The Death Star: A Lesson in CyberSecurity

December 15th, 2016   /     /   security and compliance, smarter identity

Tomorrow marks the release of the first ever standalone Star Wars film, Rogue One. The story follows rebellious protagonist, Jyn Erso, as she joins the Rebel Alliance and works with her team to steal the design schematics of the Empire’s new superweapon, the Death Star. This, of course, sets the stage for the original Star Wars movie, now called Episode 4, where Luke Skywalker and the gang use the stolen information to destroy the Death Star.

Having not seen Rogue One yet, I can’t speak to the details of how the Death Star plans get stolen. But when you consider how powerful the Empire is compared to the relatively meager rebel forces, it’s uncanny how our heroes were able to infiltrate the Death Star, rescue Princess Leia, and completely obliterate the station.

I think it’s safe to say that the imperials are not employing the best security practices. So what can we learn from their mistakes about security and compliance?

Not Encrypting Death Star Plans

You have to wonder: even if Jyn Erso and her friends stole the plans to the Death Star, why weren’t they properly encrypted so the rebels couldn’t read them? Surely, an empire capable of building something as big as the Death Star could pony up some computers to encrypt the plans to their ultimate weapon.

Here on Earth, organizations should be sure to setup disk encryption for all their machines. On Macs, FileVault disk encryption is turned on by default in Yosemite and later. On PCs, you get encryption in Windows 10 Professional. Android devices are a mixed bag in terms of encryption. Perhaps the best disk encryption is on iOS devices, which have sophisticated encryption hardware and software, making them the ideal choice for the Imperial engineering corps had they been able to find an Apple Store in their galaxy.

Not Verifying Stormtrooper Identity

In Episode 4, after first entering the Death Star, Han and Luke are able to disguise themselves with stormtrooper uniforms, and sneak into the detention center where Princess Leia is being held.

You would think that such an advanced space station would be equipped with some means of identity verification. Especially since any human can put on a stormtrooper uniform and have their face, and thus identity, obscured. Even here in our comparatively low-tech world without hyperdrive or light sabers, many companies have ID badges with photos to affirm identity before someone can enter their premises.

It also pays to look for identities (user accounts) accessing applications that they shouldn’t be by streaming application access to SIEM systems, such as Splunk, ELK, or Sumo Logic. Ideally, you’d want to be able to monitor these events in realtime, so that you can investigate security incidents as they are unfolding.

Finally, it’s crucial that employees are trained to know when they are receiving emails from an untrusted identity so they can better detect phishing emails. Phishing emails can be a serious threat, which can be reduced if you’ve used phishing assessments to show employees what to look for.

Providing Access to the Entire Death Star

This scene also begs the question, do all stormtroopers have access to every part of the station? If so, the Empire failed to implement least privilege access, a basic security principle stating that people (or software) should have only the privileges needed to do their job. Even if outsiders sneaking into your building to commit malicious acts weren’t a factor, regulating employee access is still crucial to security, since 55% of security threats actually come from individuals working within the company. It’s not necessary for every stormtrooper to have access to every security control room, just like its not necessary for every employee to have access to all of the sensitive data your security team uses.

Not Restricting Imperial Network Access

Earlier in the film, our heroes have the lovable droid, R2D2, plug into a control console in a security room of the Death Star. In no time at all, R2 is “able to interpret the entire Imperial network.” The fact that any droid, especially a malicious one from the Rebel Alliance, can effortlessly plug into the entire Imperial network is a laughably awful security flaw. R2 now has access to a detailed schematic of the station, which Luke and company exploit to escape the Death Star later.

Here on Earth, the obvious answer is to restrict company network access by requiring users to authenticate their identities before accessing a company WiFi network. It’s also best to use MFA for an extra layer of security. This solution would ideally integrate with a CASB (Cloud Access Security Broker), which picks up on suspicious app sign-ins and allows your IT team to instantly shut out potentially malicious users with a click.

Not Securing Trash Compactors

It’s also worth mentioning that R2 gained access to some motor functions within the Death Star, like trash compactors, which he used to save Han, Leia, Chewy and Luke from a tight spot.

This may seem insignificant compared to the other access R2 managed to gain, but is reflective of another common trend in today’s technology - the Internet of Things (IoT), in which anything with electronics, such light bulbs, garage door openers and appliances, can be remotely controlled over a network. Gartner predicts there will be 20 billion devices connected to the Internet by 2020. But it’s likely that in the coming years, malicious hackers will continue to compromise IoT devices, as they did with the recent Dyn DNS server DDoS attack. This vulnerability means that it’s critical to bake security into IoT devices in their first iteration.

Not Plugging Obscure Security Holes

The Death Star, as we all know, had just one obscure security hole: exhaust ports left unprotected since they could only be attacked by a single person spaceship, which the Empire didn’t consider a threat:

It turns out that many other organizations have similar obscure security holes: “zombie accounts”. These are accounts of former employees that haven’t been decommissioned, and available to be exploited by hackers that discover them. Since one out of ten users haven’t been fully deprovisioned from all the accounts of their former employers, this can be an issue for your company, as well.

Not Considering Potential Damages

The Empire’s security negligence ultimately lead to the destruction of the Death Star- a devastating blow in terms of finances, casualties, and morale. One estimate is that it cost the Empire $852,000,000,000,000,000, roughly 13,000 times Earth’s GDP, to build the Death Star — not to mention the significant competitive advantage lost to the rebels.

Hopefully your company will never experience a security failure this damning, but that’s not to say that enterprise security breaches are not serious. Forrester estimates that cyber attacks typically cost organizations $3.5 - 4 million, with each record lost costing anywhere between $50 and $300.

Conversely, consider how the total economic impact of OneLogin can result in an ROI of nearly 500% in the first two months. I don’t know what this translates to in Imperial Credits, but you can calculate how much OneLogin can save your organization with our free Forrester Forrester ROI Calculator.

Security Hubris

Emperor Palpatine believes that events in the Star Wars universe are proceeding as he has foreseen.

However, he didn’t exactly foresee all the security flaws above. While he’s good at shooting force lightning from his hands, he still suffers from a flaw afflicting villains throughout history: hubris. Security is a constantly-moving target, and security teams need to be constantly upping their game — because you can bet their adversaries are.

Rogue OneLogin: Secure Your Death Star

The foundations of cybersecurity are people, process, communication, and politics. That said, implementing systems that addresses all of these factors is critical to your organization’s security. To learn more about how OneLogin can secure your battle station, contact us here.

About the Author

Jack Shepherd is a Content Marketing Specialist at OneLogin, and is responsible for the production and management of original marketing content. Jack specializes in producing content around the latest trends in cyber security and cloud technology, as well as the developing areas of Identity and Access Management (IAM), software as a service (SaaS) and the internet of things (IoT).

View all posts by Jack Shepherd