Blog | Merlin Cyber | Cybersecurity Resources

Zero trust security at the movies

Written by Dean Webb | Mar 29, 2022 1:35:14 PM

Zero trust security is a simple set of principles: continuous verification, limit the blast radius, automate responses. Quite a simple set of ideas to keep track of. As a buzzword, it truly is what it sounds like: zero trust. It doesn’t matter if I trusted something the last time it requested access: I check and check again, repeatedly. I only grant access to what was asked for and cleared, nothing more. And I am watching, always watching…

I suppose that’s why Roz is my favorite character in Monsters, Inc. Not only does she practice continuous verification—“I’m watching you, Wazowski. Always watching. Always!”—she also limits access: “This office is now CLOSED!” When Mike Wazowski tries to socially engineer Roz, she’s not having any of it: “Wazowski! You didn’t file your paperwork last night!” Oh, Roz, you had me at “always watching.”

Sadly, such maturity in security is absent in the world of Star Wars. “It’s an older code, sir, but it checks out.” Oh, how I cringe at that! And the multi-factor authentication (MFA) sent to the secondary device associated with that code, did that check out? Of course not. Star Wars doesn’t have MFA. That’s why the Sith Lords have to do everything themselves if they want to get anything accomplished.

THE 2022 STATE OF FEDERAL ZERO TRUST MATURITY: DOWNLOAD OUR NEW REPORT

And that flat network on the Death Star… don’t get me started! R2-D2 plugs in to any old network port and has run of the complex. Where is the segmentation? Where is the alert that an unmanaged device connected to the network? Where is the automated ACL or VLAN change to block that access? These Death Star guys could have seriously benefited from a Forescout deployment to address those use cases arising from any old droid jacking into the system.

 

If there are any Star Trek fans chuckling out there, I got bad news for you: those Federation vessels are just as flat and unsegmented as the Death Star. How many times does an alien entity wind up taking control of the entire ship after touching an exposed wire on a bridge terminal? Spoiler alert: it happens at least one more time in the new series of Picard. Well, given how often it happens, that’s not much of a spoiler. But you think the Federation would have done a network path analysis to see what vulnerabilities are exposed to an internal attacker, then moved to close off that access. We have that technology here in the 21st century with RedSeal: Can’t they get some of that secret sauce in the 24th?

While I’m picking on Star Trek, let’s look at their poor record on automated responses. Time and again, the Federation faces down the Borg and time and again, it’s a bag of protoplasm giving the orders to other bags of protoplasm punching buttons. No wonder the Borg are the greatest existential threat to the Federation: the Federation has failed to automate. While the organisms ponder, the automations ravage. We can coordinate responses today with products like Swimlane; where’s the SOAR on the Enterprise?

One more beef with Federation technology: those holodecks are constantly spilling over into other systems. I can solve those issues with a few Palo Alto firewalls…

After all this, it seems anticlimactic to talk about how zero trust principles would have kept the guys in Office Space from putting a virus into the credit union software. Good DLP would have prevented Michael Bolton from copying files to external media and access rights limits would have kept Peter Gibbons from being able to make code changes. Add in an automated code validation process, and Initech would have been saved. In Initech’s defense, it was around in the 1990s, before we knew what we currently know. There’s no excuse, though, for the flyboys up in their star cruisers and Death Stars. Zero trust should have been baked into those platforms. True, it would have forced screenwriters to be a lot more inventive… or maybe they would have just given up on “here’s how someone takes complete control” plot lines. But isn’t that what we ultimately want in real life? Zero trust security principles will make hackers have to be a lot more inventive… or maybe just give up attacking the zero trust organization and go look for an easier target.