This article was previously posted on 2017-05-04
Pop culture can teach us a lot about computer security if we’re willing to dig a bit beneath the surface.
1. R2-D2 hides important data in plain sight
During the opening scene of A New Hope, we see Princess Leia quietly interact with a random R2 unit on a rebel ship that has just been captured. R2 and his companion C-3PO then get away in an escape pod and land on Tatooine, where they meet a young Luke Skywalker.
While poking around the R2 unit, Skywalker stumbles upon a secret distress message. We later learn that Leia planted the Empire’s Death Star plans—valuable intellectual property—in plain sight, hiding them in an unassuming astromech droid.
That scenario perfectly illustrates what InfoSec professionals call “security by obscurity.” In general, experts don’t consider security by obscurity a good thing. While “obscurity” does make things harder to find, it doesn’t fully protect them the way, say, encryption does.
However, I think there’s value to obscurity when used as an additional layer of security, and this Star Wars scene proves it. None of the Empire’s troops suspected that two lowly droids held the plans to their ultimate weapon.
These ordinary droids made the perfect cover for Leia’s stolen data. Granted, if the Empire had caught our hero droids, we’d also see the flaw in security by obscurity.
2. Little vulnerabilities can blow up the biggest Death Star
Everyone remembers the exciting conclusion to A New Hope. Skywalker was able to perfectly launch a pair of X-Wing proton torpedoes into a little thermal exhaust port in the Death Star, blowing it to smithereens.
This concept applies to cyber security as well. Sometimes the smallest vulnerabilities in the most niche software can lead to the chain of events that allows malicious attackers to gain complete control of a network.
Many IT professionals have stories about finding old, unpatched, and forgotten servers on their network, which were exposed to the public.
Hackers might take advantage of little vulnerabilities in these forgotten servers to gain a foothold in the network, and leverage them as a stepping-stone for gaining complete control. Don’t end up like the Death Star.
3. Jedi mind tricks are used by the Dark AND Light-side hackers
In A New Hope, we also see Obi-Wan Kenobi perform a Jedi mind trick. Using The Force, he beguiles stormtroopers into not seeing something that’s right in front of them.
Believe it or not, both good guy and bad guy hackers leverage technical “Jedi mind tricks” to get computers or programs to miss important details as well.
Looking at the dark side of hacking, many advanced malware samples include something called a rootkit, which is a component that helps malware hide inside operating systems.
For instance, when a security program uses a Windows function to list the files in a folder, in hopes of scanning for malware, the rootkit might perform a technical “Jedi mind trick” on Windows, telling it, “This isn’t the file you’re looking for.”
4. Master or Padawan, never underestimate training and preparation
One of Skywalker’s biggest philosophical dilemmas in The Empire Strikes Back was whether or not to ditch his Jedi training and leave to save his friends. His experienced teachers encouraged him to complete his training so he’d have the skills he’d need to actually help. However, Skywalker chose to delay his training and save Han and Leia. Perhaps if he had finished his training he could have helped more?
Information security professionals cannot underestimate the importance of training, either. The ISO 27001 ISMS training and certification can help you to become a security Jedi.
5. “Ewok” tactics can defeat sophisticated attacks
Love them or hate them, few can forget the Ewoks, or the Endor forest scene where they fought alongside the Rebel Alliance against the Empire. Yet, the Ewoks were effective; their giant trees, rocks and guerrilla warfare were incredibly successful against a more sophisticated opponent.
In the same way, basic security practices can still be effective today. Though more advanced attacks can bypass some of our older security measures, additional layers of security can still save you when the previous layer fails. Learn from the Ewoks, and make sure you’re implementing basic security practices like layered security.