UK Cyber Week Blog

11 Nov 2024

The Hollywood approach to security analogies

Analogies are a great way to get your security messages across: they take a subject like security, with which most people are not familiar, and put it into terms that they may encounter on a day-to-day basis.

 

Some of my favourites are about how we are all risk assessors in our own lives. We might take a different approach to securing our own home when we are popping out for a few minutes, compared to when we are going away on holiday, as we understand that the longer we are away, the greater the risk of being burgled. When driving somewhere at night, we might also consider paying to park our car in a well-lit carpark with 24/7 security, rather than leaving it on a dark back street for free – the investment we make in paying to park is much less than the cost and inconvenience of having our car damaged or stolen. We would reason that the risk of this is far lower in the carpark and therefore it is a wise investment.

 

Do the baddies align to a good-practice security standard? Probably not!

One approach to analogies I also enjoy using is to demonstrate how the baddies in Hollywood movies might have succeeded in their dastardly plots, had their information security been better. No matter how well funded the evil villain/mad scientist appears to be, and despite the amount often spent on physical security, henchmen, lasers, etc., the cyber budget often isn’t given the required level of investment.

 

The first time I made use of this was as part of an introduction to security for new starters at a company I had just joined. I had been through the induction myself already, and it was a full day of “death by PowerPoint”: so much text, so many transitions and animations. Typically, security was the last topic of the day, so by the time my opportunity came to motivate the next generation of security champions, all the light had gone from their eyes. I needed something visual, with minimal text, engaging and different enough to awaken them.

 

The security mistakes the baddies make (spoiler alert!)

This situation was quite a while ago now, but I needed a movie that most people would likely have seen, or at least be familiar with the plot. I settled on Independence Day – it had been a very popular movie and even if people hadn’t seen it, the plot was quite simple: aliens seek out a new home and take a fancy to Earth. The only problem is that there’s an infestation of humans there, and they’re not up for sharing with us. To begin with, their intentions appear to possibly be benign, but they soon start destroying major cities, forcing humanity to fight back with our inferior technology, which fails until a brilliant yet underappreciated techie finds a way to get into their technology and bring them down from within. The aliens are defeated, humanity is (mostly) saved, and as a bonus our brilliant yet underappreciated hero is reunited with his estranged wife, as the trauma of the invasion reminds them about why they fell in love in the first place.

 

Using just the most basic presentation, with mainly pictures to act as a storyboard, I recounted all the security errors made by the aliens, to demonstrate why these are all important facets of security for our company. The relevant scenario here is that there is a business deal underway to be the population of the Earth. The humans are the incumbent provider of this service and therefore should be at an advantage. The aliens are a competitor looking to make an alternative bid. The process is highly confidential as neither party wants to give the other any advantage.

 

Following the plot of the movie, it went a bit like this:

 

  • Firstly, the aliens make it all the way from their previous world to our moon and set off a powerful signal, clearly announcing their presence and taking the element of surprise away from their business plan. This data leakage gives the competition time to react and takes the edge off their competitive advantage.
  • The positioning of the alien ships above key global locations does not necessarily signal an intention to attack; they may simply want to say hello to all the world leaders at once. However, when the humans find a signal being used as a countdown to attack, this is enough for them to act. Using encryption in their transmissions would have masked this and not given the humans the heads-up. A serious breach of confidentiality there!
  • Not all the authorities on Earth are convinced though, and some want to give the aliens a second chance. However, the helicopter they send up to perform a close-encounters style light show gets blown out of the sky by the aliens. This removes all doubt of their intentions with still nearly half an hour to spare before the main attack, giving our heroes plenty of time to escape. Whether this is a gunner with an itchy trigger-tentacle (unauthorised escalation of privileges) or a ship commander who does not appreciate the need to keep their plans confidential (security integration into job roles), the intent of the aliens is now truly confirmed.
  • When our heroes escape to Area 51, they discover that the Roswell UFO legend is true, and in fact the UFO is a craft belonging to one of these aliens, clearly on some sort of data-gathering mission in the 1950s. Since the aliens returned, all the systems on the ship have come back to life and are fully functional – giving the humans a huge amount of information about their technology and the capabilities of their craft. This raises a lot of questions around how the aliens perform asset management, client authentication, their leavers process and several other security principles which should have rendered the craft inoperable once it had been lost. Clearly, there hadn't been any sort of process or asset audit in the last few decades that might have raised the issue of this lost ship.
  • When a live alien rears its ugly head in person, it starts shooting its mouth off (or brain, to be more accurate) about who they are, what they are doing and what their plans are for Earth. They say that loose lips sink (space)ships, and in this case the information imparted is enough for the US President to make the decision to increase the force used against the invading aliens, and try to “nuke ’em”. Clearly the baddies don't operate their own security awareness training to cover the importance of not disclosing confidential information in public. Whatever happened to "name, rank and serial number"?
  • Physical security clearly isn't a big concern of the aliens. Our heroes can fly the now operational Roswell craft straight in through the front door of the mothership unchallenged, with a large nuclear explosive device attached, and successfully dock right in front of the control room. That's like someone walking into your building without any ID, carrying a bomb, and sitting down in a secure area without anyone blinking an eye.
  • What are the chances of the aliens' IT systems and communication interfaces being compatible with those used on Earth? Fortunately, this was the case, and our heroes can successfully infect the ship’s systems with malware. No anti-malware, most likely a poor vulnerability management process and an ineffective patching regime are clearly to blame here, not to mention a clear lack of protection of critical systems from the user domain. Defence in depth is another thing that didn't catch on with these baddies.
  • Finally, flying an aircraft into the main weapon of one of the larger spaceships not only destroys the weapon but the rest of the ship too. Surely this would have come up as an issue during development and testing!

 

In finishing my induction day graveyard slot presentation, I suggest that if the aliens had taken more care of these things, then the humans would not have been able to mount such an effective response, and the aliens would now be happily setting up home on the newly vacant Earth. These are all lessons for us to remember if we want to avoid losing business to our competitors.

 

I got some really good feedback from the presentation, both in terms of how much more engaging it was and in showing a clear understanding of the security messages, which is the whole point I wanted to get across.

 

Other options?

If Independence Day isn’t your choice, then there are plenty of good examples of poor security in movies and TV shows, either by the goodies in the first place to allow the baddies to execute their evil plans; or by the baddies, which ultimately allows the goodies to triumph at the end.

 

For instance, another personal bugbear of mine is in the movie I, Robot. The evil AI system seemingly has access into every device, home and car but has decided to implement absolutely no monitoring of the maintenance tunnels underneath its own HQ, allowing the goodies to gain access undetected and save the day. Did these people learn nothing from the 1960s Mission: Impossible TV series, where agents were able to enter any top-secret location by wearing overalls, carrying a toolbox, and claiming they’d come to fix the air conditioning?


 

As Director of Resilience Insights, Matt Gordon-Smith specialises in delivering cyber security leadership and advisory services for clients globally. With over 20 years of experience in information security, he has held senior leadership roles, including Chief Information Security Officer (CISO) and Director, across industries such as civil nuclear, mining, and aviation.

Starting his career in 2000 as an IT Security Architect at IBM, his expertise spans enterprise security architecture, consultancy, and IT managed services. This broad experience has provided a solid foundation for guiding organisations through complex security challenges. 

Since 2022, Resilience Insights has been providing tailored services, including fractional CISO support, regulatory compliance strategies, and interim leadership. The consultancy focuses on helping organisations strengthen their security frameworks, address new challenges, and meet evolving regulatory requirements.
