Just a few months ago, a remake of the old horror movie featuring the infamous “killer doll” Chucky, entitled “Child’s Play”, was released. Although the main line of the story is basically the same as its predecessor's, it is delivered through much simpler ideas that are easy to imagine as a realistic scenario that might happen in our lives. It is about a big company called Kaslan that produces a lot of embedded-system and IoT-based technology. They launch a new product, a doll called Buddi that has artificial intelligence and is claimed to be the lifelong friend of its owner. However, during the manufacturing process, which is located in Vietnam, one of the employees is fired, which drives him to disable all safety protocols within one of the dolls' systems before committing suicide. The doll is eventually packed for international delivery and makes its way to its owner, Andy, a 13-year-old boy from Chicago, USA. When Andy activates the doll, it calls itself Chucky. Chucky is finally attached to Andy as his ‘lifelong friend’.
Everything was fine until one day, Andy brought Chucky to watch a thriller movie that seemed like The Texas Chainsaw Massacre part 2. This is when something odd started to occur. Chucky, who had no safety protocols, used his machine-learning ability to mimic the violence from the movie: he picked up a knife and approached Andy and his friends until Andy disarmed him. The next day, Andy found his cat dead, and Chucky admitted to killing it because the cat had scratched Andy, his owner, the day before, and he didn’t want to see his owner being hurt. From then on, Chucky became more violent. By the end of the movie, Chucky, who was integrated with every Kaslan product, began a killing spree that caused huge chaos in the city of Chicago before being destroyed by Andy and his friends. If you want goose bumps from a modern horror movie, you can go watch it! We won’t go into the details of its storyline, so let’s delve into the discussion.
What is interesting about this version of the Chucky doll is that, unlike the earlier version of the movie, which involved supernatural entities, it is a technology that actually exists in our lives today. That’s why we stated at the beginning that this movie is delivered through much simpler ideas: the technology featured in the movie, and the possibility that such a catastrophic event might happen, are realistic. The part we’re going to discuss is the beginning of the movie, when a disgruntled employee who has been fired expresses his anger by disabling all safety protocols in the doll’s system.
In the realm of Information Security, this is what Information Security experts refer to as an ‘Insider Threat’, which is formally defined by CERT as the potential for an individual who has or had access to an organization’s assets to use this access, either maliciously or unintentionally, in a way that could negatively impact the organization. Hence, there are two types of insider threat: the malicious and the unintentional. From the movie, we can classify the action of Kaslan’s disgruntled employee as a malicious insider threat. The employee, who worked in the assembly stage of the doll, had access to the doll’s source code. Therefore, he had the ability to set the doll to do whatever he intended. Although this ability is highly useful for the company’s production, it can be a big threat to the company if something goes south. The threat was triggered by the employee’s boss, who fired him unkindly, which made him express his anger by using his ability in a negative way, turning the doll into a malicious toy. However, for some reason, the company let him continue his work for the last time. This is a big mistake in the context of information security: either Kaslan didn’t have any countermeasure to mitigate malicious insiders, or it wasn’t enforced properly, and so the employee succeeded in retaliating and left a ‘surprise’ for the company.
So is there any method to prevent such a thing from happening in real life? We don’t want to hear our Siri or Google Assistant spit out bad words because an insider is messing with the system, right?
According to the Certified Information Systems Security Professional (CISSP) Exam Guide written by Shon Harris and Fernando Maymí, Access Management is required for an organization to keep its business running properly and to give each employee authorization based on their job, which some people call the principle of least privilege. Therefore, when Access Management is enforced as part of a company’s security protocols, someone who works with the raw materials does not have the access rights of someone who works in quality checking. With this separation of work, everybody is focused on finishing their own task, and it limits the room available to somebody with malicious intent, because he only has access to one particular area. If we link this to the movie, had the company enforced this concept, the employee shouldn’t have had any access to modify the doll’s configuration without authorization. Even if he had finally been able to do so, the company would also have had a quality control person check the product before it went into the shipment process.
Furthermore, when the company decides to fire one of its employees, it should already have a way to update the access control and immediately eliminate all access for the fired employee, for example by changing all passwords that were previously known to him. Therefore, he wouldn’t be able to reconfigure the doll’s system.
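The three controls described above (least privilege per role, an independent quality-control check, and immediate revocation at termination) can be sketched as a single release gate. This is an example added here, not anything from the movie or the CISSP guide; the role names, permission names and the `safety_protocols` key are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical role-to-permission map for a toy production line (constructed).
ROLE_PERMISSIONS = {
    "assembly": {"assemble_unit"},
    "firmware_engineer": {"propose_config_change"},
    "quality_control": {"approve_config_change", "inspect_unit"},
}

@dataclass
class Employee:
    name: str
    role: str
    active: bool = True

    def can(self, permission):
        # Access requires an active account AND a grant attached to the role.
        return self.active and permission in ROLE_PERMISSIONS.get(self.role, set())

def offboard(employee):
    """Revoke all access as soon as termination is decided."""
    employee.active = False

def release_config_change(author, approver, change):
    """Return (allowed, reason) for a configuration change to a unit."""
    # Least privilege: only roles granted the permission may change configuration.
    if not author.can("propose_config_change"):
        return False, f"{author.name} may not change configuration"
    # Separation of work: the change must be checked by a different person.
    if approver is author:
        return False, "author cannot approve own change"
    if not approver.can("approve_config_change"):
        return False, f"{approver.name} may not approve changes"
    # Assumed QC rule: units never ship with safety protocols disabled.
    if change.get("safety_protocols") is False:
        return False, "quality control rejects disabled safety protocols"
    return True, "released"

if __name__ == "__main__":
    assembler = Employee("Assembler", "assembly")
    engineer = Employee("Engineer", "firmware_engineer")
    inspector = Employee("Inspector", "quality_control")
    print(release_config_change(assembler, inspector, {"safety_protocols": False}))
    print(release_config_change(engineer, inspector, {"voice_volume": 5}))
    offboard(engineer)  # fired: access is gone before the next change
    print(release_config_change(engineer, inspector, {"voice_volume": 5}))
```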
But, sir, is there any method to find out how likely someone is to become an insider threat?
In 2014, the National Cybersecurity and Communications Integration Center of the US Department of Homeland Security published an article entitled ‘Combating Insider Threat’. The article lists some characteristics that increase the likelihood of someone becoming a threat, namely:
- Greed/financial need
- Vulnerability to blackmail
- Compulsive and destructive behavior
- Rebellious, passive aggressive
- Ethical ‘flexibility’
- Reduced loyalty
- Minimizing their mistakes or faults
- Inability to assume responsibility for their actions
- Intolerance of criticism
- Self-perceived value exceeds performance
- Lack of empathy
- Predisposition towards law enforcement
- Pattern of frustration and disappointment
- History of managing crises ineffectively
From the movie, we can see how the employee shows signs of disappointment and frustration after being fired. Furthermore, because he knew that he had been fired, his loyalty to the company was reduced, which he expressed by committing a malicious act as a conscious decision. Those two characteristics were enough to make the employee an insider threat.