In Episode IV of Star Wars, Han Solo, Luke Skywalker, Obi-Wan and Chewbacca are trapped on the Death Star after their jump from hyperspace.
The stormtroopers are quickly overwhelmed, and our heroes are able to access a physical terminal. R2-D2 is then able to plug into the Death Star's computer systems.
R2-D2 is able to quickly access all of the information, including schematics and prisoner information.
In the post-mortem on Coruscant, I can just imagine the dialogue:
Palpatine: How were they able to access all of the information?
CISO for the fleet: Well, the Grand Moff decided that the cost of adding firewalls and security systems to partition the network was too costly. He chose to rely on a big ass external firewall. His priority was the ability for his teams to access the information, not to protect it.
Palpatine: A single droid was able to quickly and trivially get all of our operational information … Because we had no firewall?
CISO for the fleet: (visibly sweating) Well, it’s more complicated than that. A firewall would have delayed the attack, and at the very least made it harder, but nothing could have protected us against a determined attack.
Palpatine: A single bot that was put behind our firewall was able to get everything…
CISO for the fleet: Grand Moff Tarkin felt that it was impossible for a bot to escape the station or communicate externally…
Palpatine: Grand Moff is dead?
CISO for the fleet: Yes, Grand Moff is dead.
Palpatine: Pity. At least we won’t need to replace the commander of our space station. I suppose we’ll need a new CISO for the fleet.
Blue lightning crackles from the Emperor’s hand. The CISO for the fleet crumbles. His second in command steps forward…
New CISO for the fleet: Emperor, we’ll re-organize our security protocols immediately.
At Zynga, our security team was – actually – ahead of the curve. Our strategy was not to rely just on a hard shell. We also created internal segmentation of our systems. Basically, we created firewalls around each of our games and each of our systems. This kind of internal segmentation was a layer of protection that I thought was standard practice. More honestly, I thought this kind of protection was unnecessary. The recent disasters show that it is not. Too many people rely on a single external hard shell … unfortunately, once you get through the hard shell, everything is available.
This kind of internal segmentation is not yet standard practice across the industry, nor was it standard in a galaxy far, far away…
And in all cases, the results were not that pretty…