Unless you have literally been living on a remote,
desert-like planet in a galaxy far, far away, spending your days looking out
over the horizon as two suns start to set, you will not have missed a certain
level of buzz about a certain new Star Wars movie.
Indeed, the world has gone positively potty over The Force Awakens,
the seventh and latest instalment in the now possibly endless franchise. Without giving anything away
(this feature is entirely spoiler free), the J.J. Abrams-directed film has
been declared a triumph by critics all over the world. In short, it has been
described as both a fitting tribute to the original trilogy and a
triumphant start to what will be the next chapter of the saga.
Like most Star Wars fans, we’ve made an effort
to rewatch all of the movies – not that we needed an excuse to revisit
this captivating world – and in doing so, we inadvertently uncovered some
interesting information security insights, specifically from the first ever
flick, A New Hope.
After some further scrutiny (i.e. we watched the
movie again and again), it became all too clear that there’s a lot that can
actually be learnt from this magical space opera. So, here we are … a Star
Wars-inspired cybersecurity feature. Enjoy, and may the force be with you.
1. Do not underestimate the power of end-to-end encryption
If you want to ensure that the details of your
communication remain hidden from prying eyes, so that only the sender and the
receiver have access to it, then end-to-end encryption will serve you well.
The Rebel Alliance is big on encryption. Princess
Leia needs to get a message to her “only hope”, Obi-Wan Kenobi, and, attuned to
the fact that the Empire is hot on her heels, she duly encrypts her plea for
help (as well as the Death Star blueprint) and hides it in everyone’s favorite
little droid R2-D2.
Leia understands that if R2-D2 is captured, she can
feel somewhat confident that the data will remain secure – in other
words, while it might now be in the hands of the bad guys, it’s
unreadable. Only Obi-Wan has the key needed to decrypt the message, meaning the
princess’ secret plea for his assistance can only ever be unlocked by the
Jedi Master.
2. You must learn the ways of social engineering to stay secure
Social engineering is an effective form of manipulation that
allows cybercriminals to deceive victims. From an information security point of
view, it’s used to covertly gather sensitive information and/or gain access to
devices and accounts, usually for fraudulent reasons.
The Jedi are, in some ways, masters of social
engineering (used, of course, for the greater good of the galaxy). We first get
a glimpse of this when Obi-Wan, accompanied by Luke, is stopped by
stormtroopers on their way to meet Han Solo and Chewbacca.
They are asked for identification, and swiftly,
with a subtle wave of the hand, this is rebutted. The stormtroopers have no
idea what’s happened. Being aware of social engineering techniques might have
made a difference, as in Return of the Jedi, Luke’s efforts to sway Jabba with
the force fail.
3. I find your lack of faith in your vulnerabilities disturbing
Even the most comprehensive security systems
have their vulnerabilities, which is why it is important to constantly assess the means by which you’re protecting your
assets to uncover hidden flaws.
General Tagge is all too aware of this. In a
meeting with his colleagues and superiors he cautions that the data breach
experienced by the Empire might leave them open to an attack.
“They might find a weakness and exploit
it,” he warns, appreciating the fact that because the information that was
accessed was highly sensitive, it presents a grave danger.
However, this analysis of the situation isn’t
shared by all. General Motti, for example, underestimates the skillset of the rebels:
“Any attack made by the rebels against this station would be a useless gesture,
no matter what technical data they have obtained.”
While the Death Star is pretty heavily protected, a
small vulnerability, overlooked by the Empire, is discovered: a thermal exhaust
port that is connected to the space station’s reactor core. If you can gain
entry through that small opening, well, it’s game over.
4. I sense the presence of something I can’t quite put my finger on (trojan horse)
A trojan horse
is a type of malicious software that purports to be anything but. In other
words, as in the Greek mythology from which it gets its name, the
superficial and seemingly innocuous nature of it belies the devastating and
harmful nature which lurks below.
The crew of the Millennium Falcon, when caught in
the Death Star’s tractor beam – after discovering the planet Alderaan has been
destroyed – possess all the hallmarks of a trojan.
Although the Empire is initially cautious about
what they have just beamed into the battle station – the equivalent of
downloading a shortened link – the check they perform doesn’t spot the hidden
crew (ultimately the trojan).
While Darth Vader kills Obi-Wan – they have finally
spotted the malicious software and attempted to contain it – it is too
late. The tractor beam is disabled, the Millennium Falcon escapes, the Rebel
Alliance gets hold of the Death Star’s blueprints and … well, you know the
rest: “Great shot kid! That was one in a million!”
5. The password protection and 2FA is not strong with this system
If you don’t invest in strong passwords and two-factor authentication (2FA)
solutions, and you couple that with an open access policy to your network – as opposed to
only senior employees possessing the rights to this – then you’re likely
to experience some sort of data breach, big or small and intentionally or otherwise.
R2-D2 – who faces stiff competition from BB-8 these
days – makes easy work of the Death Star’s lack of password protection. Not
only is he able to plug himself into the battle station’s central computer, he
is able to locate specific information with very little effort (specifically
Leia’s location).
Moreover, later on, when the heroes are trapped in
the trash compactor, R2-D2 is once again able to effortlessly locate the kind
of data and controls he needs. To all intents, there is nothing by way of
security to stop him in his tracks.
However, had the Empire anticipated the threat of a
cyber expert; had strong passwords in place; and had invested in two-factor authentication, then the ending of A New Hope would
have been remarkably different.