Long ago in a movie theater far far away, a little film by the name of “Star Wars” would take the world by storm and change the course of sci-fi, cinema, and pop culture for decades to come.
But believe it or not, this intergalactic tale of droids and lightsaber duels can actually teach us a lot about the importance of cybersecurity.
On the occasion of Star Wars Day (May the 4th be with you), here are 5 cybersecurity lessons we can all learn from “Star Wars” (“Episode IV – A New Hope” to be precise).
1- Help me encryption, you’re my only hope
Early on in the film, Princess Leia hides some “information vital to the survival of the rebellion” and a plea for help addressed to Obi-Wan Kenobi inside R2-D2.
When R2-D2 ends up in the possession of Luke Skywalker on Tatooine, Luke accidentally stumbles across the message while cleaning the droid, but only a small preview of it plays on a loop. R2-D2 explains that it is a private message meant for Obi-Wan and refuses to play it in full until Luke delivers him to Obi-Wan.
This is a lot like what encryption is meant to achieve. Private data meant for a specific recipient is rendered indecipherable to anyone who's not authorized to view it, especially if they're a random moisture farmer.
2- Social engineering can have a strong influence on the weak-minded
Luke, Obi-Wan, R2-D2, and C-3PO make their way to Mos Eisley, that wretched hive of scum and villainy, where Imperial stormtroopers are on the hunt for the two fugitive droids.
They get pulled over by some stormtroopers who begin asking questions and demanding to see some ID. That is, until Obi-Wan uses a Jedi mind trick to convince them to let Luke go about his business and move along, which they do.
This is a textbook example of social engineering, except in real life, criminals will use lies, charm, and charisma to get what they need, not the Force.
3- That’s no moon… It’s a Trojan
After making a deal with Han Solo and his co-pilot Chewbacca, the gang all board his ship, the Millennium Falcon, and blast off into outer space.
Eventually, they encounter the Galactic Empire’s giant space station, the Death Star, where Princess Leia is being held captive. Using its tractor beam, the Death Star draws them into it, without ever thinking to investigate who might be on this unknown ship first. This allows everyone to sneak deeper into the Death Star, cause a lot of chaos, and ultimately free Princess Leia.
That is essentially what happens when you download a Trojan. You download what you assume to be a legitimate file, but in reality, it turns out to be malware in disguise, which you might have spotted had you stopped to take a closer look first.
4- The entire Imperial network, no password required
While onboard the Death Star, R2-D2 is able on several occasions to plug directly into it and seemingly do everything from finding out where the tractor beam controls are located, to deactivating the trash compactor before it crushes our heroes.
This highlights 2 major cybersecurity flaws. First, the lack of any authentication requirements. Instead of having to provide a password, a code, or anything, a random droid was just able to plug in and immediately gain access.
The second flaw would have to be the lack of network segmentation. Had the Galactic Empire divided the Death Star's network into multiple independent segments, R2-D2's access might have been more limited, preventing him from doing everything he was able to do.
5- I find your lack of faith in security threats disturbing
Remember that “information vital to the survival of the rebellion” from earlier? It turns out to be the Death Star plans, which ultimately make it to the Rebel Alliance.
After learning about this, the Galactic Empire's General Tagge proceeds to point out that with this kind of information, the rebels might find and exploit a weakness in the Death Star. But Admiral Motti is quick to shut him down and dismisses his warnings.
As you might have guessed, the plans do allow the rebels to identify the Death Star’s one weak point, formulate an attack strategy, and ultimately destroy it. Moral of the story: don’t be like Admiral Motti. If your CISO or IT department warns you about a potential threat or security vulnerability, it’s probably worth looking into.