IT security professionals often cringe in amusement when cybercrime-themed novels appear on bestseller lists, as recently did “The President is Missing”, written by former US President Bill Clinton and prolific thriller-fiction author James Patterson. Its plot centers on a “devastating stealth wiper virus” called Dark Ages, doubtless a nod to real-world ransomware outbreaks like 2017’s global WannaCry and NotPetya epidemics.
As this is a popular entertainment, not a serious work of scholarship, there are inevitable inaccuracies in tech language and usage that will prompt eye-rolls from pedantic security geeks. In our field, mocking tweedy novelists and slick Hollywood filmmakers for fumbling the details large and small about hacking is old sport.
An entertaining movie-plot threat drives this fun beach read, but don’t mistake its thrills for the real thing.
Spoiler (and Plausibility) Alert
You could also fault the novel for implausibilities like the title character ditching his White House handlers to go undercover and take on the cyber-threat himself, [spoiler alert] helping defuse the mega-virus before it can electronically wipe out America’s financial, legal and medical records and crash the power and transportation grids. (In the eventual film adaptation, this presumably will happen with only seconds to go on a red-LED digital countdown clock.)
The silly President-as-action-hero trope has been around at least since the days of late-90s movies like “Independence Day” and “Air Force One”. But as long as it’s well-written, entertaining hogwash (which according to many reviewers, “The President Is Missing” is), we don’t mind how far off from reality it is. We buy such books to pass idle hours on a sunny beach or long trip, not to educate ourselves.
Fact from Fiction
But such flights of fancy can present problems in the real world, notably when business leaders and politicians treat “movie-plot threats” -- security guru Bruce Schneier’s coinage for this novel’s kind of farfetched but imaginatively gripping attack -- as far more plausible and likely than they actually are.
Yes, there are real malware threats to our critical infrastructure, vital business data, and private personal information, with sources ranging from hostile nation-states to organized criminal gangs to malicious insiders within your company. Government institutions, businesses and consumers alike need to defend themselves against likely attacks on the safety of their persons and their data.
But humans have a natural tendency to worry unduly about highly specific threats, often to the detriment of their overall security posture and quality of life.
Life Imitating Art
Consider, for instance, the New Yorkers who earlier this year opposed a plan to add elevators to subway stations near the World Trade Center. Some neighbors objected, suggesting these would make it easier for terrorists to transport bombs into the area. Police and counterterrorism experts discounted these as the understandable but unrealistic fears of Manhattanites, many of whom are still smarting from the 9/11 attacks. Plans to build the elevators are still moving forward, a boon to the disabled.
But human nature, that thoughtlessly reactive, lizard portion of our brains, compels us to worry about improbable threats we encounter in the press and popular culture, rather than workaday threats that are so commonplace that they no longer qualify as breaking news.
Security professionals should always resist the urge to react narrowly and fearfully to the headline-driven threat du jour. As Schneier wrote in his prescient 2008 essay on post-9/11 airport security theater:
“We ban guns and knives, and terrorists use box-cutters. We take away box-cutters and corkscrews, so they put explosives in their shoes. We screen shoes, so they use liquids. We take away liquids, and they're going to do something else. Or they'll ignore airplanes entirely and attack a school, church, theater, stadium, shopping mall, airport terminal outside the security area, or any of the other places where people pack together tightly.”
This is equally true of the security of sensitive business and personal data.
An Easy-to-Follow Plot
The goal, therefore, should be prioritizing attention on defenses that address a broad range of everyday threats, not the fanciful ones dreamed up by novelists, screenwriters and civilians.
If you recognize, for instance, that a diligent backup regimen will save you from most malware attacks because you can restore your systems to a point in time prior to the infection, you may decide to focus more heavily in ways to achieve fresher recovery points and shorter recovery times. The more recent your last backup and the quicker you can restore from it, the easier it is to make the restoral decision and the less data you lose in rolling back the clock.
This is a sensible best practice: choosing technology and policies that defend your data regardless of the threat type.
A Sense of Realism
Nevertheless, some attacks with high success probabilities deserve special consideration. For example, ransomware has been widely identified as the most pervasive and fastest-growing malware strain in the world, most recently by Verizon’s 2018 Data Breach Investigations Report.
With that in mind, you may want to invest in technology (like Acronis Backup and Acronis True Image with Active Protection) that uses machine learning to detect, terminate and instantly recover from ransomware infections, and is hardened against attacks on the backup agent and archives (a common ransomware tactic designed to thwart backup-based recovery).
This choice also reflects sound risk assessment and mitigation-tactic deployment in response to a high-priority threat, a practice that is foundational to good security strategy.
In the meantime, if you are worrying about a cyberattack that can only be stopped by a superhero of a President operating in disguise outside of the White House, you hopefully are reclined in a chaise lounge sipping a piña colada, in the grip of a pulpy page-turner you picked up at the airport, not thinking about actual IT security strategy.
In the real world, those of us charged with protecting our companies’ and families’ data need to stop chasing the headline-news security nightmare of the moment: it’s an endless, fruitless game of Whack-a-Mole. Leave that fever dream at the beach, and back at work and at home, build strategic defenses that generally work regardless of the threat, buttressed with countermeasures to neutralize the most dangerous attacks.
Movie-plot threats like the one that drives “The President Is Missing” may be entertaining diversions, but we must remember to treat their adrenaline-inducing charms only as such.
For more information about Acronis Active Protection, you can find details here.