What can the story of Jurassic Park teach us about cyber security? That is a question for Corey O’Connor, Director of Product Marketing at CyberArk.
Cyber attacks are something most organisations have become very familiar with, both from news headlines and from having experienced them first hand. The nature of these attacks has evolved over the years, and the techniques used have become increasingly sophisticated. Attacks that involve an insider – an employee or third party with direct access to company systems – have also continued to rise. According to the Ponemon Institute’s 2020 Study, the frequency of insider threat incidents has risen by 47 per cent since 2018, and the average annual cost of such attacks to organisations has increased by 31 per cent.
It’s important to remember that the majority of insider threats are still attributable to employee mistakes or negligence. However, this is precisely why malicious insiders, those employees and third parties who abuse legitimate access to company systems for nefarious purposes, are often difficult to spot. They operate under the radar for long periods of time and, with the right resources, can take down organisations both large and small. While they’re increasing in number, insider threats are nothing new.
As we celebrate the 30th anniversary of the Jurassic Park book’s release this month – it was first published on November 20, 1990 – I wanted to revisit and deconstruct the infamous Jurassic Park insider threat incident, as many of the lessons from the story still hold true for organisations, even today.
The lead computer programmer for Jurassic Park, Dennis Nedry, could not fit the profile of a malicious insider more perfectly. Nedry was extremely motivated to drive John Hammond’s beloved park into extinction. He is a disgruntled employee who feels under-appreciated in his work, and his motivation is mainly financial gain. It’s teased early on in the story that he’s in some sort of financial trouble, which likely drove him to sell out to Hammond’s biggest competitor for a payout of $1.5m. Nedry had approximately 18 minutes to shut down the security systems, retrieve over a dozen healthy dinosaur embryos and make his way to the east dock to escape the island and collect his fee.
So how does he do it?
From the movie, we know the park’s control room is equipped with Macintosh Quadra 700s – best-in-class computers in the early 90s. In one scene, the camera zooms in on Nedry’s computer screen, providing a glimpse of three shells written in an object-based programming language developed by Apple. Believe it or not, someone has reviewed these shells by installing the appropriate OS on an emulator for older Apple systems. As it turns out, the shells are just sample code that came with Microsoft Programmer’s Workshop (WPM). Since these on-screen theatrics tell us nothing about the real attack, we’ll speculate on Nedry’s attack methodology based on how the movie plays out.
When chief engineer Ray Arnold tries to bring the systems back online, it becomes clear that Nedry covered his tracks before installing the malicious code. By disabling keystroke logging on the computer, Nedry made it nearly impossible to find the code without manually reviewing two million lines of code. Making matters worse, Arnold can’t crack Nedry’s password to reactivate the security systems. His only remaining option is a manual reboot, which in theory would bring the systems back online – and we all know how the rest of the movie goes.
Let’s dig in a bit deeper and try to break down Nedry’s attack methodology. From the dialogue, we know he is a skilled programmer. He initiated a command from his workstation, launching a backdoor attack through a piece of mislabelled code. Since the same privileged credentials were likely used throughout park systems, the malicious command propagated throughout the park. To inject this malicious code, Nedry had to do one of the following:
1. Transfer the code from an outside location via removable media, such as a USB drive. Alternatively, without restrictive access policies in place, he could have downloaded and executed malicious code from the Internet.
2. Write the code onsite, make it executable and run it in an administrative context from his workstation. Given his over-provisioned administrative access rights and the park’s poor credential management practices, including default password use and credential reuse, we can assume this is the likely scenario.
Privilege was everywhere in Jurassic Park. The central mainframe communicated with all operational technology components within the park. Because of this, Nedry had complete control over not only the digital environment, but the physical infrastructure of the facility including CCTV, doors and, of course, the fences to the dinosaur pens. Judging by personal photos on Nedry’s device, we can assume he is authenticated to all of these systems from his workstation, which has access to external networks and unrestricted removable media — a huge no-no in OT environments, even in the 1990s.
To summarise, there was little to no separation between Nedry’s device (an IT asset) and the critical OT systems in the park. Attackers with access to OT assets can corrupt or shut down critical systems and even put human health and safety in danger. It’s not just science fiction: many of today’s energy, utility and manufacturing facilities rely on these controls to protect their data, employees and customers.
Protect what matters, avoid extinction
With the right privileged access management controls in place, Jurassic Park could still be standing. Such controls would firmly secure accounts with access to critical data and controls and restrict any lateral movement within the IT or OT infrastructure – in essence, nipping the attack in the bud.
Beyond standard privileged account and credential management, the park would also have benefited from basic cyber security best practices such as implementing the principle of least privilege and attestation for privileged tasks. These would have reduced Nedry’s unchecked privileges to the minimum levels of access, or permissions, required to do his job.
Privileged session management and threat detection capabilities would’ve enabled session suspension and termination when suspicious activities or commands were executed, while maintaining a full audit trail. Additionally, strong application control would’ve blocked unknown applications and removable media from running, stopping the spread of malicious code throughout the environment. By enforcing these controls, Nedry would not have been able to reach multiple systems through a single application and from the same terminal.
Even if Nedry had gained access legitimately through a privileged access security system, he would’ve had to enter commands one at a time. With single, centralised access in place for all systems and endpoints, command restriction and analytics would’ve flagged early warning signs — or terminated his access outright.
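To make the command restriction and session termination described above concrete, here is an added illustration (not code from the article or from CyberArk): a minimal per-role allow-list applied to a privileged session transcript, with a full audit trail and termination on commands that tamper with monitoring or physical safety controls. The role names, command names and the transcript are constructed assumptions for this example.

```python
from dataclasses import dataclass, field

# Least-privilege allow-list: each role may run only the commands its job needs.
# Role names, command names and the transcript below are constructed for this example.
ALLOWED = {
    "park_programmer": {"ls", "edit", "compile", "run_tests"},
    "control_room_operator": {"ls", "status", "restart_service"},
}
# Commands that tamper with monitoring or physical safety controls:
# one occurrence ends the session, whatever the role, and is recorded.
TERMINATE_ON = {"disable_keystroke_log", "disable_fence", "unlock_all_doors"}

@dataclass
class SessionResult:
    role: str
    executed: list = field(default_factory=list)
    blocked: list = field(default_factory=list)
    terminated_at: str = ""            # empty string means the session ran to completion
    audit: list = field(default_factory=list)   # full audit trail, kept even on termination

def evaluate_session(role: str, transcript: list) -> SessionResult:
    """Apply the allow-list line by line; stop at the first terminate-class command."""
    result = SessionResult(role=role)
    for line in transcript:
        parts = line.split()
        if not parts:                  # ignore blank lines in the transcript
            continue
        cmd = parts[0]
        if cmd in TERMINATE_ON:
            result.audit.append(f"TERMINATE {role}: {line}")
            result.terminated_at = line
            break
        if cmd in ALLOWED.get(role, set()):
            result.executed.append(line)
            result.audit.append(f"ALLOW {role}: {line}")
        else:
            result.blocked.append(line)
            result.audit.append(f"BLOCK {role}: {line}")
    return result

# Constructed session transcript for a programmer account.
SESSION = [
    "ls /park/src",
    "edit /park/src/inventory.c",
    "compile /park/src/inventory.c",
    "restart_service fence_control",   # outside the programmer's role: blocked, session continues
    "disable_keystroke_log",           # tampering with the audit trail: session terminated
    "disable_fence raptor_pen",        # never reached
]
```

Blocked commands are recorded but do not end the session, whereas the first audit-tampering command ends it and leaves the trail intact for the investigation.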
Much like life finds a way in Jurassic Park, motivated attackers will more often than not find a way – and, unlike Nedry, they rarely provide any comic relief. In today’s digital world, businesses should anticipate that malicious characters, both inside and outside their organisation, will gain some level of access to IT, OT and even cloud environments. Strong privileged access controls must be put in place around critical resources to stop attackers from ever reaching their end target, and to stop attacks spiralling and causing irreversible damage, both in physical environments, as in Jurassic Park, and in digital ones.
Photo by Mark Rowe; Natural History Museum, South Kensington.