[BreachExchange] 3 characters from Jurassic Park that could’ve benefited from an IT disaster recovery plan

Destry Winant destry at riskbasedsecurity.com
Wed Aug 29 09:13:31 EDT 2018


https://www.csoonline.com/article/3301496/disaster-recovery/3-characters-from-jurassic-park-that-couldve-benefited-from-an-it-disaster-recovery-plan.html

Nothing can beat the pure terror you felt for Tim and Lex while you
watched them hide in a kitchen while raptors creaked open the door and
sniffed them out for their next meal. Hands gripping your chair, heart
beating fast, eyes refusing to blink...I get it all, every time.

Every time the Jurassic Park franchise releases a new film, I get
nostalgia for the original one. I went back and re-watched it recently
and, given my propensity to view things through an IT and
business-operations lens, this time around I noticed how significantly
the characters would’ve benefited from a robust an IT disaster
recovery (IT-DR) plan, integrated into a wider business continuity
plan. Three characters in the film stuck out to me as examples:

Robert Muldoon (game warden)

Under the guidance of the game warden, Robert Muldoon, the movie opens
with the park migrating a raptor between holding pens. Unfortunately,
the holding pen and cage aren’t lined up correctly and a person ends
up eaten—a disaster scenario if I’ve ever seen one. On seeing this
scene for another time, it’s somewhat similar to what can figuratively
happen when doing an infrastructure migration into the cloud, isn’t
it? If things aren’t lined up perfectly, then it can result in lost
data. Muldoon tries valiantly to save the situation, but ultimately
could not.

This disaster event at the film’s outset raises questions among
investors, which prompts them to demand a security review of the park.
This is no different from a real-life audit scenario, where clients or
stakeholders want reassurances for how well your business can actually
protect sensitive information. Unfortunately for Jurassic Park, they
had to prove the stability of the island within 48 hours – all while a
competitor of the park was secretly enlisting a disgruntled IT
cybersecurity professional, Dennis Nedry, to sabotage the park and
steal sample embryos (AKA intellectual property) for analysis.

Throughout the beginning of the film, the park touts the latest
technology, everything from virtual reality displays to machine
learning, automatic cars and touchscreens—all things that were a big
deal back in 1993 when the film came out. But without the park’s
technology systems up and running, the glamor quickly falls apart. The
downtime Nedry causes to steal the dinosaur embryos is only worsened
when a bad tropical storm rolls in.

All of these scenarios, however, don’t mean Muldoon isn’t a seasoned
veteran at what he does. In fact, his gruff demeanor says that he sees
a lot of these events coming but given the lack of buy-in from the
rest of the business, can do nothing. In other words, Muldoon
represents an IT security veteran who’s seen and survived through
multiple breaches and disaster events, but again and again must almost
single-handedly mitigate the fallout of a company that’s unwilling to
do a total refresh of its infrastructure. He knows how cybercriminals
(raptors in this case) think.

Muldoon is not confident in the park’s ability to keep the dinosaurs
at bay. Raptors, he says, are testing the electric fences for
weaknesses constantly, which is much like cybercriminals do when test
a business’s network for weaknesses.

Ray Arnold (computer expert)

Not only does an outage create the widespread disaster at Jurassic
Park; it leads to massive data loss – research that could have
transformed the world. Ray Arnold, the IT person that everyone turned
to after his co-worker had sabotaged the park’s IT infrastructure,
seems to be critical from the beginning that the park could actually
function in the first place. Perhaps he knew something management
didn’t? An IT individual might feel some affinity for Arnold, since
his repeated calls for concern go unnoticed among leadership. At one
point, he even references putting an item on “the glitch list” –
something that should never pile up.

Sabotage from a disgruntled employee could have been curbed if the
park had had a good risk management policy in place, along with
precautions such as change logs, two-factor authentication and a DR
backup plan to strengthen the IT systems. When the power outage forces
Ray Arnold to manually reboot the computer systems of the entire park,
even more animals escape, which pushes several people into further
danger. Here, a DR playbook would have provided some structure on how
to notify all affected parties of what to expect, as well as what to
avoid during the reboot process.

A cumbersome infrastructure at best, people must go outside to another
building to physically turn on the generators. This location, in the
heart of velociraptor territory, not only is poorly-planned but could
be avoided with an infrastructure upgrade. When velociraptors escape
and make it into the building where Arnold is trying to turn the power
back on, the situation ultimately leads to his demise.

John Hammond (the owner)

The disaster at Jurassic Park should act as a cautionary tale for any
executive leader or board member, where the owner, John Hammond,
should have invested in a robust IT strategy and significant insurance
coverage. He keeps saying throughout the movie, “Spared no expense,”
but apparently, he’s been focused on the wrong areas. Plus, leaving IT
systems entirely in the hands of an employee who is visibly
disgruntled with his pay and treatment is, well…poetic justice?

Hammond’s leadership during the crisis is integral to the smooth
execution of the recovery process, but he is more concerned at times
with the “product” (dinosaurs) than the lives of those involved.
Indeed, the personnel behind a solution are of paramount importance,
since every company is ultimately comprised of people, and the team
you employ will often be the team recovering your IT systems after a
disaster event. Talent retention is key to a successful business.
Hammond’s favored attention for the dinosaurs rather than of his own
employees does little to inspire their commitment during the crisis
and, I’m sure, ongoing employee retention.

Don’t let your theme park go without IT-DR

The original Jurassic Park film is a story that cautions against not
only genetically modifying dinosaurs, but also the practice of going
without a strong and regularly-tested IT-DR plan. Any business can
feel like a deranged theme park at times, especially when a disaster
event occurs. However, with a strong IT strategy in place to recover
from likely and unlikely scenarios, you can better prepare for
evolving threats – such as when dinosaurs escape across an island.

If we picture the film not in 1993 and instead, based in modern day,
really the park should have had at least a hybrid cloud-based model
where they could access data from an off-island location. Furthermore,
if they had a managed Disaster Recovery as a Service (DRaaS) solution,
a team of experts would have recognized when the island went silent
(no more replication coming into the cloud environment) and would have
tried to reach out to see what happened. If they couldn’t contact the
park’s IT team, the DR provider would have begun the declaration
process on their own to restore order and send help to save people on
the island.

A good IT-DR strategy begins with a conversation between IT and
business leaders about what are the most crucial assets to protect
during a disaster – then the conversation should shift to confirming
these goals with the rest of the business. It does no good to have an
IT-DR plan and not test it, since many untested plans are outdated,
and therefore, ineffective at the time of an actual event.

A lot can be learned from Jurassic Park in the way of what not to do.
Hindsight can be 20/20, and it’s easy to point fingers at characters
in a movie. The problem is that many of the issues in Jurassic Park
all too common in modern-day business, so it’s best to consider
whether you see inklings in your own company. If DRaaS sounds like
something that might facilitate a good DR plan at your business, then
check out this beginner’s resource.


More information about the BreachExchange mailing list