One of my favorite film sagas of all time is “Star Wars.” Forever a classic franchise, these films, especially the original trilogy, are responsible for inspiring generations to open their imaginations and think beyond the stars.
Tomorrow is the release date of “The Force Awakens”, and I was so excited that I went back and watched all six of the other movies. And I noticed something – with all of the incredible technology they had, the Empire was really terrible at cyber security.
So, along with learning to control our anger, not give in to the dark side, and not to play the odds, there are actually valuable cyber security lessons we can take from Star Wars.
So what are the cyber security lessons you can learn by watching Star Wars? Read on to learn more!
Bad Access Controls Will Allow Anyone Into Your Networks
In “A New Hope,” when R2D2 is on the Death Star, he plugs into its networks with no problem. R2D2 is then able to find out that Princess Leia is being held captive on the ship, and control machinery on the Death Star such as the trash compactor on the prison level.
It’s rather interesting that, for as much money as it took to build the Death Star, cyber security is curiously lax on the Empire’s most strategically important, business-critical asset.
Knowing what we know about how “A New Hope” ends, it’s safe to assume the Empire’s priorities are mixed up. It’s also possible Empire security personnel haven’t reviewed their information security program in a while. To me, this immediately demonstrates that the Empire probably doesn’t think anything could be a threat to the Death Star, which leads us to learn that …
Underestimating Your Threats Could Be Your Downfall
“The Empire doesn’t consider a small one-man fighter to be any threat, or they’d have a tighter defense.”
- General Dodonna
“Evacuate? In our moment of triumph? I think you overestimate their chances.”
- Grand Moff Tarkin
And those two statements nicely sum up the Empire’s hubris. As a consequence, not only does the Empire fail to properly safeguard the technical data for a strategically important asset, they don’t even take into account the possibility of a single entity destroying it … And you want to know what the result of the Empire’s hubris was? Some punk moisture-farmer from Tatooine blows the whole party for them.
Similarly, in the real world, large companies that underinvest in their cyber security efforts are successfully breached by a small group of hackers or even a lone wolf.
But pride goeth before the fall, sometimes long before. Because they underestimated their threats, they failed to take other security precautions. The lesson here is …
Failing to Conduct Proper Risk Assessments on A Regular Basis Will Increase The Likelihood of A Data Breach
So I’m willing to make a wager here based on these facts:
- A copy of the Death Star plans left the Empire’s control
- Said plans appear to be unencrypted – it seems as if R2D2 displays the technical plans with relative ease
- R2D2 accessed the Death Star networks with no issues
The wager I’m making is that Empire security personnel either failed to conduct regular risk assessments, or performed them incorrectly.
However, there’s a long-standing issue that eludes Empire security personnel and may not be obvious to most, and that’s …
Bad Security Knowledge Transfer Leads To The Same Mistakes Happening Again
In three of the Star Wars films, an attack on a ship’s reactor causes it to blow up:
- In “The Phantom Menace,” Anakin Skywalker blows up a Trade Federation droid command ship by destroying its reactor core. Where’s the reactor core? It’s completely exposed in a hangar bay.
- In “A New Hope,” the Death Star gets blown up by an attack on the reactor core.
- In “Return of the Jedi,” the new Death Star gets blown up by an attack on the reactor core.
Apparently Empire security personnel aren’t good at passing on what they learn to their peers. By “Return of the Jedi,” they had no excuse not to mitigate this single critical point of failure.
Similarly, in the real world, one topic that has come up in our own research is the need for good security knowledge transfer initiatives, though the specifics depend on the organization and its network. When security professionals leave an organization, they should share what they know about the particulars of securing that organization’s environment with their successors.
But you know what, even if the Empire did adhere to all the points made above, there’s one very simple thing they could have done that probably would have prevented all this, which should remind you to …
Encrypt Your Most Important Data
So not only did the Empire lose a copy of the technical plans for the Death Star, it also appears the data was unencrypted. When R2D2 displays the battle station’s data for the first time, the same as opening a file in the real world, the plans show up right away. Why didn’t the Empire encrypt that specific piece of data? We’ll never know.
The Empire’s failure to encrypt the Death Star plans, along with other mistakes, led to a quintillion-dollar loss. In the real world, large losses can be catastrophic, but in some cases they can be prevented with simple security measures.
If you’re worried about your organization’s cyber security uhm … Search your feelings. You know something’s not right. It’s only a matter of time.
Don’t keep yourself in the “dark side” of cyber security. Sign up for a Compromise Assessment and find out your current security posture.