Follow NCC Group Newsroom

Lessons from blockbusters: What Hollywood can teach us about cyber security

Blog post   •   Dec 18, 2019 21:57 GMT

Shutterstock: Royalty-free stock vector ID: 1496846720

“Everything I learned I learned from the movies.”

-Audrey Hepburn, Oscar-winning actress and humanitarian

Few things capture the imagination like movies. From epic dramas to tearful romances, from everyday travails to futuristic science fiction, from chilling horror to feel-good comedy, Hollywood is our great escape into the land of make believe.

And while every movie tells its story in a unique way, each one incorporates elements from the everyday lives of real people with real life problems. Whether it be the emotions that drive characters’ actions or the aspirations that influence the design of futuristic innovations, the human connection endures.

What separates classic movies from the rest? Classic movies will keep you thinking and feeling well after the credits have rolled. Below are some of my favorite movies, the lessons they taught us as moviegoers, and the lessons that translated for me as a cyber security consultant.

Star Wars: Episode IV – A New Hope (1977)

A security lesson we can all identify with: A single point of failure (SPOF) can take down your entire security program.

“A New Hope” is the movie that started the Star Wars phenomenon, introducing us to a plucky Rebel Alliance fighting gallantly against an evil and far-reaching Galactic Empire. The Empire has a secret weapon, a moon-sized space station with a laser powerful enough to decimate planets.

While it does indeed live up to its name at several points throughout the movie, the Death Star is blown to smithereens when a torpedo attack on a thermal exhaust port triggers an explosive chain reaction that causes the main reactor to go explode. However unlikely the success of the attack might have been, that port was a single point of failure (SPOF).

In cyber security, a SPOF represents over dependence on a single component that, if and when it fails, will take down the entire system. This single component can be technical, such as a single router through which all web traffic flows, but it can also be a person, like when someone is alone in their ability to handle a core piece of technology.

How can we limit the potential damage of an SPOF? By putting redundancies into place, such as an additional router or a backup resource. Come on Darth, ever heard of a backup Death Star? Oh wait...

Titanic (1997)

A security lesson we can all identify with: Allot ample resources to disaster recovery planning (DRP).

Titanic was based on the 1912 sinking of the eponymous transatlantic liner on her maiden voyage seen through the eyes of the fictional society heiress Rose DeWitt Bukater. This was one of the greatest non-war losses of life at sea, and subsequent investigations revealed several key mistakes leading to the ship’s untimely sinking:

The ship only contained enough lifeboats for less than half of the passengers onboard, mainly due to archaic regulations that mandated a total of 16 lifeboats with a capacity of 5,500 cubic feet for ships over 10,000 tons (the Titanic was 46,000 tons).

The lifeboats that were available were launched only partially filled. Thus, even though 1,178 people could have been saved, only 705 were.

Distress rockets launched by Titanic after the collision were not recognized as such by crew on the nearby Californian, which could have responded and saved more people.

Each of these examples represent deficiencies in disaster recovery planning (DRP). In cyber security, DRP refers to the planning and execution of processes to recover, within a defined time and cost, an activity interrupted by an emergency or disaster. As can be seen from the information above, there wasn’t sufficient planning done to account for disasters, and operations after disaster struck were lacking.

Lord of the Rings: Fellowship of the Ring (2001)

A security lesson learned from the movie: There is strength in diversity of your security teams, processes, and technology.

JRR Tolkien’s epic fantasy centers around an artifact of unimaginable power (the One Ring), forged by the Dark Lord Sauron to win control over Middle-earth. The trilogy covers the trials and tribulations of the “Fellowship,” a group comprised of hobbits, men, a dwarf, an elf, and a wizard brought together to destroy the ring and frustrate Sauron’s plans.

Perhaps the most important lesson we can learn from the Fellowship is the benefit inherent in creating a diverse team. For example, even though the hobbits were the weakest physically, their courage and willpower were second to none. That’s why Frodo was chosen to carry the ring, which ended up corrupting a strong warrior like Boromir.

Diversity is something that also translates in cyber security, that is, the diversity of people, processes, and technologies. Not only does that reduce the possibility of single points of failure as in the Star Wars example, but also allows security teams to leverage complementary strengths while addressing individual weaknesses.

A mature cyber security program consists of several components: Identity and Access Management (IAM), Logging and Monitoring, Data Protection, Incident Response (IR), Business Continuity Management and Disaster Recovery (BCM & DR). These cannot and should not be handled by concentrated teams, nor implemented via similar technologies.

Avatar (2009)

What we learned from the movie: The concept of an avatar actually comes from a Hindu concept of the manifestation of a deity or released soul in bodily form on earth, most famously represented by the ten incarnations of Lord Vishnu. (Well, maybe we didn’t all get this from the movie, but now you can say that you did)

A security lesson we can all identify with: Have dedicated insider threat monitoring mechanisms in place.

In this epic science fiction film set in the mid-22nd century, scientists on energy-starved Earth have just discovered the superconductor Unobtanium on Pandora, a distant moon in the Alpha Centauri star system.

Desperately wishing to mine the resource, scientists quickly learn that Pandora’s atmosphere is poisonous to humans, and come up with a way to explore the environment using the indigenous population, the Na’vi. The scientists call on the services of a soldier named Jake Sully, who is tasked with controlling a genetically engineered Na’vi body—an avatar— in order to infiltrate the local population and gather intelligence about the land.

To me, this is a perfect example of an insider threat. In cyber security, an insider threat is someone within the organization—current or former employees, contractors, or vendors—who have inside information concerning the organization's security practices, data, and computer systems.

With such privileged information, an insider threat can compromise the organization’s security easier than external threats, and are also more difficult to prevent and detect. It’s not surprising that insider threats are among the top threats we identify during our Cyber Security Reviews. While controls can be implemented to reduce the risk of an insider threat, very few companies have dedicated insider threat monitoring mechanisms in place.

About Cyber Security Reviews

I hope you enjoyed this write-up and the security lessons I took from some of my favorite movies. If any of the sections highlighted gaps in your company’s security profile, a Cyber Security Reviewcan help you identify missing pieces and prioritize them according to your unique business needs. Need a clear picture of where you are? A Cyber Security Review can tell you just that, and helps create a roadmap for where you need to be.

One thing we can all learn from the movies is that history has a way of repeating itself. Call it a foible of human nature, but humanity is replete with the same mistakes being repeated again and again. And this includes mistakes in cyber security as well, some of which are easily fixable. Case in point: open AWS S3 buckets. Case in point: a CSR can help you learn from others’ mistakes and prevent you from making your own.