The Rise Of Security Awareness
Like many Star Wars fans, I was eagerly anticipating the last installment of the series last month. While The Rise of Skywalker has earned countless articles on its storytelling, its plot holes, and how it stands up as the final film in the nine-part saga, I haven’t seen any articles on what it means to the security industry. The movie actually says a lot about security, so if you aren’t afraid of some (minor) spoilers, head below the break to see what I’m talking about.
Without giving too much of the plot away, at one point in the movie a lost or stolen, um, “access token” is used by the Resistance to get into a location they have no business being in. The First Order’s “lost and stolen” process is evidently not a robust one: the token was not deactivated when it went missing, so whoever held it kept all of its privileges. One also wonders why no security auditor flagged this as a gap and insisted on remediation – are there SOC 2 audits in the Star Wars universe? Seriously, though, this is a very clear and understandable example of why it is so important to have well-defined processes for reporting and deactivating items like badges that grant access to sensitive areas, why deactivation should happen at the moment of the report rather than at the next periodic review, and why every holder of such a credential needs to know those procedures.
But what if the problem isn’t the lack of a process, but a lack of adherence to it? After all, in the Star Wars universe, those who make mistakes tend to receive painful demonstrations of the Force. This is exactly why security programs need to avoid being punitive when users admit to making mistakes. An organization gains far more when users feel they can report errors of their own making without expecting to be punished for them. The alternative may be what happened in this case: fear of punishment for losing a valuable item kept the loss from being reported until it was too late, and the damage was compounded. No matter what security tools an organization deploys, none of them will be 100% effective, so security teams need to rely on users as their last line of defense, willing and able to report anything they think is suspicious, including their own mistakes. At Code42, our employees routinely report strange emails, or links that they may have clicked on but had a bad feeling about, and this helps us immediately investigate and limit any potential negative consequences. Because they know they can report issues to us without fear of overreaction, our overall security posture is improved.
The last takeaway I had from this scene relates to authorization, and what it means with regard to granting access to sensitive assets. In the movie, this access token was associated with a certain rank of First Order officer, and physical possession of the token granted authorization to sensitive areas. It is easy enough to spot the issue here: authorization is meant to be granted to a certain type of person (based on rank), but is instead granted to a physical object that anybody can get hold of. The token proves possession, not identity. It is always important to remember that merely having access to something like a password or a badge doesn’t mean that the holder of such an item should be authorized to perform a task. Whether those tokens are compromised via theft, phishing, keylogging, or the old Post-it on a monitor, they may be used by unauthorized people, and the controls that catch this are the ones that tie the credential back to the person: a second factor, a check of the holder’s identity or rank at the point of use, and a review of what each credential actually opened. Determining how to identify such misuse is usually a good exercise for blue teams, and all users should be on the lookout for attempts to abuse authorized access.
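The two checks argued for above, a lost-and-stolen process that actually kills the token and authorization that is tied to the person rather than to the object, can both be reconciled against a badge-reader log. The following is an added example written for this post, not code from the original article or from any access-control product; the badge IDs, holder names, ranks, door names and log format are all constructed assumptions. It flags a token that was granted entry after its loss was reported, a token that opened a door its registered holder’s rank does not authorize, and a token the registry never issued.

```python
"""Reconcile badge-reader events against a credential registry and a door
policy. Everything here is constructed for illustration: the badge IDs,
holder names, ranks, door names and log format are assumptions, not any
real system's."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Badge:
    badge_id: str
    holder: str
    rank: str
    # Set when the badge is reported missing. A sound process deactivates
    # the badge at the readers at this moment; the audit below catches the
    # case where that did not happen.
    reported_lost_at: Optional[datetime] = None


@dataclass(frozen=True)
class Swipe:
    ts: datetime
    badge_id: str
    door: str
    granted: bool


# Constructed credential registry (assumed holders and ranks).
BADGES: Dict[str, Badge] = {
    "FO-0001": Badge("FO-0001", "officer-A", "general"),
    "FO-7731": Badge("FO-7731", "officer-B", "captain",
                     reported_lost_at=datetime(2020, 1, 5, 18, 0, 0)),
}

# Door policy: which ranks may enter each door. This is the rule that is
# supposed to be enforced on the person, not on whoever holds the token.
DOOR_POLICY: Dict[str, Set[str]] = {
    "mess": {"trooper", "captain", "general"},
    "hangar": {"captain", "general"},
    "bridge": {"general"},
}

# Constructed reader log: UTC timestamp, badge ID, door, reader decision.
SAMPLE_LOG = """\
2020-01-05T09:14:02Z,FO-7731,mess,GRANTED
2020-01-05T11:40:17Z,FO-7731,hangar,GRANTED
2020-01-06T02:03:55Z,FO-7731,hangar,GRANTED
2020-01-06T02:10:30Z,FO-7731,bridge,GRANTED
2020-01-06T02:12:00Z,FO-9999,bridge,DENIED
2020-01-06T08:00:00Z,FO-0001,bridge,GRANTED
"""

# (kind, timestamp, badge_id, door)
Alert = Tuple[str, str, str, str]


def parse_swipe(line: str) -> Swipe:
    ts, badge_id, door, result = line.strip().split(",")
    return Swipe(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                 badge_id, door, result == "GRANTED")


def audit(log: str, badges: Dict[str, Badge],
          policy: Dict[str, Set[str]]) -> List[Alert]:
    """Return one alert per finding; a single swipe can raise several."""
    alerts: List[Alert] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        s = parse_swipe(line)
        stamp = s.ts.strftime("%Y-%m-%dT%H:%M:%SZ")
        badge = badges.get(s.badge_id)
        if badge is None:
            # A token the registry never issued, whether or not it got in.
            alerts.append(("UNKNOWN_BADGE", stamp, s.badge_id, s.door))
            continue
        if not s.granted:
            continue  # the reader already refused it
        if badge.reported_lost_at is not None and s.ts >= badge.reported_lost_at:
            # The lost-and-stolen process failed: this token should be dead.
            alerts.append(("USE_AFTER_LOSS_REPORT", stamp, s.badge_id, s.door))
        if badge.rank not in policy.get(s.door, set()):
            # Possession opened a door the registered holder's rank does not allow.
            alerts.append(("RANK_NOT_AUTHORIZED", stamp, s.badge_id, s.door))
    return alerts


if __name__ == "__main__":
    for kind, stamp, badge_id, door in audit(SAMPLE_LOG, BADGES, DOOR_POLICY):
        print(f"{stamp} {kind:<22} badge={badge_id} door={door}")
```

Run against the constructed log this raises four alerts: two for FO-7731 being granted entry after its 18:00 loss report, one because the captain-ranked badge opened the bridge, and one for the unissued badge FO-9999. The first two swipes by FO-7731, before the report and at doors its rank permits, are left alone, as is the general's own bridge entry. In a real deployment the interesting follow-up is the gap between the loss report and the first post-report grant: that is the window the revocation process failed to close.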
Running an organization as large as the First Order is certainly a monumental undertaking when it comes to logistics, access control, employee onboarding and offboarding, and security awareness. As the movie shows, however, get security wrong and you may end up defeated once again.