How Cyber Security principles could have stopped the destruction of the Death Star

As we all know when the Death Star was fully operational it was most advanced battle station in the universe. The immortal words utter by the Generals, Admirals and Captains that “any attack on the Death Star would be futile” would probably have remained true, had they not be so focused on their operational objectives and applied sound Cyber Security principles.

In the first instance, we know that the ‘Death Star IP’ had already been stolen, and the ‘board’ exhausted huge amounts of manpower and resource trying to find the perpetrator and achieving operational superiority rather than ensuring basic ‘role based access’ and ‘information classification’ had been applied to the IP in the first place. We will give them the benefit of the doubt on these points, but what cannot be excused is the following sequence of events that any aspiring empire should pay close attention to:

TOO SHORT TO BE A STORM TROOPER?

You have just seen something very suspicious looking, turn up in your loading bay and you don’t think this is cause to question or raise the alarm? Clearly, the ‘Darkside hadn’t established a security conscious culture within their personnel. Surely this could have been avoided with a well-placed Security Awareness Training programme and Physical Penetration Test? Shame on you TK 421.

OPEN USB PORTS ANYONE

Not only have they allowed a ‘droid’ to insert a pen drive into their systems, but no network segregation. Why don’t you just allow him into the Death Star mainframe! Oh wait they did.

Applying some simple security controls (USB lockdown), conducting an internal penetration test and VLAN’ing the network would have stopped them identifying the critical data assets (the tractor beam). If R2 had wanted to a well-placed piece of malware here would have saved quite a X-Wing pilots lives.

CRITICAL DATA ASSETS, ITS OK THEY DONT NEED MONITORING

I mean having a tractor beam to ensure you can pull in ‘traffic’ into your Battle Station feels like it should be important and fairly mission critical. Yet the Empire decided that no CCTV, access control and system monitoring is the way forward here. I don’t know who the CISO is in this place, but someone needs to have a word.

INCIDENT RESPONSE PROCESS, OF COURSE WE HAVE ONE!

By this point, the Empire knew there was a confirmed incident taking place and decided well formatted lines of storms troopers running around was the best approach. Interesting Incident response process! maybe containment around the Millennium Falcon would have been a better approach. Or at the very least testing their response process annually.

CRITICAL VULNERABILITY YOUR SAY? PFFFT!

And finally, the most unforgivable oversight in the history of the Empire, a critical vulnerability that is not mitigated. It wasn’t even flagged on the risk register and probably ignored in the develop lifecycle, all to hit the Emperor’s deadlines. Maybe a well placed external infrastructure test would have flagged this up earlier? At the very least they could have put in compensating controls like extra turbo lasers, may be close the port to incoming traffic.

I mean it’s not like Proton Torpedo’s constitute as a zero day!

In summary, timely adoption of good security practice could have led the Empire to victory, but it would seem the leaders of the Death Star were focused on their objectives rather than considering they could become the target of a well-placed attack. I can only assume all of these Vulnerabilities were acceptable to Sith, or they had transferred the risk by taking out expensive Cyber Assurance!