This is the sequel to “Lessons we can learn from the movies” – the initial batch of non-cyber security movies that we should be able to learn from. Here is the second instalment.
We outlined our brief plot last time – lots of cyber security, technology or spy movies exist and many of these have interesting takes on the real world of protecting information systems and cyber risk. But there are other, less technology focussed films that also bear scrutiny.
Having previously presented 5 examples of movies containing cyber security lessons, this follow-up set provides further examples of case studies, risks and quotes that have specific resonance with the world of cyber security, data breaches and information risk.
The Imitation Game is the story of the British attempts to break the German ciphers used during World War 2. Germany had the famous Enigma machine that it used to encrypt communications. However, the crypto-algorithm had a weakness – it would never encrypt a letter to itself, so it was possible to rule out keys if the plain text/cipher text contained a matching letter. The operators also made several “user” mistakes – signing in with a random string of their girlfriends’ names, and signing out with “HH” (for “Heil Hitler”).
The story is well known, especially in security circles, and the science of cryptography is still taught using Enigma as an example of how these systems can be attacked.
The solution Alan Turing and the team devise is to build machines, the early computers, that reduce the problem space and automate calculations based on known facts. It is a technique that is today being brought back to the forefront in the fight against cyber attacks, in the fields of security analytics and automated response.
BEST QUOTE: “There were 159 million, million, million possible Enigma settings … we would have to check 20 million years’ worth of settings in 20 minutes.”
LESSON: This kind of problem is pretty much why computers were invented. 70 years on we still find cryptographic weaknesses in implementations that expose data and other problems in cyber security where the volume of data needs computers to assist with the analysis.
In the first Jurassic Park movie, the annoying IT guy who no one likes (most factually accurate part of the film) is bribed by a competitor to steal embryos/DNA samples of the dinosaurs that the team have developed.
He does this by installing malware that locks people out of the computer systems and disables all the security systems, causing chaos and a mass escape of the dinosaurs. It’s a good case study relating to high-level insider access threats, change control, intellectual property protection, and IT governance processes. But it also highlights the dangers of physical security and environmental systems that are under the control of computers: computers that can, as we know, get hacked or fail in a variety of ways.
In the modern corporate environment the rise of smart building control systems and networked security systems and cameras is fairly close to the scenario painted in the film – except that most offices don’t have roving packs of Velociraptors and a T-Rex.
BEST QUOTE: “God damn it! I hate this hacker crap!”
LESSON: No business that gets hacked (externally or by an insider) is ever happy about it!
This Harrison Ford classic movie is about a doctor who is wrongly convicted of his wife’s murder. He escapes from a prison transport bus and sets out to clear his name by finding the famous “one armed man”.
The film is littered with security exploitations (once again, the good guy is the hacker so we must put any divided loyalties aside).
Ford’s character, as a former doctor, gains access to the hospital he once worked at and creates a fake ID card – a fairly low-tech but effective way to breach physical security. He then gains access to a terminal (while pretending to clean the offices) and accesses patient records to find details of prosthetic arms and the patients they relate to.
This enables him to go to the suspect’s house and leave enough clues for Tommy Lee, as US Marshal, to piece together the case.
The excitement of an innocent man working to clear his own name does rather outweigh the significance of a really quite alarming breach of the security of patient records.
BEST QUOTE: “Well, I am trying to solve a puzzle … And I just found a big piece!” [slams down phone on desk so trace can continue].
LESSON: Patient confidentiality aside, this is a story about an investigation. The answer lies in various information sources, so it is a parable for the challenges of investigating security breaches.
As an example of how a security failure can occur, when one single obscure vulnerability is targeted, look no further than the destruction of the Death Star at the end of the movie.
Following the analysis of the plans, the rebels find a single vulnerability in the system that is largely undefended and exploit it. It is even called a “port” for heaven’s sake (albeit an exhaust port rather than a network port).
For anyone defending a large complex system, the challenge is the same – you have to be able to defend all the vulnerabilities at all times (and know where they are). The attacker only has to find one small vulnerability that they can exploit or access on one occasion.
Once again, the attackers are the good guys in this case 🙁
BEST QUOTE: “Do. Or do not. There is no try.”
LESSON: If you apply this ethos to finding vulnerabilities and patching them, you will be in a pretty good place from a cyber security perspective.
“Based on a true story” of the takeover of the American embassy and hostages in Iran, 6 members of embassy staff escape and hide in the home of the Canadian ambassador. The security parable comes from the fact that the Iranians take all the shredded paper records that the embassy had tried to destroy and use teams of child labour in sweatshops to try and piece together the information.
The big risk for those still trapped is that the Iranians manage to restore records or photographs showing that not all the US embassy staff are in captivity and some are still at large PLUS they would know what they look like.
We can learn from this that even if you think you have secured or destroyed data or (in the cyber security world) protected systems, there is still a risk and you are still exposed if your adversary is determined enough, patient enough and has sufficient resources to bring to bear on the problem of getting to your information.
BEST QUOTE: “There are only bad options. It’s about finding the best one.”
LESSON: A determined attacker, or one with higher levels of skill or resource, is tough to defend against. Cyber security teams have their work cut out – but avoiding falling foul of trivial attacks is a good start.
As we concluded at the end of the first post – there is no shortage of films where cyber security features, but they commonly have a degree of hyperbole that can be a distraction.
As stressed previously, it is unlikely anyone is going to make a movie out of your security breach (unless it is a very bad one). However, it is better to stay backstage and out of the limelight when it comes to cyber security breaches.
Defend your network as much as possible, monitor closely, and when a problem occurs detect it quickly and respond intelligently.