Using Hollywood to improve your security program
I spend a lot of time on airplanes, and end up watching a lot of movies. Some of my favorite movies are adventures, spy stuff, and cunning heist movies. Recently, I realized that a lot of these movies provide great lessons that we can apply to information security.
Lesson 1: Be paranoid about handoffs and blind spots
Many data breaches occur because attackers take advantage vulnerabilities in the “spaces between” different functions. They exploit these weaknesses, often during a handoff from one silo to another.
For example, there are a lot of movies in which criminals take advantage of short-term blind spots to do a “switcheroo.” In a lot of heist movies, a truck goes into a tunnel filled with gold but when it exits at the other end of the tunnel the criminals have swapped it for an identical truck filled with something worthless.
The lesson here is “trust, but verify.” Try to instrument as much of your process as possible to minimize blind spots and, when something (a system, a transaction, an install package, etc.) is out of your control for some period of time, validate it before you assume it hasn’t been tampered with.
Lesson 2: Use baselines of what’s normal, so you can quickly detect the abnormal
[Spoiler alert!] In the movie, “The Inside Man,” the police spend a lot of time trying to figure out how criminals got something valuable out of the bank, but are never able to figure it out. In reality, the “stolen” item had never left the bank at all – the criminals had added a false wall in the vault, and one of the criminals was in the resulting hollow space with some food, water, and a bunch of diamonds. He waited a while for the frenzy to die down, left his crawl space, and simply walked out of the bank unnoticed. This technique worked because nobody noticed that the vault room was slightly smaller than it had been in the past.
From this movie, we can learn to rely on baselines and automation to catalog the normal and expected state of things, so we aren’t fooled by the equivalent of a false wall in your infrastructure. Cyber criminals can hide things in plain sight by tucking them away inside an alternate data stream that is invisible to your normal file management tools. Take steps so you aren’t fooled by innocuous appearances. Use file hashes, transaction checksums and signed components to ensure that even subtle changes are brought to your attention.
Lesson 3: Beware of distractions, imposters, spoofed information, and sleight of hand
OK, Lesson 3 is really a bunch of lessons all rolled into one, but I loved the movie so bear with me (and yes, this is another Spoiler Alert).
In the 2001 movie, “Ocean’s Eleven,” Danny Ocean (George Clooney) and his crew are able to rob a casino, right under the owner’s nose. A number of attacks are involved:
- In various parts of the movie, criminals pose as consultants, employees, and other experts to gain access to the inner workings of the casino. This is analogous to credential theft or a compromise of your trusted insiders.
- The surveillance system is compromised to make the casino operators believe everything is normal. Ocean’s crew tamper with the video feed so the casino ends up watching fake camera footage instead of what’s really happening. This is the equivalent of cyber criminals tampering with logs and other traces to cover their tracks.
- There are also several instances in which the casino owner and law enforcement personnel are fed bogus information that sends them on wild good chases with the goal of luring them away from the location where the real crime was occurring. We’ve seen DDOS attacks, cyber vandalism, and other tactics in the infosec world used in a similar way to distract organizations from the real attack (often fraud, or data exfiltration in some other area of the business).
In these examples, we can implement safeguards such as multifactor authentication, strong identity and access management, oversight and “big picture” continuous monitoring. These approaches reduce the risk that we will miss criminal acts because we’re distracted by a theatrical event designed to grab our attention, tie up our resources and lure us away from the real crime.
Think Like Hollywood
These examples provide mental models that can help us think about information security in a different way. If your data security strategy were featured in a Hollywood blockbuster, how would you be fooled? Where are the weak spots that criminals could take advantage to get at your company’s “crown jewels?’
Thinking like Hollywood is a fun and useful way to find weaknesses in your security posture. I think you’ll find that most of the opportunities for improvement center around weak or sloppy handoffs; the lack of a clear picture of what “normal” looks like; the inability to notice small changes in your environment; the tendency to trust without verifying; and a bias to focus on the biggest, latest, and loudest incident you encounter.
In Hollywood heist movies, the bad guys often win. In real life, you have the power to make sure they don’t – imaging you’re in a Hollywood movie can help, and it’s a lot more fun than a pen test.