Cyber Security Quotes: More lessons from security breaches in movies – The new batch
This is the sequel to “Lessons we can learn from the movies” – the initial batch of non-cyber security movies that we should be able to learn from. Here is the second instalment.
We outlined our brief plot last time – lots of cyber security, technology or spy movies exist and many of these have interesting takes on the real world of protection information systems and cyber risk. But there are other, less technology focussed films that also bear scrutiny.
Cyber Security Quotes: The new batch
Having previously presented 5 examples of movies containing cyber security lessons, this follow-up set provide further examples of case studies, risks and quotes that have specific resonance with the world of cyber security, data breaches and information risk.
The Imitation Game (2014)
The imitation game is the story of the British attempts to break the German ciphers used during World War 2. Germany had the notoriously famous Enigma machine that it used to encrypt communications. However the crypto-algorithm had a weakness – it would never encrypt a letter to itself so it was possible to rule out keys if the plain text/cipher text contained a matching letter. The operators also made several “user” mistakes – signing in with a random string of their girlfriends’ names, and signing out with “HH” (for “Heil Hitler”).
The story is well known, especially in security circles, and the science of cryptography is still taught using Enigma as an example of how these systems can be attacked.
The solution Alan Turin and the team devise is machines, the early computers, to reduce the problem space and automate calculations based on known facts. A technique that is today being brought back to the forefront in the fight against cyber attacks in the fields of security analytics and automated response.
BEST QUOTE: “There were 159 million, million, million possible Enigma settings … we would have to check 20 million years’ worth of settings in 20 minutes.”
LESSON: This kind of problem is pretty much why computers were invented. 70 years on we still find cryptographic weaknesses in implementations that expose data and other problems in cyber security where the volume of data needs computers to assist with the analysis.
Jurassic Park (1993)
In the first Jurassic park movie, the annoying IT guy who no one likes (most factually accurate part of the film) is bribed by a competitor to steal embryos/DNA samples of the dinosaurs that the team have developed.
He does this by installing malware that locks people out of the computer systems and disables all the security systems, causing chaos and a mass escape of the dinosaurs. It’s a good case study relating to high-level insider access threats, and change control, intellectual property protection, and IT governance processes. But it also highlights the dangers of physical security and environmental systems that are under the control of computers. Computers that can, as we know, get hacked or fail in a variety of ways.
In the modern corporate environment the rise of smart building control systems and networked security systems and cameras is fairly close to the scenario painted in the film – except that most offices don’t have roving packs of Velociraptors and a T-Rex.
BEST QUOTE: “God damn it! I hate this hacker crap!”
LESSON: No business that gets hacked (externally or by an insider) is ever happy about it!
The Fugitive (1993)
This Harrison Ford classic movie is about a doctor who is wrongly convicted of his wife’s murder. He escapes from a prison transport bus and sets out to clear his name by finding the famous “one armed man”.
The film is littered with security exploitations (once again, the good guy is the hacker so we must put any divided loyalties aside).
Ford’s character, as a former Doctor, gains access to the hospital he once worked at and creates a fake ID card – a fairly low tech, but effective way, to breach physical security. He then gains access to a terminal (while pretending to clean the offices) and accesses patient records to find details of prosthetic arms and the patients they relate to.
This enables him to go to the suspect’s house and leave enough clues for Tommy Lee, as US Marshall, to piece together the case.
The excitement of an innocent man working to clear his own name does rather outweigh the significance of a really quite alarming breach of the security of patient records.
BEST QUOTE: “Well, I am trying to solve a puzzle … And I just found a big piece!” [slams down phone on desk so trace can continue].
LESSON: Patient confidentiality aside, this is a story about an investigation. The answer lies in various information sources, so it is apocryphal for the challenges when investigating security breaches.
Starwars Episode 4: A New Hope (1977)
As an example of how a security failure can occur, when one single obscure vulnerability is targeted, look no further than the destruction of the Death Star at the end of the movie.
Following the analysis of the plans the rebels find a single vulnerability in the system that is largely undefended and exploit it. It is even called a “port” for heaven’s sake (albeit it an exhaust port rather than a network port).
For anyone defending a large complex system, the challenge is the same – you have to be able to defend all the vulnerabilities at all times (and know where they are). The attacker only has to find one small vulnerability that they can exploit or access on one occasion.
Once again, the attackers are the good guys in this case 🙁
BEST QUOTE: “Do. Or do not. There is no try.”
LESSON: If you apply this ethos to finding vulnerabilities and patching them, you will be in a pretty good place from a cyber security perspective.
“Based on a true story” of the takeover of the American embassy and hostages in Iran, 6 members of embassy staff escape and hide in the home of the Canadian ambassador. The security parable comes from the fact that the Iranians take all the shredded paper records that the embassy had tried to destroy and use teams of child labour in sweatshops to try and piece together the information.
The big risk for those still trapped is that the Iranians manage to restore records or photographs showing that not all the US embassy staff are in captivity and some are still at large PLUS they would know what they look like.
We can learn from this that even if you think you have secured or destroyed data or (in the cyber security world) protected systems – if your adversary is determined enough, patient enough and has sufficient resources to bring to bear on the problem of getting to your information there is still a risk and you are still exposed.
BEST QUOTE: “There are only bad options. It’s about finding the best one.”
LESSON: A determined attacker or one with higher levels of skill or resource, is tough to defend against. Cyber security teams have their work cut out – but avoiding falling foul of trivial attacks is a good start.
Cyber Security Quotes vs. Movie Quotes
As we concluded at the end of the first post – there is no shortage of films where cyber security features but they commonly have a degree of hyperbole that can be a distraction.
As stressed previously, it is unlikely anyone is going to make a movie out of your security breach (unless it is a very bad one). However it is better to stay backstage and out of the limelight when it comes to cyber security breaches.
Defend your network as much as possible, monitor closely, and when a problem occurs detect it quickly and respond intelligently.