What Do Star Wars and Recent Data Breaches Teach Us About Cyber Ethics?

Monday, December 21, 2015

Dan Lohrmann


As media headlines were dominated by the launch of Star Wars: The Force Awakens and shenanigans (or worse) with voter data by Bernie Sanders political campaign, I pondered the question: what do these recent news stories have in common?

Without going into the specific details of what happened (especially in the new movie), a few possible answers include:

  • We have seen the enemy, and they are us. Or, not all data breaches come from foreign hackers, organized crime or other “outsiders” with malicious intent.
  • Security controls and even technology training have limitations. Or, Darth Vader (and several other Jedi Knights) were well-trained – but used their skills to go over to the “dark side.”
  • There are shades of gray that technology professionals face in their daily duties that often get darker if not exposed and corrected early enough. Or, “the road to hell is paved with good intentions.”  

Perhaps this story will help explain my thought process.

Fictional Characters Based on Real World Data Breach Events

Trevor is a computer security expert who works for a large corporation. Recently, he was working on a computer security investigation involving unauthorized activities within his company network.

Following corporate forensic processes and specified security procedures, he accessed several accounts and online folders of a company executive suspected of wrongdoing. Sure enough, he uncovered unauthorized file transfers to overseas and domestic locations.

Trevor also discovered that company sensitive data was also being copied to flash drives against policy. In addition, this rascal was getting around firewall rules and other safeguards put in place by his team to access data storage locations in the cloud – all against the rules. 

This individual was smart – but not smart enough. Using the USB drives that were found inside the employee’s office to help guide his investigation, Trevor carefully built a rock solid legal case that would stand up in any court of law. All the evidence was carefully compiled and chronicled in a report provided to Trevor’s boss and the HR team that requested the investigation in the first place.

But then something unexpected happened as Trevor was “cleaning-up” his digital fingerprints. Trevor uncovered a directory that had the performance appraisals of everyone in the company, as well as the detailed rationale for raises and promotions (or lack thereof) in his group.

Trevor was intrigued by this “eyes only” corporate data, so he opened and read many related files regarding pay, raises, benefits and more. Along the way, he learned about the intricacies of why someone was promoted over him the year before, the advantages given to minorities and women and other related matters in his company’s “inclusiveness” program.       

Trevor had already violated policy by opening the files and reading this material, but he could easily explain away the situation under his authorized investigation. Besides, he was so good, he was very unlikely to be caught accessing these records – which should not have been on this person’s USB drives in the first place.

Now Trevor faced another set of ethical decisions. Should he copy these files and send them to friends who were fighting a reverse discrimination case against the company? Should he just save them for personal use? Could he gain an advantage in an upcoming promotion interview by leaking some negative information as rumors to others?

Trevor also knew many friends both within and outside the company who would love to see these files to assist in their group’s wider hacktivist activities. He was furious with some of the “company facts” he had uncovered.  He was tempted to dig even deeper to learn more about how the company was really run and decisions were made at the top levels of governance. He justified his actions, since he disagreed with management decisions.    

Ethical Challenges for Security Professionals

The names and a details have been changed, but I have come across many professional stories like Trevor’s over the past decade, many in recent times in my role of CSO and Chief Strategist at Security Mentor.  Oftentimes, security pros quietly think they are above Internet laws, company rules and regulations. As the cyber police, bending (or breaking) a policy may seem acceptable, as long as no one catches you in the process. Sometimes, it may even seem to be required – like the state police needing to speed to catch a car going 100 miles per hour.

Beyond cyber war and the good guys having the right tools to catch the bad guys, there can be a tendency to ignore “more mundane” acceptable use directives. That is, security staff can download copyrighted material (movies and games), view porn at work, look at information that is private (like promotions, raises or other data from management), “borrow” passwords or delete log files to cover their tracks, etc. These acts may almost be viewed as “the spoils of war.” Hackers come across this data once as part of their job, and later they become accustomed to accessing it freely.

But actions have consequences. Much like Anakin Skywalker falling to the dark side of the force…this is a slippery slope.

The reality is that the smarter you are, the more you advance as a cyber security expert, the farther you go as a hacker, the greater your temptation will be. As you learn what the enemy does and how they do what they do (in order to stop them), the new ways to avoid detection, the secrets of the trade and the best ways to build and get around defenses, you will face a series of crossroads. Your ethics, values and beliefs will inevitably be tested. This is similar to a cop who arrests drug lords and finds a stash of cocaine or cash. Should he/she take a bit of the money while no one is looking? It seems so easy, so close and perhaps even innocent.

Sadly, I have seen talented security and technology professionals disciplined for inappropriate behavior at home or work such as stealing property, downloading files or distributing child porn. I personally know technically savvy staff members who are in jail, and I must say that I never would have guessed that certain “experts” would turn to the dark side. Additionally, I have read and heard about dozens of such cases. People are blinded to their own deceitfulness.

I know, you want some “hard data” to back up what I’m saying. OK.

Data Leaks and Professional Security Ethics

A recent report by Enterprise Management Associates (EMA) on behalf of file security company FinalCode, reported that 80 percent of information security professionals have experienced a data leak. This article on the report pointed to some important findings:

David Monahan, research director for security and risk management with EMA, said a majority of the 150 participants from mid-market and enterprise markets reported data loss as a substantial concern, while the minority reported moderate concern on the topic.

“Within the study, 83 percent of the people said they had some kind of significant file leakage via either insider-to-outsider or insider-to-insider. Fifty percent said that happens frequently in their organization.”

While many in this study believed that the data leakers did not have hostile intent, most respondents believed this to be a serious issue that needs to be addressed within their organizations.

And this study raises other serious questions regarding what parameters are being used by staff to make these decisions regarding the sharing of company data.  

Meanwhile, another related and growing trend is social activism with hacking. No doubt, some of the same people who are hacking outside of work also have access to sensitive data on corporate networks.

Of course, hacking can be a good thing or bad thing. There are “white hat” and “black hat” hackers, and plenty of data to show that hacktivism is a growing trend online. The subtlety of this topic is that moral erosion can happen gradually. See this chart to view detailed metrics documenting this growing social activism and hacking trend.

May the Force Be With You

So what can be done to strengthen the ethical culture in your situation?

First, we need to be aware of the problem. Ethics is important, not only my children when on Facebook, but perhaps even more vitally for veteran security and technology professionals who know how to beat the system.

No doubt, we are all susceptible to slip and being honest about the challenges and temptations is a good start. Understanding that these situations will arise and discussing appropriate actions with your team is a good initial step.

Here are a few other ways to help in this area:

  • Seek advice from respected colleagues regarding practical ethical behavior as a security pro. Find one or more accountability partner(s) who share your professional values. Remember that accountability is for winners, not losers. The best musicians, artists, athletes, and other experts are accountable to teachers or coaches. Everyone who strives to improve needs accountability.
  • Find a trusted mentor who you admire in the industry. Make yourself accountable to this person regarding the direction of your professional career decisions.
  • Practice these seven habits of online integrity.

Several years ago I was having lunch with John Stewart (Cisco VP and CSO) between sessions at RSA. We were discussing assorted security war stories. I asked him what motivates exemplary cyber ethics for his staff. He said something to the effect: if pros know that they will be held to account, they will usually act responsibly.

I agree with John. Our technology teams need better measures of accountability. 

Bottom line, cyber ethics is not just an academic topic or a class you once took to get a computer degree.

Cyber ethics are the brakes that enable us to traverse cyberspace safely.  

Cloud Security General HIPAA PCI DSS General Infosec Island Budgets Enterprise Security Policy Security Awareness Security Training General Impersonation Phishing Phreaking Breaches CVE DB Vulns US-CERT Privacy Vulnerabilities Webappsec->General General PDAs/Smart Phones
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.

Most Liked