A short time ago, in a city not far from Seattle, I began frantically encouraging (forcing) my pre-teen daughter to watch the original Star Wars trilogy. This, of course, was in preparation for the newest film, Star Wars: The Force Awakens.
As we watched, it dawned on me that there are tons of subtle parallels between information security (InfoSec) and the original Star Wars movies. A universe filled with spaceships, computers, AI-controlled robots, big-brother governments, and The Force is bound to have some correlation to InfoSec, right? Let's dive into the Sarlacc pit like Jedi knights and find out.
R2-D2 Hides Important Data in Plain Sight
During the opening scene of A New Hope, we see Princess Leia quietly interact with a random R2-unit on a rebel ship that has just been captured. R2 and his companion C3PO then get away in an escape pod, and land on Tatooine where they meet a young Luke Skywalker. While poking around the R2 unit, Skywalker stumbles upon a secret distress message. We later learn that Leia planted the Empire’s Death Star plans—valuable intellectual property—in plain sight, hiding them in an unassuming astromech droid.
That scenario is a textbook case of what InfoSec professionals call "security by obscurity." In general, experts don't consider security by obscurity a good thing on its own. Obscurity makes things harder to find, but it doesn't protect them the way encryption does: once the hiding place is known, there is nothing left in the attacker's way. Still, I think there's value in obscurity as an additional layer, and this Star Wars scene illustrates it. None of the Empire's troops suspected that two lowly droids held the plans to their ultimate weapon, and those ordinary droids made the perfect cover for Leia's stolen data. Granted, if the Empire had caught our hero droids, we'd also have seen the flaw in security by obscurity. Vader would have cracked R2 open like a tin can, and without encryption, Leia's stolen plans, and any other rebel information, would have been open for the Empire to see. The practical rule: hide things if you like, but never let the hiding place be the only thing standing between an attacker and the data.
Little Vulnerabilities Can Blow Up the Biggest Death Star
Everyone remembers the exciting conclusion to A New Hope. Skywalker perfectly launched a pair of X-Wing proton torpedoes into a small thermal exhaust port on the Death Star, blowing it to smithereens. That little tunnel was the Achilles' heel of the heavily reinforced, moon-sized battle station.
This concept applies to cyber security as well. Sometimes the smallest vulnerability in the most niche piece of software starts the chain of events that lets an attacker gain complete control of a network. Many IT professionals have stories about finding old, unpatched, forgotten servers on their network that were exposed to the public. Attackers take advantage of little vulnerabilities in these forgotten servers to gain a foothold, then use that foothold as a stepping-stone toward the rest of the network. Don't end up like the Death Star. Keep an inventory of everything you expose, and patch even your smallest vulnerabilities; you can't patch the server you forgot you had.
Jedi Mind Tricks Are Used by the Dark AND Light-Side Hackers
In A New Hope, we also see Obi-Wan Kenobi perform a Jedi mind trick. Using The Force, he talks the stormtroopers into not seeing what's right in front of them: "These are not the droids you're looking for." Believe it or not, both good-guy and bad-guy hackers use technical "Jedi mind tricks" to get computers or programs to miss important details, too.
Looking at the Dark side of hacking, many advanced malware samples include a rootkit, a component whose job is to hide the malware's files, processes, and network connections from the operating system's own reporting. For instance, when a security program calls a Windows function to list the files in a folder, hoping to scan them for malware, the rootkit intercepts that call (by hooking the API in user mode, or by tampering with kernel data structures) and strips its own entries out of the answer before handing it back. In effect it tells Windows, "This isn't the file you're looking for." The classic counter is to get a second opinion: compare what the hooked API reports with what a lower-level read of the same directory shows, and treat anything that appears only in the lower-level view as something being hidden.
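To make the hook-and-hide trick and the cross-view counter concrete, here is an added example, constructed for this post rather than taken from the original article or from any real rootkit. It monkeypatches the process's own `os.listdir`, a stand-in for hooking a Windows directory-listing API, then compares that view with one taken through a different code path (`os.scandir`). The `$sys$` prefix, the file names, and the function names are all made up for the demonstration.

```python
import os
import tempfile

# Constructed marker: any name starting with this is what our toy rootkit hides.
HIDDEN_PREFIX = "$sys$"

_real_listdir = os.listdir  # keep the genuine function so the hook can call through


def _hooked_listdir(path="."):
    """The 'mind trick': call the real API, then drop the entries we protect.
    A real user-mode rootkit would do this with an inline or IAT hook on a
    function such as FindNextFileW; here it is a monkeypatch of os.listdir."""
    return [n for n in _real_listdir(path) if not n.startswith(HIDDEN_PREFIX)]


def install_hook():
    os.listdir = _hooked_listdir


def remove_hook():
    os.listdir = _real_listdir


def scanner_view(path):
    """What a naive scanner sees: it trusts the high-level listing API."""
    return sorted(os.listdir(path))


def low_level_view(path):
    """A second view through a different code path. os.scandir is a separate C
    entry point in CPython, so the hook on os.listdir does not affect it."""
    with os.scandir(path) as it:
        return sorted(entry.name for entry in it)


def cross_view_diff(high_view, low_view):
    """Cross-view detection: anything the low view has that the API view lacks
    is being hidden from callers of that API."""
    return sorted(set(low_view) - set(high_view))


def demo():
    """Build a constructed directory with one 'hidden' file, hook the API, and
    compare the two views. Returns (scanner_sees, really_on_disk, hidden)."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("report.docx", "$sys$dropper.exe", "notes.txt"):
            open(os.path.join(d, name), "w").close()
        install_hook()
        try:
            high = scanner_view(d)
            low = low_level_view(d)
        finally:
            remove_hook()  # never leave the hook in place for the rest of the process
        return high, low, cross_view_diff(high, low)


if __name__ == "__main__":
    high, low, hidden = demo()
    print("scanner sees  :", high)
    print("on disk       :", low)
    print("hidden by hook:", hidden)
```

The point of the design is that the two views must come from genuinely different code paths; a second call to the same hooked function would just be lied to twice. Real cross-view tools go further down than this, reading the filesystem structures or kernel object lists directly, because a kernel-mode rootkit can filter every user-mode entry point at once.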
However, Light-side hackers use these same tactics against attackers and malware. Simply put, malware has gotten better at evading the automated sandboxes built to detonate and analyze it. A modern sample might wait to see mouse movement before doing anything malicious, as a way to check that the machine is driven by a human and not by an analysis system. Meanwhile, modern sandboxes have gotten smarter at spotting this evasion tactic. When they see a sample waiting for a human, they perform a "Jedi mind trick" of their own: they synthesize the mouse movement the malware was looking for, and they treat a freshly launched program that keeps polling the cursor as a suspicious behavior in its own right.
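Here is an added example of the mouse-movement check and the sandbox's counter-trick, constructed for this post rather than taken from any real sample or sandbox product. The cursor source is injected as a plain callable (on Windows the real thing would read GetCursorPos), so it runs anywhere without a desktop; the class names, thresholds, and sample counts are assumptions chosen for the demonstration.

```python
import math
import random
import time


class HumanPresenceCheck:
    """The evasion check, as a sandbox-aware sample might implement it: poll the
    cursor position several times and only proceed if it travelled a minimum
    distance. `cursor_source` is a callable returning (x, y); a real sample
    would call GetCursorPos, here it is injected so the example runs anywhere."""

    def __init__(self, cursor_source, samples=10, min_distance=50.0, interval=0.0):
        self.cursor_source = cursor_source
        self.samples = samples
        self.min_distance = min_distance
        self.interval = interval  # a real sample sleeps between polls; 0 keeps the demo fast

    def looks_human(self):
        prev = self.cursor_source()
        travelled = 0.0
        for _ in range(self.samples - 1):
            time.sleep(self.interval)
            cur = self.cursor_source()
            travelled += math.dist(prev, cur)
            prev = cur
        return travelled >= self.min_distance


def idle_cursor():
    """Naive sandbox: nobody is at the console, so the cursor never moves."""
    return (512, 384)


class SimulatedUser:
    """Defender's counter-trick: feed the sample a cursor that drifts the way a
    bored human's would. Each poll moves at least 8px along x plus jitter, so
    the ten samples above always exceed the 50px threshold."""

    def __init__(self, seed=0, start=(512, 384)):
        self.rng = random.Random(seed)
        self.pos = start

    def cursor(self):
        x, y = self.pos
        self.pos = (x + self.rng.randint(8, 20), y + self.rng.randint(-5, 5))
        return self.pos


class PollingMonitor:
    """Wraps a cursor source and counts how often it is read. A burst of cursor
    polls from a freshly launched, non-interactive program is itself a
    behavioural indicator the sandbox can report, whether or not the evasion
    succeeded."""

    def __init__(self, source, suspicious_after=5):
        self.source = source
        self.calls = 0
        self.suspicious_after = suspicious_after

    def __call__(self):
        self.calls += 1
        return self.source()

    def flagged(self):
        return self.calls >= self.suspicious_after


def run_sample(cursor_source):
    """One detonation. Returns (payload_ran, sandbox_flagged_the_polling)."""
    monitor = PollingMonitor(cursor_source)
    ran = HumanPresenceCheck(monitor).looks_human()
    return ran, monitor.flagged()


if __name__ == "__main__":
    print("idle sandbox       (ran, flagged):", run_sample(idle_cursor))
    print("simulated-user box (ran, flagged):", run_sample(SimulatedUser().cursor))
```

In the idle sandbox the payload stays dormant and the analyst learns nothing about it; with the simulated user the payload runs and can be observed. Either way the monitor records that the sample cared about the cursor at all, which is the kind of behavior a sandbox report should surface.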
Master or Padawan, Never Underestimate Training and Preparation
One of Skywalker's biggest philosophical dilemmas in The Empire Strikes Back was whether or not to ditch his Jedi training and leave to save his friends. His experienced teachers, Yoda and the spirit of Obi-Wan, encouraged him to complete his training so he'd have the skills he'd need to actually help. However, Skywalker chose to delay his training and save Han and Leia. As fans, we wouldn't have it any other way, as it showed Skywalker's loyal character. However, the truth is his rescue attempt helped no one. Han was still frozen, Leia was already being rescued by Lando Calrissian, and all Luke did was lose a hand to Vader in the process. Perhaps if he had finished his training he could have helped more?
Information security professionals cannot underestimate the importance of training, either. Learning how Dark-side hackers operate directly improves your Light-side defenses. Spending time examining the latest attacks and hacking methods is an effective way to improve your security infrastructure, because it tells you which of your controls an attacker would actually have to beat. To really become a security Jedi, I recommend taking some basic penetration testing or ethical hacking courses. Learning to hack like a Dark-side Sith lord will help you realize which defenses really work against the latest attacks, and which ones only look good on paper.
“Ewok” Tactics Can Defeat Sophisticated Attacks
Love them or hate them, few can forget the Ewoks, or the Endor forest scene where they fought alongside the Rebel Alliance against the Empire. As a kid, I remember watching Return of the Jedi and thinking it was kind of silly that the Ewoks used low-tech weapons like wooden catapults and swinging tree traps to take on the Empire's high-tech forces. Yet the Ewoks were effective; their giant trees, rocks, and guerrilla warfare were incredibly successful against a far more sophisticated opponent.
In the same way, basic security practices can still be effective today. Lately we hear about a new breed of sophisticated cyber attacker who uses modern Dark-side tricks to evade traditional defenses. While there's truth to that, many of our basic and most reliable security practices still work. One of the oldest ideas in the book is "defense in depth": layering different, independent defenses so that an attacker who slips past one still has to beat the next. More advanced attacks can bypass some of our older measures, but the layers behind them can still save you when the one in front has failed. Learn from the Ewoks, and make sure you're implementing basic practices like layered security.
Pop culture can teach us a lot about computer security if we're willing to dig a bit beneath the surface. Now that I've caught my daughter up on the original Star Wars trilogy, we're planning to tackle the prequels next. I invite you to join me in a few weeks when I'll explore what Star Wars Episodes 1-3 can teach us about InfoSec. For now, may the InfoSec Force be with you!