Dark Reading is part of the Informa Tech Division of Informa PLC


5 Reasons You 'Better Call Saul' To Protect Corporate Data

These pop-culture lessons from the entertaining Breaking Bad spinoff will make security awareness training both fun and effective.

HELPDESK GUY: I was a highly respected IT help desk analyst until my boss got infected by some nasty ransomware.

AVERAGE CIO: I thought I knew where my company’s important data was, but then it got stolen.

SOCCER MOM: I was minding my own business, responding to a Nigerian diplomat’s email when my bank account was suddenly drained.


Who’s the first person who comes to mind when you’re thinking of protecting networks and digital data? Why, it’s surely a shady, fast-talking, strip mall criminal attorney in Albuquerque, New Mexico… right?

No? Well, I’m writing this blog to convince you that even a nutty lawyer on a popular TV show can teach you a few new things about information security. At the same time, we can make security learning a whole lot more fun (and effective) by mixing it with pop culture. To prove it, consider these five security scenarios inspired by the popular Breaking Bad spin-off Better Call Saul.

Scenario 1: Scareware. Early in the season, we follow Saul, whose real name is “Jimmy” McGill, driving to his office/home (which is located in the back of a hair salon). Out of nowhere, a skater lands on his windshield claiming broken bones and demanding $500. Good thing Jimmy can spot scammers (likely because he was one himself) and recognizes this as a typical scare extortion tactic.

This trick lives on in the digital age with scareware and “police” ransomware. One tries to convince users that their computer is infected in hopes of tricking them into buying a fake security product. The other tells them that the authorities (usually the FBI) have detected that they’ve done something illegal, but that they can pay a small fine to get out of it.

Luckily, these sorts of scams are relatively easy for users to recognize. In the same way a real accident victim wouldn’t normally ask for a cash payment, the police wouldn’t be asking anyone to pay a fine by changing the message on your computer’s background. Like Jimmy, if users watch for these basic scare tactics, they will avoid many cyber scams and malware.

Scenario 2: Social Engineering. Jimmy and his partner leave a bar and stumble upon a wallet full of cash. After grabbing the cash, they notice a man passed out in that alley—presumably the owner of the wallet. After looking over the drunken guy, Jimmy quietly takes his watch, while also trying to avoid his partner’s attention. Of course, the greedy partner notices, recognizes the watch as a Rolex, and forces Jimmy to trade the cash, plus a little extra, for the Rolex.

This was a classic example of social engineering. Jimmy’s “partner” was actually the mark, the drunk was his real partner, and the Rolex was a fake. The mark was duped into giving up his own cash for a worthless knock-off watch. Social engineering, the act of deceiving or manipulating someone into doing something they shouldn’t, is a very common practice among digital criminals. InfoSec professionals often focus on the technical nature of cyber attacks and less on the human, psychological aspects of digital crime. This is a mistake! Even if we had perfect technical defenses that could block every attack (we don’t), smart attackers could still become cyber shrinks, and trick users into doing dumb things. Make sure you mitigate social engineering by training your users well.

Scenario 3: Insider attacks. Mike, who we first meet as an ornery parking lot attendant, is actually an important character with much history in the Breaking Bad world. In this new series, we learn his son was killed, and he followed his daughter-in-law to Albuquerque. I won’t reveal all the details, but we eventually learn Mike and his son were cops, and some fellow officers killed Mike’s son.

This simple storyline reminds me of insider attacks. Nowadays, statistics tell us that most network attacks originate from external actors. However, that doesn’t mean we should drop our guard against inside attackers. When malicious insiders do attack (and they do) the consequences can be much more devastating, simply because the insider has so much access to our network. Although the majority of insider leaks or breaches are accidental, be sure to have controls in place to catch malicious insiders. Otherwise, you might lose your favorite son (metaphorically).

Scenario 4: Metadata. During episode 3, Jimmy is trying to track down a family that is accused of embezzlement. The police think the family was kidnapped, but Jimmy suspects they have skipped town and might be hiding closer than one might think. He searches their house finding no obvious clues, until he serendipitously notices a stick-figure sticker of a camping family on their minivan. What does that have to do with information security? That sticker is metadata!

The Snowden leaks have revealed to the world that government agencies have performed mass surveillance and gathered petabytes of digital data. The authorities have told us not to worry. They aren’t targeting us specifically, and what they gather is just metadata; it’s not important and doesn’t sacrifice our privacy. Unfortunately, metadata is important and can tell others a lot about you. That simple car sticker told Jimmy that the Kettlemans were campers, which led him to the insight that they might be camping close by. Likewise, user phone calls and Internet browsing habits tell anyone watching a lot about you.

Scenario 5: Disposal of Sensitive Data. In episode 8, Jimmy found an elder care facility engaged in fraud. In the course of his forensic investigation, Jimmy dove into a dumpster, recovered the paper shreds, and painstakingly remade the incriminating documents. As his brother said, if only the facility had used cross-cut shredding, the case could never go forward.

Network professionals can learn from this. If you or your users handle sensitive data and want to dispose of it, it better be done securely. Cyber criminals dumpster dive for data, too. There have been many cases where companies haven’t properly wiped the hard drives they throw out, or didn't even wipe them at all. Be a “cross-cut shredder” and dispose of your digital data properly.

Okay, so I probably haven’t convinced you that Better Call Saul is all about computer security. But I hope I have at least persuaded you that there are fun ways to pull security awareness lessons from just about anything. Let’s share some more Better Call Saul (or other pop culture) security awareness tips in the comments.

Corey Nachreiner regularly contributes to security publications and speaks internationally at leading industry trade shows like RSA. He has written thousands of security alerts and educational articles and is the primary contributor to the WatchGuard Security Center blog, ...
Marilyn Cohodas,
User Rank: Strategist
4/9/2015 | 11:04:59 AM
Re: I'll call Saul
It's a good one, that I will use to explain the concept of metadata to family and friends!
User Rank: Author
4/8/2015 | 6:41:49 PM
Re: I'll call Saul
Thanks Marilyn. That one was my favorite too... Being that Better Call Saul is already about con men and scammers, the other angles were pretty obvious, but I tend to like the less obvious metaphors. ^_^
Marilyn Cohodas,
User Rank: Strategist
4/8/2015 | 3:27:04 PM
I'll call Saul
Great idea for user ed! Particularly love your metadata explanation. 