This is a guest article written by François Amigorena. The author’s views are entirely his own and may not reflect the views of IT Governance.
In the James Bond film Casino Royale, have you ever considered the fact that 007 wouldn’t have been subjected to the horrendous torture Monsieur Le Chiffre put him through to obtain his password had he been better protected by access management technology?
The scene goes like this: Bond beats his villain at a high-stakes poker game, denying his opponent a pile of money for terrorist-related activities. Before Bond has the chance to claim his winnings by entering his password into the Swiss bank’s computer system (since they were handling the funds), Le Chiffre kidnaps him, strips him naked, ties him to a chair and repeatedly attacks his crown jewels in an attempt to make Bond give up his password.
Now, I know that Bond is endowed with the kind of fortitude that most men can only dream of, but there’s only so much a man can take when protecting a password. If access to the winnings had been better protected, Bond’s personal safety would never have been at risk.
One might ask: why did the Swiss bank not use better access management technology to protect the winner’s password? Protection that would’ve rendered the password useless if somebody other than the winner were to use it? Nowadays, it’s possible to protect passwords by requiring the IT system to check more contextual information about each login attempt: for example, the location the login is coming from, the time of day, the device being used, and much more. Then, if a login attempt falls outside the pre-set parameters, the system either denies access automatically or escalates to an administrator, who can grant or deny access with a click or two.
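As an added illustration (it is not part of the original article, and it is not IS Decisions’ product), here is a small contextual login check in Python: a per-account policy listing the countries, hours of the day and registered devices a login is expected from, and an evaluator that allows, denies or escalates to an administrator. The policy values, the user and device names, and the rule that a location mismatch is an outright denial while an odd hour or an unregistered device is escalated are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    ESCALATE = "escalate"   # hand the attempt to an administrator for a manual decision


@dataclass(frozen=True)
class AccessPolicy:
    """Pre-set context an account is expected to log in from (values are assumptions)."""
    allowed_countries: frozenset   # ISO country codes the account may log in from
    allowed_hours: range           # local hours of the day in which logins are expected
    registered_devices: frozenset  # device identifiers enrolled for this account


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    country: str
    device_id: str
    when: datetime


def evaluate(policy: AccessPolicy, attempt: LoginAttempt):
    """Check an attempt (assumed to have already presented the correct password)
    against the policy. Returns (decision, list of reasons)."""
    reasons = []
    if attempt.country not in policy.allowed_countries:
        reasons.append(f"country {attempt.country} is not in the allow-list")
    if attempt.when.hour not in policy.allowed_hours:
        reasons.append(f"login at {attempt.when:%H:%M} is outside allowed hours")
    if attempt.device_id not in policy.registered_devices:
        reasons.append(f"device {attempt.device_id} is not registered")

    if not reasons:
        return Decision.ALLOW, reasons
    # Assumed rule: a location mismatch denies outright, so the password alone is
    # useless to whoever holds it; a time or device anomaly alone goes to an admin.
    if any(r.startswith("country") for r in reasons):
        return Decision.DENY, reasons
    return Decision.ESCALATE, reasons


# Constructed policy for the tournament winner's account.
POLICY = AccessPolicy(
    allowed_countries=frozenset({"ME", "CH"}),
    allowed_hours=range(8, 20),
    registered_devices=frozenset({"laptop-007"}),
)

# Constructed attempts: a normal login, then three with one thing out of place.
ATTEMPTS = [
    LoginAttempt("winner", "ME", "laptop-007", datetime(2006, 11, 14, 14, 0)),
    LoginAttempt("winner", "ME", "laptop-007", datetime(2006, 11, 14, 3, 30)),
    LoginAttempt("winner", "ME", "burner-phone", datetime(2006, 11, 14, 14, 0)),
    LoginAttempt("winner", "RU", "laptop-007", datetime(2006, 11, 14, 14, 0)),
]


def decide_all(policy=POLICY, attempts=ATTEMPTS):
    """Evaluate each attempt; returns the Decision values in order."""
    return [evaluate(policy, a)[0] for a in attempts]


if __name__ == "__main__":
    for attempt in ATTEMPTS:
        decision, reasons = evaluate(POLICY, attempt)
        print(f"{decision.value:9} {attempt.country} {attempt.device_id} "
              f"{attempt.when:%H:%M}  {'; '.join(reasons) or 'context matches policy'}")
```

The point of the split between deny and escalate is that a stolen password on its own gets an attacker nothing from an unexpected location, while a legitimate user working late or from a new laptop is not locked out for good, only held until an administrator confirms it is really them.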
Because of the huge oversight on the Swiss bank’s part, I’m surprised that Quantum of Solace (the follow-up film) wasn’t about Bond tracking them down to give them a telling off of his own…
Lacklustre stance towards access management
But Casino Royale isn’t the only film to take a lacklustre stance towards access management. The 1983 classic WarGames’ whole premise is built around poor access management. In short, a poxy little kid gains entry to the US military’s computer system via a backdoor password and nearly starts World War III while thinking he’s only playing a game. If the US military had restricted access by location or device, that kid would never have got anywhere close to causing devastation, since he logged in from his own bedroom on his own un-IT-approved computer. Problem solved. Admittedly, the film would’ve stopped a little short if he couldn’t gain access, but I’m all for security, not entertainment.
Films aren’t the only culprits. The BBC’s Spooks, which is based on MI5, the UK’s home intelligence service, was plagued by poor access management. In virtually every episode, there’s a rogue MI5 officer accessing files they don’t have the clearance for. And if it’s not access, per se, it’s copying entire hard drives of data to a USB drive without anybody’s knowledge. Surely MI5 would be able to monitor file access and get a simple alert when somebody copies top secret information en masse to another location? Nope. They’re as bad as the rest of us.
Even films based on real-life events suffer from poor security. Snowden, which is based on the story of the ex-NSA computer scientist who stole and exposed classified information about the extent of US spying on the public, depicts a breach that could easily have been prevented. With better file-auditing software, Snowden would never have been able to copy a huge amount of data to an external hard drive without alerting someone in IT. Admittedly, what happened was arguably for the greater good, so perhaps – in this case – I don’t mind so much!
However, if you are in charge of your company’s IT security and there’s one message to take from this article, it’s this: never underestimate the seriousness of a breach that can result from a password falling into the wrong hands. And never underestimate the capability of your own employees to cause a breach through malicious behaviour.
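To show what the file-auditing alert mentioned for both Spooks and Snowden could look like in practice, here is an added example (mine, not the article’s or IS Decisions’ software) of a detector that reads constructed file-audit log lines and raises an alert when one user copies more than a threshold number of files, or more than a threshold number of bytes, to removable media within a ten-minute sliding window. The log format, field names, usernames, paths and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit-log format: one COPY/READ event per line, with the destination
# medium already classified by the logging agent as fixed or removable.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) media=(?P<media>fixed|removable) bytes=(?P<bytes>\d+)$"
)


def parse(line):
    """Parse one audit line into a dict, or return None for lines that don't match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    event["bytes"] = int(event["bytes"])
    return event


def detect_mass_copy(lines, window=timedelta(minutes=10), max_files=5, max_bytes=500_000_000):
    """Raise one alert per user the first time their copies to removable media
    inside a sliding time window reach max_files or max_bytes."""
    events = [e for e in map(parse, lines)
              if e and e["action"] == "COPY" and e["media"] == "removable"]
    events.sort(key=lambda e: e["ts"])

    recent = defaultdict(deque)   # per-user events still inside the window
    volume = defaultdict(int)     # per-user bytes inside the window
    alerted = set()
    alerts = []
    for e in events:
        user = e["user"]
        q = recent[user]
        q.append(e)
        volume[user] += e["bytes"]
        while q and e["ts"] - q[0]["ts"] > window:    # expire events older than the window
            volume[user] -= q.popleft()["bytes"]
        if user in alerted:
            continue
        if len(q) >= max_files or volume[user] >= max_bytes:
            alerted.add(user)
            alerts.append({"user": user, "files": len(q), "bytes": volume[user],
                           "first": q[0]["ts"], "last": e["ts"]})
    return alerts


# Constructed sample log: analyst1 drains a classified share to a USB drive, clerk2
# copies two small files more than an hour apart, plus an unrelated read and a malformed line.
SAMPLE_LOG = [
    r"2016-05-20T22:00:10 user=analyst1 action=READ src=\\srv\classified\index.txt dst=- media=fixed bytes=0",
    r"2016-05-20T22:01:00 user=analyst1 action=COPY src=\\srv\classified\a1.pdf dst=E:\dump\a1.pdf media=removable bytes=20000000",
    r"2016-05-20T22:01:30 user=analyst1 action=COPY src=\\srv\classified\a2.pdf dst=E:\dump\a2.pdf media=removable bytes=20000000",
    r"2016-05-20T22:02:00 user=analyst1 action=COPY src=\\srv\classified\a3.pdf dst=E:\dump\a3.pdf media=removable bytes=20000000",
    r"2016-05-20T22:02:45 user=clerk2 action=COPY src=\\srv\hr\form.docx dst=F:\form.docx media=removable bytes=50000",
    r"2016-05-20T22:03:00 user=analyst1 action=COPY src=\\srv\classified\a4.pdf dst=E:\dump\a4.pdf media=removable bytes=20000000",
    r"2016-05-20T22:03:10 user=analyst1 action=COPY src=\\srv\classified\notes.txt dst=C:\temp\notes.txt media=fixed bytes=1000",
    r"2016-05-20T22:04:00 user=analyst1 action=COPY src=\\srv\classified\a5.pdf dst=E:\dump\a5.pdf media=removable bytes=20000000",
    r"2016-05-20T22:05:00 user=analyst1 action=COPY src=\\srv\classified\a6.pdf dst=E:\dump\a6.pdf media=removable bytes=20000000",
    r"2016-05-20T23:30:00 user=clerk2 action=COPY src=\\srv\hr\leave.docx dst=F:\leave.docx media=removable bytes=50000",
    "this line is not an audit record",
]


if __name__ == "__main__":
    for alert in detect_mass_copy(SAMPLE_LOG):
        print(f"ALERT {alert['user']}: {alert['files']} files, {alert['bytes']:,} bytes "
              f"to removable media between {alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S}")
```

Two design choices matter here: the window is counted per user, so one busy clerk’s routine copies do not mask or inflate someone else’s, and only the first crossing of a threshold alerts, so a single bulk copy produces one ticket rather than one per file. With the sample log, analyst1 triggers the file-count rule on the fifth copy, while clerk2’s two copies, separated by more than the window, never do.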
Words can only do so much. To illustrate how access management and file auditing technology could’ve worked in these films, IS Decisions has edited some of Hollywood’s most famous hacking scenes for the better. Take a look.