Young Christopher - The Cybersecurity Playbook: Practical Steps for Every Leader and Employee--To Make Your Organization More Secure

ALLISON CERRA

Copyright 2019 by McAfee LLC. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

Published simultaneously in Canada.

Mister Cellophane (from Chicago)

Words by Fred Ebb

Music by John Kander

Copyright 1975 (Renewed) Unichappell Music, Inc., and Kander & Ebb, Inc.

All rights administered by Unichappell Music, Inc.

All rights reserved

Used by permission of Alfred Music

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 7508400, fax (978) 6468600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 7486011, fax (201) 7486008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 7622974, outside the United States at (317) 5723993 or fax (317) 5724002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Cataloging-in-Publication Data:

ISBN 9781119442196 (Hardcover)

ISBN 9781119442165 (ePDF)

ISBN 9781119442134 (ePub)

Cover image: MicroOne/Shutterstock

Cover design: Wiley

For Frank, the love of my life, who has yet to read a single
page of anything I've written, including this one. Thank you
for loving me and keeping me grounded.

Ive had better Sundays.

It was Easter, April 16, 2017. I had just finished a homemade dinner with my husband. It was time to chill and finally enjoy a few hours of downtime, compliments of the latest binge-worthy craze on Netflix. Little did I know, I was about to star in my own real-life drama that was much more cringe-worthy instead.

My cell lit up and I looked down at the display. It was a text from Chatelle, our chief human resources officer (CHRO). Chatelle and I were close. We had just teamed up to help McAfees spinout from Intel as one of the worlds largest independent cybersecurity companies 12 days prior. Seeing a text from her on Easter wasnt unusual, assuming it was the type of well-wishing that happens between friends on a holiday. This was not that type of text.

• You need to check out our social media page. Its bad.

I immediately felt my blood pressure surge as I opened McAfees company page on a very prominent social media platform, the name of which I have redacted from this true story. I was horrified.

Someone had deliberately defaced the social profile of our newly minted, 12-day-old company with the most obscene and offensive language directed at nearly every walk of life. This would be bad for any company. But let me try to express how desperately bad this was for us.

The offensive epithets were in stark contradiction to everything our company represented. We had just relaunched our brand with a new tagline, Together is power, reflecting our belief that it takes all kinds to protect our world from cyber threats. We had just unveiled new values to all employees upon our companys launch, one of which espoused inclusive candor and transparency. And we were a leader in cybersecurity. How would customers feel about our ability to safeguard their most precious digital assets if we couldnt even protect our own companys profile on one of the largest social media platforms? And, to top it off, my teamthe marketing organizationwas responsible for managing our company profile across all social channels, including the debased one staring me in the face.

I jumped into action. I had to get to the leader of our digital team to figure out what was going on. I reached her immediately and didnt even have to explain that the call wasnt to wish her a Happy Easter.

• I know why youre calling. Were on it. Our account was hacked. Were talking to the [social media platform company] to get it resolved.

I started to think the worst. A hacked social media profile was one thing. What if this was a coordinated attack against McAfee with a much bigger prize at stake, with hackers diverting our attention to this fire drill while they seeped in through our companys systems?

She immediately reassured me that our chief information security officer (CISO) was already on the case, confirming our systems were good. Relief washed over me for a momentuntil I realized I needed to make another call. Our CEO needed to know what was going on. And I preferred he hear the news from me. I was about to ruin his Easter Sunday. He picked up the phone almost instantly:

• Chris, one of our social media accounts has been hacked.
• His response was measured. How bad is it?
• Our corporate servers are fine, Chris. Its our corporate page on a social media site thats been hacked.

I explained to him just what had happened. Our social media manager, Gavin, was the first to discover the attack. Gavin had been at home, doing what social media geeks do on holidayshe was online. Around 5 p.m. he saw a status update on the social media platform with a bunch of random letters in it. He figured someone on his team had butt-dialed the update. Gavin deleted the random post.

He then pinged his team to see who might have accidentally created that post. No one knew anything about it. Soon, another meaningless post showed up. This was now not random.

Gavin logged into the social media platform and went to the account settings area. All the names were familiar of the people who had administrative privileges for the account. Even so, to be on the safe side, Gavin started to delete all other admins.