Ready Player One: A Synopsis on Terrible Password Management in a Dystopian Future
December 7, 2018 | Events | Corey O'Connor
Last week I was on a plane alongside my fellow brethren of cloud poindexters and developer geeks (with the occasional C-level exec mixed in) to attend the annual AWS re:Invent conference. After browsing the in-flight entertainment, I came across the trailer for “Ready Player One” and couldn’t resist a Steven Spielberg science fiction movie chock-full of ‘80s pop culture references.
A Quick Movie Recap (Spoiler Alert)
The setting of the film is in a dystopian future where fossil fuels have been exhausted, the world has become overpopulated, every country has gone to war and the effects of global warming have finally taken their toll on the planet (totally unrealistic right?!). As a means to escape this grim existence, a group of developers created a virtual reality known as ‘the OASIS,’ allowing users to create an avatar and interact in this new world via ‘kinesthetic communication.’ The OASIS provides a virtual refuge and the ultimate freedom of choice for users to “be” and “do” whatever they desire.
Fast forward: one of the founding developers passes away, but just before doing so he creates a three-part challenge whose winner inherits not only an absurd amount of money but, more importantly, complete and total control over the world’s most important economic resource – the OASIS.
The hero of the story, Wade Watts (avatar name: Parzival), devotes all of his time to completing the challenge as his only hope of escaping the clutches of poverty. Wade isn’t the only one trying to get the keys to the OASIS. Innovative Online Industries (IOI) and its CEO, Nolan Sorrento, stop at nothing to win the challenge.
Parzival successfully completes the first challenge and is almost immediately summoned and propositioned by Sorrento to work for IOI to win the remaining two. Sorrento makes a crucial privileged access security mistake by showcasing his fancy gaming rig and inadvertently revealing his password (hidden in plain sight, written on a post-it note) used to log into the OASIS.
Greasing the tracks again on the storyline, the second challenge is completed and, shortly after that, the sidekick and love interest of our hero, Samantha Cook (avatar name: Artemis), is apprehended, held captive and forced to work for IOI. In an effort to save Artemis, Parzival and his clan ingeniously execute a man-in-the-middle (MITM) attack by remotely intercepting Sorrento’s attempts to access the OASIS with the credentials they’ve obtained from his rig. They successfully tap into Nolan’s feed, get the location and specifications of Artemis’ cell and instruct her how to escape.
Quoting directly from the movie:
“How much of Sorrento’s rig do you remember?”…“Pretty much everything”
“A fixed rig is easy to locate and hard to hack”…“unless he’s (Nolan Sorrento) stupid enough to leave his password lying around”
Once freed, Artemis casually walks over to Sorrento’s rig and, with the same stolen credential, becomes the ultimate insider threat: she impersonates him as a privileged user and steals confidential information that ultimately helps win the final challenge, granting total control over the OASIS to Parzival and his clan. Important note: multi-factor authentication (MFA), retinal scanning or any futuristic equivalent for validating and authenticating users had also not been implemented, giving IOI arguably the worst futuristic security posture of all time.
Don’t Leave Your Passwords Lying Around
The heroes in this story would not have been successful if foundational credential security and management had been in place. It goes without saying that leaving privileged passwords lying around in plain text is a terrible security practice, and when credentials are left to be managed manually, it can become extremely costly. Even in the year 2018, some IT teams are still tasked with manually rotating and updating privileged credentials to comply with internal policy or industry regulations. These processes are extremely time-consuming and prone to human error. Without tools in place to automate and synchronize credential changes across systems, organizations can face high operational costs as well as lost productivity caused by accidental account lockouts.
The CyberArk Privileged Access Security Solution automatically stores and rotates credentials based on whatever policy you set. The solution can perform automatic credential invalidation to prevent malicious users from escalating privileges and performing reconnaissance inside the environment. Taking it one step further, the solution provides detection and alerting for both anomalous and high-risk activity. These capabilities would have certainly helped Sorrento protect his rig and mitigate the risk of both initial compromise and privileged data exfiltration. The alerts produced by CyberArk contain detailed, user-level intelligence, including the number of compromised machines, the date and time of the malicious activity, and the IP address being used, which would’ve enabled IOI’s security team to respond quickly to the numerous attacks from Parzival and his clan.
CyberArk is not in the business of protecting villains or evil enterprises, but we are committed to protecting the keys to the IT kingdom. Again, quoting the movie directly:
“The keys are invisible, hidden in a dark room at the center of a maze.”
At the climax of the story, the IOI team was so close to completing the third and final challenge. They successfully won ‘Adventure’ on the Atari 2600 but failed to understand that, in order to win the competition, they needed to find the key located in the heart of a sealed chamber, which provided access to a highly sought-after ‘privileged secret’ within the game – the keys to the kingdom.
Protect your keys – whether SSH keys, AWS key pairs, passwords, secrets or any other privileged credential. Take the first step and discover your “keys” with a CyberArk DNA scan or request a live demo to see how CyberArk can keep you safe from the cyber attacks of today and tomorrow.