The weekend Rogue One: A Star Wars Story was released, a conversation started on Twitter discussing the missteps made by the Empire which inevitably led to the theft of the Death Star plans. To avoid spoiling the movie for everyone, Wolf Goerlich (@jwgoerlich) and I moved the conversation to direct messages. He has since posted two great videos, “Rogue One and InfoSec” Part 1 & Part 2. You can find them on his informative YouTube series, Stuck In Traffic with Wolf Goerlich.
What follows are my thoughts on the controls the Empire could have implemented to thwart the Rebellion.
Prohibit BYOD (Bring Your Own Droid)
From R2-D2 to BB-8, it seems everyone has their own personal droid in the Star Wars universe. Most are designed for a specific task (astromechs, protocol droids, etc.), but all are capable of storing large quantities of data and many are equipped with universal scomp links or computer interface arms that allow them to access any computer terminal. Had the Empire prohibited BYOD and implemented network access controls, unauthorized assets (droids) would have been unable to connect to computer terminals in the first place.
In Rogue One, Galen Erso is the unwilling head of the Kyber Crystal Research Team working on the Death Star. In this role he was able to architect a flaw in the reactor that would lead to its destruction during the Battle of Yavin. In the movie, a holo-recording of Erso recounted how he had made himself indispensable, “all the while laying the groundwork for revenge.” He accomplished this by, “placing a weakness deep within the system, a flaw so small and powerful that they will never find it.”
The construction of the Death Star was a massive undertaking, one executed with military precision. This should have included extensive reviews of the initial design as well as architectural, electrical, mechanical (and crystalic?) inspections during construction. Appropriate checks and balances would have prevented this flaw from being introduced.
Asset Management and Clearance Code Revocation
During the escape from Eadu the rebels steal an Imperial cargo shuttle. This ship contains clearance codes that allow them to pass through the shield gate and land on Scarif. Chronologically this may be the first time this tactic was used, but as we have seen in Return of the Jedi, the Rebel Alliance would later steal a shuttle in order to bypass the deflector shield and land on the forest moon of Endor. Had the Empire implemented better asset management, they would have known these shuttles were stolen and could have revoked the clearance codes. The Empire could have gone one step further by implementing a system that would allow them to remotely disable the engines on stolen starships.
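The two controls above, network access control for droids and clearance code revocation for shuttles, both fall out of one thing: an authoritative asset inventory that access decisions consult at the moment of the request. The following Python is an added example, not code from the original post, showing how a single inventory can drive both the terminal-side NAC check and the shield-gate check, and how marking a shuttle stolen revokes its clearance code without the gate ever needing to know the code changed. Asset identifiers, the clearance code, the gate secret and the terminal name are all constructed placeholders.

```python
"""Added example (not from the original post): one asset inventory drives both
network access control for droids and clearance code validation for shuttles.
All asset identifiers, codes, secrets and terminal names are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
import hashlib
import hmac


class Status(Enum):
    ACTIVE = "active"
    STOLEN = "stolen"
    DECOMMISSIONED = "decommissioned"


@dataclass
class Asset:
    asset_id: str          # constructed: a droid serial or a shuttle hull number
    kind: str              # "droid" or "shuttle"
    status: Status = Status.ACTIVE


def _digest(code: str, secret: bytes) -> str:
    """Clearance codes are stored only as keyed digests, so the inventory
    never holds a plaintext code that could be lifted from it."""
    return hmac.new(secret, code.encode(), hashlib.sha256).hexdigest()


@dataclass
class Inventory:
    assets: dict[str, Asset] = field(default_factory=dict)
    clearance: dict[str, str] = field(default_factory=dict)  # digest -> asset_id
    denied: list[str] = field(default_factory=list)          # audit trail for operators

    def register(self, asset: Asset) -> None:
        self.assets[asset.asset_id] = asset

    def issue_clearance(self, asset_id: str, code: str, secret: bytes) -> None:
        self.clearance[_digest(code, secret)] = asset_id

    def report_stolen(self, asset_id: str) -> None:
        """Asset management: a single status change revokes every code tied to
        the asset, because the gate checks the owning asset, not the code alone."""
        self.assets[asset_id].status = Status.STOLEN

    def nac_permit(self, asset_id: str, terminal: str) -> bool:
        """Network access control: only a registered, active droid may open a
        session on a terminal; an unregistered (BYOD) droid is refused."""
        asset = self.assets.get(asset_id)
        ok = asset is not None and asset.kind == "droid" and asset.status is Status.ACTIVE
        if not ok:
            self.denied.append(f"NAC deny asset={asset_id} terminal={terminal}")
        return ok

    def gate_permit(self, presented_code: str, secret: bytes) -> bool:
        """Shield gate: the presented code must map to a shuttle still in
        Imperial custody (ACTIVE). Unknown and revoked codes are both logged."""
        asset_id = self.clearance.get(_digest(presented_code, secret))
        asset = self.assets.get(asset_id) if asset_id else None
        ok = asset is not None and asset.kind == "shuttle" and asset.status is Status.ACTIVE
        if not ok:
            self.denied.append(f"GATE deny asset={asset_id or 'unknown'}")
        return ok


def demo() -> dict[str, object]:
    secret = b"constructed-gate-secret"            # placeholder, not a real key
    inv = Inventory()
    inv.register(Asset("KX-0042", "droid"))        # constructed: Imperial-owned droid
    inv.register(Asset("SHUTTLE-0001", "shuttle")) # constructed: cargo shuttle
    inv.issue_clearance("SHUTTLE-0001", "CLR-0001", secret)

    before = inv.gate_permit("CLR-0001", secret)   # shuttle in custody: permitted
    inv.report_stolen("SHUTTLE-0001")              # asset management update after theft
    after = inv.gate_permit("CLR-0001", secret)    # same valid code, now refused

    return {
        "gate_before_theft": before,
        "gate_after_theft": after,
        "nac_registered_droid": inv.nac_permit("KX-0042", "terminal-7"),
        "nac_byod_droid": inv.nac_permit("R2-D2", "terminal-7"),  # never registered
        "denied_events": list(inv.denied),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The design point is that the gate validates the asset, not the code: a stolen code stays cryptographically valid, so the only thing that can revoke it quickly is an inventory that knows the ship is gone. The `denied` list is what a shield-gate operator would actually watch; a refused but otherwise valid code is the detection signal that someone is flying a stolen shuttle.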
Upon gaining entrance to the citadel tower (simply by donning stolen uniforms), Jyn and Cassian access the data vault by placing the hand of an unconscious officer on a biometric pad. While some argue that biometric authentication is better than a password, requiring a combination of the two would have allowed the Empire to prevent access to its sensitive proprietary information.
Once inside the data vault, Jyn and Cassian were met with a six-story shaft containing a spire filled with “data tapes”. The design is reminiscent of a StorageTek 4400 ACS tape library. Following the identification of the correct tape and Jyn’s harrowing escape, she makes her way to the satellite dish in order to transmit the plans to the Rebel Fleet. Once received, the data is transferred to several different forms of media before finally landing in the hands of Princess Leia, who included it with her message to Obi-Wan Kenobi inside R2-D2. Had the Empire encrypted this data, the rebellion would likely have ended on Scarif, the Battle of Yavin would never have taken place, and the Death Star would have gone on to destroy countless other planets.
While it’s easy to point out the shortcomings of the Empire, this lack of controls is all too prevalent in the real world. There are plenty of reasons these controls might not have been implemented. The Death Star was a massive undertaking. It is possible that all resources were diverted to its construction and any budget for controls was denied. Perhaps in a galaxy far, far away there exists an InfoSec skill shortage. Lastly, it could be the culture of arrogance that was prevalent throughout the Empire. After all, who could hack the all-powerful Galactic Empire?
*** This is a Security Bloggers Network syndicated blog from SecurityRamblings.com authored by Steven Maske. Read the original post at: http://www.securityramblings.com/2016/12/defeating-rebellion-with-security.html