Mr. Robot is a drama-thriller television series about Elliot Anderson, a security engineer by day, and a hacker at night. He suffers from social anxiety disorder and clinical depression, only able to connect with people by hacking their personal lives. Eventually his talents capture the attention of a hacktivist group called fsociety. Pulled in by their cause, Anderson joins a team of hackers to take down mega-corporation E Corp.
Critics have praised the show for its accurate display of cybercrime in television. Mainstream media often depicts hacking as a magic trick with computers. In the show, it’s portrayed in realistic scenarios that businesses can actually learn from to help strengthen their IT security strategy.
When Elliot gets involved with fsociety, he is faced with bringing down the largest corporation in the world, which later on pushes him to bring down the cybersecurity firm he works in.
IT Security Lessons from Mr. Robot
Caution: Spoilers ahead.
The truth about hackers.
Large scale data breach is done by a group or organization, not the evil nerd that movies and TV shows often depict.
fsociety had to team up with, as stereotypical as this may sound at this point, a Chinese hack-for-pay group called The Dark Army. Eighty-nine percent of phishing attacks are done by crime syndicates and state-affiliated groups according to the Verizon Data Breach Report 2016.
Individual hackers are people like the rest of us, they have jobs and real lives. They can’t execute a perfect hack in minutes even if they typed faster.
The truth about hacking.
Speaking of hacking, they’re not executed in one sitting using a series of command lines that need to be typed at 190 words per minute such as these memorable moments.
fsociety’s first attempt didn’t go smoothly because Elliot backed out. Plan A was to cause an explosion at a gas plant to destroy the backup facility called Steel Mountain but he didn’t want to risk lives. He opted to infiltrate the facility instead which involved physical access. The group went back to the drawing board and devised a new plan — bypass security and implant a hacking device that enabled them to take over the climate control system.
Well you can say that this is just a clever storytelling because real life hacking is boring and tedious. However the plotline does reflect a realistic approach.
The fundamental basics of a hack are present—research, reconnaissance, execution, and clean-up. This can take weeks to months depending on the protocols, processes, and people in place by the target. Setbacks and timing could delay or derail the plans. There’s a combination of tactics that may not just involve computers. Probing attempts were made on Philippine banks to uncover vulnerabilities until the Bangladesh Heist occurred. In this extraordinary case, the money was used in casinos to buy chips or pay for losses—successfully laundering the money using an unregulated industry.
While this may become an isolated, one-time big time case, it shows that hacking isn’t that simple. Criminal hackers will exploit all vulnerabilities .
Your best defense is the also the best offence.
Here’s the thing about data breach, hackers can erase their tracks and companies wouldn’t even know it happened. E Corp didn’t until all their customers’ debt were wiped out by fsociety.
Case in point, the LinkedIn data breach. The incident wasn’t known until it was revealed that stolen credentials were being sold. More often mitigation is the best, and sometimes, the only option that businesses have.
E Corp as mentioned before had backup files in Steel Mountain based on a real data storage company called Iron Mountain. In today’s age where your information can be held hostage, it’s important to have a back-up, disaster recovery, and business continuity measures in place. Any business regardless of size that has valuable data can get hacked.
There is no anti-hacking tool for people.
Throughout season one there are a number of human exploits in different episodes. Ollie became a pawn until Angela sabotaged AllSafe using his computer. Elliot stopped the honeypot in the nick of time but had to steal his boss’ credentials. He was able to access Steel Mountain physically by taking advantage of an employee who was eager to please anyone. He too, became a victim, as he was forced to release Vera from prison to save Shayla.
Employees are cyber risks on two legs. In fact it has been reported that one-third of insiders are users with access to sensitive data as part of their job. Worse this incident takes the longest to discover. If the organization has fraud detection, employees who provided information that lead to fraud were identified within months. There were numerous incidences were a USB drive was used to transfer data before they left the company. Unfortunately for the rest who don’t have that protocol in place, detection could take years.
The Internet of Things is also the Internet of Vulnerabilities
Yes, it is plausible to hack a climate control system and a prison. Through the Internet of Things, which might as well be named as Internet of Vulnerabilities, everything that is connected can be hacked. Criminal hackers can either go after data stored in your linked devices or take control of the connected device while you’re using it.
A Jeep Cherokee was successfully hacked using the zero-day exploit. It was just a test but it proved that anything with internet connectivity capabilities was ripe for the picking, especially if manufacturers don’t have security in mind. Chrysler notified owners that a software update is available to get rid of the bug but it had to be manually implemented via a USB or a dealership mechanic. As a result, many vehicles will most likely stay vulnerable.
At this point a criminal hacker would just need creativity, patience, and timing to pull off a cybercrime. Mr. Robot has shown us this fact throughout the first season. Often it all boils down to that one mistake, weak link, or crack in the system to bring everything down. If they can’t get past your firewall, they will exploit employees to create their own back door.
Banality of Evil
There are different motivations for hacking, whether it’s to brag how weak your systems are (such as the Philippine Comelec Data Breach) or just plain money. A majority of the motivations still revolve around financial gain. The common denominator here is people whether it’s an internal or external attack. Elliot, White Rose, fsociety, and the Dark Army are all humans who just happen to have the right expertise.
Apart from hiring the right people, businesses should also consider a data breach from the hacker’s perspective. Most of the time, you wouldn’t know the weakest link unless you test it. An IT audit, risk assessment, and penetration testing could help in identifying the weak spots in your system before somebody else finds them.
All of these points are enough to make your IT guy paranoid as he should be. While Mr. Robot is complete fiction, it does present facts that business should keep in mind. Remember criminal hackers only need a single vulnerability to gain a foothold in your system. Implement an IT security strategy that covers your systems, network, and employees to reduce risks and prevent data breach.
The second season of Mr. Robot will debut in July 13, 2016.