05/04/2018 | Bochum, Author: Tim Berghoff

Why the Galactic Empire failed in data security

May the 4th be with you: Explanation and tips for better handling of galactic data breaches

It just so happens that the Star Wars saga (at least Episodes IV-VI) is a textbook example of how not to handle what is basically a data breach. The Empire is, to put it mildly, woefully unaware of how data security works, which results in less than ideal responses to the breach.

In fact, security has failed in so many ways that it is hard to pick any one of them without at least touching other areas as well. Therefore, we have just picked a few things they should have handled differently from a security perspective.

Shooting the messenger is bad form and brings with it tons of paperwork as well as unpleasant conversations if taken too literally (outside the silver screen universe, that is). You might just as well find yourself in the situation of the messenger who has to break the news to the CEO that the web shop was put out of action because the website was bombed into next week by a DDoS attack. Or, you know, someone has managed to steal the classified construction data for your new headquarters. You know it’s not your fault because funds for security measures were not approved, you didn’t get the three new hires you were promised to polish up the shop platform, the antivirus license renewal still has not been greenlighted even though the license is four weeks out of date, etc. Yet there you stand in front of your boss, being told off for “your” fault.

 
Listen to what people tell you and don’t automatically assume that they are at fault. Besides: good messengers are not easy to come by, so don’t shoot them on a whim – even if you do not like the news they bring you.
So, in that respect, you have to give props to Kylo Ren – at least he only wrecked the office furniture instead of the officer who informed him about his escaped prisoner. The officers who served under his idol fared a lot worse – bring bad news and you will inevitably die, even if you just skype in. And the guy next to you who already looks decidedly uneasy gets your job while you - or rather your corpse - are being dragged out.

Make sure your troops have confidence and no reason to be afraid of getting shot at the first sign of failure. In all likelihood, the person informing you about an incident is not the one responsible for it. They should also know that you trust them.

If something doesn’t work, it doesn’t work and should be removed. It has no place in your plans unless you are looking for something to worry about. To stay with our analogy: The Bad Guy kidnapped the Princess because he wants a slave/wife. Much to his dismay, she does not seem to be too fond of the idea of being press-ganged into this relationship and fights tooth and nail to get away. Try hugging a cactus and you get the idea. It will never be comfortable, ever. The smart choice would be to let her go. The not-so-smart choice for the Bad Guy is to hold on to his prize by way of an iron chain and to try to force her to do his bidding. Word to the wise: that chain might wind up around your neck if you are not careful. Just saying.

Here are eight tips on how to be a better evil overlord:

  1. Don’t brag, don’t gloat.
    We all know your defenses and your action plans are perfect. That doesn’t mean, however, that everyone (especially your adversaries) should hear about them.
     
  2. Get other people involved in your planning.
    If you plan it all on your own, you’re going to miss something. Asking for other opinions is not a sign of weakness or incompetence, on the contrary.
     
  3. Test and review your security regularly. If needed, improve it.
    It might stand up to a tidal wave, a hurricane and a magnitude 9 earthquake, but if an unchallenged intruder can disable your power source by operating two circuit breakers, you have a problem.
     
  4. Do not shoot the messenger.
    If everybody is afraid to tell you that something is not right, then there is a big chance that whatever information you get is "filtered" and incomplete. By the time you get the complete picture you may face an unfixable mess that 5 different people have already had their hands on.
     
  5. Do not bring knives to gunfights.
    If you have tools at your disposal which are guaranteed to address a threat to your plans, use them. When it comes to defense, it is better to start big than to run through an arsenal of smaller tools and waste lots of time (and money) in the process. If Indiana Jones has taught us anything, then it is this: If an opponent is wielding a saber in front of your face while you have a gun, don't be a sportsman. Make it quick instead.
     
  6. If something is not working as intended or expected, get rid of it.
    An application or an appliance which is not performing as expected should first get a thorough review to see if issues can be fixed without compromising the mission. Holding on to a piece of infrastructure for sentimental value, out of complacency or for political reasons will sooner or later make it a liability instead of an asset. If it turns out that something is unreliable, make a move to replace it, but be prepared to fight an uphill battle.
     
  7. Physical security is at least as important as securing your data.
    All the fancy appliances and applications will count for nothing if somebody could just walk into your archive and start pulling drives with the files containing your secret plans. Or if some droid can just roll in, plug into a random, publicly accessible data port and start siphoning off all the data from every system he wants. And we haven’t even talked about encryption at this point.
     
  8. Technology is not a silver bullet.
    No matter how proud you are of the technological terror you constructed: technology is potentially a double-edged sword. You may solve one problem but inadvertently introduce another. While technology can be of great value to security, it should not (and cannot) replace everything. Whether you like it or not: You have to give Vader this one.

Always be aware that the assumption that a bigger security budget implies a higher security level has no basis in reality. Throwing money at a problem rarely makes it ‘go away’ – most of the time it just relocates the issue until it comes back to haunt you from a direction that nobody expected.
At the end of the day, there are still human beings involved. If the user decides that it is safe to override a certain security feature because he is not aware of a danger and hell-bent on opening that hatch with an angry Wookiee behind it, training is the only way of getting what you want.

