Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

3/27/2020
02:00 PM
Bil Harmer​
Bil Harmer​
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

The Wild, Wild West(world) of Cybersecurity

Though set in the future, HBO's "Westworld" works as an allegory for the present moment in cybersecurity.

In the gunslingin' world of cybersecurity, there are threats everywhere. It can sometimes feel as dangerous to run a modern business as it was to run a saloon in the shadiest part of the Wild West.

Actually, the parallels between the cowboy days and modern cybersecurity issues are aplenty — and one need look no further for proof of that than HBO's standout series Westworld

If you haven't seen Westworld yet, here's the general gist (Note: spoilers ahead!): The story centers around a Western-themed amusement park populated by robots (or "hosts") who spend each day acting out the same storyline as the day before.

Visitors to the Westworld park interact with the hosts and are free to indulge their most hedonistic desires, spared from the consequences of the real world. But Westworld suffers from issues that are strikingly similar to the ones faced by cybersecurity professionals today. In fact, Westworld's flaws are a useful allegory for navigating today's most insidious digital threats.  

Identity
If your business struggles with verifying identities, you're not alone: The same issues exist in the Westworld park.

After all, we thought we knew who Charlotte Hale was — the executive director of Westworld's board — but it turns out that she was killed at the beginning of season two by a robot version of herself. And then there's Bernard. Who's actually Arnold, the creator of the hosts. Who's dead.

If you're confused by all of this, imagine how confused your systems are by the millions of access requests coming from both legitimate and illegitimate users, day after day.

Credentials don't cut it: They can be easily stolen in today's threat landscape. Instead, the best bet for accurately identifying users (or hosts) is to rely on a combination of validations like multifactor authentication, behavioral biometrics (such as voice recognition, typing patterns, mouse movements, etc.), and browser and IP information. 

If a system were to analyze Charlotte Hale during season two, it would discover that, even though she looks exactly like Charlotte, she's not. Similarly, even if an attacker possesses a single authentication, it's still nearly impossible for him or her to replicate a combination of validations.

AI Regulation
Part of Westworld's appeal is its examination of what makes us human. If our consciousness is the crux of individuality, what happens in a world when consciousness can be constructed, altered, downloaded, uploaded, and destroyed at will? It's the question that weighs on Arnold's conscience so heavily that it determines his own demise.

But while this wrangling of human and artificial consciousness isn't easily resolved in Westworld, it's no more cleanly handled in real life. In 2017, Elon Musk called for the regulation of artificial intelligence (AI) before it posed a risk to humanity. And yet regulation hobbles innovation, so Congress adopted a "wait and see" approach to AI legislation. The result so far has been a quantum leap of AI innovation — for proof, one need look no further than the proliferation of deepfakes that have been created using machine learning and AI — without stringent regulation, standards, or requirements.

I believe a practical approach to regulating AI would be to use existing data privacy laws and expand or replicate them to cover machine learning and AI.

Threats and Vulnerabilities
Even the most advanced hosts in Westworld are susceptible to malware. But what's most interesting about this, perhaps, is that the threats manifested in the show can easily be seen as allegories for modern cybersecurity threats:

  • Insider threat: A Westworld programmer, Elsa, finds a laser-based satellite uplink inside a robot host that someone has been using to smuggle data out of the park.

  • Advanced persistent threat: The robot host Maeve uses Felix, a Westworld technician, and other hosts to start an uprising — because someone has programmed her to take over Westworld and infiltrate the mainland in a pre-scripted insurgency.

  • Malware: Clementine, who works in the saloon, is updated with a new code that turns her into a walking virus. With only a thought sent through the mesh network, Clementine can force hosts to brutally kill each other.

  • Internet of Things vulnerabilities: In the season three premiere, Dolores hacks into the smart house of a billionaire, making the home no longer responsive to his commands. The show doesn't make it clear whether the smart home was compromised by insecure network services, ecosystem interfaces, or default settings, but Dolores is able to take control quickly.

What can we learn from the threats and vulnerabilities above, as well as the identity issues and the AI quandaries seen in Westworld? To take them seriously. It's tempting to think of cybersecurity as existing only in a vacuum, affecting only digital networks that can be ignored as soon as we step away from a computer. But the reality is that cybersecurity is tied to the real world, and its breaches have very real damage. Westworld shows us that issues can only be ignored for so long before they demand their time in the spotlight.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "What Should I Do If Someone Is Impersonating My Company in a Phishing Campaign?"

Bil Harmer is the CISO and chief evangelist of SecureAuth. He brings more than 30 years of experience in leading security initiatives for startups, government, and established financial institutions. He's CISSP, CISM, and CIPP certified — and is recognized for ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/14/2020
Lock-Pickers Face an Uncertain Future Online
Seth Rosenblatt, Contributing Writer,  8/10/2020
Hacking It as a CISO: Advice for Security Leadership
Kelly Sheridan, Staff Editor, Dark Reading,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 New Cybersecurity Vulnerabilities That Could Put Your Enterprise at Risk
In this Dark Reading Tech Digest, we look at the ways security researchers and ethical hackers find critical vulnerabilities and offer insights into how you can fix them before attackers can exploit them.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-17475
PUBLISHED: 2020-08-14
Lack of authentication in the network relays used in MEGVII Koala 2.9.1-c3s allows attackers to grant physical access to anyone by sending packet data to UDP port 5000.
CVE-2020-0255
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2020-10751. Reason: This candidate is a duplicate of CVE-2020-10751. Notes: All CVE users should reference CVE-2020-10751 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
CVE-2020-14353
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-18270. Reason: This candidate is a duplicate of CVE-2017-18270. Notes: All CVE users should reference CVE-2017-18270 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
CVE-2020-17464
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2020-17473
PUBLISHED: 2020-08-14
Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to obtain a long-lasting token by impersonating the server.