"Plug in. He should be able to interpret the entire Imperial computer network." – Obi-Wan Kenobi, speaking about R2-D2 seconds after accessing a “secure” Death Star control room
In our last post inspired by the release of Rogue One: A Star Wars Story, we looked at how lessons from the Star Wars films reveal three key ways that every organization can better secure themselves against modern cyber threats: don’t be arrogant, keep an active imagination, and create a culture of security. William Lederer, chief security officer at kCura (respectfully and affectionately known as “Security Bill”) helped provide some insights into how these tactics can impact an organization’s security strategy.
But as Obi-Wan and R2-D2 prove in the Death Star control room, adherence to these three tips isn’t enough if your strategy doesn’t look beyond your employees’ computers (or their planet, if you’re operating an intra-galactic empire). You need to look up and out, too.
Defending on Multiple Fronts
Throughout the Star Wars franchise, we rarely see data being transmitted wirelessly. Droids communicate with each other verbally, and sensitive data is placed on discs, chips, and memory sticks. While we hear occasional references to “intercepted transmissions,” to access anything important it is essential to obtain a physical copy or be at a physical network terminal.
At first glance, eliminating wireless access options sounds almost like a smart (if severe) move to limit the potential for network incursions, but droids like R2-D2 could hack into any system with ease. Get him in front of a network port and before you could say bleep bloop bleep, he could open a door, shut a down a garbage compactor, find a princess, or pull up the detailed schematic for a tractor beam’s power source. By assuming the Death Star was physically secure and leaving network terminals accessible to any device (or droid), the Empire opened up an extreme vulnerability.
According to Security Bill, this is exactly why defenses against both network penetration and physical intrusion must be an integral part of any company’s security strategy. If anyone can plug in a laptop in your office and have total control over the data housed there, you’re in trouble. With a porous physical defense, the everyday scoundrel can take over anything.
A Holistic Cybersecurity Strategy
From a network perspective, says Security Bill, “a lot of big mistakes look really tiny.” That’s why regular, close audits and examinations are critical, in addition to strong firewalls, robust encryption, and well-rounded problem-flagging protocols.
While using firewalls and encryption to prevent network penetration from outside your organization is obviously important, even the best safeguards can be rendered inert if your physical defenses are porous.
One common example is a harmless-looking individual “tailgating” through a door behind company employees into a secure area (how many times did we see our our Star Wars heroes casually sneak through a door just before it closed?). If this individual plugs their laptop directly into a network port and they’re savvy enough, just like R2-D2 they may be able to gain some control. Investments in physical barriers and detection technology is a start, but one of the most effective methods is disarmingly simple: just ensure employees coming through badge-restricted security doors ask anyone behind them to badge in, as well.
Staying Agile in an Evolving World
In The Empire Strikes Back, we learn not to assume that all organizations are as unprepared as Darth Vader and his less-than-attentive staff of Stormtroopers. It seems that the remote Cloud City of Bespin was better prepared than the Empire (insert witty “cloud security” remark here …). During the Rebels’ escape, we see that security codes have been altered, and computer terminals are less prominently accessible than those in Imperial facilities. Even R2-D2 receives a huge shock when he accidentally plugs his computer interface arm (or “scomp link” for you superfans) into an electrical port. While this just delays the inevitable, these small measures are almost enough to prevent Lando, Leia, Chewbacca, and the droids from getting away.
The Empire did eventually get wise to the threats around them—their hulking, top-down leadership structure just didn’t move fast enough to adjust to imminent security threats. No, learning in the Return of the Jedi that the details and the location of the second Death Star were also stolen doesn’t reflect well on the Imperial security team—but at the very least, the Empire made life very difficult for the Bothan spies who hacked the data. (Though it’s later revealed that the data may have been leaked in an effort to thwart the Rebellion, we doubt many security consultants would recommend revealing your biggest trade secrets just to set a trap.)
Take that as a good Star Wars security lesson, too: learn from your mistakes, and don’t lose sight of your enemies. Penetration testing is a good way to accomplish both of those goals without actually risking anything first—and making it a habit will enable your team to see new vulnerabilities as technologies (and the hackers who love them) evolve.
And remember that even when the Empire began to respond competently to security threats, the damage had already been done—as we e-discovery professionals know, once the cat is out of the bag, there’s no putting it back.