Game of Thrones can teach you valuable security lessons

01.08.2016
With new hacking techniques, malware, viruses and threats being created faster than Melisandre’s demon babies, the web is indeed dark and full of terrors. Here are seven lessons for security managers pulled straight out of Westeros.

1. Small things can become huge problems

In the age of big data, risk once deemed minimal may pose serious threats to companies concerned with keeping the information they’ve collected private, but that begins and ends within the companies and the parameters and protocols they have in place to keep data secure.

Nobody took the dragons or dire wolves seriously in the beginning of Game of Thrones, but by season 3 they were capable of wreaking havoc and wiping out armies.

Small issues can grow into serious complications If left unchecked.

Everything from employee access to information, to the changing of passwords on a regular basis is uniquely important. Businesses are using mobile systems more often everyday, but mobile security isn’t quite up to par with larger network security endpoints.

“I think it’s more dangerous in some ways with mobile systems that business endpoints do. Even home systems are better monitored to resist attack. Android has critical vulnerabilities,” said Gene Spafford, professor and executive director at Purdue University, Computer Software Consultant. “The trend is generally making mobile devices more powerful, all purpose computer systems, so the threat increases.”

2. Faceless men are everywhere

Anonymous has become synonymous with a global network of hackers, connected through common causes, and faceless men attempting to breach network security is nothing new. Legislators are almost always one step behind, while cybercriminals and hackers are always looking toward tomorrow and how to breach the security of tomorrow.

Much like the faceless assassins of the house of black and white who approach their victims anonymously through seemingly friendly interactions (Season 5 Episode 2), cybercriminals make common practice of seeking out and learning everything they can about a target before phishing for their information.

They may procure the information they seek by phishing for personal information via email, text messages and even phone calls. They will engage their victims slowly but surely taking each step as it comes, and using every bit of information given to their advantage in the retrieval of more.

While a skilled and more often than not lone hacker will often use their talents to breach the gates of companies and corporations alike for the simple purpose of retrieving information for the sake of access to information, networks of cybercriminals, or a particularly malicious individual will break into a network with the intent of interference, surveillance, counter surveillance, cyberlaundering, and the overall goal of bringing a company to its knees.

In the world of Game of Thrones, the many faced god is a just god; who takes a life for a life. In the real world, faceless attackers have far more disguises at their disposal, and will use them to their advantage at every turn made available to them. While the ends differ, the means remain the same.

These days cyber-attacks are more common and becoming more sophisticated every day.

What they’re after isn’t always clear, but for every method used by cybercriminals and hackers seeking information, The implementation of new technology, hybrid cloud storage systems, data-splitting, cryptography and centralized storage databases are becoming the norm.

3. Walls of fire don’t always help

Modern firewalls are complex and take months to become familiar with, but even the most complex firewall is only software and by its very nature has defects. Unidirectional gateways block attacks from untrusted networks no matter what their IP address is, but without them, it’s easy to bypass firewalls with forged IP addresses, especially if someone has access to the same LAN segment as the network they're trying to breach.

In Game of Thrones, the seven kingdoms of Westeros are protected by a 700 foot, 300 mile wide wall of solid ice that was built by “Bran The Builder.”

It has magical spells woven into it to White Walkers out, but many of those spells have been undone by Bran Stark. Now the wall is just a wall.

Sometimes all hackers need to breach a firewall are the magic words.

Password theft is the easiest way to break into a network, and the methods attackers have devised to steal passwords have become far more devious.

Spear phishers use extremely convincing emails targeted at people with access to passwords and protocols. Encryption and two-way factor authentication are practically useless against attacks from within a network, but unidirectional gateways block outside communication and attacks into plant networks.

4. Keeping your friends far and your enemies farther

Access to data by individuals within a network, or by trusted employees isn’t always safe. From Mark Abene and Julian Assange, to Chelsea Manning and Edward Snowden, people with access to networks can gather massive amounts of data with limited resources and small windows of time.

As seen on Game of Thrones, as Lord “Littlefinger” Baelish and Varys “The Spider” use their networks of information in the form of “Little Birds” to grasp and grip in the power struggle between kingdoms, even the weakest link can bring down, or at the very least contribute to the fall of kings.

In September of 2015, Morgan Stanley realized that 730,000 account numbers were stolen by an employee, whom had been gathering account numbers over a period of three years and had them transferred to a private server at his home. It would be wise for companies with sensitive information to implement a “trust but verify” model, storing data in digital safes and data secure repositories, as well as developing and enforcing “need to know” policies among employees.

5. The dead can come back to haunt you

Many small businesses, midsize companies and even large corporations assume that once the hard drives on their computer systems are wiped, they can sell the computers or throw them away without worry, but as we’ve learned from Game Of Thrones, dead doesn’t always mean dead. Some ATA, IDE and SATA hard drive manufacture designs include support for the ATA secure erase standard and have been since the dawn of the 21st century. But research in 2011 found that four out of eight manufacturers did not implement ATA Secure Erase correctly.

If we’ve learned anything from Game of Thrones, it’s that death doesn’t always mean forever.

Much like Melisandre and Thoros use magic words to resurrect the dead,cybercriminals and hackers alike can resurrect data from sources long thought to be dead.

All data has value, and the retrieval of most trivial data from major corporations can be valuable to a company from its infancy to the big leagues.

Small businesses and midsize companies may not be concerned with hackers or intelligence agencies attempting to retrieve data from their hard drives after they’ve been wiped. Larger companies and corporations however, would do best to ensure that data they want gone stays gone.The Gutmann method, a 35-pass overwrite technique, may be considered overkill by some, but it’s been tried and true for years and may work for years to come.

6. The iron price

The biggest issue among leading information security experts is a lack of understanding of cloud-based security. The vast majority of web-based companies put more of their financial resources into security software than they put into hardware and the people working for them. A trend among elite web-based companies in big data is hybrid storage; private cloud storage, hyperscale compute storage and centralized storage, all of which combine yesterday’s technology with the technology of tomorrow. The value of data continues to rise, while the value of human beings with access and control of data has remained stagnant.

From software to hardware, the cost of information security can be expensive, but it’s worth it. In Game of Thrones, Valyrian Steel is a rare commodity, but it’s one of the few things that shatter a White Walker into ice dust.

“It comes down to valuation and people’s understanding, said Spafford. “If people better understood the cost involved. Centralized storage may cost more, but it comes down to valuation of the data. There are some things being tried by organizations using data splitting and cryptography, it requires extra processing and can be hard to audit.  What is the real cost of sharing, valued with operational cost A number of people aren’t willing to spend to protect the information they are trying to protect.”

7. The Old Gods, Or The New Gods

In Game of Thrones, there are many different religions and gods the inhabitants of Westeros and the seven kingdoms pray to, and everyone seems certain that their deities are the greatest, but who can we turn to for protection in the real world

From mom and pop small businesses to corporate giants, with each new advance in information technology, new threats arise. From mobile applications to quantum computing, security must develop and adapt in order to cope with the changing times, but how can cloud based security storage handle the massive amounts of data captured without corruption or interference

“Technology is always evolving. And very fast. This causes a lot of consumer products, whether hardware or software, to be released without having gone through proper security testing as the latter takes time, is costly and could cause delays in product releases which would in turn have a company fall behind competitors,” said Khalil Sehnaoui, founder of Krypton Security, an information security consulting firm. “The future of data protection is safe storage and strong encryption. Safe storage is a wide subject but basically I usually do not like anything cloud based, as we say in InfoSec: Cloud storage is just your data stored in someone else's computer.”

Obviously small to midsize businesses, as well as a majority of single users, have no choice when it comes to using data storage companies as it is cost effective. In that case, those organizations may want to pay extra attention to security practices, redundancy and multi-layer security and encryption procedures.

“Hybrid Data Storage is for now one of the best solutions as it is cost effective, offers high capacity and good manageability. Hybrid Hard Drives mix old Hard Disk Drive (HDD) storage capacity with speedier Solid State Drives (SSD) on a single drive. This allows the most used data to be cached and accessed quickly. Only a small SSD volume is needed to get high performance gains. Booting times are also improved,” said Khalil.

So what is the best solution for companies trying to ensure their data is secure The best solution it seems is a combination of the old and the new.

From small businesses to big data giants, hybrid data storage, repositories and a better understanding of cloud based security systems will become the new normal.

(www.csoonline.com)

By Vincenzo Marsden