Westworld of insecurity

Westworld is a TV show about the problems of corporate Information Security. Really.

Look, Delos Corporation actively uses legacy code that was written 30 years ago. No one has any idea how it works, and it cannot simply be thrown away. Bugs, critical vulnerabilities and even backdoors appeared in the core of the hosts regularly. They couldn’t be fixed or patched. In most cases only some compensating measures were applied, and even those were not applied systematically.

It will not be a spoiler to say that Asset Discovery is also a big problem. No one is particularly surprised to find unregistered hosts and hosts that behave strangely.

There are also serious problems with Access Control. Ordinary employees (not even developers!) can edit key parameters of the hosts and even their code. Even if these changes are logged somewhere, no one responds promptly to these critical events. Only when the fact is revealed might you hear: “Oh, and who did it?” And of course, users with administrative privileges are not accountable to anyone.

It seems that there is no dedicated Information Security function in the organization. Of the departments that were shown in the first season, QA is an obvious part of R&D, and Behavioral performs “traditional security” and guarding functions.

They even have monitoring/SOC, but it can capture only a very limited number of events, those related to anomalies in host and user behavior. Like Gartner’s new UEBA-class solutions 😉 Other security events are out of scope.

And why is it all that bad? Perhaps it is assumed that the top manager (founder and creative director) did exactly as he wanted and was able to convince the shareholders that everything was fine. In fact, for the last 30 years he was maximizing his access level and hiding bugs in the product. The situation itself is quite believable.

Well, if there were an effective Information Security department at Delos Corporation, the TV series wouldn’t be so impressive. And I hope the second season in 2018 won’t be worse. =)
