Facing Cyber Threats Head On
Protecting Yourself and Your Business
Brian Minick
ROWMAN & LITTLEFIELD
Lanham Boulder New York London
Published by Rowman & Littlefield
A wholly owned subsidiary of The Rowman & Littlefield Publishing Group, Inc.
4501 Forbes Boulevard, Suite 200, Lanham, Maryland 20706
www.rowman.com
Unit A, Whitacre Mews, 26-34 Stannary Street, London SE11 4AB
Copyright 2016 by Brian Minick
All rights reserved. No part of this book may be reproduced in any form or by any electronic or mechanical means, including information storage and retrieval systems, without written permission from the publisher, except by a reviewer who may quote passages in a review.
British Library Cataloguing in Publication Information Available
Library of Congress Cataloging-in-Publication Data Available
ISBN 978-1-4422-6548-6 (cloth : alk. paper)
ISBN 978-1-4422-6549-3 (electronic)
The paper used in this publication meets the minimum requirements of American National Standard for Information Sciences - Permanence of Paper for Printed Library Materials, ANSI/NISO Z39.48-1992.
Printed in the United States of America
To my wife, Anne Lynn:
Thank you for loving and supporting me as I have taken on numerous projects. Your trust and confidence in me makes me better. I also want to thank you for using your literary talents to make this work so much better. You are a blessing to me.
Like many boys growing up, my friends and I used to play cops and robbers. In that game you are either a good guy or a bad guy, and I always liked being the good guy. There was just something appealing about being the hero who could protect the innocent, stop the bad guys, and generally save the day. While playing cops and robbers, we would invent elaborate and fantastical ways for the good guys to win. They usually involved some level of superhuman strength and agility.
As I got older I came face to face with the fact that I was not the superhero type. In fact, I was more like the ninety-pound weakling. To further drive this point home to my developing mind, about this same time, I discovered that I'm a bit of a computer nerd. My illusions of protecting people and saving the day were soon put behind me. My cape would eventually be stuffed in the back of my closet with my safety blanket.
The upside to this is that I'm one of those people who have always known what they wanted to do when they grew up. I got my first computer in the mid-80s and never looked back. The only question in my mind was what exactly I would end up doing with computers. Whether it would be writing programs for computers, teaching computer classes, or any of a large number of options in between, I wasn't sure. Generally speaking, I liked it all and would have been satisfied with any of them.
I spent a lot of time after college writing computer programs. I loved solving problems for people by making computers do things that others couldn't. I still believe that computer programs are works of art. Not only is there art and elegance in the algorithm, or the way the programmer instructs the computer, but also artful is the code itself and how it is formatted. At one point, I thought about printing some of my code and framing it. Yep, that superhero cape was completely forgotten about and the dorky glasses and pocket protector had officially taken over.
Then, one day, something happened that forced me to dig deep into the closet and pull that cape out. When I was first asked to be a cyber security leader, my primary directive was to keep bad guys from breaking into computers and stealing information. It was like playing cops and robbers. I was the good guy, once again trying to stop the bad guy and save the day, only this time it was for real. To make it even better, the battleground was on computers. I got to put on the cape and keep the pocket protector. What could be better?
As a cyber security leader, I don't really wear a cape, and for the record, I have never worn a pocket protector either. However, myself and many other cyber security leaders like me do view ourselves as defenders of good. In cyber security there really is a bad guy who is trying to break in, steal, harass, and take advantage of people. It is the defender's job to stop these bad guys. I find doing that fascinating.
I personally find cyber security to be one of the most interesting topics. It is not just good versus evil; it is not just technology against technology; it is strategy against strategy. You have to outthink the bad guy. In some ways cyber security is like a chess game, and I love this element of the challenge.
As you read this book, we will explore not just the technical aspects of cyber security and how it got to be as large of a challenge as it is today, but we will also explore the personal nature of cyber security and how that needs to drive how we defend ourselves. Cyber security is a rare discipline that combines technology with strategy. I hope you come away from the book as intrigued and interested in cyber security as I am.
In the middle of this normalcy, a news story broke. Years after this news came out, people do not necessarily remember where they were when they heard it. It was not like the JFK assassination, the space shuttle Challenger disaster, or 9/11. However, unlike most news, years after this event, many people still do remember the story. They remember the story as the news that introduced them to a new problem that most had not even thought of before.
A reporter named Brian Krebs revealed that Target stores across the United States were investigating a data breach that may have compromised millions of credit and debit cards. This news was big, but many people were left scratching their heads wondering what a data breach was and why they needed to care. Talking heads, who were computer experts, came on the news programs to offer their explanation of the situation and help people understand how this data breach may have impacted them.
For many people, this news story was the first time they had even heard the term "data breach." Many were left wondering what exactly a data breach was. Most people knew what "data" meant. Most people also had heard the term "breach" used before as well, but put the two together and what does it mean exactly? Was this concept similar to a baby being born breach? Was data coming out of computer systems backward? Or was it like a ship whose hull is breached? Was data flooding into something? Either way, the term "data breach" was related to computers, and many people do not fully understand computers, nor do they particularly care to. The public did realize, though, that this breach could not have anything to do with backward data or data floods because something was happening with millions of people's credit and debit card numbers, and that something was not at all good.
Most people understand the concept of having their credit or debit card numbers stolen. This can happen if a dishonest waiter wrote down the numbers on his customers' cards or if someone stole your purse and headed to the store. Could this breach, and the many others that have since followed at numerous retailers, have similar consequences? As more and more retail data breaches made the news, it became clear that these data breaches did have similar consequences. In fact, the more these stories developed, the more they became a bit like something out of a James Bond film. Similar to the scene in Skyfall where the bad guy Silva hacks into MI6 in order to do all kinds of devious things, including blowing up M's office; to a lot of people, stories behind all the retail breaches seem like something Hollywood made up.
A massive conspiracy was underway to steal millions of card numbers and then sell them to the highest bidders on the black market. The mastermind of this conspiracy would get very rich, and the people who bought these cards on the black market would then use them to buy whatever they wanted. In the old days, something of this scale would have required a criminal mastermind to convince thousands of store employees to covertly write down card numbers and then funnel those card numbers back to a single person. Can you imagine an evil organization like James Bond's nemesis SPECTRE controlling all the cashiers in a large retail chain, with each cashier faithfully following orders from the top of the evil organization as they pilfer card numbers? Unfortunately, this scenario is not very far from what really happened.