- In various parts of the movie, criminals pose as consultants, employees, and other experts to gain access to the inner workings of the casino. This is analogous to credential theft or a compromise of your trusted insiders.
- The surveillance system is compromised to make the casino operators believe everything is normal. Ocean’s crew tamper with the video feed so the casino ends up watching fake camera footage instead of what’s really happening. This is the equivalent of cyber criminals tampering with logs and other traces to cover their tracks.
- There are also several instances in which the casino owner and law enforcement personnel are fed bogus information that sends them on wild goose chases, with the goal of luring them away from the location where the real crime is occurring. We’ve seen DDoS attacks, cyber vandalism, and other tactics in the infosec world used in a similar way to distract organizations from the real attack (often fraud or data exfiltration in some other area of the business).
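The fake-camera-feed trick above has a direct defensive counterpart. One way to detect after-the-fact log tampering is to chain each record to the previous one with a keyed hash, so that editing, deleting or dropping records breaks the chain. The following is an added example written for this post, not code from the original article; the log lines are constructed, the key name is arbitrary, and it assumes the verification key is held somewhere the attacker on the logging host cannot reach.

```python
import copy
import hashlib
import hmac

# Constructed sample events for this example (not real log data).
SAMPLE_EVENTS = [
    "auth ok user=alice src=10.0.0.5",
    "auth ok user=bob src=10.0.0.9",
    "auth fail user=admin src=203.0.113.7",
    "auth ok user=admin src=203.0.113.7",
]

GENESIS = "0" * 64  # chain anchor used before the first record


def append_event(log, key, message):
    """Append one record whose tag is an HMAC over the previous tag and
    this message. Each record therefore commits to the whole history."""
    prev = log[-1]["tag"] if log else GENESIS
    tag = hmac.new(key, (prev + "\n" + message).encode(), hashlib.sha256).hexdigest()
    log.append({"seq": len(log), "msg": message, "tag": tag})
    return tag


def build_log(key, messages):
    log = []
    for m in messages:
        append_event(log, key, m)
    return log


def verify_log(log, key, expected_count=None):
    """Recompute every tag in order and return (ok, reason).

    Edits and deletions break the chain on their own; silently dropping
    the newest records does not, so the record count (or last tag) must
    be kept off-box and passed in as expected_count to catch truncation."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["seq"] != i:
            return False, f"sequence gap at record {i}"
        expect = hmac.new(key, (prev + "\n" + rec["msg"]).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expect, rec["tag"]):
            return False, f"tag mismatch at record {i}"
        prev = rec["tag"]
    if expected_count is not None and len(log) != expected_count:
        return False, f"truncated: {len(log)} of {expected_count} records"
    return True, "ok"


def demo(key=b"example-key-held-off-box"):
    """Build a log, then show what each style of cover-up looks like to the verifier."""
    log = build_log(key, SAMPLE_EVENTS)

    edited = copy.deepcopy(log)
    edited[2]["msg"] = edited[2]["msg"].replace("fail", "ok")  # rewrite a failed login as success

    deleted = copy.deepcopy(log)
    del deleted[2]  # remove the failed login entirely

    truncated = copy.deepcopy(log)
    truncated.pop()  # drop the newest record

    n = len(SAMPLE_EVENTS)
    return {
        "intact": verify_log(log, key, n),
        "edited": verify_log(edited, key, n),
        "deleted": verify_log(deleted, key, n),
        "truncated_without_count": verify_log(truncated, key),
        "truncated_with_count": verify_log(truncated, key, n),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24} {verdict}")
```

Two caveats a practitioner should keep in mind. First, if the HMAC key sits on the same host as the log, the intruder simply recomputes the chain after editing, which is why the key (and the expected count or last tag) belong with the collector, not the source. Second, this catches changes to records already written; it does nothing against a feed that was fake from the moment of capture, which is exactly the trick the crew pulls on the casino, and the only answer to that is an independent second source of truth.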
Think Like Hollywood
These examples provide mental models that can help us think about information security in a different way. If your data security strategy were featured in a Hollywood blockbuster, how would you be fooled? Where are the weak spots that criminals could take advantage of to get at your company’s ‘crown jewels?’
Thinking like Hollywood is a fun and useful way to find weaknesses in your security posture. I think you’ll find that most of the opportunities for improvement center around weak or sloppy handoffs; the lack of a clear picture of what “normal” looks like; the inability to notice small changes in your environment; the tendency to trust without verifying; and a bias to focus on the biggest, latest, and loudest incident you encounter.
In Hollywood heist movies, the bad guys often win. In real life, you have the power to make sure they don’t – imagining you’re in a Hollywood movie can help, and it’s a lot more fun than a pen test.