Cloud adoption is trending—and it is an inevitable choice for any enterprise that wants to stay relevant in today’s interconnected world.
The security of storing and processing critical data outside of the enterprise’s control is a central factor to the analysis of cloud adoption.
So whether your organization employs a cloud-first strategy or is still sitting on the sidelines of the cloud game, there are three key steps to understanding what risks the cloud poses to your data.
Assess your current cloud usage. What cloud services are your users already using to do their jobs? Security leaders should sponsor a project to inspect all network traffic using a web proxy server or cloud access security broker (CASB) to fully identify your enterprise’s app consumption. The next step is differentiation between enterprise-sanctioned apps and rogue shadow IT apps. The prevalence of shadow IT is either unknown or underestimated by the IT departments at most enterprises. The mounting risks from decentralized and uncontrolled cloud service adoption across the gamut of enterprise applications have left CIOs wondering how best to assess the extent of shadow IT services that have migrated to the cloud without adequate control measures or oversight from IT. While these shadow IT systems may have served as a quick win to the business when implemented, the legacy impact of these cloud solutions is redundancy and an increased attack surface throughout the enterprise. As surveillance and data leakage concerns continue to haunt consumers and businesses alike, security due diligence of cloud solutions is paramount.
Adjust your strategy to reduce cloud risk. There may be significant cost and efficiency gains possible by moving select services to the cloud. Risk reduction measures should be evaluated concurrently to securely scale your cloud adoption. Consider cloud identity management solutions for single sign-on to enable centralized access controls, including multifactor authentication options. Further, automated user provisioning will inject security into your application portfolio management. Another recommendation to security leaders is to leverage a layer 7 next-gen firewall for web traffic classification and control. This visibility will allow you to block risky, nonbusiness apps, such as peer-to-peer sharing, or restrict quasi-business apps, such as file sharing services, to only privileged users/groups with a demonstrated need.
Plan your future cloud model. Whether your business users want to consume Software as a Service (SaaS) solutions or your IT infrastructure teams see value in Infrastructure as a Service (IaaS) offerings, there are many ways to mitigate your risks while satisfying both sides. Advanced security analytics, data context and application auditing made available by CASBs can enable deep integration into many foundational enterprise apps (Office 365, Google Apps, AWS, Azure). It is also imperative to formalize your application risk assessment when choosing between cloud-based SaaS and increasingly available on-premise SaaS solutions for those critical services that your risk managers cannot bless to the cloud. Some niche cloud service providers (e.g., Github, JIRA) also offer on-premise options to customers, and new Docker container technologies (Replicated) are now allowing vendors to offer the same SaaS experience, but delivered on-premise, in an effort to keep a better handle on enterprise data and security. In the ultimate decision of cloud adoption, your future cloud model may well be sitting behind your own firewall.
Gary Miller, CISSP, CISA, CIA, CRMA, CCSA, ITILv3 Senior Director of Information Security at TaskUs
Note: Gary Miller will present on shadow IT risk and cloud governance at ISACA’s 2016 North America CACS conference in New Orleans, 2-4 May 2016. To learn more from him and other expert presenters, register here.
We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite.
The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!
The Illusion of Due Diligence: Notes from the CISO Underground introduces the complicated and challenging career experiences of Chief Intelligence Officer and sometime Chief Information Security Officer, Jeffery Bardin. The Illusion of Due Diligence highlights the relationship between executive risk tolerance and its intersection with the professional standards of information security professionals. Bardin suggests that these interactions often intersect in ways that are ethically questionable and even unhealthy for the business.
While I hesitate to advocate The Illusion of Due Diligence as a candidate for the Cybersecurity Canon, the book provides a variety of examples illustrating the complexity of acting as an information security professional. This book provides a powerful reminder that not all of the obstacles to information security reside outside of the organization. Bardin posits that the battle to maintain the confidentiality, integrity, and availability of systems may be lost easily in the day-to-day political contests fought in organizations of all sizes. Bardin’s work reflects an easy style reminiscent of peers commiserating over coffee, trading anecdotes about the internal challenges they face, but, in relying upon what are effectively parables, never quite gets to the lessons that today’s information security professionals require for maximum effectiveness.
Review
The Illusion of Due Diligence confronts the moral, ethical, personal and professional challenges associated with the field of information security. Using a narrative style, Bardin walks us through the day-to-day experiences confronting many security professionals. Beginning with an executive manager who not only failed to understand the role of information security but then actively interfered with the security officer’s function, Bardin relates a story that is common to many information security professionals. Using examples of specific CIO actions to evade compliance, disabling of critical controls to protect revenue, and competing information technology objectives, Bardin illustrates the challenges that leading information security executives are confronted with. Bardin’s treatment of these challenges places a bull’s-eye squarely on the back of the information security executive who is tasked with delivering and maintaining a secure environment at a level that reflects the enterprise’s risk tolerance but where enterprise risk management decisions may either be made informally or in such a way that the success or the failure of the program won’t rest with the executives making the decisions.
Adequate authority, resources, and reporting structures are the challenges Bardin alludes to amid the technical and political adversaries today’s information security professional must confront. His observation that each of these internal adversaries may be just as daunting as battling nation-state actors, hackers and organized crime represents an important contribution to the literature. Ultimately, while the explicit articulation that managing up and across represents one of the most pressing challenges in information security today is useful, The Illusion of Due Diligence never quite gets to the techniques and strategies for doing so and is, therefore, likely to leave some readers’ thirst for solutions unsatisfied.
The book is organized into a series of non-fiction, short stories based on actual experiences of the author. While Bardin makes some attempts at masking the sources of his narrative, it remains clear that we are seeing experiences from particular government agencies, contractors, and other personalities. While the tell-all, behind-the-curtain format offers some limitations, Bardin reels in the reader, creating a shared sense of struggle that is quite relatable.
Bardin writes:
“Being a security professional is a formidable career choice. To do it right you must take an oath of allegiance to your craft that is not welcome in the corporate world that ultimately employs you. The very credentials that make you marketable are, in the end, the very thing that can put you in the job market, again, and again. Taking ethical stands to live up to the code of the CISSP and the CISM takes courage, tenacity, thick skin and the willingness to walk away from an employer.”
The challenges facing security executives are nothing new to those who have been in the industry for many years. Bardin, however, creates a narrative that offers an opportunity for many professionals, especially those climbing the corporate ladder, to learn important lessons by observation rather than experience – an opportunity that many would say is the preferred route for those seeking to remain in their position and navigate these challenges.
While the war stories aspect of the book is endearing, the work is sometimes difficult to follow and, like many works featuring technical authors, leaves some room for greater accessibility and clarity. In particular, the level of granularity, coupled with strained attempts to obfuscate the identities of the parties sometimes creates an impression of sour grapes and detracts from the key insight of the book: that managing up and across is among the most important obstacles to success for information security leaders. For example, Bardin relates the story of a wayward business partner, “Ariel,” focusing on character development but never fully embraces or explores the moral, ethical or related challenges confronting the situation or how such issues might be addressed pragmatically. Ultimately, it is this missed opportunity for greater depth and exploration of the lessons growing out of each of these mini-case studies that limits what this book might have been, which is a business school-like series of mini-case studies that could prepare executives for what remains a recurring series of challenges as the security function and profession matures.
While the book highlights the ethical imperatives confronting many organizations, Bardin sometimes seemingly too easily conflates differences of business judgment and risk tolerance with potentially unethical behavior. At its core, information security represents a risk-focused discipline, and accepting risk remains a very difficult practice for many information security professionals to stomach. That’s okay, because our perspective is often juxtaposed with many other competing business needs. In the end, we cannot fire all of the employees or shut down the enterprise, even though the result of those efforts would often be near “perfect” security. In this regard, Bardin could have identified additional tools or techniques to address the relationship between policy and reality. For example, developing and maintaining policy exception processes that create executive accountability represents an important tool to drive accountability while maintaining opportunities to manage and accept risk purposefully. Similarly, The Illusion of Due Diligence never quite highlights the importance of distinguishing between the organizational consequences of failing to adhere fully to policies or contractual obligations and those of failing to meet legal obligations. Complaining about the former can often place the information security professional in the role of Chicken Little or an adult in Charles Schulz’s Peanuts cartoon. Sound the alarm too early or too often and management eventually stops listening.
Conclusion
At the core, Bardin seems to identify one of the most pressing challenges facing information security executives: how and when should issues be escalated when multiple business objectives compete with the enterprise’s security objectives? Unfortunately, the book provides little guidance on structures, tools and techniques that might be utilized or relied upon to confront these challenges. While consistency across the application of policies, procedures, guidelines and technical controls, and the subsequent transparency to management remains critical, perhaps more important is the recognition that many CISOs would benefit from a broader business perspective. Such a perspective would help navigate avoiding being labeled as myopic and obstructionist while remaining true to the role, function and responsibilities within the organization. Although the detail of the narrative provides for some juicy storytelling that keeps the reader’s attention, beyond cataloging many common scenarios that can challenge security professionals, The Illusion of Due Diligence does not quite accomplish Bardin’s objective to help the information security professional forge better outcomes, including securing their existing position.
Here are three ways to think about public cloud security as we head into 2016.
“Cloud First” Will Accelerate Public Cloud Adoption
I believe that customers have concluded that the public cloud is ready to support their business requirements and they have accepted — and hopefully understand — the shared security model for protecting their applications and data. With that in mind, I predict that 2016 will see a rapid acceleration of public cloud adoption, driven by an application development mindset that is geared towards cloud first and cloud native. Cloud first and cloud native means that the applications are developed with the agility, scalability, and resiliency of the public cloud in mind; and using (reusing) smaller components that are a combination of open-source and internally developed.
Public cloud initiative success may hinge upon security
Gartner predicts that by 2020, a staggering 95 percent of public cloud failures will be the customer’s fault. We can only hope this prediction never comes true. Undoubtedly, some of the public cloud failures will be the direct result of poor security, resulting in the loss of customer data. One could argue that security in the public cloud should be tighter than network security because the public cloud is more “exposed”, be it real or perceived. Traditional IT will be challenged to secure these assets as the architecture in public cloud evolves and increases in complexity, forcing them to look beyond the basic visibility and security features offered by the cloud providers. Enterprises should treat their public cloud deployment as a greenfield opportunity to implement the tightest security possible, encompassing better SOC tools for improved visibility and control over the applications, users and traffic across their various “cloud islands”.
Prevention alliances will expand beyond networking and security
Our interaction with customers has shown that public cloud projects are driven by groups that fall outside of traditionally-defined networking and security teams. Examples we have seen include Cloud, DevOps, Infrastructure, and Virtualization. As public cloud initiatives accelerate, the concept of security first will expand beyond the security team into the other groups, thereby expanding the working relationships and resources focused on the task of network and data protection. This particular prediction is critical to the protection of cloud-based apps and data and, possibly, the success of the public cloud deployments as a whole. In fact, many public (and private) cloud projects have been successful because of the close working relationship between security and cloud teams. In some cases, the groups have been combined under the same management “roof.” I expect to see more of that happening next year.
Want to explore more of our top 2016 cybersecurity predictions? Register now for Ignite 2016.
Palo Alto Networks recently identified a new campaign targeting the transportation sector in Europe with ties to the Dark Seoul and Operation Troy campaigns that took place in 2013. This new campaign used updated instances of the Tdrop malware family discovered in the Operation Troy campaign. For more information on the new campaign discovered by Unit 42, please refer to our recent blog post.
In this attack, attackers embedded the TDrop2 malware inside a legitimate video software package hosted on the software distributor’s website. By doing this, they were able to target organizations that relied on the distributor’s security camera solution and infect their systems with malware. They created a true Trojan horse, which sneaks into a network as a gift, but when opened, the attacker’s army leaps out.
Trojanized Video Player (Stage 1)
The malware used for the attempted infection purported to be a legitimate video player, providing viewing software for security camera solutions. The following two unique file names were involved in the attack.
[redacted]Player_full.exe
[redacted]Player_light.exe
The difference between the files involves the specific video player that was dropped and executed during runtime. Each file would drop and execute the full or light version of the legitimate video player respective to the file name.
Both the legitimate copy of the video player, as well as a malicious executable were bundled into a single executable. These files were added to the end of the Trojan executable, as seen below.
Figure 1 Layout of Trojan video player
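The bundling described above leaves the appended files as an "overlay": bytes that lie past the end of the last section recorded in the PE section table. As an added analyst-side example (not code from the Unit 42 post), the following Python walks the DOS header, COFF header and section table to report where the sections end and how many bytes follow them. The sample PE layout is constructed here, not taken from the campaign, and legitimate files can carry small overlays (Authenticode signatures, installer payloads), so the size is reported for triage rather than treated as a verdict.

```python
import struct

PE_SIGNATURE = b"PE\0\0"


def overlay_info(data: bytes):
    """Return (end_of_sections, overlay_size) for a PE file held in memory.

    end_of_sections is the highest PointerToRawData + SizeOfRawData among
    the sections (or the end of the section table if no section has raw
    data); everything after it is overlay.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ magic")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    # COFF header: NumberOfSections at +2, SizeOfOptionalHeader at +16.
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sect_table = coff + 20 + opt_size
    end = sect_table + 40 * num_sections  # at least the headers themselves
    for i in range(num_sections):
        # Section header: SizeOfRawData at +16, PointerToRawData at +20.
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect_table + 40 * i + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    return end, max(0, len(data) - end)


def build_sample_pe(appended: bytes = b"") -> bytes:
    """Constructed minimal PE layout (not a real executable): one section
    whose raw data occupies file offsets 0x200-0x400, then optional extra
    bytes standing in for appended files."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0 here), Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    header = bytes(dos) + PE_SIGNATURE + coff + section
    body = header + b"\0" * (0x400 - len(header))
    return body + appended


if __name__ == "__main__":
    print("clean:", overlay_info(build_sample_pe()))
    print("with appended data:", overlay_info(build_sample_pe(b"X" * 100)))
```

Run against a real sample, `overlay_info(open(path, "rb").read())` gives the file offset at which to start carving the appended player and second-stage executable.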
When initially run, the malware checks to see if its parent process is either explorer.exe or cmd.exe. In the event the malware is not running in the context of either of these processes, it will exit. This check exists in a number of the subsequent processes/executables used by the TDrop2 malware variant.
Figure 2 Function identifying and checking parent process
Subsequently, the malware proceeds to extract both the video player and the embedded malware using a series of calls to CreateFile, CreateFileMapping, GetFileSize, and MapViewOfFile. Once extracted, each is written to a new file on disk prior to being executed. The video player is written to one of the following locations, based on the original filename:
%TEMP%\[redacted]Player_full.exe
%TEMP%\[redacted]Player_light.exe
The malware itself is written to the %TEMP% directory as well. The filename is derived by randomly choosing an executable name from the system32 directory. The randomly chosen executable must not contain any of the following strings:
setup
install
update
Dropped Malware (Stage 2)
This dropped malware begins by performing the same parent process check witnessed in the original sample. In the event the malware is not running within the parent process of cmd.exe or explorer.exe, it will exit immediately. This malware sample will also dynamically load a number of functions and libraries. After the kernel32.dll and ntdll.dll libraries are loaded via calls to GetModuleHandle, the following process takes place:
Create a char array containing the desired function name and store this array to a variable
Figure 3 Malware dynamically loading functions at runtime
In total, the following 14 functions are loaded during runtime:
CreateFileA
GetFileSize
CloseHandle
VirtualAlloc
GetModuleFileNameA
CreateProcessA
NtUnmapViewOfSection
VirtualAllocEx
WriteProcessMemory
GetThreadContext
SetThreadContext
ResumeThread
TerminateProcess
TerminateThread
After these functions are loaded, the malware will randomly select an executable from the system32 directory using the same routine witnessed in the earlier sample. The malware proceeds to spawn a new process of the selected executable and performs a technique called process hollowing to hide itself inside a legitimate executable. This leads us to the next stage of the malware.
Injected Malware (Stage 3)
This particular stage of malware acts as a downloader. The parent process check is not used in this particular sample. The malware initially attempts to download a file from the following location:
The downloaded file has the first two bytes of the PE file format replaced with the characters ‘DW’, instead of the usual ‘MZ’. After the download occurs, the malware immediately corrects the first two bytes with the ‘MZ’ characters prior to writing the file to disk.
Figure 5 Malware overwriting first two bytes of downloaded file
The downloaded file is dropped to the system32 folder. The malware selects a randomly chosen DLL from this directory. The base name of this DLL is used to write the downloaded file. As an example, in the event apcups.dll was selected, the malware would write the downloaded file to apcups.exe in the same folder. The downloader then proceeds to execute this downloaded file in a new process.
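Because the downloader restores the 'MZ' bytes itself, the file crossing the network is a well-formed PE in every respect except its DOS magic. As an added example (not code from the Unit 42 post), the Python below applies that observation from the defender's side: it reads e_lfanew from the DOS header and, when it points at a valid 'PE\0\0' signature, classifies the blob as a normal PE or as a masked one whose magic has been altered. This is the check a proxy-cache or sandbox triage script could run on downloads that type-detection based on the first two bytes would otherwise pass over. The sample blobs are constructed here, not taken from the campaign, and the unmasking helper is an analyst convenience for handing the file to ordinary PE tooling.

```python
import struct

PE_SIGNATURE = b"PE\0\0"
DOS_MAGIC = b"MZ"


def classify_pe_bytes(data: bytes) -> str:
    """Return 'pe', 'masked_pe' or 'not_pe' for a file's leading bytes.

    A Windows executable opens with the DOS magic 'MZ' and stores at offset
    0x3C (e_lfanew) the offset of the 'PE\\0\\0' signature. A blob whose
    e_lfanew points at a valid signature but whose magic is something else
    (such as the 'DW' used by this downloader) is reported as masked.
    """
    if len(data) < 0x40:                     # too short to hold a DOS header
        return "not_pe"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # The signature must lie inside the blob; a bogus e_lfanew is not a PE.
    if e_lfanew + len(PE_SIGNATURE) > len(data):
        return "not_pe"
    if data[e_lfanew:e_lfanew + len(PE_SIGNATURE)] != PE_SIGNATURE:
        return "not_pe"
    return "pe" if data[:2] == DOS_MAGIC else "masked_pe"


def unmask_pe(data: bytes) -> bytes:
    """Restore the DOS magic of a masked PE for analysis with normal tooling."""
    if classify_pe_bytes(data) != "masked_pe":
        raise ValueError("input is not a masked PE")
    return DOS_MAGIC + data[2:]


def build_sample(magic: bytes) -> bytes:
    """Constructed minimal PE-shaped blob (not a real file): a 64-byte DOS
    header with e_lfanew = 0x40, followed by the PE signature and padding."""
    header = bytearray(0x40)
    header[0:2] = magic
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + PE_SIGNATURE + b"\0" * 20


if __name__ == "__main__":
    for label, blob in (("normal", build_sample(DOS_MAGIC)),
                        ("masked", build_sample(b"DW")),
                        ("gif", b"GIF89a" + b"\0" * 70)):
        print(label, classify_pe_bytes(blob))
```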
JPG Executable (Stage 4)
As we’ve seen in previous samples, this executable file begins by checking the parent process for the presence of ‘cmd.exe’ or ‘explorer.exe’. It proceeds to randomly select an executable file in the system32 folder, and performs process hollowing against it. The injected executable contains the last stage of the TDrop2 malware variant.
Final Payload (Stage 5)
Upon execution, we once again see the parent process check to determine if the malware is running within the ‘cmd.exe’ or ‘explorer.exe’ parent process. It continues to dynamically load a number of libraries and functions for later use. A feature that has yet to be seen is that of string encryption. Strings are encrypted using the following function, represented in Python:
def decrypt(data):
    # The first byte is the key; every following byte is XORed with it.
    length = len(data)
    c = 1
    o = ""
    while c < length:
        o += chr(ord(data[0]) ^ ord(data[c]))
        c += 1
    return o
After dynamically loading functions and libraries, the malware iterates through the running processes and attempts to determine if the ‘V3lite.exe’ process is running. This process name is associated with the South Korean-based AhnLab security software provider. In the event this process is running, the malware will attempt to kill the process’ class window.
The final payload proceeds to generate the following mutex to ensure only one copy of the malware is running concurrently:
Global\SPPLMUTEX
The payload then spawns two threads—one to maintain persistence and another to gather victim information and perform command and control operations. Persistence is achieved by setting the following registry key:
The name of the registry key in the above instances is derived from the basename of the supplied argument. In the event the supplied argument was C:\malware.exe, the registry key would be named ‘malware’, and the path for this key would be ‘C:\malware.exe’.
The persistence thread runs in a loop where the registry keys are set every 60 seconds, ensuring persistence even in the event an administrator manually deletes the registry keys.
The other thread begins by collecting information about the victim, such as the following:
Computer Name
IP Address
Registered Owner
Registered Organization
Installation Date
These data points are used to generate a unique victim ID, which is stored in the following registry key:
HKCU\SOFTWARE\Microsoft\HY08A\Build
The malware will continue to decrypt and store embedded C2 URLs. The following URLs have been identified:
The final payload proceeds to enter its command and control loop. It initially performs a DNS check against microsoft.com to ensure it has Internet connectivity. After this check is performed, it enters an infinite loop, with a sleep interval set at a default of 30 minutes. The malware will periodically poll the C2 server and determine if any commands are received. The initial POST request contains a unique victim identifier that was previously generated.
Figure 6 Malware connecting to C2 server
The optional response by the C2 server is both encoded and encrypted.
Figure 7 C2 server response to malware request
The data is first encrypted using an unidentified algorithm. The two keys used for this encryption are generated using another unidentified algorithm. The following Python script can be used to generate the keys. A default salt of ‘FFFFFFFF’ is used.
    def key_generation(rounds=8, buf="FFFFFFFF"):
        [script body not reproduced]
When the previously mentioned C2 response is both decoded and decrypted, we are presented with the following data:
tick 7880
systeminfo & net view & netstat -naop tcp & tasklist & dir /a "%userprofile%\AppData\Local\Microsoft\Outlook" & dir /a "%temp%\*.exe" & dir "%ProgramFiles%" & dir "%ProgramFiles%\Microsoft Office"
1018;60
The command structure of the C2 response always begins with the string ‘tick’. The number following this string is most likely a unique command identifier. The malware will store these command identifiers in the following files:
%TEMP%\MSI2001.LOG
%TEMP%\MSI2002.LOG
In the event the number after the tick was previously witnessed, the command from the C2 will be ignored. The remaining lines are then parsed. The following commands are supported:
Command   Description
1001      Modify C2 URLs
1003      Download
1013      Download/execute malware in other process
1018      Modify wait interval time
1025      Download/execute and return response
Default   Execute command and return results
Once again, using the previous example, the malware will first ensure that the command was not previously parsed/executed. In the event it is new, it will proceed to execute the various reconnaissance commands found on line #2. The results of these commands are uploaded to the C2 server.
Figure 8 Malware uploading command results to C2 server
As we can see in the above network traffic, the malware attempts to disguise the data as a .gif image. Finally, the malware will parse the third line, which instructs the malware to modify the wait interval to a value of ‘60’. This interval value is set in the following registry key:
HKCU\Software\Microsoft\HY08A\Policy
Additionally, in the event the C2 response instructs the malware to update C2 URLs, it will be in the following format:
1001; [unique_identifier] [url]
The malware will encrypt the URL string with a 4-byte XOR key of “\x01\x02\x03\x04” and store this data in the following registry key:
HKCU\Software\Microsoft\HY08A\[unique_identifier]
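The command structure described above (a 'tick' identifier line, a duplicate check against previously seen ticks, numbered commands and a default shell-command path) and the 1001 URL update with its 4-byte XOR storage are small enough to capture in one analyst-side parser. The Python below is an added example, not code from the Unit 42 post; it classifies a decoded response so that captured C2 traffic can be turned into structured events, and recovers a URL stored in the registry with the XOR key. It executes nothing. Two assumptions are made: the seen-tick store is an in-memory set standing in for MSI2001.LOG/MSI2002.LOG, and a line counts as a numbered command only when the text before its first ';' is one of the documented identifiers. The sample responses are constructed, not captured traffic.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Command identifiers documented for the final payload; any other line
# takes the default "execute command and return results" path.
TDROP2_COMMANDS = {
    1001: "Modify C2 URLs",
    1003: "Download",
    1013: "Download/execute malware in other process",
    1018: "Modify wait interval time",
    1025: "Download/execute and return response",
}
DEFAULT_DESCRIPTION = "Execute command and return results"

# 4-byte XOR key applied to URLs before they are stored under
# HKCU\Software\Microsoft\HY08A\[unique_identifier].
REGISTRY_URL_XOR_KEY = b"\x01\x02\x03\x04"


@dataclass
class ParsedCommand:
    command_id: Optional[int]   # None for the default execute path
    argument: str
    description: str


@dataclass
class ParsedResponse:
    tick: int
    duplicate: bool             # True when this tick was processed before
    commands: List[ParsedCommand] = field(default_factory=list)


def parse_c2_response(text: str, seen_ticks: set) -> ParsedResponse:
    """Parse a decoded/decrypted C2 response into structured commands.

    Line 1 must be 'tick <id>'. A tick already in seen_ticks (the analyst's
    stand-in for the MSI2001.LOG/MSI2002.LOG files) makes the whole response
    a duplicate and no commands are returned; otherwise the tick is recorded
    and each remaining non-empty line is classified.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("tick"):
        raise ValueError("response does not begin with 'tick'")
    tick = int(lines[0].split(None, 1)[1])
    result = ParsedResponse(tick=tick, duplicate=tick in seen_ticks)
    if result.duplicate:
        return result
    seen_ticks.add(tick)
    for line in lines[1:]:
        head, sep, rest = line.partition(";")
        if sep and head.strip().isdigit() and int(head) in TDROP2_COMMANDS:
            cid = int(head)
            result.commands.append(ParsedCommand(cid, rest.strip(), TDROP2_COMMANDS[cid]))
        else:
            result.commands.append(ParsedCommand(None, line, DEFAULT_DESCRIPTION))
    return result


def parse_c2_update(argument: str):
    """Split the argument of a 1001 command, '[unique_identifier] [url]'."""
    ident, _, url = argument.partition(" ")
    if not ident or not url.strip():
        raise ValueError("1001 argument must be '<unique_identifier> <url>'")
    return ident, url.strip()


def xor_with_key(data: bytes, key: bytes = REGISTRY_URL_XOR_KEY) -> bytes:
    """Repeating-key XOR; applying it twice restores the input, so the same
    call recovers a URL read back from the registry value."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed sample responses in the shape shown above (not captured traffic).
SAMPLE_RESPONSE = "tick 7880\nsysteminfo & net view & tasklist\n1018;60\n"
SAMPLE_UPDATE = "tick 7881\n1001; abc123 http://c2.example.invalid/path\n"

if __name__ == "__main__":
    seen = set()
    first = parse_c2_response(SAMPLE_RESPONSE, seen)
    for cmd in first.commands:
        print(cmd.command_id, cmd.description, cmd.argument)
    print("replayed tick ignored:", parse_c2_response(SAMPLE_RESPONSE, seen).duplicate)
    update = parse_c2_response(SAMPLE_UPDATE, seen)
    ident, url = parse_c2_update(update.commands[0].argument)
    stored = xor_with_key(url.encode())
    print(ident, stored.hex(), xor_with_key(stored).decode())
```

A detection pipeline can feed the `ParsedCommand` records into alerts keyed on the description (a 1013 or 1025 is a follow-on payload; a default-path line is reconnaissance or arbitrary command execution), and `xor_with_key` turns a value exported from the HY08A registry key back into the C2 URL it hides.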
Conclusion
The TDrop2 malware family that was witnessed in a recent attack against a European transportation company provided a minimal set of commands to the attackers. It was most likely used to establish a foothold, perform reconnaissance and deploy further malware into the victim’s network. While the malware lacked a large set of capabilities, it had a wealth of interesting and advanced features, such as the custom encryption/encoding witnessed in the network traffic, the use of process hollowing against a randomly selected Microsoft Windows binary, and the downloading component that attempted to bypass network security measures by modifying the executable header.
We created the AutoFocus tag TDrop2 to identify samples of this new variant and added known C2 domains and hash values to the Threat Prevention product set. At this time, WildFire is able to correctly identify the samples associated with this campaign as malicious.
In last week’s post, I covered the methodologies Mark Watney used to stay alive on the surface of Mars and how those lessons can be adapted for better cyber security back on Earth. As usual, this post will contain spoilers for The Martian, so close it now if you haven’t yet read the book or seen the movie.
This week I’ll discuss the mentalities and interpersonal skills that allowed the Ares 3 crew to successfully rescue Watney after he was stranded for more than a year on a foreign planet. Whether it is the launch of a manned space probe or defending against advanced cyber threats, these lessons can be used to pull the best possible outcome out of impossible odds.
The Power of a Cross-functional Team
In space travel, every supply and gram of weight is invaluable, much like the limited resources available to most security teams. To help cope with these limitations, every member of the Ares 3 crew served multiple functions. Watney, for instance, was both a botanist and mechanical engineer. This knowledge allowed Watney to recognize that food would be his scarcest resource, find the chemical components necessary to create arable land inside his living quarters and modify the various life support systems to make the environment suitable to plant life.
When a cyber-attack hits, you may be the only one available to address it. To be able to adequately assess and respond to the event, you need to have a working knowledge of the various tools and processes at your disposal. In addition, understanding how different systems work and how different user roles interact with the network allows you to see the security weak points and understand how an attacker may operate in your environment.
Always remember to laugh
Tense situations can have a mental toll on responders, and it is important to keep a sound state of mind to make good decisions. Watney was a serial jokester, frequently laughing at the ridiculousness of his own situation and making wisecracks about what his fellow astronauts left behind on Mars. He particularly hated disco.
Though responders are in the middle of extreme circumstances, it is important not to take yourself too seriously. Laughter helps you keep a level head and can help relieve stress, both in you and your coworkers. Then you are in a better position to make sound decisions and not to give up.
Leadership is not an option, it is a necessity
Watney never faulted his fellow astronauts for leaving him on Mars. They thought he was dead, and leaving immediately was imperative to getting the others out alive. More importantly, Commander Lewis is regretful when she finds out Watney was left alive on Mars, but instead of getting too down to do anything, she focuses on what the next course of action is.
Tough situations need leaders who will make hard calls and live with it. CISOs and other security leaders are responsible for choosing which tools to implement and what practices to employ. When a cyber-attack occurs, they need to be ready to use those tools instead of wishing they had something else.
Communication makes your job easier
One of Watney’s largest challenges throughout The Martian is his inability to communicate with mission command or his own crew. Watney goes on a cross-country trip to find the Pathfinder probe just so he can use it to establish communication. It works but only until he accidentally fries the machinery a few pages later. Fortunately, we do not have this problem, but many cyber security professionals still fail to communicate effectively in the event of an attack.
It makes sense. After all, we are usually busy investigating the attack and trying to prevent data loss. But don’t forget that good communication in an attack helps prevent duplication of efforts and generally helps the entire security team respond effectively.
In a more general sense, the security team needs to be visible to the rest of the organization. Keeping all employees abreast of ongoing security issues reminds them to be vigilant against phishing and other forms of social engineering. Remember, they may know their area of the network better than you, and might be able to identify something abnormal there before you do. Of course, there are some exceptions to this mode of communication. For instance, if an insider threat is suspected, it is likely better to keep that information to a small number of individuals until actions are taken, but for the most part, regular communication with the larger organization is a good thing.
Roles are important
While versatility is a modern virtue, it is important to understand what your role is in a given scenario, even if it changes often. The crew members of Ares 3 had specializations that enabled them to perform specific duties, but they were also general enough that they could fulfill whatever role was needed in a time of emergency. While Watney was forced to rely on his own ingenuity to survive on Mars, his rescue was left almost entirely in the hands of his fellow crewmates. Each had to perform a duty in the rescue, and several had to suddenly change that role when the rescue attempt started to go south. The important thing is they were able to shift responsibilities quickly but with a clear understanding of who was best suited to perform each role, and it was all organized with a clear order of command.
In the world of cyber security, where organizations often deploy varied tools for detection, mitigation and policy enforcement, it is essential to utilize people to their greatest strengths. Investigators, operations and management all have a role to play, and while they should be flexible according to needs, they work best with what they know.
Personal connections matter
Massive amounts of money, resources, time and energy went into rescuing Watney from Mars. His struggle became a weekly news segment on Earth and no expense was spared to retrieve him alive because people feared for him, hoped for him and wanted to keep him safe. Never forget that there are real victims to data breaches. Customers, clients and employees can be deeply hurt for the simple act of doing business with your organization, so keep that in mind when you are rushing through those last few reports on Friday afternoon.
The bonds between the Ares 3 crew were unshakable, as is expected when six people spend months together traveling across the solar system to a new planet. This type of relationship should be encouraged among security practitioners because it facilitates smoother operations in the event of an emergency and reduces blaming. When a team cares about each other and their mission, attacks can be stopped and catastrophes can be salvaged.
The Martian contains many lessons that can be adapted to cyber security, but in the end it is still a work of fiction. Reality is more complex and difficult to grapple with, but we need these basic driving forces to properly prepare for disaster and to operate well under pressure. Mark Watney may not be our CISO, but we can take what he learned on Mars and use it to beat an advantaged enemy and difficult odds.