I was watching the TV series, La Casa De Papel (Money Heist) on Netflix, a few weeks ago. I realized that the story of the gang can reveal some best practices we should use while dealing with the security of the products we build.
Beware, the text contains spoilers. If you haven't seen the show till the end and you are planning to, please visit the article on a later day. Or proceed with your own responsibility :)
First of all, what is threat modeling?
Threat modeling, in layman terms, is an analytical process. In there, the engineers who build a product coordinate with the security team. They collaborate towards the security architecture of the product.
More specifically, the model, how someone can attack the product, and what is worth protecting (assets). They also model what they can be loose about. Being loose, not because they don't care. But because protecting it can be more costly than the asset itself.
Threat modeling can get you a long way and protect you from events, against the odds. What is threat modeling in our "Money Heist" case? It is Professor's (aka Sergio Marquina's) plan against all potential routes the plan will take. In having alternatives, even for the edgiest scenarios. The assets are clearly, the stolen money or his comrades in the heist.
Threat modeling might help you recover from many security problems that will arise. You can recover from a cyber-attack but things will never be the same. A crack in the security wall can have a domino effect.
Imagine a lake dam, with a few cracks around, going unnoticed and being exploited by nature. You can always fix it, but it might take time for the lake visitors to establish trust again.
Like the Professor, where he lost respect after the gold (temporarily) vanished. Even though his great problem-solving skills, helped resolve the issue, things got hairy very fast.
In the show, there are some provocative cases of luck. For example:
- Raquel renegading the police organization
- Police and army failing plans to invade the bank
- Failing to shoot to the target many times. From troops, that are supposed to be professional shooters.
Snitches and below-expectations defense might give you some extra time. to move with your plan or escape. But you have to take advantage of it. To either move with your plan or escape. Always think your luck might go away, any time soon.
This is not specific to cybersecurity but to life in general.
Pain is temporary, quitting lasts forever. Accept your mistakes, remediate them and learn from them. As long as your heart is pumping blood, you are not dead yet.
- Architectural mistake? Patch it immediately and re-architect the product (yeah, I know...delivery and business constraints)
- Below expectations monitoring? Fix it now. Add more people and see how they can be more effective
- Serious defects in the code? Train your team insecure practices and code review focused on security. Buy a license to a package like Snyk or Nessus. Plan some percentage of your capacity to patch the most severe ones
Imagine a ransomware attack. It is there, it is happening. Screaming over people's heads will not solve the problem.
When you cannot win against an attack, you still have to do your best, to at least not lose. For sure, don't panic. As the Stoics say, you have to be your best self on the things you control. And let the rest, just be. Accept them.
You cannot control the next stage of an attack. But you can do your best to prevent it, to not repeat the same mistakes, and to close the open doors that exist now.
Don't lose your temper and clear mind,. Like Tamayo lost it, when he realized the gang was blackmailing him for various reasons.
He got angry, he got blackmailed, he was even ridiculed in the eyes of the European Central Bank. And what was the result? He lost, hands down, even though he lied to the media about winning.
Top-notch cybersecurity is not a free lunch. And not everyone can do it, as the caveats are so many. But with some discipline, retrospection, and humility, you can do wonders. Also, the show is great, if you haven't seen it, please do.