Bullseye Breach
ANATOMY OF AN ELECTRONIC BREAK-IN
Greg Scott
Copyright 2015 by Greg Scott
All rights reserved. No part of this book may be reproduced by any mechanical, photographic, or electronic process, or in the form of a phonographic recording, nor may it be stored in a retrieval system, transmitted, or otherwise be copied for public or private use, other than for fair use as brief quotations embodied in articles and reviews without prior written permission of the publisher.
ISBN 13: 978-1-59298-877-8
Library of Congress Catalog Number: 2015903779
Printed in the United States of America
First Printing: 2015
19 18 17 16 15 5 4 3 2 1
Edited by Steve LeBeau, Lily Coyle, and Alicia Ester
Cover and interior design by Laura Drew.
Cover photography shutterstock.
Beaver's Pond Press
7108 Ohms Lane
Edina, MN 55439-2129
952-829-8818
www.beaverspondpress.com
Dedicated to the unsung heroes on the front lines in bank fraud departments across the United States. Especially to Kim, with the real-world US Bank Fraud Department, who saved my butt when she helped me track down at least $14,773.92 in attempted fraudulent transactions on my own credit card on Dec. 1, 2011.
And to the IT security professionals in the trenches who work hard to keep us safe on the Internet. May everyone who reads this book heed their warnings.
Ripped from recent headlines, this gripping cyber-attack tale has all the elements of an international thriller, including a floating corpse in the Gulf of Finland. Meet an underground criminal supply chain, its innocent victims, and an unlikely midwestern IT group with an ingenious way to fight back against the theft of millions of credit-card numbers. If data breaches were not routine by now, this story would be unbelievable. Instead, it's a snapshot of life in today's interconnected world, and an unforgettable Internet safety education. IT security has never been so riveting!
A Michael Crichton-like whirlwind story that's very hard to put down once you pick it up. Part mystery, part suspense, part education, part technology, and all entertainment.
Ken Steinhardt, computer scientist and retired former VP, EMC Corporation
A perfect foray into how things can go terribly wwrrroonnggg... And all it took to get started was One Thoughtless .
Winn Schwartau, CEO of The Security Awareness Company and author of Information Warfare and Pearl Harbor Dot Com (Die Hard IV)
After reading the book, I actually have a better idea of how a multi-vector compromise happens, and how the little signs that should have been caught were missed. Hits the nail squarely.
Al Gillen, program VP, Servers and System Software, IDC
Greg Scott is a veteran of the tumultuous IT industry, and the founder of Infrasupport Corporation, with a laser focus on infrastructure and security. In the 1990s, he was a popular columnist for magazines ENT and Enterprise Linux. He currently lives in the Twin Cities with his wife, daughter, and two grandchildren.
Prologue: Why Yet Another Book on IT Security?
Several years ago, I visited a potential customer and showed her how her business was vulnerable to cyberattacks. But I made a mistake: I used a computer and computer screens to illustrate the threats she faced. It was a short meeting. As I tried to explain subjects such as malware and phishing and open TCP ports and IP addresses and NAT, and the threats she faced, she told me she already had somebody who could reset passwords and showed me the door.
Another time, I met with an executive at a bank who also wanted me to go away. In an effort to show he already had all the security he needed, he confidently handed me a folder with the results from a security study he paid somebody else to do. I looked over the report, and then said, "This looks good. They did a good job describing the issues around your website. Where's the part about your internal network right here at the bank?"
His reply was quick. "Thanks for coming by. There's the door and have a nice day."
Another time, I ran a virus scan on the store computer at a small retailer and found hundreds of compromised files. When I tried explaining that sharing her public Wi-Fi service with her private store network was like walking into a closed room full of contagious people, she called her bookkeeper and decided it wasn't worth her time or money to fix it. It was another short meeting.
I've seen countless scenarios play out in hundreds of organizations over the years and they all have one common attribute: a decision maker either unable or unwilling to believe IT security issues are relevant.
And after all these years, maybe I finally get it. IT concepts are abstract and business decision makers don't deal in the abstract. They deal in the here and now. Security practitioners need to adjust how we present this stuff.
So this book tells a fictional story, inspired by recent headlines, about a large scale attack. You'll meet some bad guys, the clueless, a few victims, and some good guys who come up with a creative way to fight back.
Take away three real-world lessons:
- You're right; you probably don't have any secrets anyone cares about. But you're not the target; you're part of the path to the target. Maybe somebody fooled you into running the wrong program and now he or she wants you to pay a ransom to unscramble all your company documents. Or maybe somebody is using you to steal somebody else's secrets. Either way, the fallout will be bad for your business. Just ask Max Rousseau. Or Frank Wright. Or even better, Frank's son.
- The Internet criminal industry is well funded, resourceful, and smart. The bad guys have an entire value chain, including raw material suppliers, manufacturers, logistics, and end user customers. It's an arms race and the good guys are outnumbered and outgunned.
- Your security practices have real-world consequences, some of them far beyond your company walls. Read about Regina Lopez, who represents millions of real-world innocent victims ensnared by the poor security practices of one large retailer.
The threats are real and the scenarios presented in this book are adapted from real life. Don't bury your head in the sand and pretend your IT systems are not important just because you don't understand them. The Internet is here to stay and you need to protect the confidentiality, integrity, and availability of your data. The future of your company depends on it.
I hope you enjoy reading this story as much as I enjoyed getting to know the characters and writing it.
One more note to keep me out of hot water: although inspired by real life events, the story in this book is straight out of my imagination. It's fiction. I made it up. All characters appearing in this work are fictitious. Any resemblance to real persons, living or dead, is purely coincidental.
All warfare is based on deception.
Sun Tzu, Chinese strategist (544 - 496 BC)
Cybercrime Seminar
Beneath every inch of the Internet superhighway is a vast sewer system, the underground home of cybercriminals who
Jerry Barkley abruptly paused in the middle of his speech on cybercrime, because he suddenly realized he was the only man in the room not wearing a suit. He gazed across the audience at the Retail Council monthly luncheon tucked in a second floor conference room in the Minneapolis Convention Center. These executives and their staffs represented the entire gamut of retail stores in Minneapolis, from Fortune 500 companies to small businesses. Some wore custom-tailored Italian silks, some wore off-the-rack polyester, but they all wore suits. Jerry didn't feel inferior as much as he just felt out of place. Most of his friends were people in low places, regular folks who valued him for his independent spirit and practical knowledge of computers and networking. They didn't care that he wore tennis shoes and slightly faded khakis. Besides, for this lunchtime talk he wore his very best sweater, the one with all the swirly colors that reminded him of modern art. As far as Jerry was concerned, he was plenty dressed up for the occasion.