First off, may the force be with you on this May the Fourth. Each year we like to celebrate by watching the only trilogy that matters (sorry LoTR). And by that, we of course mean the original Star Wars trilogy. Now we could spend all day here engaging in enlightening criticism of both the prequels (terrible), the new trilogy (meh), or the stand-alones (give us more Rogue One, less Solo)...but this is after all a cybersecurity blog already excessively full of parenthetical snarky statements, so let’s talk about A New Hope– one of the greatest data breach movies ever made and what we as security professionals can learn from it.
A data breach movie you say? Isn’t Star Wars one of the great hero’s journey archetype stories? Hell yeah it is. But the plot device that moves the entire movie forward is a data breach. The rebels have stolen the plans to the Empire’s new super weapon (for that particular story you should watch the excellent stand-alone film Rogue One), and are trying to get them into the hands of the rebel fleet to stop the Empire from going all HAM on everyone who opposes them. While some of the tech, like tape drives and discs, may feel charmingly dated in a cloud-first world, there is still a lot to be learned from both the Rebels and the Empire.
The biggest mistake the Empire made was believing that the Death Star itself, and not information about the Death Star, was their most powerful weapon. While the Emperor did dispatch Darth Vader to recover the stolen Death Star plans, the Empire’s leadership made the tactical mistake of disregarding the significance of that information and instead focused on the value of the destructive power of the space station. As such, they prioritized physical defense of the station over information security. In this instance, it's useful to think of the Death Star as the product and the plans as the source code.
But as any hacker, or spy, knows, the most powerful weapon in the world is information, and it needs to be defended appropriately. Once it’s in the wild, it’s nearly impossible to control what can be done with it. While your organization may not harbor the plans to any secret planet-destroying super weapons (at least not that you know of), you likely still hold valuable IP, source code, customer data, or financial data that is dangerous in the wrong hands.
So while most organizations prioritize protecting their products or physical assets, the protection of information tends to be much less strategically orchestrated, and suffers from chronic underinvestment. The reality is we will never get to a world of zero breaches, but organizations need to prioritize which information assets are the most critical to the organization, and invest in hardening the defenses around them.
Apparently on the Death Star, user authentication isn’t a thing. Any old droid can just roll up on any terminal and access anything it wants…including sensitive information like the location of prisoners or control of systems like trash compactors. The designers of the Death Star’s information security systems (if there were any) may have been overly confident in the protection afforded by the Death Star’s physical isolation. We mean, it's hard to imagine a more literal walled perimeter than a giant metal sphere floating in space.
But this was essentially the Imperial equivalent of letting anyone who gets on the guest wifi have access to anything and everything on your network. The security architect probably never envisioned that an adversary would manage to get inside and physically survive long enough to breach the systems. But it’s exactly that kind of laissez-faire attitude and lack of imagination that leads to most security breaches. Engineers and architects believe something to be impossible or unlikely, and so they unintentionally create vulnerabilities.
At the very least the Death Star’s computer systems should have required user authentication, even something as basic as a username and password. If the data ports accessed by R2-D2 were indeed public access… a sort of galactic version of a public wired network, then they should have followed the principle of least privilege: anything beyond the most basic information, and certainly control of any physical systems, should have sat behind a stepped ladder of escalating privilege requirements, with every request denied unless the session had earned the rung that action needs.
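Here is what that privilege ladder looks like in code. This is an added example for this post, not anything from the film or from Uptycs’ product; the roles, action names and session fields are hypothetical. The point it demonstrates is deny-by-default: an unknown action is refused, an anonymous session (the droid at the data port) can only read public notices, each rung unlocks only the actions at or below it, and anything that moves machinery demands a second factor on top of the rung.

```python
"""Added example (not from the original post): a deny-by-default, tiered
authorization check for a terminal that exposes both read-only lookups and
physical controls. Roles, actions and the Session layout are hypothetical."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Privilege ladder, lowest rung first. A session may only perform actions whose
# required rung is at or below its own; physical controls sit at the top.
RUNGS = ("anonymous", "authenticated", "operator", "admin")

# Rung each action requires. Anything absent from this table is denied outright.
REQUIRED_RUNG = {
    "read:public_notice": "anonymous",
    "read:deck_map": "authenticated",
    "read:prisoner_location": "operator",
    "control:trash_compactor": "admin",
    "control:tractor_beam": "admin",
}


@dataclass
class Session:
    user: Optional[str] = None   # None means nobody has logged in at this terminal
    rung: str = "anonymous"
    mfa: bool = False            # second factor presented for this session

    def __post_init__(self):
        if self.rung not in RUNGS:
            raise ValueError(f"unknown rung {self.rung!r}")
        if self.user is None and self.rung != "anonymous":
            raise ValueError("an unauthenticated session cannot hold a rung")


def authorize(session: Session, action: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Every path that is not an explicit allow denies."""
    needed = REQUIRED_RUNG.get(action)
    if needed is None:
        return False, "unknown action"
    if needed != "anonymous" and session.user is None:
        return False, "authentication required"
    if RUNGS.index(session.rung) < RUNGS.index(needed):
        return False, f"requires {needed}, session is {session.rung}"
    # Anything that moves machinery needs a second factor regardless of rung.
    if action.startswith("control:") and not session.mfa:
        return False, "second factor required for control actions"
    return True, "ok"


if __name__ == "__main__":
    droid_at_data_port = Session()                                   # anonymous
    guard = Session(user="tk421", rung="authenticated")
    chief = Session(user="tarkin", rung="admin", mfa=True)
    for who, sess in [("droid", droid_at_data_port), ("guard", guard), ("chief", chief)]:
        for action in ("read:public_notice", "read:prisoner_location",
                       "control:trash_compactor", "control:hyperdrive"):
            print(f"{who:5} {action:25} -> {authorize(sess, action)}")
```

Note that the ladder alone is not enough: an admin who has logged in but not presented a second factor can still read everything, but cannot touch the compactor. That is the shape you want for anything with a physical or destructive effect.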
Sure…we bet the plans for the Death Star were absolutely enormous. But apparently not so enormous that the Rebel Alliance couldn’t find a vulnerability almost immediately. The Empire probably viewed the thermal exhaust port the way many of us view a known-but-accepted finding, say a service listening on a port that shouldn’t be exposed: you know it’s bad, but with ten thousand other competing priorities it’s not going to keep you up at night. What the Empire’s risk assessment apparently didn’t weigh was the impact of that port being breached. However unlikely it may have been, a successful attack on the port would have been (and was) catastrophic. Had likelihood and impact both been on the table, the port would have either been fully shielded or far better defended.
The Empire also failed to anticipate what type of attack they would likely face. The defenses of the Death Star featured mostly heavy anti-ship weaponry, instead of point defense guns that could target smaller fighters. Yet again, the Empire’s leadership failed to think through the types of realistic attacks they would suffer. Large warships are expensive to acquire and operate, and their movements are easy to track. That type of attack was unrealistic. Fighters on the other hand are small, agile, and relatively cheap and easy to acquire. In other words, a much more likely vector of attack for a small but determined force to use. Similarly, because most organizations’ cyber defenses are tuned for large but rare frontal assaults, many security programs lack the tooling and agility to detect and respond to the steady stream of small, real-time attacks they actually face.
Often organizations focus on the flashiest and most headline grabbing cybersecurity vulnerabilities. We like to envision that the things that go bump in the cyber night are large state-sponsored actors using expensive custom exploits and malware, because it makes the world easier to understand. That’s also often where corporate executives and boards want to direct their security budgets. But as we all know, it’s the little things we don’t see coming that come back to haunt us, and it’s usually because it's those small things that end up with outsized weights when a true end-to-end risk assessment is done.
It’s seldom the state-sponsored actors, but the small determined cybergang that manages to get through our defenses. Meanwhile important work like scanning for overprivileged AWS roles and policies, anti-phishing training, setting up and requiring 2FA, and shielding thermal exhaust ports gets overlooked because those things aren’t sexy– they’re small, out of sight, and not easily defended with massive turbolaser batteries. But we overlook them at our own peril.
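Since we just name-checked it, here is what “scanning for overprivileged AWS policies” can look like at its simplest. This is an added example written for this post, not an Uptycs feature or AWS tooling; the two policy documents are constructed for illustration (the account ID is the standard AWS placeholder). It walks the Allow statements of an IAM policy document and flags the unglamorous things that turn into thermal exhaust ports: `Action: "*"` or a whole service wildcard on `Resource: "*"`, `NotAction` (which grants everything not listed), and privilege-escalation actions like `iam:PassRole` granted on every resource with no Condition.

```python
"""Added example (not from the original post): flag over-broad statements in an
AWS IAM policy document. The policies below are constructed for illustration."""
import json
from typing import Any, Dict, List, Tuple

# Actions that hand out more than they appear to when granted on Resource "*"
# with no Condition. Compared lowercase because IAM action names are case-insensitive.
SENSITIVE_ACTIONS = {
    "iam:passrole", "iam:createpolicyversion", "iam:attachrolepolicy",
    "iam:putrolepolicy", "sts:assumerole", "lambda:updatefunctioncode",
}

Finding = Tuple[int, str]   # (statement index, description)


def _as_list(value: Any) -> List[Any]:
    """IAM allows a string or a list in Action/Resource/Statement; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overprivileged(policy: Dict[str, Any]) -> List[Finding]:
    """Return findings for each Allow statement that grants too much."""
    findings: List[Finding] = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue                      # Deny statements only ever narrow access
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        any_resource = "*" in _as_list(stmt.get("Resource"))
        unconditioned = "Condition" not in stmt

        if "NotAction" in stmt:
            findings.append((idx, "NotAction grants every action not listed"))
        if "*" in actions and any_resource:
            findings.append((idx, "Action * on Resource *"))
        elif any(a.endswith(":*") for a in actions) and any_resource:
            findings.append((idx, "service-wide action wildcard on Resource *"))
        for a in actions:
            if a in SENSITIVE_ACTIONS and any_resource and unconditioned:
                findings.append((idx, f"{a} on Resource * without a Condition"))
    return findings


def scan_policy_json(text: str) -> List[Finding]:
    """Convenience wrapper for a policy document as it comes back from the API or a file."""
    return find_overprivileged(json.loads(text))


# Constructed sample: the kind of "temporary" policy that never gets revisited.
PERMISSIVE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole", "lambda:CreateFunction"],
         "Resource": "*"},
        {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
    ],
}

# Constructed sample: the same capabilities, scoped to what the workload needs.
SCOPED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::app-logs/*"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/app-role",
         "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
    ],
}


if __name__ == "__main__":
    for name, pol in (("PERMISSIVE", PERMISSIVE), ("SCOPED", SCOPED)):
        print(name)
        for idx, why in find_overprivileged(pol) or [(None, "no findings")]:
            print(f"  statement {idx}: {why}")
```

Nothing here needs a big platform; it is a few dozen lines you could run over the output of `aws iam get-policy-version` in a cron job. That is the kind of small, unsexy control that actually moves the needle.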
Few people who watch Star Wars stop to think about how perilously close the Rebels came to failure. Even though the Empire was shamefully arrogant in its approach to defense, its turbolaser batteries and TIE fighters, with Darth Vader himself in the cockpit, still came within seconds of breaking the Rebel attack. It was only through sheer luck and perfect timing, Han’s surprise return knocking Vader off Luke’s tail just long enough for Luke to take the one-in-a-million shot, that the Alliance and the galaxy were saved. Even from the outset, the Rebels placed a lot of stock in hope. Hell, the movie is named A New Hope.
But one has to wonder if the Rebels’ attack would have been more successful if they had been more strategic and less rushed in their planning. Granted, they were quite literally under the gun to come up with and execute a plan, but the mission plan as presented to the pilots was widely perceived to be impossible with the time and resources they had available. They just had to do what they could and hope for the best.
And that, unfortunately, is the position many security pros find themselves in as well. We know we can’t do everything, and there are a million competing priorities, so we just have to do what we can and hope for the best. But hope is not a strategy.
When resources and time are limited, we have to be strategic about how we use what we have available to us. That means architecting a security strategy that accounts for the reality of the world as it is (as well as the vanity projects often dictated by boards), accounting for changes in how organizations work through shift-left processes, and investing in automation and tools that help us reduce risk and speed time to detection and remediation.
So there it is. 1465 words on a few lessons we can take from Star Wars. Which is about 500 more than the other marketing folks allotted for us, but hey– they asked us to write about Star Wars and we were more than happy to let that nerd flag fly. There’s probably plenty more in there that we missed or just ran out of space, but feel free to reach out on social and share your thoughts.
And in the meantime if you want to see how Uptycs can help prevent your cloud or endpoint from becoming your organization’s thermal exhaust port, don’t hesitate to reach out. We’re more than happy to chat Star Wars (and Star Trek…we guess…we’re sure we can scrounge up a Trekkie around here somewhere if we had to), cloud, endpoints, Kubernetes and all kinds of other cool stuff all day long. And if you’re going to be at RSA next month, come on by our booth and say hello. Don’t be a stranger now!