Like many, I’ve been getting ready for the new Star Wars: The Pressure Awakens film by revisiting all of the outdated ones. As a passionate security geek, I can’t assist however eat my pop-culture by the filter of Data Security. I’m at all times stunned by the correlations you could find between the two topics (if you happen to look onerous sufficient).
Final month, I explored a few of the security tips that can be gleaned from Star Wars Episodes 4-6, so now lets dive into what the prequel sequence can train us about InfoSec.
Early in The Phantom Menace, we study that Viceroy Nute Gunray, of the Trade Federation, is planning a shock assault on the planet Naboo. When requested if Queen Amidala suspects the assault, he replies that he doesn’t know, however that they need to transfer shortly to disrupt communications. Later, the governor of Naboo says, “A communication disruption can solely imply one factor. Invasion.”
That is a frequent navy tactic. If you need your assault to stay hidden, you knock out your adversary’s communications to trigger confusion and maintain them from sharing data. Sadly, this has additionally develop into a comparatively frequent digital assault tactic. Some superior cyber attackers launch distributed denial of service (DDoS) assaults in opposition to their victims as a smoke display screen. When you’re determining that overwhelming flood of visitors, the hacker launches his actual assault, designed to infiltrate your community and steal your confidential data. You don’t discover the actual assault as a result of the DDoS assault brought about confusion by disrupting your communications.
An excellent instance of this was a 2013 cyber heist in opposition to a Californian monetary institute. The hackers launched a DDoS assault to masks their actual $900K cyber heist. The truth is, examples of DDoS smoke screens return even additional, and a few even mimic the bodily, navy assaults we see in Star Wars. Particularly, in 2008 Russian launched a military invasion against Georgia. Earlier than that assault, Georgia reportedly suffered DDoS assaults. Lastly, this tactic has develop into so widespread that we even see fictional hackers use it (realistically) in exhibits like the Mr. Robot series.
Briefly, whereas DDoS assaults are a downside on their very own, they’ll additionally signify that a extra nefarious assault is underway. Study from Naboo, and be positive to listen to your different methods if you happen to ever develop into confronted with a DDoS. It might simply be hiding the attacker’s actual motive.
Should you’re the common geek, you possibly can’t discuss the Star Wars prequels with out moaning about Jar Jar Binks. Whereas I’ve to admit that my 11-year-old discovered him amusing, most Star Wars followers I do know are disgusted by his slapstick, comedic reduction. Jar Jar typically appeared to trigger extra hassle than he was price; crashing into the heroes, clumsily stumbling round battlefields and performing seemingly brainless. But, one way or the other, Jar Jar’s bumbling at all times appeared to magically work out for the higher.
Most IT skilled in all probability have a story about a Jar Jar-like person of their group. We’ve all seen them; the sort of customers that appear hapless round computer systems, and should fall for the easiest social engineering methods, or take dangerous actions that threaten the group. The truth is, there are limitless IT jokes, calling these kinds of individuals “Lusers,” or saying issues like:
In truth, ignorant Jar Jar-like customers can introduce dangers to their organizations, making primary errors that allow hackers in. And in the actual world, issues don’t at all times magically work out for the higher. Jar Jar is a good instance of an “unintended insider risk,” or a individual that makes an unintentional mistake that threatens your online business.
There’s no getting round the incontrovertible fact that customers want security consciousness coaching. One lethal mistake you may make with Jar Jar-like workers is to assume that they’re hopeless. Of the IT jokes talked about above, the one I hate is, “no patch for stupidity.” There may be a patch: Schooling. You possibly can’t anticipate everybody to intuitively have IT or security experience. Nevertheless, you possibly can anticipate them to study the fundamentals, and enhance their Jar Jar-like methods. Practice your customers in order that they act extra like the Jar Jar diplomat vs. Jar Jar the exile.
Pal: “Do you know that Jar Jar Binks is de facto a Sith Jedi Grasp?”
Me: “WHAT!!! No approach. Jar Jar is an fool and I hate that character.”
That was my response to a latest rumor a pal shared with me. Should you aren’t conscious, a thread on Reddit, and associated video, have just lately gone viral, describing a potential alternate story arc for Jar Jar. I gained’t spoil the particulars (watch the video), however in the finish the creator makes a considerably compelling argument that Jar Jar might be an evil Sith Grasp manipulating Princess Amidala and the Jedi. In the finish, it’s in all probability simply a enjoyable conspiracy idea, however for the sake of argument, let’s think about this chance.
Though I simply in contrast Jar Jar to an unintended insider primarily based on his moronic nature, if this different idea was true, Jar Jar knowingly manipulated our heroes from the inside; making him a malicious insider.
Malicious insiders are one thing that may’t be ignored in data security. We’d all like to utterly belief the individuals we work with, however there are instances involving ethically-challenged and disgruntled workers that pose a risk. These sorts of people have been recognized to take delicate information or proprietary shopper data with out authorization. To guard your self from malicious “Sith” insiders:
Consider it or not firms, lose extra information from unintended insiders than they do from malicious insiders. Should you solely have one greenback to spend, you’re extra seemingly to get a higher return on security consciousness coaching
This title would possibly sound a bit risqué, however hear me out. Padmé was an adept security skilled! A giant reveal from the first film was that “Queen Amidala” was a decoy, and that one in every of her “handmaidens” was truly the true Queen of Naboo. Padmé realized that she was in danger, so her security crew assigned a bodyguard to impersonate her. Throughout an assassination try, the attacker would go after the unsuitable individual, giving Padmé the alternative to determine the assault, and react or escape.
That is a nice instance of what the security business calls a honeypot. Initially designed as a security analysis device, honeypots are methods that fake to be official, however are literally designed to lure in hackers. They provide a secure approach to entice malware and assaults for evaluation that informs the creation of recent defenses. These days, nonetheless, organizations are beginning to use honeypots to each deflect assaults from their actual targets, and as a “canary in a coal mine” that informs you if you happen to’ve been breached.
Firms hoping to defend their very important belongings ought to think about a few of the new types of deception defenses like honeypots.
Whereas not everybody loves the prequel movies, one factor these movies did nicely was bringing again the bounty hunters. It’s in all probability secure to say that Boba Fett is a fan favourite amongst Star Wars geeks, so together with Jango Fett and his minions was a sensible transfer.
In Assault of the Clones, there’s a scene the place a seemingly feminine bounty hunter makes an attempt to assassinate Amidala with toxic worm-like creatures. Obi-Wan and Anakin sense the try, stop it, and pursue the murderer by the skies of Coruscant. In the finish, they nook the human murderer in a bar, solely to study that she is a changeling—an alien that may morph into different types. Clearly, that is a nice talent for an murderer or bounty hunter as they try to keep away from seize or detection.
Changelings’ skills are additionally a nice metaphor for superior malware. So as to evade signature-based defenses, that are on the lookout for particular patterns, subtle malware is designed to continually morph. Cyber criminals use technical methods that constantly repack their malware in order that it appears totally different on a binary stage. In the finish, it would be the similar precise ransomware that you just’ve seen earlier than, nevertheless it’s repeatedly packaged in new methods to escape legacy defenses. The one approach to catch one of these risk is to ignore the exterior packaging, and give attention to the conduct of the risk.
If you need the Jedi expertise required to catch superior malware, think about extra superior risk safety options that use behavioral evaluation and machine studying to catch new threats.
So, if you happen to haven’t watched all three prequel movies… spoiler alert! By the finish of the sequence, we discover that Senator Palpatine was the creator of a sequence of misleading machinations that led to his rise in energy. He was behind the Commerce Federation’s assaults, and leveraged the worry from these circumstances to take away the present Chancellor, finally gaining the place for himself. He exploited the danger posed by the Droid Military to grant himself “emergency powers,” and management of the Clone Military. And in the finish, we discovered he was Darth Sidious – a Sith Lord – all alongside. In abstract, Palpatine exploited worry, uncertainty, and doubt (FUD) to get in any other case sensible individuals to hand over their freedom, by incrementally granting a single authority increasingly energy.
Does this sound acquainted?
There have been many historic examples the place nations have come underneath some actual or perceived risk, and have reacted by on the lookout for options to defend their residents. Sadly, these conditions are sometimes fueled by worry; particularly in the event that they comply with some actual assault. When this occurs, it’s pure to search for new and excessive methods to defend ourselves, together with granting authorities new powers or capabilities.
Nevertheless, we want to be cautious how a lot energy we give one entity. As they are saying, “absolute energy corrupts completely.” Who is aware of if a “Darth Sidious” would possibly someday rise by the ranks, and use these powers in ways in which had been by no means supposed.
How does this relate to data security? The present encryption backdoor debate.
Not too long ago, regulation enforcement and intelligence businesses have argued that they’ll’t proceed to defend us from terrorist threats until they’ve means to intercept and probably learn encrypted digital communications. They’ve recommended that industrial distributors want to design options that enable a way for authorities to get better sure communications. Generally, additionally they leverage our worry of latest threats to proceed to push this agenda.
The issue is, we additionally use encryption to legitimately defend non-public and enterprise communications from actual criminals. Creating encryption backdoors—irrespective of how nicely intentioned—additionally creates a new weak spot that unhealthy actors would possibly ultimately leverage.
As you think about what cyber security powers the authorities ought to have in the future (together with the capability to decrypt industrial information), keep in mind the Darth Sidious story. Nice powers, when left unchecked, might come again to overturn your Republic and launch a Darkish Empire.
Whether or not or not you liked or hated the Star Wars prequels, they make good allegories for a lot of essential data security lessons. Should you’re enthusiastic about what different security suggestions the Star Wars universe would possibly reveal, be part of me in the subsequent few weeks to discover Star Wars: The Pressure Awakens.