Infosec pros usually toil unappreciated in organizations, often fighting, and sometimes losing, battles against well-armed opponents and, at times, seemingly deaf employees.
They ache to be superheroes. Well, Aamir Lakhani, a global security strategist at Fortinet, believes fictional superheroes like Iron Man Tony Stark can teach them some lessons.
At least that’s the way Lakhani figured he could get his message across to his audience at this month’s SecTor security conference in Toronto. He argues Stark and his fellow Marvel movie colleagues have a few things to pass on to the real world of fighting bad guys (and gals).
So, here’s what you can learn from the adventures of Captain America, Spider-Man, Black Widow and their friends (assuming you’ve seen the movies …):
- Know your enemy: Research possible adversaries through Google searches, open-source intelligence threat feeds and other sources;
- Know yourself: Know your organization’s cyber weaknesses. “Your enemies are definitely doing research on you” through everything from the Shodan search engine (to find your exposed IP addresses) to social media, Lakhani said;
- Log your research findings;
- Hacking is easier in real life than it is in movies: No one yet needs artificial intelligence to break into a company and plant malware. So network segmentation is vital to protect the enterprise. (Otherwise you get creations like Ultron);
- Always have a backup plan: Most adversaries do. That’s how Ultron replicated himself. In cybersecurity, the backup plans adversaries have are used when they run into an obstacle;
- Attacks come over OT and IoT networks: Think of Tony Stark taking over a display screen at a Congressional hearing from his witness chair;
- Test your systems, just like Tony Stark tested his first Iron Man suits: Recently hackers tried and failed to disable many state agencies in Texas with ransomware, Lakhani noted. Most were able to shrug it off because they had backups that had been tested;
- Always be prepared for an attack, like the Avengers;
- Unlike the movies, not everything is encrypted: Many criminals don’t use it in their communications. At the same time, your organization shouldn’t be afraid to encrypt sensitive data because it might add latency or complexity to the network. With today’s CPU power there shouldn’t be a problem;
- Don’t forget about physical security: Tony Stark did, and that allowed his evil partner to literally pull the reactor from his chest;
- Fighting the enemy is a team effort: Everyone on the security team brings a skill to the table. Take advantage of that.
Asked in an interview what the most important lesson to be learned from the Marvel world was, Lakhani didn’t hesitate. “Don’t be afraid to explore things you’re not comfortable with.” There are infosec pros who don’t want to evolve, he said, who argue, ‘I’ve always done things a certain way. It works for me.’
“Well, your security was good 10 years ago,” says Lakhani. “But just because you haven’t been attacked doesn’t mean you’re not vulnerable. I see this in operational environments where people say, ‘We’ve had this plant for a hundred years, we’ve never been attacked.’ But things have changed and attackers are getting so much smarter.”