How the Movie ‘300’ Applies to Information Security
This is officially blog number 300! Just to have some fun and learn a few lessons, let’s look at the movie ‘300’ and see if there are any lessons learned we can apply to information security. While this is more of a fun blog than anything else, there a few nuggets we can take away to make our organizations more secure.
Lesson 1: Limit your Attack Surface
In the movie and the actual battle it represents, King Leonidas chose the Hot Gates as their final stand against the Persians. If you remember, the Hot Gates were basically a canyon with a narrow alley, and no way to go around. This limited the attack vectors available to the Persians. They had to go straight through the 300 soldiers without the ability to flank or find another path. Similarly in enterprises, limiting the attack surface we expose to the Internet is one of our best defenses. If we can reduce the available avenues for attack to the fewest ports/services necessary for business operations, that forces attackers to go through one of these (well-defended) entry points and they cannot simply go around.
Lesson 2: A Handful of Well-Trained Soldiers Can Out-Perform 1000s of Weaker Ones
One of the reasons the Spartans prevailed was because they were experts at their craft. They were the best trained and most well-equipped soldiers in the world. As a result, they outperformed their enemy. Similarly in information security, there are thousands of products and advertisements out there for ‘silver bullets’ that will protect your organization using AI and machine learning. However, as security professionals, we are working within a finite and often limited budget. As such, we have to realize that choosing the right investments based on risk analysis and understanding how a particular product minimizes helps reduce that risk is vital. A few well placed tools, or even free, open source resources, can outperform thousands of buzz-word products.
Lesson 3: A Soldier Culture
The reason the Spartans were the best soldiers in the world is because their culture was built around being a soldier. Little kids were trained from the time they could hold a wooden sword on fighting tactics and defense postures. Similarly in information security, the better your company culture embraces a security-first mindset, the better your organization will be able to prevent, detect, and contain an attack. As such, it is imperative to not only include security awareness training in your security program, but also to really take the time to use that awareness training to teach your employees what attacks will look like, how to protect themselves, how attackers steal passwords, what to do if they notice a breach, etc.
Lesson 4: Adapting is Key to Survival
When the Persians were having trouble breaking through, they changed their tactics several times to try to overcome the Spartans. They tried Rhinos and elephants, arrows, and different formations. The only way the Spartans prevailed is by adapting to the attacks they were seeing. Similarly in information security, the attack methods we see are constantly changing. New vulnerabilities are published daily. Technology for both attackers and defenders is constantly evolving. As such, as information security professionals, we need to be ready to adapt constantly. While certain truths and security principles are constant, the tactics and tools we employ change and being in this industry requires an attitude of life-long learning.
Summary
In summary, while it is fun to talk about the movie ‘300’ and the Spartans triumphant victory, there are a few lessons we can learn that apply to securing our organizations. We need to keep our attack surface as small as possible and limit the avenues of attack. Additionally, we need to choose the best tools for our organizations with the limited budget we have. Moreover, a culture of security can be more beneficial than any tool you can buy. Finally, adapting to change and adopting a posture of learning is one of the most important things we can do as security professionals. If you have any questions or want to discuss further, shoot us a quick message.