HELPDESK GUY: I was a highly respected IT help desk analyst until my boss got infected by some nasty ransomware.
AVERAGE CIO: I thought I knew where my company’s important data was, but then it got stolen.
SOCCER MOM: I was minding my own business, responding to a Nigerian diplomat’s email when my bank account was suddenly drained.
SECURITY EXPERT IN A BIKINI: Better Call Saul!
Who’s the first person who comes to mind when you’re thinking of protecting networks and digital data? Why it’s surely a shady, fast-talking, strip mall criminal attorney in Albuquerque, New Mexico… right?
No? Well, I’m writing this blog to convince you that even a nutty lawyer on a popular TV show can teach you a few new things about information security. At the same time, we can make security learning a whole lot more fun (and effective) by mixing it with pop culture. To prove it, consider these five security scenarios inspired by the popular Breaking Bad spin-off Better Call Saul.
Scenario 1: Scareware. Early in the season, we follow Saul, whose real name is “Jimmy” McGill, driving to his office/home (which is located in the back of a hair salon). Out of nowhere, a skater lands on his windshield claiming broken bones and demanding $500. Good thing Jimmy can spot scammers (likely because he was one himself) and recognizes this as a typical scare extortion tactic.
This trick lives on in the digital age with scareware and “police” ransomware. One tries to convince users that their computer is infected in hopes of tricking them into buying a fake security product. The other tells them that the authorities (usually the FBI) have detected that they’ve done something illegal, but can pay a small fine to get out of it.
Luckily, these sorts of scams are relatively easy for users to recognize. In the same way a real accident victim wouldn’t normally ask for a cash payment, the police wouldn’t be asking anyone to pay a fine by changing the message on your computer’s background. Like Jimmy, if users watch for these basic scare tactics, they will avoid many cyber scams and malware.
Scenario 2: Social Engineering. Jimmy and his partner leave a bar and stumble upon a wallet full of cash. After grabbing the cash, they notice a man passed out in that alley—presumably the owner of the wallet. After looking over the drunken guy, Jimmy quietly takes his watch, while also trying to avoid his partner’s attention. Of course, the greedy partner notices, recognizes the watch as a Rolex, and forces Jimmy to trade the cash, plus a little extra, for the Rolex.
This was a classic example of social engineering. Jimmy’s “partner” was actually the mark, the drunk was his real partner, and the Rolex was a fake. The mark was duped into giving up his own cash for a worthless knock-off watch. Social engineering, the act of deceiving or manipulating someone into doing something they shouldn’t, is a very common practice among digital criminals. InfoSec professionals often focus on the technical nature of cyber attacks and less on the human, psychological aspects of digital crime. This is a mistake! Even if we had perfect technical defenses that could block every attack (we don’t), smart attackers could still become cyber shrinks, and trick users into doing dumb things. Make sure you mitigate social engineering by training your users well.
Senario 3: Insider attacks. Mike, who we first meet as an ornery parking lot attendant, is actually an important character with much history in the Breaking Bad world. In this new series, we learn his son was killed, and he followed his daughter-in-law to Albuquerque. I won’t reveal all the details, but we eventually learn Mike and his son were cops, and some fellow officers killed Mike’s son.
This simple storyline reminds me of insider attacks. Nowadays, statistics tell us that most network attacks originate from external actors. However, that doesn’t mean we should drop our guard against inside attackers. When malicious insiders do attack (and they do) the consequences can be much more devastating, simply because the insider has so much access to our network. Although the majority of insider leaks or breaches are accidental, be sure to have controls in place to catch malicious insiders. Otherwise, you might lose your favorite son (metaphorically).
Scenario 4: Metadata. During episode 3, Jimmy is trying to track down a family that is accused of embezzlement. The police think the family was kidnapped, but Jimmy suspects they have skipped town and might be hiding closer than one might think. He searches their house finding no obvious clues, until he serendipitously notices a stick-figure sticker of a camping family on their minivan. What does that have to do with information security? That sticker is metadata!
The Snowden leaks have revealed to the world that government agencies have performed mass surveillance and gathered petabytes of digital data. The authorities have told us not to worry. They aren’t targeting us specifically, and what they gather is just metadata; it’s not important and doesn’t sacrifice our privacy. Unfortunately, metadata is important and can tell others a lot about you. That simple car sticker told Jimmy that the Kettlemans were campers, which lead him to the insight that they might be camping close by. Likewise, user phone calls and Internet browsing habits tell anyone watching a lot about you.
Scenario 5: Disposal of Sensitive Data. In episode 8, Jimmy found an elder care facility engaged in fraud. In the course of his forensic investigation, Jimmy dove into a dumpster, recovered the paper shreds, and painstakingly remade the incriminating documents. As his brother said, if only the facility had used cross-cut shredding, the case could never go forward.
Network professionals can learn from this. If you or your users handle sensitive data and want to dispose of it, it better be done securely. Cyber criminals dumpster dive for data, too. There have been many cases where companies haven’t properly wiped the hard drives they throw out, or didn't even wipe them at all. Be a “cross-cut shredder” and dispose of your digital data properly.
Okay, so I probably haven’t convinced you that Better Call Saul is all about computer security. But I hope I have at least persuaded you that there are fun ways to pull security awareness lessons from just about anything. Let’s share some more Better Call Saul – or other pop culture -- security awareness tips in the comments.