This is the sequel to “Lessons we can learn from the movies”, our first batch of non-cyber-security movies that have something to teach us. Here is the second instalment.
We outlined the premise last time: plenty of cyber security, technology and spy movies exist, and many of them have interesting takes on the real world of protecting information systems and managing cyber risk. But there are other, less technology-focussed films that also bear scrutiny.
Having previously presented five movies containing cyber security lessons, this follow-up set provides further case studies, risks and quotes that resonate with the world of cyber security, data breaches and information risk.
The Imitation Game tells the story of the British effort to break the German ciphers used during World War 2. Germany encrypted its communications with the now-notorious Enigma machine. However, the cipher had a structural weakness: it would never encrypt a letter to itself, so any candidate alignment of known plaintext against cipher text could be ruled out wherever the two contained the same letter in the same position. The operators also made several “user” mistakes, such as using their girlfriends’ names as settings and signing off with “HH” (for “Heil Hitler”), which handed the codebreakers predictable plaintext to work with.
The story is well known, especially in security circles, and the science of cryptography is still taught using Enigma as an example of how these systems can be attacked.
The solution Alan Turing and the team devise is machinery, the electromechanical Bombes that were precursors of the modern computer, to reduce the search space and automate the checking of settings against known facts. The same approach, using machines to cut a vast problem space down to what a human can act on, is today being brought back to the forefront of the fight against cyber attacks in security analytics and automated response.
BEST QUOTE: “There were 159 million, million, million possible Enigma settings … we would have to check 20 million years’ worth of settings in 20 minutes.”
LESSON: This kind of problem is pretty much why computers were invented. Seventy years on, we still find cryptographic weaknesses in implementations that expose data, and plenty of other problems in cyber security where the sheer volume of data means computers are needed to assist with the analysis.
In the first Jurassic Park movie, the annoying IT guy whom no one likes (the most factually accurate part of the film) is bribed by a competitor to steal embryos of the dinosaurs the team have developed.
He does this by installing malicious code that locks everyone else out of the computer systems and disables the security systems, causing chaos and a mass escape of the dinosaurs. It is a good case study in privileged insider threat, change control, intellectual property protection and IT governance. But it also highlights the danger of putting physical security and environmental systems under the control of computers, which can, as we know, be hacked or fail in a variety of ways.
In the modern corporate environment, the rise of smart building control systems and networked security systems and cameras brings us fairly close to the scenario painted in the film, except that most offices don’t have roving packs of Velociraptors and a T-Rex.
BEST QUOTE: “God damn it! I hate this hacker crap!”
LESSON: No business that gets hacked (externally or by an insider) is ever happy about it!
The Fugitive, the Harrison Ford classic, is about a doctor who is wrongly convicted of his wife’s murder. He escapes from a prison transport bus and sets out to clear his name by finding the famous “one-armed man”.
The film is littered with security exploits (once again, the good guy is the hacker, so we must put any divided loyalties aside).
Ford’s character, as a former doctor, gains access to the hospital he once worked at and creates a fake ID card: a low-tech but effective way to breach physical security. He then gains access to a terminal (while pretending to be a cleaner) and searches patient records for details of prosthetic arms and the patients they relate to.
This enables him to go to the suspect’s house and leave enough clues for Tommy Lee Jones, as the US Marshal on his trail, to piece together the case.
The excitement of an innocent man working to clear his own name does rather overshadow the significance of a really quite alarming breach of patient record confidentiality.
BEST QUOTE: “Well, I am trying to solve a puzzle … And I just found a big piece!” [slams down phone on desk so trace can continue].
LESSON: Patient confidentiality aside, this is a story about an investigation. The answer lies scattered across various information sources, which makes it a good parable for the challenges of investigating security breaches.
For an example of how a security failure can occur when one single obscure vulnerability is targeted, look no further than the destruction of the Death Star at the end of the movie.
Following analysis of the stolen plans, the rebels find a single, largely undefended vulnerability in the system and exploit it. It is even called a “port”, for heaven’s sake (albeit an exhaust port rather than a network port).
For anyone defending a large, complex system the challenge is the same: you have to know where all the vulnerabilities are and defend all of them all the time. The attacker only has to find one small vulnerability that they can exploit, on one occasion.
Once again, the attackers are the good guys in this case 🙁
BEST QUOTE: “Do. Or do not. There is no try.”
LESSON: If you apply this ethos to finding vulnerabilities and patching them, you will be in a pretty good place from a cyber security perspective.
“Based on a true story” of the takeover of the American embassy in Iran and the hostage crisis that followed, six members of embassy staff escape and hide in the home of the Canadian ambassador. The security parable comes from the Iranians collecting all the shredded paper records that the embassy had tried to destroy and setting teams of children to work piecing the strips back together.
The big risk for those still in hiding is that the Iranians manage to reconstruct records or photographs showing that not all the US embassy staff are in captivity, that some are still at large, and what they look like.
We can learn from this that even if you think you have secured or destroyed data (or, in the cyber security world, protected a system), an adversary who is determined enough, patient enough and has sufficient resources to bring to bear on getting to your information still poses a risk, and you are still exposed.
BEST QUOTE: “There are only bad options. It’s about finding the best one.”
LESSON: A determined attacker, or one with a higher level of skill or resources, is tough to defend against. Cyber security teams have their work cut out, but not falling foul of trivial attacks is a good start.
As we concluded at the end of the first post, there is no shortage of films in which cyber security features, but they commonly carry a degree of hyperbole that can be a distraction.
As stressed previously, it is unlikely anyone is going to make a movie out of your security breach (unless it is a very bad one). Even so, it is better to stay backstage and out of the limelight when it comes to cyber security breaches.
Defend your network as much as possible, monitor closely, and when a problem occurs detect it quickly and respond intelligently.