & Schuster, Inc.

All rights reserved, including the right to reproduce this book or portions thereof in any form whatsoever. For information, address Simon & Schuster Subsidiary Rights Department, 1230 Avenue of the Americas, New York, NY 10020.

First Simon & Schuster hardcover edition May 2019

SIMON & SCHUSTER and colophon are registered trademarks of Simon & Schuster, Inc.

For information about special discounts for bulk purchases, please contact Simon & Schuster Special Sales at 1-866-506-1949 or .

The Simon & Schuster Speakers Bureau can bring authors to your live event. For more information or to book an event, contact the Simon & Schuster Speakers Bureau at 1-866-248-3049 or visit our website at www.simonspeakers.com.

Library of Congress Cataloging-in-Publication Data is available.

Jacket design by Alison Forner

Jacket images by Mona Monash And Vectorchoice/Getty Images

ISBN 978-1-5011-6791-1

ISBN 978-1-5011-6792-8 (ebook)

T O MY MOTHER , N AOMI R IVLIN, WITH LOVE

A ngela Gunn is fried. This is one of those frantic periods when it feels as if she works in an ER or at a fire station rather than holding a staff position with a computer security firm. Its just after Labor Day 2018, and shes chosen as our meeting place a caf with a dive-bar vibe in a trendy stretch of Seattles downtown. Called Bedlam, Gunn declared the place thematically appropriate for any discussion that involves her life and job. A frazzled Gunn plops down in a seat across from mine. Im a hot mess today, she declares.

This is her life every August, Gunn explains. Invariably, its the same around Christmas and New Years as well. Shes busiest when the rest of the world is on vacation and online fraud peaks. People attack when they think your guard is down, Gunn says. At the time of my visit, she was juggling three cases. That made for a hectic August that spilled into September. All three were coming to a close, but she had been roped into a fourth. I was up till four a.m. last night and it wasnt even one of my cases, she says. The late hours were because she needed to speak with the firms malwaremalicious softwarespecialist, who lives in Australia. A brilliant guy. I respect the hell out of him, Gunn says. I just wish he didnt live nineteen time zones away. Her job over the next twenty-four to forty-eight hours will be to find the people her firm needs for this latest case. My guy cant get here so I need to find boots on the ground, she says. So now its about making alliances with people known for wearing hats that are some shade of white.

Gunn orders a tall Rose Mocha latte that the menu describes with flowery prose: Imagine walking in a garden, cool and in the bright sun, a fountain splashing softly, the faint sweet scent of roses & chocolate full of Eastern promise. After reading it out loud to me, Gunn starts rattling off jokes about the new Seattle (she first moved to the city in the late 1990s) and for good measure takes a couple of biting digs at Amazon, which she and others I meet with while in town cast as an Evil Empire, practically swallowing whole the city they love. She brightens when her Rose Mocha arrives. Its been a rough few weeks, Gunn tells me, I could use a cool walk through a garden right about now.

Its people like Gunn that organizations large and small call if theyve had a data breach or suspect they have. People in the industrycybersecurity, if youd like, though Gunns preference is information security, or info-sec for shortcall this incident response. To my mind, though, theyre the online worlds firefighters: those who rush to put out the flames and then assess the damage. Ten years ago, Gunn was working as a tech journalist. Now she works full-time for a long-standing British security firm called BAE Systems, which hired her a couple of years earlier to help them establish a presence in Seattle. Her title is incident response consultant, and its her job to assemble the small crew she needs for each case. Typically, that includes an analyst who can pore over computer logs, a malware specialist, and those she dubs forensic workers, except without the formaldehyde smell and ripped-open chest cavities. Thats if she can find any live bodies to do the work.

Right now, Id sell a right toe for a forensics guy, Gunn says. Like a lot of people in info-sec right now, were agonizingly understaffed.

That morning she had been on the University of Washington campus for the quarterly gathering of the Seattle-area computer security group to which she belongs. As usual, that days talk, about the special precautions a security team must take to protect power grids, water treatment centers, and other critical infrastructure, was off-the-record. The idea, she explains, is to create a safe space for people so they can speak freely without fear of the consequences. Its a network of trust. Except when it comes to stealing everyones best people, she says. People dont say hello so much as let one another know what postings they have that remain open. A typical conversation goes, Oh my God, where did you land? Theyll say Amazon and you ask, Oooo, are you okay? Gunn has been in the business for eight yearsif not quite an old hand, then someone who has learned a lot since taking a job at Microsoft, in 2010, where she helped manage the companys message to the wider world when a bug hit Windows or another Microsoft product.

People in security are changing jobs it seems every year, if not every six months, Gunn says. At the meeting just now, I was like, Maybe one of you guys is my next analyst. Except theyre hoping Ill join their team. A 2015 report by

I T WASNT THAT LONG ago that computer security was more of a niche job categorya wise career choice, perhaps, but a specialty that relegated an employee to a backwater of the computing world. The release of the 1983 movie WarGames woke up many to the importance of cybersecurity in a digital age, including then president Ronald Reagan, who saw the movie the day after its release. Reagan was among those frightened by its depiction of Matthew Broderick as a teen tech whiz who unwittingly breaks into a military computer and nearly triggers World War III. Fifteen months later, in September 1984, the National Security Agency, or NSA, released a policy directive dryly titled, National Policy on Telecommunications and Automated Information Systems Security. The generals and spy chiefs around Reagan concluded that the film wasnt as far-fetched as they might have hoped. The governments systems, the policy directive said, were highly susceptible to attack by foreign powers, terrorist groups, and criminals. Yet networking was still an esoteric issue then, even among computer scientists, and personal computers were only starting to appear inside corporate America and in peoples homes. Most people working info-sec then toiled in the bowels of the Pentagon or worked for a big defense contractor.