I went to see Mission Impossible 3 last night with my (very) pregnant wife. I don’t want to give away too much of the rather thin plot but rest assured that something really important hinged on a tech guy back at the office. A couple of security-related things really struck me:
The tech guy always has too much power. The tech guy says, “You know they’re going to be recording this call.” Ethan Hunt replies, “And you know that you can erase it.”
The tech guy was willing to break the rules because of his history with Ethan Hunt. If Ethan Hunt were a hacker, this would be classic social engineering. And don’t think social engineering within an organization is unlikely. Reports indicate that the majority of attacks come from within the organization.
Lessons to be learned from MI:3 are 1) only give tech guys the power/access they need and 2) have checks and balances to prevent abuse of power.
Reminds me of a story I heard recently from [name withheld to protect the innocent] about an organization where the developers were Domain Admins for the entire organization.
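The Domain Admins problem is easy to check for. The following PowerShell audit is an added example, not part of the original post: it enumerates the effective members of Domain Admins (nested groups included) and reports any account that is not on an approved list. The account names in the approved list are constructed placeholders, and the script assumes the ActiveDirectory module from RSAT is installed and the caller can read group membership.

```powershell
# Added example (not from the original post): audit Domain Admins membership
# against an approved list and report anyone who should not be there.
# Assumes the ActiveDirectory PowerShell module (RSAT) and read access to AD.
Import-Module ActiveDirectory

# Constructed placeholder: replace with the accounts actually approved for Domain Admins.
$ApprovedAdmins = @('da-alice', 'da-bob')

# Enumerate effective user members, including those reached through nested groups.
$Members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty SamAccountName

# Anyone present in the group but absent from the approved list is a finding.
$Unexpected = $Members | Where-Object { $ApprovedAdmins -notcontains $_ }

if ($Unexpected) {
    Write-Warning "Accounts in Domain Admins that are not on the approved list:"
    $Unexpected | ForEach-Object { Write-Output "  $_" }
} else {
    Write-Output "Domain Admins membership matches the approved list."
}
```

Run it on a schedule and treat any output under the warning as an incident to investigate: a developer account showing up there is exactly the situation the story describes, and catching it is the check-and-balance the post calls for.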