Dark Reading is part of the Informa Tech Division of Informa PLC



02:00 PM
Bil Harmer​

The Wild, Wild West(world) of Cybersecurity

Though set in the future, HBO's "Westworld" works as an allegory for the present moment in cybersecurity.

"Your face doesn't matter--it's your actions that identify you." Source: AF Archive/Alamy Stock Photo

In the gunslingin' world of cybersecurity, there are threats everywhere. It can sometimes feel as dangerous to run a modern business as it was to run a saloon in the shadiest part of the Wild West.

Actually, the parallels between the cowboy days and modern cybersecurity issues are aplenty — and one need look no further for proof of that than HBO's standout series Westworld.

If you haven't seen Westworld yet, here's the general gist (Note: spoilers ahead!): The story centers around a Western-themed amusement park populated by robots (or "hosts") who spend each day acting out the same storyline as the day before.

Visitors to the Westworld park interact with the hosts and are free to indulge their most hedonistic desires, spared from the consequences of the real world. But Westworld suffers from issues that are strikingly similar to the ones faced by cybersecurity professionals today. In fact, Westworld's flaws are a useful allegory for navigating today's most insidious digital threats.  

If your business struggles with verifying identities, you're not alone: The same issues exist in the Westworld park.

After all, we thought we knew who Charlotte Hale was — the executive director of Westworld's board — but it turns out that she was killed at the beginning of season two by a robot version of herself. And then there's Bernard. Who's actually Arnold, the creator of the hosts. Who's dead.

If you're confused by all of this, imagine how confused your systems are by the millions of access requests coming from both legitimate and illegitimate users, day after day.

Credentials don't cut it: They can be easily stolen in today's threat landscape. Instead, the best bet for accurately identifying users (or hosts) is to rely on a combination of validations like multifactor authentication, behavioral biometrics (such as voice recognition, typing patterns, mouse movements, etc.), and browser and IP information. 

If a system were to analyze Charlotte Hale during season two, it would discover that, even though she looks exactly like Charlotte, she's not. Similarly, even if an attacker possesses a single authentication factor, it's still nearly impossible for him or her to replicate a combination of validations.
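To make the "combination of validations" concrete, here is an added sketch (not from the original article or any vendor's product) of a login decision that treats the password as necessary but not sufficient and then counts the independent checks named above. The class names, the four-check policy, the z-score limit and all sample data are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Profile:
    """Enrolled baseline for one user (all values here are constructed)."""
    key_intervals_ms: list   # inter-keystroke timings captured at enrolment
    browsers: set            # browser fingerprints seen before
    networks: set            # IPv4 /24 prefixes seen before

@dataclass
class Attempt:
    password_ok: bool
    mfa_ok: bool
    key_intervals_ms: list
    browser: str
    ip: str

def typing_matches(profile, attempt, z_limit=2.0):
    """True when the attempt's mean keystroke interval lies within z_limit
    standard deviations of the enrolled baseline (assumed threshold)."""
    if not attempt.key_intervals_ms:
        return False                      # no timing data: cannot validate
    mu = mean(profile.key_intervals_ms)
    sigma = pstdev(profile.key_intervals_ms) or 1.0  # avoid divide-by-zero
    return abs(mean(attempt.key_intervals_ms) - mu) / sigma <= z_limit

def decide(profile, attempt):
    """Return 'allow', 'step_up' or 'deny' from the combined validations."""
    if not attempt.password_ok:
        return "deny"
    passed = sum([
        attempt.mfa_ok,
        typing_matches(profile, attempt),
        attempt.browser in profile.browsers,
        attempt.ip.rsplit(".", 1)[0] in profile.networks,
    ])
    if passed == 4:
        return "allow"
    # Assumed policy: partial match asks for another check, weak match is refused.
    return "step_up" if passed >= 2 else "deny"

# Constructed sample data; IP addresses are from documentation ranges.
PROFILE = Profile([110, 120, 115, 125, 118, 112], {"fp-laptop-01"}, {"203.0.113"})
OWNER = Attempt(True, True, [114, 121, 117, 119], "fp-laptop-01", "203.0.113.40")
STOLEN_PASSWORD = Attempt(True, False, [60, 65, 58, 70], "fp-unknown", "198.51.100.23")

if __name__ == "__main__":
    print(decide(PROFILE, OWNER), decide(PROFILE, STOLEN_PASSWORD))
```

A correct password presented with an unfamiliar typing rhythm, browser and network is refused, while the account owner on a known device passes all four checks.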

AI Regulation

Part of Westworld's appeal is its examination of what makes us human. If our consciousness is the crux of individuality, what happens in a world when consciousness can be constructed, altered, downloaded, uploaded, and destroyed at will? It's the question that weighs on Arnold's conscience so heavily that it determines his own demise.

But while this wrangling of human and artificial consciousness isn't easily resolved in Westworld, it's no more cleanly handled in real life. In 2017, Elon Musk called for the regulation of artificial intelligence (AI) before it posed a risk to humanity. And yet regulation hobbles innovation, so Congress adopted a "wait and see" approach to AI legislation. The result so far has been a quantum leap of AI innovation — for proof, one need look no further than the proliferation of deepfakes that have been created using machine learning and AI — without stringent regulation, standards, or requirements.

I believe a practical approach to regulating AI would be to use existing data privacy laws and expand or replicate them to cover machine learning and AI.

Threats and Vulnerabilities

Even the most advanced hosts in Westworld are susceptible to malware. But what's most interesting about this, perhaps, is that the threats manifested in the show can easily be seen as allegories for modern cybersecurity threats:

  • Insider threat: A Westworld programmer, Elsie, finds a laser-based satellite uplink inside a robot host that someone has been using to smuggle data out of the park.

  • Advanced persistent threat: The robot host Maeve uses Felix, a Westworld technician, and other hosts to start an uprising — because someone has programmed her to take over Westworld and infiltrate the mainland in a pre-scripted insurgency.

  • Malware: Clementine, who works in the saloon, is updated with new code that turns her into a walking virus. With only a thought sent through the mesh network, Clementine can force hosts to brutally kill each other.

  • Internet of Things vulnerabilities: In the season three premiere, Dolores hacks into the smart house of a billionaire, making the home no longer responsive to his commands. The show doesn't make it clear whether the smart home was compromised by insecure network services, ecosystem interfaces, or default settings, but Dolores is able to take control quickly.

What can we learn from the threats and vulnerabilities above, as well as the identity issues and the AI quandaries seen in Westworld? To take them seriously. It's tempting to think of cybersecurity as existing only in a vacuum, affecting only digital networks that can be ignored as soon as we step away from a computer. But the reality is that cybersecurity is tied to the real world, and its breaches have very real damage. Westworld shows us that issues can only be ignored for so long before they demand their time in the spotlight.


Bil Harmer is the CISO and chief evangelist of SecureAuth. He brings more than 30 years of experience in leading security initiatives for startups, government, and established financial institutions. He's CISSP, CISM, and CIPP certified — and is recognized for ...
