BreachExchange mailing list archives

Six infosec tips I learned from Game of Thrones


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 28 Apr 2014 19:40:38 -0600

http://www.net-security.org/article.php?id=2001


In Westeros—the land of dark knights, backstabbing royals, dragons,
wildlings, wargs, red witches, and White Walkers—even the youngest ones have
to learn basic self-defense if they’re to have any hope of surviving the
cruel fictional world imagined by A Game of Thrones (GOT) author, George R.
R. Martin. And so too, must every CISO and security pro learn the latest
information security best practices if they’re to survive today’s Internet
threat landscape.

If you’re a GOT fan, you’re probably excited about the recent launch of
season four. Accordingly, the second article of my
pop-culture/cyber-security series explores the information security tips
you might extract from the morbidly dark, yet inescapably intriguing
fantasy series. Here are six security tips I learned from Game of Thrones:

1. The sturdiest wall may conceal a hidden passage. In Game of Thrones, The
Wall is a colossal fortification that protects the Seven Kingdoms from the
mysterious and malignant beings (the Others), who live in the far north.
Made entirely of ice, it runs more than 300 miles in length and stands 700
feet tall. Even from the defender’s side, riding the rickety lift to the
top seems like a petrifying proposition, let alone trying to breach it from
the outside. On the surface, The Wall offers an impressive, seemingly
impenetrable defense.

So how does this relate to information security (infosec)? I could go the
obvious route and talk about how your network needs a “wall” to defend its
perimeter, or maybe mention the importance of manning your network wall the
way the Night’s Watch guards the gates of the North. However, though those
tips ring true, I’m going in a more unconventional direction by reminding you
there are cracks or holes hiding in every wall.

As impassable as The Wall seems, many groups were able to breach it
throughout Martin’s narrative. For instance, a group of wildlings and Jon
Snow simply climb over it at one point. Even Bran and his ragtag group of
kids, with help from Samwell, find a secret passage called The Black Gate.

The point here is no defense is perfect. Every defense can fail under the
right pressure, or miss certain types of attacks. This is why infosec
experts have long relied on the basic concept of defense in depth.

Here’s a concrete example. If you manage a network, you need a firewall.
However, firewalls—especially traditional ones—will miss many types of
attacks. Today, most network attacks originate from the inside (your users
clicking a link), and occur over ports you must allow through your firewall
(80, 443). Most legacy firewalls miss these. In fact, no technical security
control, no matter how advanced, can prevent every type of attack. This is
why you need to layer multiple defenses together, so others can catch what
the first layers miss.

While the final battle between the White Walkers and The Wall has yet to
begin, I feel safe in predicting that if Westeros relies on The Wall alone
for defense, they have a lot to fear!

2. Heed the warnings of ravens. In the Game of Thrones universe, maesters
(and by extension the kings they serve) send important messages to one
another through ravens, in the same way we used carrier pigeons in the
past. However, over time these raven messengers developed an unfavorable
reputation, likely since they often delivered bad news. “Dark wings, dark
words,” as the in-world saying goes. Nonetheless, bad or not, these
messages usually contain important news, and ignoring the news carries
consequences.

In one such example, Aemon (maester to the Night’s Watch) bade Samwell to
ready Castle Black’s forty-four ravens to send messages warning the Seven
Kingdoms of the return of the White Walkers, and the impending threat on
Castle Black. However, most of the kings ignored these messages, not
believing the threat really existed. Ultimately, this would have ended in
tragedy if not for one king. Eventually, Davos convinced King Stannis to
heed the warning, and ride to Castle Black’s rescue. If not for this, the
Seven Kingdoms may have fallen.

In network security, our ravens come in the form of log messages and
reports. We deploy various network and security controls that monitor our
computers and networks. They record logs of interesting or unusual
activity, probable malicious activity, and even prevented attacks. However,
if you don’t regularly inspect these logs and heed their potential
warnings, you may miss the opportunity to take actions that could prevent
an impending breach.

The recent Neiman Marcus and Target breaches are great examples of not
heeding warnings. In both cases, forensic investigations uncovered that
these organizations had security logs that identified malicious activity
related to the breaches. Neiman Marcus’ systems apparently logged over
60,000 security events, and Target had an advanced threat protection
solution that identified the POS malware in their systems. However, Target
and Neiman Marcus either didn’t register these warnings, or ignored them
outright, and thus missed the opportunity to take actions that may have
prevented the data theft.

In short, watch for ravens and heed their warnings. They may deliver the
intelligence you need to withstand an attack. As an aside, if you think
using birds to send digital messages sounds ludicrous, check out this fun
RFC (1149).

3. Words carry more power than weapons. Game of Thrones likely enjoys a
wider mass appeal than most fantasy since it spends more time exploring
political intrigue and human sociology than it does swords and sorcery.
Many of the fictional world’s conflicts are fought in council chambers, at
dinner tables, and in gardens, not on battlefields. Lies and manipulations
are the weapons of choice. In fact, many of the physically weakest
characters, who don’t carry positions of authority, often wield much more
influence and power than is first apparent.

Lord Varys (The Spider), Lord Baelish (Littlefinger), and Tyrion Lannister
(The Imp), are all perfect examples of this type of smart, manipulative
character and savvy politician. They use well-placed words and subtle
suggestions to manipulate events to their liking, rather than armies or
direct power. Often, their victims don’t even realize they are targets of
attack, until it’s too late. When you see a sword being swung at you, it’s
obvious to defend with your shield and counterattack, but how do you
defend against malicious whispers and rumors that you may not even hear
yourself?

In the security industry, we call this sort of threat actor a social
engineer. Social engineers prey on weaknesses in human behavior to trick
unsuspecting users into doing things they shouldn’t, rather than exploiting
technological flaws to break into networks.

Unfortunately, our industry spends more time defending against
technological threats than human ones. Social engineering attacks don’t
rely on technical flaws, so the best mechanical defenses do little to stop
them. While you should certainly bolster your technical defenses, don’t
forget to spend time educating your users to make them aware of the tricks
social engineers exploit. You may have erected a castle wall, but that
won’t prevent an attacker from tricking an untrained guard into opening
your gates.

4. Beware the insider threat. While you’re considering the manipulative
characters in Game of Thrones, don’t forget that these characters often
attack people in their own group. If, say, the Lannisters used every shady,
backhanded, manipulative trick in their book to defeat an obviously evil
enemy, such as the White Walkers, you’d probably forgive them. However, the
manipulators in GOT target members of their own kingdom, council, and even
family, for personal gain. In other words, they are insiders carrying out
insider attacks.

Spoiler alert: Avoid the next paragraph if you haven’t watched the latest
TV episodes.

Perceptive viewers just saw a perfect example of an insider attack during
the latest TV episode (S4EP2), when King Joffrey dies under mysterious
circumstances (hurrah!). If you’ve read the books, or noticed some of the
subtle visual cues in the episode, you may have already guessed the
culprit. But even if you have no clue whodunit, you probably still suspect
poison, and realize that Joffrey’s attacker must have been close. One
second he was drinking a cup of wine without issue, the next second a sip
of wine resulted in swift death: a classic insider job.

The take-away here is obvious, but still quite important. Inside attackers
are not fiction. Malicious insiders have carried out many real-world
security breaches and data leaks. It’s easy to overlook the insider threat,
since malicious insiders are harder to identify and do anything about (they
already have elevated access), but you need to remain wary of the threat.

Some basic defensive advice includes vetting your employees and partners
carefully, implementing internal segmentation and access control to enforce
least privilege principles, and leveraging data loss prevention technology
to identify leaks, even when they come from within.

5. The best training makes the best defenders. One of the things I like
most about A Game of Thrones is its strong female characters. Unlike in
stereotypical, outdated fantasy tropes, most women in this story aren’t
princesses in need of saving. One of my favorite female characters is Arya
Stark. When we first meet Arya, she’s a small, nine-year-old girl.
Initially, most would not suspect her to be a character of much consequence
in an epic tale about battles with medieval knights, wicked sorcerers,
mystical zombies, and dragons. Yet, Arya develops into one fierce warrior.

What makes the difference? Well, Arya’s heart and attitude have much to do
with it, but ultimately, I would argue training is what makes her the
accomplished fighter she becomes. Arya hones her skills every chance she
gets. Early in the series, the girl strives to receive bow training that
the menfolk typically reserve for boys. In King’s Landing, she trains in a
graceful style of swordplay called Water Dancing, chasing cats to improve
her balance. Finally, for those who read the books, she joins the guild of
Faceless Men, where she receives even more specialized training from the
Kindly Man. Through this training Arya becomes a formidable character, and
as a result, I’m sure we’ll see great things from her.

Like the best warriors out there, the best network defenders are those who
train the most. The more you immerse yourself in information security
knowledge, news, and practices, the better you’ll be at defending your
organization. While every pundit has a different view of the various
certifications out there, all of them require some study, which means you
are training in your field. If you are passionate about protecting your
network, continue to learn all you can about infosec. Play with attacker
tools (many are freely available in Kali Linux), not just security
controls. Read the latest research from the smartest whitehat hackers.
Simply put, the more you train in your field, the better you’ll get at it.

6. Winter is coming (or stay vigilant). Even if you’ve not caught a single
episode of Game of Thrones, or cracked any of the books, if you follow
Internet pop culture you’ve probably seen references to the phrase “Winter
is coming.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 