by: Joe Gross
Every single parent on this planet seems to have that one story. The one where, when they tell it, it’s always a bit humorous, embarrassing, and begs the question of, “are they proud of their child for what they accomplished, or do they know it is so embarrassing, for the child, they just have to tell it?” In my case that story essentially boils down to how much I have loved Star Wars from an early age.
Apparently, when you watch a single VHS tape over 5,000 times in a four-year period, it begins to whine, and that is exactly what happened to my copy of Empire Strikes Back. I would sit down in the morning and start watching whichever original-trilogy Star Wars movie I had left off on the day before, and I would keep watching these movies in rapid succession. This went on from the time I was around 2 until I started having places to be, like school or soccer practice.
My exorbitant love of Star Wars continues to this day, and I often devote entire days or weekends to re-watching all of the movies, searching for that one hidden bit that I heard about in some random YouTube video that changes the entire perspective of the saga.
It was during one of these binge sessions that I made an incredible discovery!
All of the Empire’s problems could have easily been solved by implementing a robust cyber security platform.
Imagine that: $15,602,022,489,829,821,422,840,226.94 (or $15.6 septillion) and 1.7 million lives down the tubes, all because good ole’ Emperor Palpatine and his horde of evil doers (yeah, I’m looking at you, Grand Moff Tarkin and Darth Vader) were too proud to implement even the most basic of protections.
Now, don’t get me wrong. I understand that there are many different ways to implement cyber security tools, policies, and consulting into an effective stack. Even at a basic level, there are competing views on what should be implemented to provide a foundation of protection, but I am going to focus on 3 basic things that the Empire missed that you definitely shouldn’t:
- Limitation of Publicly Available Information
How can it be possible that every rebel has a laundry list of Imperial security credentials that just let them waltz into highly secured areas and planets? In nearly every installment of Star Wars there is some crazy plan concocted to really stick it to the bad guys. The lovable droid recites the odds to someone who does not want to hear them, and in the final preparation, the leader of the mission exclaims, “We will utilize stolen Imperial clearance codes to get past the force field.” What is the Empire doing with these codes? Putting them on giant posters? Tweeting them out to all their followers? At a certain point, you have to wonder if these clearance codes were ever really a secret.
Any decent hacker, or spy, knows that the work involved in pulling off a successful attack really lies in its reconnaissance phase, the time spent gathering as much intelligence about your target as possible. In Star Wars, this was spent skimming Imperial clearance codes, convincing distressed Imperial Officers to give up sensitive information, and using a set of binoculars to survey the Empire’s defenses. In the hacker community, this phase consists of weeks or even months of scouring the internet and social media for email addresses, employee names and information, trusted vendors, IP addresses, websites, the list goes on and on.
Each piece of information that they are able to obtain gets them one step closer to compromising your network. An email address can be used to send phishing emails, as the username in brute-force attacks on cloud providers, or spoofed to send accounting an email asking for thousands of dollars to be wired to what looks like a distressed employee. Vendors give the attacker the ability to walk in the door. If it is known that you always use ABC Smoke Detectors to test your fire suppression and alarm systems, then it is as easy as the attacker saying they are from that company, and instantly everyone in the company trusts them.
Some information is nearly impossible to keep off the web. Your employees are proud that they work for you and will more than likely post that on their LinkedIn and Facebook, and your website is an essential piece of marketing for your business, but that doesn’t mean there is nothing you can do about what is publicly available about your company. Remove all personal email addresses and direct phone numbers from your website. Instead, put something like firstname.lastname@example.org and the main office line of your business. Your customers will still be able to reach you with ease, but the attacker now has to work a lot harder to get to an actual person. Keep your list of vendors to yourself. No one needs to know who you buy what from, and if for some reason they do, ensure they sign an NDA and that you trust who it is that you are dealing with.
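To check whether your own site still leaks the personal addresses and direct lines described above, here is an added self-audit script (example code written for this post, not the author’s or any vendor’s tool). It assumes a list of role mailboxes you consider safe to publish and a constructed “Contact us” page as sample input; anything else it finds is flagged for removal.

```python
import re
from html.parser import HTMLParser

# Assumption: these shared role mailboxes are the ones you choose to publish.
ROLE_MAILBOXES = {"info", "sales", "support", "office", "contact", "hr"}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")


class _TextAndLinks(HTMLParser):
    """Collect visible text plus mailto:/tel: link targets (hrefs leak too)."""
    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "href" and value and value.startswith(("mailto:", "tel:")):
                self.chunks.append(value.split(":", 1)[1])

    def handle_data(self, data):
        self.chunks.append(data)


def _digits(s):
    return re.sub(r"\D", "", s)


def audit_contact_exposure(html, main_line):
    """Return personal emails and direct phone numbers that should be removed.

    A mailbox is treated as personal unless its local part is a role mailbox;
    a phone number is 'direct' unless it matches the published main line.
    """
    parser = _TextAndLinks()
    parser.feed(html)
    text = " ".join(parser.chunks)
    emails = {e.lower() for e in EMAIL_RE.findall(text)}
    personal = sorted(e for e in emails
                      if e.split("@", 1)[0] not in ROLE_MAILBOXES)
    phones = {_digits(n) for n in PHONE_RE.findall(text)}
    direct = sorted(n for n in phones if n != _digits(main_line))
    return {"personal_emails": personal, "direct_phones": direct}


# Constructed sample page for a fictional company (numbers are reserved 555 range).
SAMPLE_HTML = """
<h1>Contact Us</h1>
<p>Main office: <a href="tel:+1-555-010-2000">(555) 010-2000</a></p>
<p>General inquiries: <a href="mailto:info@example.com">info@example.com</a></p>
<p>Jane Doe, Controller: <a href="mailto:jane.doe@example.com">jane.doe@example.com</a>,
direct 555-010-2001</p>
<p>Sales: sales@example.com</p>
"""

if __name__ == "__main__":
    print(audit_contact_exposure(SAMPLE_HTML, "(555) 010-2000"))
```

Run it against a saved copy of each public page; an empty result for both lists is the goal, and the controller’s address and direct line in the sample are exactly the kind of entries to replace with a role mailbox and the main line.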
- Security Awareness Training
Alright, so the Rebels got hold of some old clearance codes, who cares? The Empire has highly-trained soldiers monitoring the clearance codes being submitted 24/7/365. Well, it turns out those “highly-trained” soldiers have real issues distinguishing between legitimate and illegitimate authentication attempts. It has happened countless times throughout the Star Wars saga: the rebels do a bit of smooth talking, submit some questionable clearance codes, and BAM! They are in. Those poor soldiers must get thousands of clearance requests every day. At that rate, it would be easy for even the most diligent of employees to succumb to the monotony of the job and begin to allow any object with a hyperdrive into even the most sensitive of Imperial-controlled bases.
Don’t even get me started on the number of times some piece of Rebel scum has just popped on a Stormtrooper uniform and traipsed through the most secure facilities in the galaxy without so much as a second look. Leia exclaimed, “You look a little short to be a Stormtrooper,” as soon as Luke walked into her prison cell, but the 5,000 actual Stormtroopers he passed on the way didn’t even give him a second look.
This sheer inability to distinguish between the good guys (obviously talking about the legitimate Imperial forces here) and the bad guys (affectionately known as “Rebel scum”) represents a massive, gaping hole in the Empire’s defenses. Generally speaking, users treat their incoming emails and phone calls with the same care as the Imperial soldiers treat clearance codes: like they are all created equal. The truth is, 91% of all cyberattacks start with some kind of social engineering. That could be a phishing email, a USB stick someone dropped in the company parking lot, or a simple phone call (vishing). To protect your business from a potential breach, it is imperative that you implement a rigorous Security Awareness Training program, and by rigorous, I don’t mean having your employees spend hours in front of online modules or in a classroom with an instructor. I mean a quick 15-20 minutes’ worth of learning once every three to six months, all while testing their skills with simulated phishing, USB, and vishing attacks all year round. When someone fails to properly identify a simulated attack, you give them a little extra training that quarter and phish them a little more often than the others. You would be surprised how quickly your employees will go from being extremely prone to phishing attacks to almost impenetrable. At most organizations we work with, we see a 93% reduction in risk from social engineering attacks within the first 60 days of implementing Security Awareness Training. Your employees are an amazing asset to your company, but they are also your greatest risk.
- Data Classification and Protection
Near the end of Rogue One, just as hope is running out for Jyn and team, Jyn makes a harrowing leap onto a massive tower of storage tapes to retrieve the Death Star plans. She rips them out of the tower and proceeds to stream all of the Empire’s most sensitive secrets about their brand-new, shiny Death Star to her rebel friends overhead… I mean, come on… You mean to tell me that after spending the equivalent of 15.6 septillion dollars on the battle station to end all battle stations, the best they could do to protect its plans was rename the file to “Star Dust”? I mean, they also put the drive behind a massive force field and had it protected by armed guards, but all of that was easily penetrated by essentially wearing an “I ♥ the Empire” t-shirt.
The Empire did do one thing right in this scenario: they had the Death Star plans locked away behind an impenetrable force field in a dark corner of the galaxy. This is a great example of data classification and segmentation, but there are places where they fell short. The main issue with their tactic was that all data was treated equally. All of it sat behind a fairly easily penetrated defense and was simply listed under its project name. Not all data is created equal. Some contains the names of all your pets, and other data contains information that could be used to ruin your customers’ lives. Classifying these documents differently makes the risk associated with each document easy to recognize, and enables you to protect them differently based on that inherent risk and on how often they will need to be accessed. For example, documents containing PII that only need to be accessed at the customer’s request may be stored encrypted on a removable hard drive locked in a safe, while documents containing PII that must be accessed on a daily basis may reside on the main file server, but in an area that only certain people can access and that is monitored by a Data Loss Prevention tool. The Data Loss Prevention tool lets you ensure data is used in the way it is intended and is not being exfiltrated in a way that is not approved. The use of data classification and differential protection schemes will greatly reduce the amount of risk at all levels of your data while ensuring that it is still easily accessible and can be relied upon.
Overall, the Empire was an incredible force to be reckoned with, but their inability to see threats of all sizes as legitimate and respond appropriately ultimately led to the destruction of one of their most valuable assets, the Death Star. Similar missteps by a small business owner would result in hefty fines, significant losses in business, and, in 60% of cases, the business shutting its doors forever. Even the simple steps laid out in this blog can reduce your exposure to a breach exponentially overnight.