After the popularity of our last post on whether cyber security is like a box of chocolates it was noted that there are other movie quotes – more closely related to security – that can be used as lessons or to make points about cyber security and why it is important.
You don’t have to choose from cyber security-based films like Swordfish, Enemy of the State, WarGames, Hackers or The Net. These are all excellent movies but are too easy and obvious to draw parallels from in a blog post on cyber security. We can find more interesting lessons in less IT-centric movies.
In this first part of a two-part post we will look at the first batch of movies that have pointers to good cyber security hidden within them.
Lots of films have coverage of thefts, cyber attacks, or break-ins of some sort. It is a common and frequently exploited plot mechanism.
How does the bad guy (or good guy) get hold of the information they need? They hack into something to get hold of it! Cue tense keyboard scene and “rapid typing.mp3” sound effect… But this is not the sum total of what the world of movies can offer us in lessons to learn around cyber security and network defence.
In fact, even quite old films provide coverage and exposure of risks that are perceived as quite modern threats. Threats that we are now only just beginning to think about addressing in the technology we are designing and building today. For example, who would have thought Benny Hill would be a pioneer of cyber attacks on smart cities as long ago as 1969?
A long time ago, in a galaxy far, far away… the Empire suffered a data breach of the worst and most catastrophic kind possible.
At the very start of the original Star Wars movie (or the end of the newer “Star Wars: Rogue One” if you prefer) the Empire had designed, and almost finished building, the famous Death Star.
Then the designs for the battle station are stolen by the Rebels and loaded onto a droid (the equivalent of a USB memory stick, but with personality, in this context) that escapes with the stolen data.
It is arguable whether it is truly a cyber security incident or a more traditional physical security lapse; but either way we now know that sensitive IP and removable storage media don’t mix. Allowing sensitive data to be accessed in an unauthorised way – either physically or logically – is a problem.
Star Wars is littered with security failures – stolen Death Star plans are only the start. R2-D2 routinely accesses computer systems and physical access controls with the Empire equivalent of a USB cable, which is one example that highlights the need for physical security, controls on removable media, terminating accounts at the end of employment etc.
BEST QUOTE: “It’s an old code, Sir, but it checks out”
LESSON: If it is an old code it has either expired (in which case it doesn’t “check out”) or it’s a valid code in which case the age is largely irrelevant.
This starts as an insider threat/heist movie – where Richard Pryor’s character (Gus Gorman) goes from being down-and-out to an employed computer programmer.
He is able to use his programming skills to syphon off tiny slices of money from multiple accounts, amounting to a huge sum. However, he then comes to the attention of Ross Webster (Robert Vaughn), the Webster Industries CEO, mainly because he turns up for work in a gleaming red Ferrari 308 (a fairly obvious clue, or a “behavioural anomaly”, if you like).
Webster enlists Gorman’s help for a suitably elaborate, megalomaniac crime spree, which is where the film’s hero comes in. There are missiles and kryptonite etc.
It is an early lesson about staff vetting, insider access, rogue developers and the need for monitoring system and user activity. Also, don’t let someone choose “Override all security” and have that actually work.
So, this is another (early) apocryphal tale about controls on privileged accounts, development practices and change controls.
BEST QUOTE: “Computers rule the world today. And the fellow that can fool the computers, can rule the world himself.”
LESSON: This is fine if the computers are under the control of the owner, not so great if a hacker has taken control of them.
For all the talk today about smart cities and the security vulnerabilities in industrial control systems, the 1969 film “The Italian Job”, a Michael Caine classic and British classic, got there first.
The gold bullion heist is audacious enough, but then the gang (famously) escape through the Turin traffic, which has been brought to a standstill by Professor Peach, played by Benny Hill. In the cyber attack, Peach introduces a computer program/tape into the traffic control systems that makes the lights cause gridlock across the city – snarling up the gold convoy so it can be robbed, and leaving a single route for the getaway by the plucky gold thieves in their Mini Coopers.
BEST QUOTE: “You were only supposed to blow the bloody doors off.”
LESSON: This quote has nothing to do with cyber security per se – but it was impossible not to use. However, it is useful if you are doing physical security tests – it reiterates the importance of getting the scope right in any testing process.
With the childlike charms of Macaulay Culkin, Home Alone is a great example of someone taking a more innovative and active defence against intrusions, albeit in the physical domestic setting of a family home at Christmas.
Culkin’s character in the film uses several techniques that have parallels in computer network defence:
Culkin’s goal is to keep the bad guys out, especially when the attackers realise he is home alone. So this is a clear parallel to our objective in cyber security.
As a parable for the importance of creativity and ingenuity in security teams that are faced with determined and perhaps stronger adversaries, it makes some good points.
BEST QUOTE: “This is my house, I have to defend it.”
LESSON: Defending against an attacker who will try anything means thinking on your feet, planning, ingenuity and intelligence to avoid being overwhelmed; but it is possible – even if they do eventually get in – if you know who your friends are.
In the archetypal 1980s cold war movie about pilots at the Top Gun training school – and in between the flight sequences, the demise of Goose and the chemistry between Maverick and Charlie – there is a good example of the value of intelligence in dealing with attacks.
In the case of Top Gun, an encounter between the navy pilots and a brand new Russian MiG fighter prior to their arrival at the flight school means that Maverick (Tom Cruise) has specific intelligence on the flight characteristics of the new MiG. In the cyber security world we also see repeated exchanges of threat information or indicators of compromise relating to new attacks or vulnerabilities.
In both situations we see the challenges of sharing this information. In Top Gun, having blurted out the details Cruise’s character then tells his love interest, school instructor Charlie (Kelly McGillis), that the location is classified and if he told her he would have to kill her.
In cyber security we see a similar need for intelligence and attack sharing, but only in recent years has this been seen as more acceptable and mainstream. Prior to that there was an ethos of keeping security information “classified” lest it reveal vulnerabilities, aid attackers, put off customers or give ammunition to competitors.
See the UK government CiSP programme.
BEST QUOTE: “I feel the need, the need for speed.”
LESSON: In a separate exchange to the discussion about the MiG, the film provides good advice on the rapid detection and response to threats; whether in the traditional theatres of land/sea/air or the more recent “cyber” realm.
There is no shortage of films where cyber security features, and many of these provide some useful lessons – but also commonly have a degree of hyperbole in them that often distracts those of us who work in security from the subtle nuances of the Hollywood plotlines.
Some become cult classics and are lauded for their semi-accurate portrayal of the way computer security works, but many more are scoffed at by those of us who know that “the firewall is holding” is nonsense.
Cast the net (sic) wider though and you can find lots and lots of movies where there are lessons about heists, protective strategies, small defenders overcoming larger attackers and various other plots that highlight valuable (or at the very least interesting) lessons.
There are some quandaries: often the person trying to get into the systems or to get the information is the good guy rather than the bad guy.
We all cheer when the Death Star gets blown up rather than rueing the fact that it had a single vulnerability that could be so damaging; and nobody complains at the bad example Cook County hospital sets in The Fugitive.
If you do happen to suffer a security breach it is unlikely anyone is going to make a movie out of it (unless you are the NSA) – but you never know. It is better to stay out of the limelight when it comes to cyber security breaches. Defend your network as much as possible, monitor closely and when a problem occurs detect it quickly and respond intelligently.
Look out for the second post in this series (register to receive updates!) and when that hits the screen you’ll be in the front row.