
We live in a world of constant entertainment, of expensively crafted stunts and computer aided imagery that ensure our favorite movie studios are forever linked to excitement – no matter how implausible it may seem. We love it.
But out in the real world of cybersecurity, we always need to look beyond the fantasy. Our businesses and indeed the personal details, livelihoods and finances exposed through those same businesses are all under attack at levels that just might make the movies look tame.
If you still think that to rob a casino you need an Ocean's Eleven class team of professionals, this tale is for you. We should warn you that this article may not be suitable for those of a sensitive nature, especially if you are in a top business risk management role.
Our story begins:
“Hi, Welcome to the Universal Exports IT Support Desk. How can I help you today?”
“Hi, My name is Jump, Steve Jump. Employee number 001. I need a password reset. I’m locked out of the system.”
“Certainly Mr. Jump, can you please read to me the three digits I just sent to your Encrypted Authenticator App?”
“Sorry, I can’t do that, my phone just updated, and the app isn’t working.”
“OK, let’s see what I can do. Is your phone number still 1-234-56789?”
“Yes”
“OK, that’s simple. Can you please read to me the three digits I have just SMS’d to your phone?”
“Hold on, yes, my phone just buzzed. 456.”
“That’s great. Thank you, Mr. Jump, I have just texted your temporary password, ‘Password123!’. You will need to change it when you log on. Is there anything else I can help you with today?”
“Actually, there is, the last time I tried to update the ‘Ultra Top Secret Agent Assignments’ database it said I wasn’t authorized, can you check that for me please?”
“Just checking… Ah, I see the problem; you don’t have administrator rights for the ESXi cluster. I can fix that for you, but I need to ask you a personal question to confirm your identity.”
“That’s OK, go ahead.”
“Who is your favorite movie character?”
“James Bond.”
“Thank you. Access granted. Enjoy your day, Mr. Bond.”
[Ominous Background Music] Now, back in the real world could you ever imagine this type of conversation taking place with your own service desk? Or via your WhatsApp support line? And if you can, how do you think real-life agents on minimum wage might handle the situation?
[Scary Music] When did you last test your service desk to make sure that they follow all your validation and recovery rules? You do have such rules, don’t you? Are they automated or written rules?
[Really Scary Music] What would your support desk agent do if, during a request such as this, the caller just hung up, only to call back an hour later with the answer needed? Perhaps even with a recently cloned SIM card now in their phone?

[Music so Scary it’s X-Rated] Did you know that SMS alone has not been considered technically secure for MFA purposes in recovering sensitive or administrator accounts since 2016? For very good reason. It’s not!
Do you have multiple security questions in addition to your Authenticator and recovery number system? And an alert process for suspicious requests or forgotten answers?
Do you require a second party/supervisor to approve any changes at senior staff/administrator level or for access to critical data and systems?
Do you automatically report all new admin/privilege increase events to your SOC? Whether they occur from a service desk ticket, or manual change on a system?
Does your cyber risk register include compromise of privileged account details as a threat? And if so, how large did you estimate the financial impact of loss of control of a single domain admin account?
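As an added example (not part of the original story), here is a small Python policy check that encodes the rules the questions above ask for: no SMS-only recovery for privileged accounts, a second approver plus a SOC event for any privilege increase, and an alert on the hang-up-and-call-back pattern or a forgotten security answer. The request fields, the `STRONG` factor set and the 60-minute call-back window are assumptions chosen for illustration, and the sample request is constructed from the Mr. Jump call.

```python
from dataclasses import dataclass, field
from typing import Optional

# Factors the desk may accept on their own for sensitive accounts (assumed list).
STRONG = {"authenticator", "hardware_token", "manager_callback"}


@dataclass
class Request:
    caller: str
    account_is_privileged: bool          # admin or sensitive-data account?
    verification_used: set               # factors actually completed, e.g. {"sms"}
    privilege_increase: bool             # asks for new admin/privilege rights?
    callback_after_hangup_min: Optional[int] = None  # minutes since an abandoned call
    security_question_failed: bool = False


@dataclass
class Decision:
    allowed: bool
    needs_second_approver: bool = False
    reasons: list = field(default_factory=list)
    soc_alerts: list = field(default_factory=list)


def evaluate(req: Request) -> Decision:
    d = Decision(allowed=True)
    # Rule 1: SMS alone is never enough to recover a privileged account.
    if req.account_is_privileged and not (req.verification_used & STRONG):
        d.allowed = False
        d.reasons.append("privileged recovery needs a strong factor; SMS alone rejected")
    # Rule 2: every privilege increase is reported to the SOC, and if the
    # verification passed it still waits for a second party/supervisor.
    if req.privilege_increase:
        d.soc_alerts.append(f"privilege increase requested for {req.caller}")
        d.needs_second_approver = d.allowed
    # Rule 3: suspicious patterns are alerted whether or not the request is granted.
    if req.callback_after_hangup_min is not None and req.callback_after_hangup_min <= 60:
        d.soc_alerts.append(f"call-back {req.callback_after_hangup_min} min after hang-up by {req.caller}")
    if req.security_question_failed:
        d.soc_alerts.append(f"forgotten security answer for {req.caller}")
    return d


def steve_jump_call() -> Decision:
    # Constructed sample: authenticator "not working", SMS code read back,
    # then a request for ESXi administrator rights.
    return evaluate(Request(caller="employee 001", account_is_privileged=True,
                            verification_used={"sms"}, privilege_increase=True))
```

Running `steve_jump_call()` denies the reset and raises one SOC alert for the privilege request; the same call with an authenticator factor is allowed but parked for a second approver.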
Anyway, no need to worry, this sort of thing only happens in the movies, doesn’t it?
In the real world, though, we know that almost 80% of data breaches are caused by human error, so if you are serious about managing your business risk you really should already know the answers: What would an access control failure cost? What is the magnitude of likely loss due to a fraudulent financial transaction? What are the economic consequences of a classified data breach? What business damage might a data center lockout cause? Useful numbers to have at hand, even if only for an insurance claim.
The truth is often stranger than fiction when you are paying attention.
So? Are you paying attention?
Or are you still reaching for the popcorn?
[Dramatic background music]
[Gunshot]
[Sound of penny dropping]
[Old lion roaring faintly in the distance]
<fade to black>
Disclaimer: Any resemblance or similarities in this story to actual events, real persons living or deceased, or any other potentially embarrassing operational situations within large movie related businesses may or may not be entirely coincidental.