I just randomly took some episodes and just from the 4 or 5 I reviewed this is what I found:
- Captain Kirk gave access to a human from the past based on the fact that he stated he “used to be an engineer.” Based on those specifications, he was able to commandeer the ship and almost kill the bridge crew.
- Captain Kirk gave access (again!) to a crew member that was under the influence of alien powers, and this (again!) led to the commandeering of the ship and the possible destruction of the ship and crew.
- Captain Kirk gave access to medical personnel for the transporter room, which led to the unauthorized transport of one medical person down to a planet’s surface, consequently leading to the changing of the entire time space continuum (the medical person also stole a phaser while on his way to transport himself down)
- Captain Kirk, in another dimension, gave access to a computer security application that can silently kill other crew members to a crew member he was “friendly” with at the time. Don’t give friends more access than they are authorized!
These are just some of the issues in these episodes. Sure, it makes good entertainment, but really, it is not something that we, as computer security professionals, would want to emulate.
What type of advice would we, as security evangelists, propose to correct these problems?
- Have a full-time cyber security team on the crew of the Enterprise that could do “pen tests” and security reviews with all crew members and bridge crew, along with checking passwords and other access controls
- Ensure that weekly security reviews with the Captain are completed with a non-attribution focus so that the Captain can be aware of problems and help correct them
- Establish good solid computer policies that are done with each crew member and understand authorized vs unauthorized access
- Establish key card access (or biometric) to certain areas (such as the transporter room) that only certain crew members are authorized to obtain
- All crew quarter computers are immediately locked down upon exit of the crew member and are blocked from view of other crew members when activated
- Ensure all passwords are stronger than “A1-B2-C3” for destruction sequences. Even voice commands can be counterfeited.
- Phasers are not to be issued without access and authorization and biometrically controlled for access to fire
Just a few suggestions.
More on this in the next few articles.
Live Long and Prosper