Monday, May 11, 2009

Star Wars and Information Security

One of our family traditions that I thoroughly enjoy is family movie night. Every Sunday we gather in the theater to watch a family movie. It reminds me of Sunday nights when I was a kid, and Disney would show the Sunday night movie on ABC. It marked the end of the weekend, and the dreaded school week ahead loomed just over the horizon. The kids have gotten interested in Star Wars thanks to the new cartoons that are being released, so this Sunday we decided to watch the original Star Wars. It has been a long time since I have seen the movie, but there is a great lesson in it for all organizations with regard to their risk management and information security programs. At this point, you are probably wondering if my misspent youth has clouded my judgment here, or perhaps I am one of those people who have a life-size Darth Vader in their house and know all of the Star Wars trivia. I assure you that neither of these is in play here, so hang on a minute while I clarify. For the purposes of my illustration here, the Death Star and the baddies on it are a large organization with aspirations of intergalactic domination, not unlike (insert large organization from your “I hate them” list here).

At one point in the movie there is a meeting with the Generals, leaders, and Darth Vader where one of the individuals (I’ll call him the CSO) comments that the Death Star has several vulnerabilities and that they should not get too cocky (I’m paraphrasing here). The others dismiss his notions as nonsense, and Darth Vader proceeds to choke him without actually touching him. This would equate to the CEO or Executive Board shooting down your most recent proposal. As if the physical breach of the Death Star’s security by a newbie, a freighter pilot, a Princess, a Wookiee, and two robots was not enough of a wakeup call, the Rebels eventually figure out that there is indeed a vulnerability in the Death Star that can be exploited by a single X-Fighter. We will equate this to a web vulnerability in one of your front-end applications that, when exploited, gives someone complete control over the back-end system that holds credit cards. As this attack is underway, the same person advises one of the Generals that perhaps it is time to get his escape pod ready (DR plan) and is again dismissed because, hey, what could possibly go wrong when we have enough money to build a ship the size of a planet?

In the end, of course, the vulnerability is exploited and the entire thing gets blown to bits. I found myself hoping that the CSO got out of there somehow, since he was the only one who knew the BCP plan by memory, and is now living a peaceful life on some planet.

Anyone who has ever read any of my blogs (thanks Sis) knows that at this point I will try to tie this to some nugget of Information Security gold, and they are right. No matter how much money you spend on Information Security in an organization, there is probably some vulnerability in something you coded or bought that can wreak havoc on your organization. The trick is to catch as many of these as you can without driving your company into bankruptcy, or the CSO into an early grave, doing so. Additionally, when things do go terribly wrong, you had better have a BCP/DR plan that everyone knows how to execute.
