In 2013, a sophisticated Trojan known as “Shylock” was unleashed on millions of unsuspecting online banking customers. Its modus operandi was to stealthily install itself onto a computer and await banking transactions, upon which it drained the funds out of its victim’s accounts. Not only was this Trojan highly intelligent, but it also had strong self-preservation instincts. It could pretend to have been quarantined by antivirus software, fooling users into believing it had been removed, only to reappear later.
Embedded in Shylock’s code were excerpts from Shakespeare’s play The Merchant of Venice. This brought back memories of analysing the Bard in my teenage years (a long time ago, I confess). I was an avid student of his work and have recently started musing over some quotes and how they could relate to the cyber (and information security) industry and my own experiences. These include:
As you all know, Security Is Mortals’ chiefest Enemy. (III.v.32-33)
When organisations believe their IT systems are secure or their data is not of interest to hackers is precisely when they are likely to be attacked (possibly without even realising it).
To beguile the time, Look like the time. Bear welcome in your eye, Your hand, your tongue. Look like th' innocent flower, But be the serpent under ’t. (I.v.62-66)
Protecting complex and globally connected infrastructure is extremely difficult when attackers are intelligent, patient and well-funded. They know how to stay undetected and deceive users and network administrators alike.
Misery acquaints a man with strange bedfellows. (II.ii.39-41)
Building an educated, honest and informed team is important when establishing a successful security function; this includes the entire supply chain. There are many suppliers, vendors, and third parties that sell products and services that the business neither wants nor needs. Choosing the right partners and team is critical to the security of an organisation's information and reputation.
O brave new world, That has such people in’t! (V.i.182-183)
I have seen the cyber/information security industry change dramatically over the past 13 years. The shift in mentality and awareness of cyber/information risks has progressed (slowly in some cases). This holds equally true for those wanting to safeguard data and conversely those wanting to steal or defame.
The world is grown so bad, that wrens make prey where eagles dare not perch. (I.iii.535)
The way attackers target organisations and individuals has dramatically evolved - lone hackers or small hacking groups with the right skills and technology can (and do) prey upon global corporate powerhouses. Hackers should no longer be thought of as the bespectacled kind sat in darkened rooms – they are now also highly organised criminal enterprises with workers operating shifts; taking coffee breaks, lunch and annual vacations!
Out of my sight! Thou dost infect mine eyes. (I.ii.159)
I have heard C-Level and senior IT leadership dismiss or underplay the cyber/information risks their business faces and turn a blind eye to them. Finally, some are waking up to the reality that no matter how small or large the organisation is, there will be someone interested in using weaknesses in IT systems for their benefit.
The Merchant of Venice
The quality of mercy is not strain'd. (IV.i.173)
Shakespeare’s works often portray mercy and forgiveness as qualities used by respectable elements of society. Cyber attackers do not show mercy and can be ruthless, as demonstrated by the recent Ashley Madison hack.
All that glisters is not gold. (II.vii.69)
Many organisations do not truly understand what their most valuable data (and people) assets are. They may invest heavily in the protection of IT systems whilst ignoring the risks of data theft through physical or social engineering attacks. Examples include laptops left in taxis/pubs and printed confidential documents left at printers or on unattended desks.
Et tu, Brute? (III.i.77)
Those closest to you may betray you (albeit not directly), and third parties with weak security controls may be used by attackers to infiltrate an organisation. Also, unsuspecting insiders falling foul of phishing attacks or social engineering may lead to sensitive information being stolen.
Cry Havoc, and let slip the dogs of war. (III.i.288)
Nation states are covertly battling each other on a global scale, largely hidden from an unsuspecting public. The Stuxnet worm attack on the Iranian nuclear programme (purportedly a coalition between the USA and Israel) is one of the prominent examples. More recently, the OPM attack has (allegedly) highlighted China’s hacking prowess.
To mourn a mischief that is past and gone is the next way to draw new mischief on. (I.iii.205-205)
Too much procrastination about cyber attacks or incidents in the past can lead to an organisation taking its eye off the rest of the business. The Sony cyber attacks come to mind here after back-to-back attacks on the organisation.
Knavery's plain face is never seen till us'd. (II.i.299)
Are there other examples where Shakespeare (or other poetry/literature) can be applied to cyber security? I would be keen to hear from others on their views.
Indy Dhami possesses over 14 years’ experience, having worked in both operational and consulting positions at FTSE100 and Fortune 500 organisations including AXA, Deutsche Bank, PwC, Accenture, Mercedes-Benz, Jaguar Land Rover and many other world-leading organisations.
His experience includes leadership positions in information/cybersecurity transformation, risk assurance, crisis management (pre and post incident), assurance, audit, governance, risk and compliance programmes.