As someone who works in cyber security industry, I hear a lot of delusions:
“I’m not a target.”
“My CISO knows what he’s doing.”
“Phishing only works on idiots.”
“It doesn’t matter what my password is, I’m the only one who knows it.”
“What can a hacker do with my password? I work in accounting.”
We are all really smart in retrospect. We think that it will never happen to us, so we cut corners, adding multi-factor authentication to critical systems and keeping single-factor authentication for the rest.
This is a terrible idea.
Since the myriad technical articles out there explaining why haven’t seemed to sway people, I’m going to try a new approach. Let’s look at one of the greatest episodes of Rick and Morty, “The Rickshank Rickdemption” (if you haven’t seen it yet, STOP everything, and watch it), and use it as a teachable animated moment for why it is well past time to ramp up your security efforts.
In the episode, Rick gets captured, gets himself released, and destroys the galactic federation all using privilege escalation – in a very similar way to hackers:
1) Employ Phishing site and malware – The galactic federation has Rick in a Series 9000 mind controlling device, trying to trick rick to reveal his formula for interdimensional travel.
Rick creates a false memory and gives the galactic federation what they assume is the formula, which is actually giving Rick access to control the Series 9000 - Just like a hacker creating a false site to trick a visitor to think the site is legitimate.
2) Remote Access Trojan – Rick’s formula gives him control over the Series 9000. He transfers his mind to the mind of his captor, just like a remote access trojan, which leaves a backdoor open to a hacked system in order for the hacker to assume control.
3) Corporate Account Takeover (CATO) – Using his captor’s identity and body, Rick notes that the prison keeps both the galaxy’s most-wanted criminals, but also its most sensitive data, and casually asks those around him for the Level 9 bathroom code, which they give him without a thought.
“Is it cool if I use the level-nine bathroom? W-W-What's the level-nine master access code again?”
By leveraging his current authorization, he gains access to an additional resource by asking to use the bathrooms on level 9. In the same way, hackers can execute a Corporate AccountTakeover leading to Vertical privilege escalation, starting with even a small, low-level entree into an organization’s systems. The email password of a mailroom clerk can be used to send a phishing email to a sales rep to enter their password for a package. The password of a sales rep can be used to phish their managers, and so on, all the way to the top. Lesson here: don’t give out the bathroom code, and don’t rely on vulnerable passwords!
4) Vertical Privilege Escalation – Rick encounters “Seal Team Rick,” assumes the identity of one of the officers, takes a ship, and flies to the council of Ricks, his new authorized identity moving up the ladder.
He then uses this new identity and the Series 9000 to take over a high-ranking official in the council of Ricks, granting himself privileges usually reserved for higher-access users, including the teleportation room of the council. It’s like i said -> mailroom clerk to CEO in just a few little security hops.
5) Even More Privilege Escalation - Rick uses the privileges he got by assuming the identity of the high-ranking member to access the teleportation room, and then uses a design flaw to teleport the Council into the Galactic Federation facility. When a worker comments that it’s a restricted area because it can transport “the entire Citadel to somewhere else using only buttons and dials,” Rick rightly responds that “it's a bad idea to have it designed that way then, isn't it?”
6) The Breach – Rick has now created havoc in both the Galactic Federation and the Council of Ricks, and uses the diversion to access the mainframe of the federation and makes just one minor change, a 1 to a 0. Does it launch nukes? Does it obliterate their military? No, it makes the entire economy collapse, the federation along with it.
In other words, one fake email (Rick’s invented memory) led to one low-level access privilege (the bathroom code), which climbed and climbed until the entire economy collapsed.
There are a lot of absurd things about Rick and Morty, but this episode is surprisingly true-to-life. Just look at the casino that was hacked into.
So, unless you want your citadel teleported away with you inside it, or your customer records stolen out from under you after a receptionist opens a malicious email link, you’ll take a hard look at all of your authentication protocols, stat.
