
Cybersecurity Program Development for Business: The Essential Planning Guide PDF

213 Pages·2018·2.432 MB·English

Preview Cybersecurity Program Development for Business: The Essential Planning Guide

Trim Size: 6in x 9in  Moschovitis ffirs.tex  V1 - 03/21/2018 7:21pm  Page i

CYBERSECURITY PROGRAM DEVELOPMENT FOR BUSINESS

CYBERSECURITY PROGRAM DEVELOPMENT FOR BUSINESS
THE ESSENTIAL PLANNING GUIDE

Chris Moschovitis

Copyright © 2018 by Chris Moschovitis. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993, or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Cataloging-in-Publication Data is Available:

ISBN 9781119429517 (Hardcover)
ISBN 9781119430056 (ePDF)
ISBN 9781119430001 (ePub)

Cover Design: Wiley
Cover Image: © phive2015/iStockphoto

Printed in the United States of America.

10 9 8 7 6 5 4 3 2 1

CONTENTS

FOREWORD vii
PREFACE xi
ABOUT THE AUTHOR xiii
ACKNOWLEDGMENTS xv
CHAPTER 1 Understanding Risk 1
CHAPTER 2 Everything You Always Wanted to Know About Tech (But Were Afraid to Ask Your Kids) 9
CHAPTER 3 A Cybersecurity Primer 15
CHAPTER 4 Management, Governance, and Alignment 47
CHAPTER 5 Your Cybersecurity Program: A High-Level Overview 67
CHAPTER 6 Assets 81
CHAPTER 7 Threats 95
CHAPTER 8 Vulnerabilities 105
CHAPTER 9 Environments 113
CHAPTER 10 Controls 131
CHAPTER 11 Incident-Response Planning 147
CHAPTER 12 People 163
CHAPTER 13 Living Cybersecure! 175
BIBLIOGRAPHY 187
APPENDIX: CLEAR AND PRESENT DANGER 195
INDEX 199

FOREWORD

If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained, you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.

—Sun Tzu, The Art of War

Who better to write a foreword for a cybersecurity book than a hacker? An "infamous hacktivist," as John Leyden called me five years back. After all, I'm the kind of person who, with help from this book, you will be prepared to defend yourself against!

I started out as a kid in the ghetto where I went into gang life and drug dealing. At some point I asked myself, "Do I follow in my father's footsteps, or do I find my own path in life?" I realized that living the fast life and being in the streets was only going to keep me there.

I wanted more.

I discovered the Internet at age 12. We're talking about a time when Google wasn't what it is today, and finding information online entailed going to forums, searching bulletin board system (BBS) archives, and relying on the likes of CompuServe, America Online (AOL), and Internet Relay Chat (IRC).

As I explored this world, I began to hear about certain mysterious figures who, like ancient sages, had a wealth of knowledge and experience that many Internet users lacked, but respected. I became attracted to the hacker ethic and lifestyle. Reading "The Hackers' Manifesto" cemented exactly what it was about being a hacker that I liked: that hacking was my decision, my choice, and no one could say otherwise.

I tried to reach out to hackers and join them. I was disappointed to learn these hackers belonged to invitation-only and private communities. It was impossible to speak to them. So, I made my own way. I chose a nom de guerre, "Sabu." As soon as I adopted this persona, I began to think differently, without boundaries.

To fully make the transition from Hector to Sabu required a lot of knowledge I didn't have. In short, I needed education. To compromise a server, I had to understand and be able to communicate with the underlying system, so I became a systems administrator of various UNIXes and POSIX systems. To write a proof-of-concept exploit for a vulnerability, I had to learn several programming languages, and so on.

As I slowly grew out of my awkward teenage years, I became more interested in the world from a geopolitical perspective, which attracted me to "hacktivism," where you combine hacker skills with activist causes. In the year 2000, I began hacktivist operations against governments around the world. I went from a curious hacker to a persistent threat to governments I did not agree with. That decision ultimately led to my downfall as a hacker and a hacktivist.

Just before my arrest, I had decided to leave the hacking world. All my experience as a hacker, security researcher, and systems administrator provided me a wealth of experience that I could now apply to any business—and I did. I became senior systems administrator for one of the biggest nonprofit technology-oriented organizations in New York City. Life was good, and every decision I made, including becoming a foster parent, was positive.

That's when I made my mistake and got back in the game. I unretired Sabu and reconnected with the hacktivist scene. It was 2010, the height of Anonymous and online hacktivism. I involved myself in the Arab Spring, shutting down government communications at the apex of the Tunisian revolution, as well as targeting federal contractors and media platforms. This was a time when cybersecurity was forever changed—from the tools and the scope of attacks to how hackers were organized, were funded, and acted. I knew our world would not be the same again.

I am not proud of that time. But when I realized how far I'd overstepped the line, it was too late.

I was arrested, and "Sabu" became infamous.

I had to accept the consequences of my actions and change my life for good. This meant leaving behind most of my friends, expanding my perspective, and realizing what really meant the most to me in life: my family.

My life offers you a glimpse into the hacker world. It's important for you to understand that we come from all walks of life, from privileged suburbs to the ghetto. We may be working in so-called legitimate jobs one day and hacking the next. Some do it for the thrill, whereas others still do it to support their causes—as in my case.

But hackers also hack for revenge and out of greed. The varied nature of hacker threats and motives means that cybersecurity is not easy. It requires dedication to preparedness, education, and constant vigilance.

Those three things, preparedness, education, and vigilance, are what Chris Moschovitis's book is all about. I first met Chris at ISACA CSX, and we quickly discovered that our thinking on cyberthreats and possible solutions was in alignment. Most important, I share with him the critical importance of being prepared, staying informed, thinking ahead, and remaining vigilant. Chris and I agree: This is the only path to cyber-resilience.

Like the choices I made in my life, the choices you make in your organization have the potential to change its path. The things you will learn in these pages will help you get ahead of the curve, become cyber-resilient, and be prepared for the next time you "meet" a hacker, who, unlike me, is not in retirement.

Hector "Sabu" Monsegur
Director of Assessment Services
Rhino Security Labs

PREFACE

"Enough already!"

This was the (only half-joking) reaction of a well-respected editor of a major publishing house when I suggested he produce yet another cybersecurity book. "Enough! You cybersecurity people have demoralized everyone so much that no one wants to hear, read, or talk about this anymore. We're not publishing any more cybersecurity books! Done! Finished!"

I couldn't argue with him. He's right. Cybersecurity experts have done a wonderful job of terrorizing everyone about the threats while doing nothing by way of offering some hope, some light at the end of the tunnel. Every security discussion seems to boil down to the same, dire predictions of cyber-doom: "It's not if, it's when!" "There are only two kinds of companies: Those that have been hacked and those that don't know it!"

Got it! We're all done for, thank you very much. Now what?

Something Completely Different

What if there was a book that put the whole cybersecurity thing into perspective, using simple, direct language? What if there were sections and chapters explaining what is going on, what the risks are, and what all the technobabble really means? And what if the book had a step-by-step, actionable approach on what you can do about all this? A book that aggregated the current best practices, put them in perspective, injected my experience and my own point of view, and how I applied all this across all our clients? All the while poking a little fun at ourselves, too?

I thought that this would be a great idea! And since I couldn't find any, I decided to write one.

Throughout my career, I've felt an attraction to science, technology, management, and governance, as well as a deep empathy for my clients' businesses. No matter what their industry, I understood their struggles, their anxieties, and what it means to make payroll no matter if it is for 10 employees or 5,000. I understood that I was their Rosetta stone—someone who could translate tech-speak to business-speak—and I felt the weight of that responsibility. My clients count on me and my recommendations. They are placing their trust
