Sometimes two things that don’t seem to go together, make the most magical combinations. This article is the first in a new series of security articles I’ll be writing that tries to uncover an unexpected pairing – information security and pop culture.
What can popular movies, TV shows, books, or video games teach us about cyber security? Maybe nothing, maybe everything. Join me to see if your favorite guilty pleasures can uncover any cyber security insights you’d never have expected, starting with The Walking Dead.
If you fall into the typical security/technology geek stereotype (of which I consider myself a proud member), you’ve probably already heard of The Walking Dead (#TWD). If you’re one of the few who haven’t, TWD was first a comic book series, and is now a popular television series chronicling the journey of a small town sheriff as he tries to locate his family and survive a zombie apocalypse.
So what does TWD have to do with information security (infosec)? On the surface, absolutely nothing!
Sure, I could say something about how botnet-infected computers are a lot like their namesake—zombies. Or, maybe how the evil-intentioned humans in TWD act similarly to malicious cyber actors. But, the truth is infosec plays no direct role in this popular zombie series. In fact, considering electrical power is hard to come by in apocalyptic situations, computers play almost no role at all.
That said, TWD—like all good apocalypse fiction—is all about surviving a threat-infested, risky environment. Because of this, the series naturally explores different strategies and tactics its characters employ to survive their hazardous surroundings. And as much as I love the Internet, what is it, if not a hazardous and risky environment?
In this article, I hope to draw parallels between some of the zombie apocalypse survival tips we learn about in TWD’s fictional world and cyber security strategies you can implement to protect your organization in the real world. So let’s dive in with the eight cyber security tips I learned from TWD.
1. Perimeters matter – One of the first things any character does in a zombie apocalypse is find or setup some perimeter of protection. Whether it’s shacking up in Morgan’s old house, hiding in Dale’s RV, defending Hershel’s farm, fortifying the prison, or (comic-based spoiler alert) walling off the town of Alexandria, zombie survivors need a safe place where they can let their guard down and rest.
This tip still holds true for cyber security. While our work habits and technologies have evolved, allowing us to work from many places, and changing our traditional perimeter, our headquarters and data centers will never go away. Servers—physical, virtual, or otherwise—have to live somewhere, and you will have to create a perimeter of defense to protect them. Sure, your full security strategy also has to account for mobile and external resources, but you don’t go tearing down your walls just because you have an away team.
2. Living, not surviving, is what’s important – Many first-time zombie survivors make the mistake of thinking that defending themselves against “walkers” is the most important part of their day. However, the TWD survivors quickly learn that for long-term survival, you need to concern yourself with normal living. You must eat, rest, exercise, think and find a way to relax or unwind—in other words, normal human business.
This rings true for business infosec as well. Just change the statement to, “business, not security, is what’s important.”
Many security professionals make the mistake of thinking their job is to keep their organization perfectly protected. They only focus on having the best possible security, without regard to anything else. Really, your job is about keeping your organization’s business running, while minimizing risk. Of course, you implement protection when it makes sense. But sometimes it’s not only ok, but also preferable to take an acceptable risk to ensure your business runs smoothly.
Take, for example, when Hershel decides to join the quarantined sick patients despite the risk to his own health. If he hadn’t taken this risk, he couldn’t have put his medical training into practice and saved some of those survivors, who might later save him (if only).
3. Suit-up your away team – Earlier, we covered perimeters. However, apocalypse survivors need constant resources, and it’s highly unlikely that you’ll always find everything you need in one place. In TWD, our beloved survivors had to make many outings to scavenge for supplies or run a particular mission. For instance, when Shane and Otis go searching for medical supplies for Carl, or the many instances when Glenn and the team go searching for more food and supplies. In all these cases, the “away team” geared up with guns and protection, knowing they will be leaving their safe perimeter and entering an unfriendly environment. My favorite example of “suiting-up” is the recent episode where Glenn dons his trusty, and quite effective, riot gear.
The parallel is obvious. You need mobile security solutions to help protect your telecommuting workforce. Some of your employees will have to leave your perimeter; others may spend most of their time outside. Be sure to suit-up those employees’ devices with the appropriate cyber “riot gear” to ensure they survive the harsh Internet environment and don’t bring any contagions home.
4. Stay frosty – The characters who stay calm during life-or-death emergencies are the ones that seem to survive the longest in TWD. For me, Michonne exemplifies this trait the most (though Daryl is a close second). We’ve seen her stuck many times in the middle of a walker herd, hopelessly outnumbered 20 to one with nothing but her trusty katana. Yet somehow she quietly, coolly, and meticulously slices her way to freedom, with nary a bead of sweat on her brow. Calmness is her secret weapon. It frees her mind to remain analytical, allowing her to make the most advantageous decisions during a tough situation.
This applies equally to security incident response teams handling information breaches. Freaking out, and turning off or unplugging everything when you think you might have seen a sign of a breach is not a good security practice. Every good forensic examiner knows turning off systems wipes critical evidence. Rather, do your best to remain relaxed, gather evidence and methodically examine the situation to decide your best course of action.
5. A good team increases your survival odds – A poet/lawyer/cleric once said, “No man is an island.” While some fierce survivors in TWD may be able to technically survive on their own, none could flourish alone. They all have had their weak moments. Morgan is a perfect example of this. In season three of the TV series we find Morgan has isolated himself from the rest of the world. While he technically has survived on his own, he ultimately goes bat-guano insane. Meanwhile, we see Rick surrounding himself with a go-to, ace team of frosty warriors. You all know the ones: Michonne, Daryl, Glenn, Carl, and others. This team not only increases Rick’s odds of surviving the harsh zombie apocalypse, but it allows him to thrive in a dangerous environment because others have his back.
Infosec professionals need a good team, too. In big organizations this might mean having security specialists who allow you to concentrate on each layer of information security. For instance, you might have a perimeter guy, a mobile security gal, a forensics and incident response person, a secure webdev code-monkey and so on. However, even at a small company where you’re the only security professional, or maybe even a traditional IT guy who has to do security on the side, it helps to recruit a team of allies to help you achieve your goals. This may be as simple as helping educate and build security awareness among normal employees so they have the skills to make your job easier. Think of how Rick taught Carl (and then later Andrea taught the group) to shoot. The more trained guns you have, the less you worry about cyber outlaws.
6. Don’t be a jerk! – Every zombie apocalypse story has that guy. The antisocial, disagreeable jerk who just continues to bicker and bring the group down. This guy is a lightning rod for disaster and tragedy. For instance, remember Carol’s abusive husband, Ed? His bad decisions put the group, and ultimately himself, in harm’s way.
Don’t be that guy at your organization! Cyber security has risen in prominence the last few years. It’s left the LAN room closet and entered the business mainstream, and even the boardroom. Whether it’s educating users, helping HR, or campaigning for an increased budget, good infosec professionals should find themselves interacting with people from other departments more often. Unfortunately, technical security experts have the reputation as sometimes coming off as cynical know-it-alls, who just impose draconian rules for no perceivable reason. Don’t be that guy.
Gaining allies rather than enemies is often more about how you communicate, not necessarily what you communicate. If you take the time to listen to your co-workers, educate with patience, and communicate in a friendly manner, maybe the next time you have to impose a new security policy, your co-workers will recognize it for the well-intentioned security strategy it is, rather than interpreting it as a heavy-handed roadblock. Furthermore, if you spend time making friends rather than enemies, you might find the purse strings a bit looser the next time you need budget for some new security project.
7. Malevolent humans are scarier than zombies – In my opinion, TWD isn’t a story about zombies, it’s a story exploring human sociology in extreme situations. While you may think zombies are the biggest threat at first, you quickly realize that humans who’ve suddenly risen to positions of power can be much more evil, and less predictable, than any walker. Case in point; The Governor (need I say more?).
Now just imagine the walkers as automated, opportunistic cyber threats (such as botnets, worms, and viruses), and imagine the evil human characters as the advanced human attackers targeting our companies today, and you have the same situation. The latter concerns me much more than the former.
The tip here is, spend more of your time and money trying to defend against advanced targeted attackers. In the end, any security solution that protects against the more sophisticated attacks dreamed up by human hackers will easily block your run-of-the-mill automated attacks as well.
8. Security is all about trust – One of the biggest lessons TWD characters learn time and time again in the series is to be careful whom they trust. Meeting new people in this fictional apocalyptic environment is dangerous. Strangers can either be for you or against you—they’re rarely neutral. You have to quickly figure out who you can trust, in order to set your proper guard. That’s why Rick designed a three-question test to quickly assess new people: How many walkers have you killed? How many humans have you killed? Why?
Information security is also all about trust. Really, our whole job as infosec professionals deconstructs down to:
- Figuring out who our organization trusts (and how much they trust them); then
- Finding what data our organization values, and trying to limit access to that data to those we trust enough.
All the technical security measures we use to control access to information don’t help at all without the right policies in place; and you can’t write those policies if you don’t know who you can trust.
Many organizations trust their “insiders” equally and design flat internal networks. That’s a big problem. As the Governor demonstrated to Martinez using the heavy end of a golf club, you can’t trust that everyone on your team is really on your team. As you design your organizations cyber defenses, spend some time segmenting your internal network, and separating employees and data by their organizational role and value. If you have a better idea of who you can trust the most, you can protect your data accordingly.
Ok, perhaps I’m slightly stretching some of the “learnings” I perceive in Robert Kirkman’s fictional zombie apocalypse series. He wasn’t writing an allegory for cyber security, after all. However, war and peace, offense and defense, attackers and victims are all as old as human history. Fiction draws on human experience, and you can extract wisdom from the oddest places. At the very least, it was certainly entertaining to try.
Who said TV rots your brains? At least it doesn’t eat your brains! (Bah-dum-bump)