- THREATS: What Every Engineer Should Learn from Star Wars (Wiley, 352 pp., $25)
How does R2-D2 decide to show a hologram of Princess Leia, who has vital information about the Death Star, to Obi-Wan Kenobi but not Luke Skywalker? For Star Wars fans who know their cyber stuff, the answer is authentication.
That’s how Adam Shostack kicks off his new book aiming to make the complex topic of threat hunts and threat modeling more accessible.
Threats: What Every Engineer Should Learn from Star Wars – and don’t be scared off by the title; it’s also instructive for chief information security officers (CISOs) pitching the board for more funding – explains how computers authenticate people, and how people authenticate computers, the specific threats from each, and what to do about them.
In his opening example, Shostack draws on a key scene from the first Star Wars film, likening R2-D2 and other droids to our own real-life computers. Luke may be our brazen hero in the film but to R2, at this point, he’s an unauthorized user who hacks into a computer system that contains sensitive data about a massive space station. R2’s cybersecurity protocols provide access only to legitimate users of this system, like Leia and the Jedi Knight-turned-hermit Obi-Wan.
“R2-D2 only wants to play the video for the real, authentic Obi-Wan, not anyone who walks up and asks for it,” he writes.
These characters are more than pop culture icons. To Shostack, they serve as useful tools for teaching about spoofing threats, passwords, phishing, vishing, sensitive data monitoring and a host of other cyber strategies.
Focal Point met with Shostack to discuss the motivations behind the book, the feedback he’s received, and the role of Star Wars as an accessible analogy for some of the complex aspects of cybersecurity.
[The following interview has been edited for clarity and length.]
Why Star Wars beats Star Trek when it comes to cybersecurity
Focal Point (FP): Let’s start with the basics. What inspired you to write a book that fuses engineering insights with Star Wars analogies?
Adam Shostack (AS): I’ve been using Star Wars as a thing to talk about security for like 15 years. Two things I’ve found: One is that if you don’t have a passion for the thing, you can’t do this well; it comes across as forced. And I am a Star Wars fan, so I can do it.
But more important, I think that Star Wars – and I don’t mean this in a critical way—but in Star Wars the technology matters. By contrast, in the TV series Star Trek, characters are often saying things like, “The engine is broke,” or “We can’t do this,” and it’s all really focused on the human beings. Whereas Star Wars, the original movie, is about a data breach where individuals stole a data tape with some plans and Princess Leia and her allies are running around trying to take advantage of this.
And so I’ve been using it as a thing, a way in. And I finally decided I should do more than just the thing; I should turn it into a full-on book.
FP: Fair. If we were trying to explain to someone the concept of a zero-day exploit, we could say, “You know how Luke was able to blow up the entire Death Star with one shot in the original Star Wars movie? That’s because he knew about a zero-day vulnerability that the Empire wasn’t aware of.”
That makes sense. Tech writers have to explain things like that all the time, and CISOs are finding that if they really want to make an impact, and get more funding next year, they need to do this more in the boardroom – use analogies to explain things in terms the audience can relate to.
AS: The essence of communication is meeting your audience. It’s something I think we undervalue in security. I think a lot of people like to say things like, “The code was hard to write, so it should be hard to read,” or, “It was hard for me to learn this. I don’t want to make it easy for you.” I’m just gonna be direct: That burns me. We don’t need to make this work any harder than it is.
What CISOs can learn from this book
FP: When I think about a book like this, Star Wars analogies or not, for a lot of the concepts in here, you need to be at a certain technical level to understand.
AS: You’re absolutely right. The book is titled What Every Engineer Should Learn From Star Wars, not What Everybody Should Learn.
FP: But it also has broader value, right? What can CISOs or IT security managers get from reading this book?
AS: The first value is breadth. Many people come to security from different paths, and those paths don’t always teach them the same things. So the book can fill in gaps.
The second is consistent language. We in security love our jargon and TLAs, but frankly, no one else does.
The third is the chapter on kill chains, which advances the state of the art, and shows (among other things) how to resolve tension between graph thinking and chain thinking.
On the Star Wars canon and accessibility
FP: You’ve mentioned that your book mostly focuses on the core three movies in the Star Wars series. Can you elaborate on why you took that approach?
AS: My book, very intentionally, almost only talks about the core three movies. It doesn’t rely on the prequels or the more recent trilogy.
I intentionally stuck to the original trilogy because it has a more universally understood canon. There’s an extensive extended universe out there with animated series, books, and other movies. However, the core three films are what most people are familiar with, so it makes the content more relatable to a wider audience.
FP: So you’re saying it’s a matter of general accessibility?
AS: Exactly. Star Wars has a clear, well-defined canon with the original trilogy. This makes it easier to draw analogies that most people will understand.
The evolution of threat modeling and sensitive data
FP: The attack surface expands and the threat landscape evolves continuously, putting more and more of an enterprise’s sensitive data at risk. And yet, at its core, the fundamentals are the fundamentals. A lot of it hasn’t really changed. Do you feel the way companies need to do threat modeling, or your approach to threat modeling, has changed? Or are the fundamentals just the fundamentals?
AS: The way I like to think about this is like in music, we have genres like rock ‘n’ roll and jazz. There’s a new song every day, every hour, right? And some of the new music is awesome, and some of it isn’t so awesome, but the fundamentals don’t move that quickly.
So, when I think about threat modeling, I hope my Four-Question Framework…
- “What are we working on?”
- “What’s going wrong?”
- “What are we going to do about it?”
- “Did we do a good job?”
…is timeless. We can and should ask those questions.
The answers, of course, will vary, depending on the situation and the people asking. It’s the way we answer them, and the details of the answers – microservice architectures are different than iPhones are different than traditional Linux systems – that matters. The way we think about what can go wrong, and I think this is the fundamental point of the book, is key. We need to recognize that threats have a lot of similarities, one to the next.
If we get every engineer to think about those things, they can start to ask, “What are we going to do about it, in this system that I’m working on right now?” The goal of the fun part of the book – the Star Wars part – is to pull people in. And then I hope you see it goes quickly from being a little silly to pretty serious about here’s what you need to know.