cybersecurity

profileK-A
ToImproveCybersecurityThinkLikeaHacker.pdf

S P R I N G 2 0 1 7 I S S U E

José Esteves Elisabete Ramalho Guillermo de Haro

To Improve Cybersecurity, Think Like a Hacker Cyberattacks are an increasingly common and worrisome threat. To combat the risk, companies need to understand both hackers’ tactics and their mindsets.

Vol. 58, No. 3 Reprint #58314 http://mitsmr.com/2mXYJdD

PLEASE NOTE THAT GRAY AREAS REFLECT ARTWORK THAT HAS BEEN INTENTIONALLY REMOVED. THE SUBSTANTIVE CONTENT OF THE ARTICLE APPEARS AS ORIGINALLY PUBLISHED.

SPRING 2017 MIT SLOAN MANAGEMENT REVIEW 71

IF YOU HAVE any doubts about the need for a new corporate cybersecurity mindset, the daily news

contains plenty of sobering evidence. Recently, Yahoo Inc., which was in the midst of a planned transac-

tion to sell its core businesses to Verizon, disclosed that it had been the target of two of the biggest data

breaches ever, with sensitive information stolen involving more than 1 billion user accounts in 2013 and

500 million in 2014.1 In addition to highlighting Yahoo’s cybersecurity vulnerability, the attacks have

resulted both in a delay in the planned acquisition by Verizon and in a probe by the U.S. Securities and

Exchange Commission about the disclosure of the breaches.2 The incident raises broad questions about

how cyberthreats affect mergers and acquisitions

deals, and it could have an impact on disclosure

guidelines and regulations.

In the past several years, the list of companies

whose internal systems have been hacked has

grown rapidly. In addition to hundreds of small

and medium-size companies, it now includes such

high-profile businesses as Target, JPMorgan Chase,

Home Depot, Sony Pictures, Ashley Madison, and

Yahoo. In many cases, cybersecurity breaches go

on for weeks or months before they’re discovered.

Cybersecurity breach response times can be a cru-

cial factor in the data breach scale, its mitigation,

the determination of its source, and also future

legal issues involving the disclosure period. Not

only have the attacks in the past few years been

costly for the companies, but they also shake the

confidence of customers, shareholders, and em-

ployees. And no industry appears to be safe from

attacks, regardless of the specific measures indi-

vidual companies use to defend themselves.

As a result, spending on cybersecurity is poised

to accelerate. Gartner Inc., the information tech-

nology (IT) research and advisory firm, has

estimated that global spending on information

To Improve Cybersecurity, Think Like a Hacker

R I S K M A N A G E M E N T

Cyberattacks are an increasingly common and worrisome threat. To combat the risk, companies need to understand both hackers’ tactics and their mindsets. BY JOSÉ ESTEVES, ELISABETE RAMALHO, AND GUILLERMO DE HARO

THE LEADING QUESTION What do executives need to know about improving cybersecurity?

FINDINGS �Hackers will patiently and thor- oughly examine a target company’s systems, looking for vulnerabilities.

�People often repre- sent the weakest link in an organiza- tion’s cybersecurity.

�Senior management needs to stress the importance of cybersecurity.

72 MIT SLOAN MANAGEMENT REVIEW SPRING 2017 SLOANREVIEW.MIT.EDU

R I S K M A N A G E M E N T

security would reach $81 billion in 2016 and may

grow to $101 billion by 2018, with the highest

growth in security testing.3 Unfortunately, invest-

ment in security measures is only part of the

answer; traditional methodologies can only do so

much. To be effective, executives in charge of cyber-

security need to adjust their mindsets and become

as open and adaptive as possible.

To help companies respond to new types of

threats, we have developed a framework that is

informed by our understanding of the process

hackers employ to attack an organization. We de-

signed this framework in collaboration with expert

hackers using the Delphi method, a structured

technique that draws on the knowledge and opin-

ions of experts.4 We also relied on in-depth

interviews with more than 20 experienced hackers.

(See “About the Research.”)

The Hacker Mindset If organizations want to reduce the risk of external

hacking attacks, they need to understand the hacker

mindset.5 In other words, companies need to com-

prehend the expertise of successful hackers to

anticipate and confront attacks. Companies such as

Facebook Inc. and Microsoft Corp., for example,

have even hired hackers.6

To think like a hacker, you need to know the traits

that characterize a competent and sophisticated

hacker. Hackers tend to be highly skilled and intelli-

gent, and enjoy taking risks. They typically have

backgrounds in computer science and have been la-

beled geeks for many years. Many successful hackers

have good social and communication skills that en-

able them to manipulate people to release essential

information or to perform critical actions.7

Many hackers are drawn to the possibility of

earning thousands or possibly millions of dollars.

They are accustomed to operating in the black

market and committing crimes far away from

where they live. They generally enjoy the adrenaline

rush they get from taking high-stakes risks. Indeed,

many hackers have nerves of steel — not much

frightens them. Although it used to be common

for hackers to work independently, few of today’s

hackers operate alone. They are often part of an

organized hacking group, where they are members

of a team providing specialized illegal services such

as credit card or loan fraud, theft of intellectual

property or personally identifiable information,

identity theft, or counterfeiting documents.8

Thinking Like a Hacker Fully protecting a company’s data is no easy task.

Dan Chenok, a former chairman of the Informa-

tion Security and Privacy Advisory Board for the

U.S. National Institute of Standards and Technol-

ogy, has asserted: “The only way to 100% protect

yourself from attacks is to turn off your comput-

ers.”9 However, learning to think like a hacker can

help your organization anticipate what a hacker

might do and then take actions to reduce those

risks. So what is a hacking mindset, and how should

it influence the way organizations approach

cybersecurity?

We found that hackers actually have two differ-

ent mindsets during different stages in an attack:

explorative and exploitative. (See “How Hackers

Approach an Attack.”) In the initial stages of an at-

tack, hackers typically use an exploration mindset

that combines deliberate and intuitive thinking

and relies on intensive experimentation. For exam-

ple, an experienced hacker will not attack a new

system a company has just activated. He or she will

prefer to wait and continue to search for the weak-

est link (such as a vendor, a new employee, or a

situation that is not in compliance with the organi-

zation’s security standards). Once access to a system

is gained, hackers rely on an exploitation mindset to

meet their goals — for example, to gain as much

information for profitable resale as they can. This

ABOUT THE RESEARCH We conducted a web-based study consisting of two rounds of surveys with 23 experi- enced hackers through an anonymous consensus-building process. The hackers list was obtained through a variety of methods: screening hackers offering their hacking and cybersecurity services on the internet, people mentioned in the media, introduc- tions from other hackers, recommendations from chief security officers who knew hackers, and individuals whom the research team knew. We asked hackers to label and prioritize the steps to perform a successful cyberattack. We subsequently con- ducted 17 in-depth interviews with panel experts to get more detail on the different phases of cyberattacks. The article is based on insights from our study, the interviews, and our own experience in cybersecurity and digital and information technology. In conducting our study, we used the Delphi method, which has been employed since the 1950s to obtain real-world knowledge. The method is based on several iterative rounds of questionnaires among experts to obtain data or test hypotheses. We used this approach to uncover the policies followed by hackers and to define what an adap- tive cybersecurity strategy should be.

SLOANREVIEW.MIT.EDU SPRING 2017 MIT SLOAN MANAGEMENT REVIEW 73

strategy of exploration followed by exploitation

typically involves four steps; the first two steps

focus on exploration, and the third and fourth em-

phasize exploitation.

STEP 1: Identifying Vulnerabilities Hackers are

patient, studious, and clever. If they think your

company is worth attacking, they will examine it

thoroughly for weaknesses, surveying the network

information, organizational information, and

security policies. This process of gathering infor-

mation is known among hackers as footprinting.

They may also study your suppliers and other con-

tractors that your company works with, as well as

your subsidiaries. Before launching a cyberattack,

hackers will map out the target network and sys-

tems and take note of all holes and vulnerabilities,

potential entry points, and any security mecha-

nisms that could be hurdles. At this stage,

information such as server names, IP addresses,

and user accounts can help them prepare the at-

tack. As noted earlier, hackers also attempt to

interact with company insiders who might have

critical information that would not be easily ob-

tained under normal circumstances and that could

help the hackers gain access to company systems.

At this stage, a hacker’s most important charac-

teristics are curiosity, patience, and communication

and social skills. Recognizing this, you need to turn

these characteristics to your company’s advantage:

Be curious about your systems and how they relate

to any vulnerability. In 2014, JPMorgan Chase &

Co., one of the biggest U.S.-based banks, was

reported to have suffered a cyberattack that com-

promised the data of 76 million households and

7 million small businesses. Although login infor-

mation, passwords, user IDs, birth dates, and Social

Security numbers were not compromised in

this attack, other information that can be used for

identity theft — names, email addresses, postal ad-

dresses, and phone numbers — was exposed. How

did this happen? Most big banks use two-factor

authentication, which combines static passwords

with codes dynamically generated by physical

devices. Unfortunately, JPMorgan’s IT security

team failed to update one of its network servers to

enforce two-factor authentication, leaving the bank

vulnerable.10 Hackers used this weakness, together

with stolen credentials from a bank employee, to

gain access to some 90 servers inside the company.

Companies can help protect themselves by adopt-

ing an iterative and adaptive process and making a

point of conducting a high-level “footprint” of their

systems on a regular basis. In addition, they should

make sure that employees are well informed on poli-

cies regarding sharing of information and offer them

periodic reminders about the various ways hackers ob-

tain information. For example, if someone unknown

begins to interact with a bank employee in a friendly

way, maybe that person’s purpose isn’t so friendly.

STEP 2: Scanning and Testing After a hacker has

broken into your network, weaknesses in the appli-

cations running on your systems could become

avenues for further unauthorized access. Hackers

often use scanning tools on applications running

on a company’s system once they enter. Cumula-

tively, small security vulnerabilities and design

weaknesses can add up to major security holes.

To protect your company, you should identify

potential weaknesses once you have created a

footprint of your systems. Examine every element

(hardware, software, and protocols) of the company’s

HOW HACKERS APPROACH AN ATTACK To protect their organizations, companies need to understand how hackers go about their work. Our research suggests that hackers’ attacks typically involve four steps: identifying vulnerabilities; scanning and testing; gaining access; and maintaining access. The first two steps primarily emphasize an exploration mindset, and the third and fourth steps involve efficiently exploiting the access the hackers have gained.

ATTACK PHASES

Design of Attack

• Experimental • Procedural

Role of Knowledge

• Gaining know-how • Using know-how

Aim of Action

• Effectiveness • Efficiency

Competencies Required

• Creativity • Tenacity • Persistence • Curiosity • Observation • Critical thinking

• Problem-solving • Adaptability • Focus on results • Planning and organizing • Analysis

1. Identifying

vulnerabilities

2. Scanning

and testing

3. Gaining access

4. Maintaining

access

EXPLORATION EXPLOITATION

74 MIT SLOAN MANAGEMENT REVIEW SPRING 2017 SLOANREVIEW.MIT.EDU

R I S K M A N A G E M E N T

network. In testing your network’s security, evalu-

ate cases of use and misuse from as many angles

as possible, and run penetration tests for your

applications as a “power user” — or better yet, as a

hacker — as opposed to as an average user.

Failure to take such measures could expose

you to a cyberattack, which is what happened to

TalkTalk Telecom Group PLC, one of the largest

providers of broadband and phone service in the

United Kingdom, in October 2015. The data

breach exposed the records of more than 150,000

customers. In the wake of the incident, the com-

pany lost customers, and it was hit with a £400,000

fine by the U.K. government. The government

criticized TalkTalk’s failure to implement basic

cybersecurity measures such as software updates

and regular system monitoring, thereby making it

relatively easy for hackers to break in.11

STEP 3: Gaining Access Among the factors that

influence a hacker’s chances of gaining unauthor-

ized access to a particular system are the system’s

architecture and configuration, the hacker’s skill

level, and the initial level of access the hacker is able

to obtain. For example, hackers often contact

organizations by telephone, a “phishing” email

campaign, a forged email message, or instant mes-

sages asking individuals for login and password

credentials, usually by pretending to be someone

with credibility (for example, a senior company of-

ficer or a help desk technician).

At Target Corp., a retailer based in Minneapolis,

Minnesota, hackers broke into the corporate net-

work using stolen credentials from a third-party

vendor who had provided air-conditioning ser-

vices. They then installed malicious software

(commonly called “malware”) to siphon customer

information from the company’s networks and

point-of-sale system in more than 1,800 brick-and-

mortar stores in the United States.

The malware the hackers of Target used is available

on cybercrime forums for about $2,000. The hackers

had explored a variety of ways to enter Target’s sys-

tem before identifying the entranceway through the

vendor. Once inside Target’s network, the hackers

gained access to cash registers in stores.12

The tactics the hackers used against Target were

unusual. At Anthem Inc., one of the largest health

insurers in the United States, hackers used a stolen

login and password to steal up to 80 million records

of personal information pertaining to customers

and employees — even the company’s CEO — in

2015.13 Once in the network, they obtained per-

sonal information such as names, Social Security

numbers, birthdays, addresses, email addresses,

and employment information (including income

data) — all of which can be quite valuable in the

black market for the purpose of identity theft.

To protect your company, you need to consider

how a hacker could gain access to your organiza-

tion’s systems, based on the information you have

collected in the first two steps. While those steps

were designed to identify security vulnerabilities,

this third step is geared toward exploiting them, or

what’s known in the hacker world as “owning the

system.”

On Feb. 5, 2016, hackers sent emails with links to

malware to employees of Hollywood Presbyterian

Medical Center in Los Angeles. When an employee

clicked on one of the links, the system locked and

disabled the hospital’s electronic communication.

For more than a week, the hackers had unfettered

access to Hollywood Presbyterian’s data (although it

was reported that no data was actually taken). The

nightmare ended only after the hospital paid a ran-

som of 40 bitcoins, valued at the time at about

$17,000, at which point the hackers sent them a digi-

tal decryption key to unlock the system.14

Hackers tend to play on both sophisticated tech-

nical knowledge and communication skills to breach

company security. If you are equally sophisticated in

your knowledge of common hacker tactics, you can

mount an effective defense. An awareness campaign

that alerts your employees, contractors, and third-

party users to common hacker strategies should be a

critical component of that defense.

STEP 4: Maintaining Access Hackers try to re-

tain their ownership of the system and access for

future attacks while remaining unnoticed. Some-

times they “harden” the system from security

personnel (and even from other hackers) by secur-

ing exclusive access and uploading a piece of code

that’s known as a “backdoor.”

Once hackers “own” a system, they can use it as

a base camp for launching new cyberattacks.15

SLOANREVIEW.MIT.EDU SPRING 2017 MIT SLOAN MANAGEMENT REVIEW 75

An owned system is often referred to as a “zombie”

system. In the final stages of an attack, hackers often

cover their tracks to avoid detection by security

personnel and remove evidence of hacking, to

avoid legal consequences. Skilled hackers use to

their own advantage their technical knowledge of

how systems detect wrongful activity. Therefore, it

is critical for organizations to remain vigilant for

suspicious activity in system logs and to ensure that

monitoring systems are always up to date.

Putting the Hacker Mindset to Work Once companies are familiar with the basic re-

quirements, what should they do to protect the

organization from cyberattacks? We believe effec-

tive cybersecurity practices need to be implemented

both from the top down and from the bottom up.

In support of this approach, we have developed five

recommendations.

1. Get senior management on board. Sustained

support from senior management is crucial to ensur-

ing that action plans are in place to mitigate the risk

of cyberattacks. The message needs to come from the

top down that “we” as a company need to be more

secure so that staff is more likely to engage. No matter

how technically competent the IT department is, it

can’t change the vision of the company. Rather,

senior management needs to ask for complete buy-

in, hold periodic meetings with line managers, and

deliver the message from the top down.

In order to get executive-level decision makers

on board, it’s important to emphasize the role of

cybersecurity in addressing market, privacy, tech-

nology, and regulatory risks and demands. To do

this, top managers may need to explain how the

cybersecurity strategy enables business objectives

and initiatives, and highlight how effective security

governance can enhance the interests of all stake-

holders (customers, business units, employees, and

auditors) in a cost-effective manner.

It is also critical to demonstrate that the compa-

ny’s long-term profitability and resilience are

contingent upon security. Companies should cre-

ate a security communication plan for the whole

organization that includes content aimed directly

at executives and that gets updated on a regular

basis. The material should include guidelines and

processes on how to manage and communicate

about security breaches that may arise.

2. Design a security strategy. As we have noted,

technology alone is not enough. Companies must

address cybersecurity from both technological and

nontechnological perspectives. In many organiza-

tions, the people aspect of cybersecurity is one of

the weakest links. Security experts recommend

adopting a “threat-centric” and operational secu-

rity model that looks at security from a hacker’s

perspective. This requires looking at cybersecurity

from both inside out (to understand what employ-

ees, strategic business partners, and third-party

vendors are doing within their organizations and

how they are interacting with high-value assets

such as systems, facilities, and data) and outside

in (to consider what an enemy might see when

scoping out weaknesses from the outside). The lat-

ter is often referred to as “turning the map around,”

and the goal is to ensure a comprehensive ap-

proach to mission planning and to help the

company prepare for actions an enemy may take in

the future.16

Executives and information managers should

examine how their information systems are cur-

rently managed to assess their level of cybersecurity,

and they should determine how secure each asset

needs to be. They need to assess whether they have

the right competencies and whether they have the

right organizational design to anticipate and re-

spond to potential cybersecurity threats.

In developing strategies, companies need to

make choices: whether to build full-fledged in-

house security capabilities, rely on external experts,

The message needs to come from the top down that ‘we’ as a company need to be more secure so that staff is more likely to engage. No matter how technically competent the IT department is, it can’t change the vision of the company.

76 MIT SLOAN MANAGEMENT REVIEW SPRING 2017 SLOANREVIEW.MIT.EDU

R I S K M A N A G E M E N T

or adopt a hybrid approach. According to Stephan

Somogyi, security and privacy product manager at

Google Inc., “no company can do everything well.”

For many companies, he recommends hiring exter-

nal contractors so that the companies can “focus on

their core competencies while taking advantage of

the scale and skills of those that specialize in infor-

mation security.”17

3. Build security awareness. Effective security

awareness training is essential. Raising cybersecurity

awareness is critical, and every part of the organiza-

tion should become familiar with cybersecurity best

practices. All employees who have access to confi-

dential information, whether they are in sales,

marketing, human resources, finance, or senior

management — even temporary staff — should

receive cybersecurity awareness training.

Companies should encourage behaviors and

processes that integrate information security into

daily routines, and they should be sure to explain

why it’s important. Some companies are approach-

ing cybersecurity training in ways that are similar

to training for ethics and regulatory compliance. A

few, such as Salesforce.com, are attempting to im-

prove security-related behavior with gamification

programs. According to Patrick Heim, the compa-

ny’s chief trust officer, employees who participated

in its security-related gamification program “were

50% less likely to click on a phishing link and 82%

more likely to report a phishing email.”18

4. Create alliances. Recent data breaches show

that skillful hackers can replicate successful attacks.

Once hackers identify one security threat and ex-

ploit it, oftentimes they reuse the methodology to

attack another target. Given this possibility, it’s im-

portant for IT security staff to coordinate and share

information within their organization, within their

industry, and even with their competitors. Thus, it’s

important to create alliances with other companies

and with government agencies.

The private and public sectors need to come to-

gether to address the cybersecurity challenge. The

North Atlantic Treaty Organization (NATO) has

called on members to build alliances to combat

cybercrime.19 By joining together, private busi-

nesses will be able to develop more comprehensive

cybersecurity strategies more economically.

5. Keep abreast of and follow best practices.

Many recent data breaches show that security pol-

icies are meaningless unless companies have a

rigorous, continual way of monitoring compli-

ance. Cybersecurity threats are constantly shifting

as new security vulnerabilities are identified and

new types of malware are created. Sometimes,

even older threats that were thought to be under

control rear their heads with a vengeance. The

only way to confront modern cybersecurity

threats is to keep defensive processes up to date,

continually train personnel, stay current on the state

of information security, and use control-enabled

tools to proactively detect, analyze, and respond

to incidents.

Although hackers are always looking for new

ways to break in, organizations are also getting bet-

ter all the time at “knowing their enemies.” Some go

so far as to invite hackers to identify vulnerabilities.

In March 2016, for example, the U.S. Department

of Defense launched a four-week bug bounty pro-

gram in which participants were asked to use their

hacking skills to break into selected U.S. Depart-

ment of Defense public web pages in exchange for

prizes and recognition. More than 250 participants

submitted at least one vulnerability report, and

more than half of the vulnerabilities were “legiti-

mate, unique, and eligible for a bounty,” said

then-Secretary of Defense Ashton B. Carter.20

(Mission-facing systems were not included in the

program.) Other organizations, including MIT,

also use bug bounties21 along with more traditional

approaches to cybersecurity.

It’s important to create alliances with other companies and with government agencies. The private and public sectors need to come together to address the cybersecurity challenge.

SLOANREVIEW.MIT.EDU SPRING 2017 MIT SLOAN MANAGEMENT REVIEW 77

New approaches to cybersecurity — and new

threats — will undoubtedly continue to evolve. Cy-

bersecurity is a game of cat and mouse in which the

cat always makes the first move. But the more you

can think like a hacker, the better able you will be to

protect your organization.

José Esteves is an associate professor of informa- tion systems and digital innovation at IE Business School in Madrid. Elisabete Ramalho is head of pro- grammatic client strategy for Europe, the Middle East, and Africa at Google Inc. Guillermo de Haro is an associate professor of applied economics at King Juan Carlos University in Madrid. Comment on this article at http://sloanreview.mit.edu/x/58314, or con- tact the authors at [email protected].

REFERENCES

1. V. Goel and N. Perlroth, “Yahoo Says 1 Billion User Accounts Were Hacked,” New York Times, Dec. 14, 2016, www.nytimes.com; S. Fiegerman, “Yahoo Says 500 Million Accounts Stolen,” Sept. 23, 2016, http://money.cnn.com; and D. Shepardson, “Verizon Says Hack ‘Material,’ Could Affect the Deal,” Oct. 13, 2016, www.reuters.com.

2. H. Kuchler, “Yahoo Data Breach Will Delay $4.8bn Verizon Deal,” Financial Times, Jan. 23, 2017, www.ft.com; and “Yahoo Says the SEC Is Investigating Its Recent Data Breaches,” Fortune.com, Jan. 23, 2017, http://fortune.com.

3. R. Contu, C. Canales, S. Deshpande, and L. Pingree, “Forecast: Information Security, Worldwide, 2014-2020, 2Q16 Update,” Aug. 25, 2016, www.gartner.com.

4. N. Dalkey and O. Helmer, “An Experimental Application of the Delphi Method to the Use of Experts,” Management Science 9, no. 3 (April 1963): 458-467.

5. C.S. Dweck, “Mindset: The New Psychology of Success” (New York: Random House, 2006).

6. J. O’Dell, “How 7 Black Hat Hackers Landed Legit Jobs,” June 2, 2011, http://mashable.com.

7. R.J. Anderson, https://en.wikipedia.org/wiki/Ross_J._ Anderson, “Security Engineering: A Guide to Building Dependable Distributed Systems,” 2nd ed. (Indianapolis, Indiana: Wiley, 2008).

8. “Underground Hacker Marketplace Report” (see https://www.secureworks.com/resources/rp-2016- underground-hacker-marketplace-report) April 2016, www.secureworks.com; V. Goel and N. Perlroth, “Hacked Yahoo Data Is for Sale on Dark Web,” New York Times, Dec. 15, 2016, www.nytimes.com; and D.L. Leger, “How Stolen Credit Cards Are Fenced on the Dark Web,” USA Today, Sept. 3, 2014, www.usatoday.com.

9. A. Jeng, “Minimizing Damage From J.P. Morgan’s Data Breach,” SANS Institute, March 15, 2015, p. 3; and “Senior Managers Account for Greatest Information Security Risks: Survey,” Jan. 7, 2014, www.security- week.com.

10. T.S. Bernard, “Ways to Protect Yourself After the JPMorgan Hacking,” New York Times, Oct. 3, 2014; D. Rushe, “JP Morgan Chase Reveals Massive Data Breach Affecting 76m Households,” Guardian, Oct. 3, 2014; M. Goldstein, N. Perlroth, and M. Corkery, “Neglected Server Provided Entry for JPMorgan Hackers,” New York Times, Dec. 22, 2014; and E. Glazer, “J.P. Morgan CEO: Cybersecurity Spending to Double,” Wall Street Journal, Oct.10, 2014.

11. “TalkTalk Gets Record £400,000 Fine for Failing to Prevent October 2015 Attack,” Oct. 5, 2016, http://ico.org.uk; and P. Sandle, “TalkTalk Lost More Than 100,000 Customers After Cyber Attack,” Reuters, Feb. 2, 2016, www.uk.reuters.com.

12. P. Ziobro, “Target Breach Began With Contractor’s Electronic Billing Link,” Wall Street Journal, Feb. 6, 2014; and B. Krebs, “Non-US Cards Used at Target Fetch Premium,” Dec. 13, 2013, krebsonsecurity.com.

13. “Letter From Anthem President & CEO, Joseph Swedish,” Feb. 6, 2015, www.myrha.org; D. Walker, “Exclusive: Mandiant Speaks on Anthem Attack, Custom Backdoors Used,” Feb. 5, 2015, www.scmagazine.com; and C. Terhune, “Anthem Data Breach Poses a Big Test for Its CEO,” Los Angeles Times, Feb. 12, 2015, www.latimes.com.

14. K. Zetter, “Why Hospitals Are the Perfect Targets for Ransomware,” March 30, 2016, www.wired.com; and B. Barrett, “Hack Brief: Hackers Are Holding an LA Hospital’s Computers Hostage,” Feb. 16, 2016, www.wired.com.

15. K. Graves, “CEH: Official Certified Ethical Hacker Review Guide: Exam 312-50” (Indianapolis, Indiana: Wiley Publishing, 2007).

16. Based on the military concept of a “kill chain” (a systematic process to target and engage an adver- sary), Lockheed Martin Corp. developed the “cyber kill chain” model that details each step of a cybercriminal’s operation from reconnaissance to actions on objectives. Many companies have adapted the cyber kill chain model to address their own risks. See E. Hutchins, M. Cloppert, and R. Amin, “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains,” Leading Issues in Information Warfare and Security Research, vol. 1 (Reading, U.K.: Academic Publishing International Limited, 2011), 80-106.

17. S. Somogyi, interview with authors, Feb. 2, 2016.

18. L. Wood, “Boost Your Security Training With Gamification – Really!,” July 16, 2014, www.computerworld.com.

19. L. Thompson, “Cyber Alliances: Collective Defense Becomes Central to Securing Networks, Data,” Sept. 19, 2014, www.forbes.com.

20. L. Ferdinando, “Carter Announces ‘Hack the Pentagon’ Program Results,” June 17, 2016, www.defense.gov.

21. The MIT Security Bug Bounty Program is a student- founded project, run with the school’s Information Systems and Technology department. It can be found at https://bounty.mit.edu.

Reprint 58314. Copyright © Massachusetts Institute of Technology, 2017.

All rights reserved.

PDFs Reprints Permission to Copy Back Issues

Articles published in MIT Sloan Management Review are copyrighted by the Massachusetts Institute of Technology unless otherwise specified at the end of an article.

MIT Sloan Management Review articles, permissions, and back issues can be purchased on our Web site: sloanreview.mit.edu or you may order through our Business Service Center (9 a.m.-5 p.m. ET) at the phone numbers listed below. Paper reprints are available in quantities of 250 or more.

To reproduce or transmit one or more MIT Sloan Management Review articles by electronic or mechanical means (including photocopying or archiving in any information storage or retrieval system) requires written permission.

To request permission, use our Web site: sloanreview.mit.edu or E-mail: [email protected] Call (US and International):617-253-7170 Fax: 617-258-9739

Posting of full-text SMR articles on publicly accessible Internet sites is prohibited. To obtain permission to post articles on secure and/or password- protected intranet sites, e-mail your request to [email protected].

MITMIT SLSLOOAN MANAAN MANAGEMENGEMENT REVIEWT REVIEW

DIGITDIGITALAL

Copyright © Massachusetts Institute of Technology, 2017. All rights reserved. Reprint #58314 http://mitsmr.com/2mXYJdD

  • 58314-autogen
  • 58314