Archive for the ‘Worst Practices’ Category

Death Star: Wiped Out by Lax Security

Sunday, May 26th, 2013

The guys at Sith Consulting talk a huge game, but their delivery leaves much to be desired. While some may chide me as being unprofessional for pointing out the flaws in my competition, I’m a planet-crushing deity, so I’ll destroy the souls of my chiders later on. Before that, though, I want to deconstruct the failings of the Death Star project.

The root of the whole issue was a lack of decent security protocols. Someone, an unauthorized someone, got his hot little hands on the plans for the Death Star and used them to find a weakness in its structure. That weakness was exploited, and a galaxy far, far away got treated to the biggest DDoS attack in its recorded history.

While we don’t have full details about the manner in which the sensitive files were accessed, we do have some information about how security generally ran on the Death Star. Let me tell you all that there were holes big enough for Azatoth to fly through in their security policies. Why don’t we start with the holes in the walls, shall we?

By holes in the walls, I refer to the network access points for droids – and presumably other devices. Apparently, any droid could roll up, plug in, and have administrative-level access to key systems. The same droids would be able to snoop in on important transmissions which themselves were sent out on the network in clear, unencrypted text.

How about a little thing called a “password policy”, hm? That would keep the random droid from having access to the datacenters. Machine authenticaion is the next logical step. That would have kept unauthorized droids off the network in the first place. IEEE 802.1x is a standard that’s been around for a good long while. It’s time the Sith caught up with the rest of the universe.

There was the matter of a break-in to a maximum security prison wing to break out an important prisoner. How was it done? Via access to a public elevator shaft. The perpetrators didn’t climb down the shaft or engage in any acrobatics: they simply pressed the button of the floor they wanted and walked on in. One would think there would be at least locked door between the lift and the prison wing.

A locked door would have been good around the Death Star’s shield generator, as well. Security guards are great, but they are helped out a lot by locked doors. There were plenty of other locked doors all around the Death Star: why not around critical systems? For want of a locked door, someone walked in and shut off the generator.

A password would have been a good idea there, too. That way, access would have been denied to persons without proper authorization. Security 101, Sith.

Finally, if the plans for your biggest system are leaked out into an unsecured environment, it’s time to analyze those plans and perform a risk assessment. Look for vulnerabilities and implement stronger security because the people that stole those plans are looking for the same vulnerabilities to exploit. Got an exposed exhaust port that connects to a core power system? Sounds like that would be a good spot to protect.

I’ll pass over the poor navigation that put the Death Star in a position where it would not have a clear shot of the rebel base. I’ll also not dwell on the lack of supporting screening vessels. Really and truly, the battle to destroy the Death Star was already lost for the Sith’s client when ineffective security measures allowed critically sensitive documents to slip out of the facility not once, but twice.

What would I have done? Back in the 1920’s, some unauthorized persons tried to access an extension of my corporate campus. They didn’t get past the front door before they were apprehended and dealt with but one. That last person did share information with several other individuals, but forensics teams tracked down the spread of the information and terminated its flow. R’lyeh Consulting then put in new measures so that sort of thing would not happen again.

And what do you know, I’m still here and the Death Star isn’t. Hopefully, the Galactic Empire learns its lesson and ditches the brain trust at Sith Consulting before they get talked into something insane like a second Death Star.