When You Gotta Go, You Gotta Go: Cybersecurity Lessons Learned from Jurassic Park
Maybe you’re from the Cretaceous Period and not familiar with the Steven Spielberg directed 1993 classic film Jurassic Park (Universal Studios). In the briefest of brief synopses, a multimillionaire businessman learns the secrets of cloning long extinct dinosaurs and builds an amusement park to show them off. Disaster ensues and the dinosaurs get loose, creating havoc across the park. Our heroes evade the dinos and survive to escape the island resort. There are many cybersecurity lessons to be learned from the film (and even more from the original novel). In this series, When You Gotta Go, You Gotta Go: Cybersecurity Lessons Learned from Jurassic Park, we will explore the many cybersecurity mistakes and how they could have been avoided. We may even point to a cybersecurity framework or two. Let’s get to digging!
Volume 1: The Original Insider
The movie presents Dennis Nedry, the head computer programmer/system architect/computer wiz extraordinaire, as the main reason the dinosaurs got loose in the first place. He is presented as a disgruntled employee who went out of his way to “get back” at John Hammond (the park’s owner) and his park of dinosaurs. Nedry drops some hints throughout the movie about being underpaid and it is easy enough to assume that this is his motivation for his actions. Let’s break it down.
We would classify Dennis Nedry as a malicious insider threat actor, specifically the type we like to call “The Collaborator”. For those that aren’t in the know, “The Collaborator” is an insider who works with an outside entity such as a nation-state or a competitor company. In Nedry’s case he is working with the competition and has a handler (“Dodgson, Dodgson, we have Dodgson here!”). The competition is paying Nedry to steal dinosaur embryos, aka the intellectual property and secret sauce of InGen, Hammond’s company. This is a classic insider threat scenario.
So how does Nedry actually steal the dinosaur embryos? He is the main system architect and programmer. He is essentially God within the Jurassic Park network. It turns out that when he built the network he put in a couple of backdoors that allowed him to discreetly manipulate the physical security systems. He also obfuscated certain artifacts and turned off event logging so nobody would be able to see what he was doing. Note that these are two separate failures: nobody else reviewed the code he shipped, so the backdoors went in unnoticed, and nobody was watching the logs, so the moment they stopped went unnoticed too.
What kind of indicators would have tipped other JP personnel off that something was amiss? We saw that Nedry was acting erratically and confrontationally towards his employer, Mr. Hammond. He was also standoffish towards Mr. Arnold, the main system engineer. Although not shown directly in the movie, we can assume that he probably made some big purchases with his newfound fortune. In today’s world it would be entirely possible that Nedry would brag about buying a new supercar or a lake house on social media, but way back in the early 90s social media didn’t exist.
Technology and process level controls should also be in place to detect the kinds of actions that point to a potential insider threat event. Process level controls such as access reviews, code reviews, and event log reviews could have indicated something was not right, while technology controls like logging, monitoring, and alerting could have caught him in the act. The monitoring has to watch the monitoring, too: an alert that fires when audit logging is disabled, or when the log simply goes quiet, is what catches the insider who knows to cover his tracks. Unfortunately, none of these controls are shown in the movie, and given the timeframe in which the movie takes place it is unclear whether these fundamental controls would even have been present.
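As an added illustration (not code from the original post), the following Python script runs a few simple insider-threat detection rules over a constructed audit log from a fictional park control system. The log format, the account names, the list of physical-security targets and the “change ticket” convention are all assumptions made for the example. It flags exactly the behaviours described above: the audit trail being disabled, the log going silent, unticketed changes to physical-security controls, and a burst of such changes from one account.

```python
"""Added example: insider-threat detection rules over a constructed audit log.

Not code from the original post. The log format, accounts, target names and
ticket convention are assumptions made for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample audit log (not real data). One entry per line:
# ISO-8601 timestamp | account | action | target | change ticket ("-" if none)
SAMPLE_LOG = """\
1993-06-11T18:02:10 | arnold | READ_STATUS   | perimeter_fence     | -
1993-06-11T18:05:44 | arnold | SET_CAMERA    | visitor_center_cam3 | -
1993-06-11T18:07:05 | nedry  | DISABLE_AUDIT | central_logging     | -
1993-06-11T18:31:19 | nedry  | SET_POWER off | perimeter_fence     | -
1993-06-11T18:31:22 | nedry  | UNLOCK        | embryo_cold_storage | -
1993-06-11T18:31:25 | nedry  | UNLOCK        | east_dock_gate      | -
1993-06-11T18:40:00 | arnold | SET_POWER on  | perimeter_fence     | CHG-0042
"""

# Assumed inventory of controls whose state affects physical security.
PHYSICAL_SECURITY = {"perimeter_fence", "embryo_cold_storage", "east_dock_gate"}
# Action prefixes that change state (reads are not interesting here).
MUTATING_PREFIXES = ("SET_", "UNLOCK", "DISABLE_")


@dataclass
class Entry:
    at: datetime
    account: str
    action: str
    target: str
    ticket: str | None


@dataclass
class Alert:
    rule: str
    account: str
    at: datetime


def parse_log(text: str) -> list[Entry]:
    """Parse the pipe-delimited log into time-ordered entries."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, action, target, ticket = [f.strip() for f in line.split("|")]
        entries.append(Entry(datetime.fromisoformat(ts), account, action, target,
                             None if ticket == "-" else ticket))
    return sorted(entries, key=lambda e: e.at)


def is_mutating(action: str) -> bool:
    return action.startswith(MUTATING_PREFIXES)


def detect(entries: list[Entry],
           heartbeat: timedelta = timedelta(minutes=10),
           burst_window: timedelta = timedelta(seconds=60),
           burst_targets: int = 3) -> list[Alert]:
    """Apply four rules in a single pass and return the alerts in log order."""
    alerts: list[Alert] = []
    prev: Entry | None = None
    recent: dict[str, list[tuple[datetime, str]]] = {}  # per-account sliding window
    for e in entries:
        # Rule 1: anyone turning off the audit trail is an alert on its own.
        if e.action == "DISABLE_AUDIT":
            alerts.append(Alert("audit_disabled", e.account, e.at))
        # Rule 2: silence longer than the expected heartbeat. Attributed to the
        # last actor seen before the gap, since that is where the trail ends.
        if prev is not None and e.at - prev.at > heartbeat:
            alerts.append(Alert("log_gap", prev.account, prev.at))
        changes_physsec = e.target in PHYSICAL_SECURITY and is_mutating(e.action)
        # Rule 3: state change to a physical-security control with no change ticket.
        if changes_physsec and e.ticket is None:
            alerts.append(Alert("unticketed_physsec_change", e.account, e.at))
        # Rule 4: one account hitting several distinct physical-security targets
        # inside a short window looks scripted rather than operational.
        if changes_physsec:
            window = [(t, tgt) for t, tgt in recent.get(e.account, [])
                      if e.at - t <= burst_window]
            window.append((e.at, e.target))
            recent[e.account] = window
            if len({tgt for _, tgt in window}) >= burst_targets:
                alerts.append(Alert("physsec_burst", e.account, e.at))
        prev = e
    return alerts


def alerts_by_account(alerts: list[Alert]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for a in alerts:
        counts[a.account] = counts.get(a.account, 0) + 1
    return counts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(f"{a.at.isoformat()}  {a.rule:<26} {a.account}")
```

Run it and every alert lands on the same account: the audit trail is switched off, the log goes quiet for twenty-odd minutes, and three physical-security controls change within six seconds with no ticket. Arnold’s ticketed fence restore raises nothing. The point of the log-gap rule in particular is that the detector does not need to see the attacker’s actions to notice them; it only needs to notice that it has stopped seeing anything.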
If Jurassic Park had been adhering to a cybersecurity framework, would they have found out? If we are talking about insider threats directly, then NERC CIP would be out of the picture: NERC CIP does not (at the time of this blog) have any requirement or standard that speaks directly to insider threats. Of course, certain requirements like CIP-010 R1/R2 (configuration change management and monitoring) or CIP-007 R4 (security event monitoring) might have tipped a SOC or other security analysts off to the backdoors and the disabled logging. Various NIST SP 800-53 control families do speak directly to insider threats and their indicators (PM-12, Insider Threat Program, being the most explicit), so it is entirely possible that this event, at least the insider threat aspect of it, could have been avoided. But in the world of the movie (and in real life in 1993) these frameworks weren’t even a glimmer in the eye of the most astute security analyst.
In the end, Nedry got his comeuppance and was foiled by a dinosaur. If only dinosaurs were an available form of physical security and data loss prevention we might see far fewer cases of “The Collaborator”.