As a teenager, I needed money to get my first car, a beautiful dark red 1990 Toyota Camry complete with power windows and a tape deck. So I put in an application at Hollywood Video, a video rental store that I could walk to from my house. The picture above is the actual store I worked at for minimum wage, which at the time was $5.15 an hour (ouch). I even had to wear a tuxedo shirt, fake bow tie, and cummerbund for the uniform, which was as goofy as it sounds. Maybe you are more familiar with other video rental chains, like Blockbuster Video (our fierce rival down the street). Or maybe you are young enough that you just didn’t go to video stores, so I’ll paint a picture for you.
At the time I worked at Hollywood Video in the year 2000, we rented VHS tapes, DVDs (at the time not the dominant media) and video games. We also sold various video accessories like blank tapes, candy, popcorn, ice cream, sodas and other movie adjacent products. Most customers would rent a couple tapes and maybe a video game which they would return in the slot by the door or the big metal bin in the parking lot on the side by the due date, otherwise they would be subject to late fees the next time they came in the store and used their membership card. Yes, you had to bring a plastic card to the store for me to rent you a tape.
“But Ben, even though it’s amusing to think of you as an awkward teenager renting tapes to angry people who forgot their membership cards, what does this have to do with hacking”, you might be thinking. Easy. At Hollywood Video, theft was rampant. It was a sieve. We ran inventories regularly and always had lots of missing items from our inventory. We all knew why. The security controls were so weak that anybody could take anything. I didn’t know it at the time, but I was learning quite a bit about security, both when it comes to breaking it and creating a secure environment. I’ll go through a few of the lessons I picked up along the way, and maybe you’ll give it some thought the next time you consider whether your assets are properly secured.
When people don’t care, nothing is secure
In my view, this was the biggest problem my Hollywood Video had when it came to security. Nobody really cared about what left the store. To begin with, everyone in charge of making sure product was secure was making practically no money. Was I going to confront someone who was acting suspicious in the store? Of course not. It’s not worth it. Even in our training sent from corporate, they told us not to intervene aggressively with thieves, which was appropriate.
But the lack of care went beyond just stopping the average thief, especially because the thieves were among us. Managers routinely would tell employees mid-shift to feel free to take a soda or ice cream out of the fridge, even though that was inventory. I suspect this was because it was easy to get away with, and managers who were more concerned with cleaning up the store or keeping the lines short than with protecting snacks saw it as a way to get more out of employees.
What was the message I heard? Inventory isn’t all that important. This kind of attitude trickles throughout staff. If ice cream doesn’t matter, who cares about a single tape?
What does this mean for Cybersecurity?
No security product will be truly effective when the people surrounding it don’t care or are oblivious. Here are a few tips to make your team effective:
- Basic Cybersecurity Awareness Training should be given to all staff. This should include clear messages about what matters to the organization, how to report and respond to incidents, and things to look out for on a day-to-day basis that are common threats.[1]
- Management must be accountable for security. Even staff who have a different primary responsibility cannot pass the buck on their basic security responsibilities. Violations of security policy must be taken seriously.
Assets that are poorly tracked will eventually disappear
The staff, usually two people working on a shift, were responsible for protecting thousands of unique items in inventory. When we would run inventory, we had to scan every last product in the store during limited off hours with that same limited staff. From a 9 AM-5 PM inventory shift, two people would have to walk around with scanners (which were antiquated even at the time) and scan every item before the inventory shift was done. If that sounds difficult, that’s because it was. I don’t think I was ever involved with an inventory where we managed to get through everything before opening the store back up to customers. Extra tasks had to occur during other shifts to catch up, or shortcuts would be taken, leading inevitably to less accurate counts on inventory.
As a result, it was very common for a customer to call in asking whether a tape was available for rental, for the system to say it was there, and for us to discover that it wasn’t on the shelf. To top it off, the system of just putting tapes where they belong on the shelf was completely flawed, because these products would move all around the store. A tape you thought was lost might appear six months later because it was put in the Horror section instead of the Children’s section.
I never really felt comfortable telling someone we had a tape unless it was so overstocked that I knew we had inventory, or if I had the item in my physical presence. So much for their inventory tracking system…
What does this mean for Cybersecurity?
Just like physical goods, digital assets need proper tracking too. At the store, we didn’t really know what was stolen at the time, but that’s not much different from many data breaches. Here are some tips to properly track and manage assets of all kinds:
- Implement a logging and monitoring solution for assets that are particularly sensitive or valuable.
- Make sure your review process for logs is robust and manageable. Most times, logs are captured but not effectively reviewed.
- Look into deploying Data Loss Prevention (DLP) tools that can detect and block data leaks as they occur.
- Engage with a security partner to make sure that these solutions are effectively implemented and maintained.[2]
Shortcuts and poor resource management will create more risk and loss
One day working at Hollywood, I did my normal shift until around 5 PM before logging out of my register, clocking out, notifying my manager, and going home for the night. As a typical employee, I didn’t have access to the safe nor could I open or close out a register. Only the managers could do that. They were also responsible for ensuring cash and receipts were correct. From my perspective that day, I did what I was supposed to as the shift manager told me to clock out and go home.
The next shift I worked, the store’s general manager came to speak with me. They told me my register was short and I was going to be written up. They asked me why my register was left running for the second shift and not completely closed out by my shift manager. I explained I did what I was told to do, which was work, log out, and then the shift manager was to count it all up. As you might expect, I wasn’t pleased… I did what I was told to do and I didn’t steal any money. Ultimately, they decided to give me a pass and not write me up, since they couldn’t prove I was responsible for the loss.
Turns out my shift manager decided after I left that evening to keep working on my register because we were short a person, which violated company policy. He didn’t have enough resources, so he broke the policy, and that ultimately led to money missing from the register, whether he took it, the money was lost, or there was simply some confusion and someone was given too much change. If we had the right number of people, the policy would have been followed, and any mistakes would have been tracked and corrected appropriately.
What does this mean for Cybersecurity?
You can’t have caviar Cybersecurity on a fish egg budget. The resources you invest in security must match the value of the assets you protect. You should use Threat Modeling to identify assets and risks so that your security strategy is appropriate.[3]
- Come up with an approach to “value” your assets. Consider not only financial costs, but things like reputation, business interruption, and other less tangible areas.
- Identify areas where your assets could be compromised, the impact of the compromise, and how likely that risk could be realized.
- Implement security that matches the value of the asset to the risk of compromise. The more valuable the asset and the higher the risk to it, the more we need to focus on protecting it.
Trust without verification leads to loss
Especially in the late 90s, it wasn’t that unrealistic to see a tape get eaten by a VCR, or a PlayStation game get damaged so much it wouldn’t boot up anymore. Hollywood Video was good with their customers about this. If someone came in and said they had an issue, I took the media back and issued a credit for a free rental. Then the broken media would go into a drawer for adjustment to future inventory.
You might have noticed in that last paragraph that at no point did we verify that any of this stuff was broken. The customers and the employees both knew this. Imagine all the free rentals I gave out just because someone told me they had a broken tape that I just took their word on. Some customers definitely took advantage of this.
During one of the inventories, my manager had me go through the broken video game drawer and told me to dump all of the media in the dumpster unless I thought I could fix it. He even said I could take it home to test on my personal consoles. By now, you probably realize that a lot of these games I was told to throw in the garbage worked perfectly fine, often with no effort to repair or clean them at all.
So customers (of good and bad faith) got free rentals while perfectly good inventory was getting trashed or given away, simply because we just trusted everything since that was the easy thing to do.
What does this mean for Cybersecurity?
While maybe it wasn’t worth it for me to check every last broken tape, systems should not just accept information at face value.
- Consider all of the times people in your organization connect to your digital assets from foreign countries, ask to transmit sensitive information via email, or engage in other potentially risky behavior. Make sure you have systems in place that validate users, their level of access, and so on. We don’t want to find out we had unauthorized access after the fact.
- Any time information is sent into a system, especially from the outside like in a web form, there must be some kind of input validation to make sure the system is not being given malicious information that can cause damage.
- Whenever possible, systems should be designed to establish their own trust, rather than accept the validation from an unknown third party.
It’s fun to look back on this stuff in retrospect and laugh at it, but it’s representative of how many organizations operate. You don’t have to have minimum wage employees working at a video store to have staff who are careless with assets, trust too much, and rely on weak controls. These kinds of mistakes happen up and down the business landscape. How do I know? I was performing a security review about 10 years ago at a medical office, and was able to walk up to a machine, identify the password based on clues on the desk, and log in easily. This issue was identified alongside the technical vulnerabilities most people associate with a security assessment.
These lessons are not exhaustive, and properly securing any environment requires layer upon layer of security, as well as unique design based on the organization’s specific needs. Everyone involved at Hollywood Video, from the low paid staff to the higher ups at corporate, probably knew that they could do only so much to prevent me from getting free ice cream and video games, because they didn’t have the real security in place to stop anyone. Don’t let your organization get caught making these same kinds of mistakes when the assets you are trying to protect aren’t VHS copies of “The Sixth Sense”.
If you are in need of a security assessment within your organization, let us know! Book a meeting with our team of experts today.
[1] Check out our blog about The Elements of a Strong Security Awareness Training Program
[2] If you want to find what NOT to look for in a security partner, check out this blog about The Nightmare Security Partner
[3] In Hackable, author Ted Harrington discusses in Chapters 7 and 8 how to spend wisely and threat model properly.