Batman is a superhero without super powers. He is a regular man who uses guile, gadgets, and deductive reasoning (plus lots of money) to fight crime in the decaying metropolis of Gotham. The villains he fights are "regular" humans as well, albeit ones dedicated to doing the city harm, seeking a profit at the populace’s expense. The comic’s dynamic is essentially a human-vs-human fight, with various pieces of technology (in the form of weapons, gadgets, and vehicles) serving as the intermediary.
Sound familiar? That’s because Batman stories play out a lot like the fights for modern web security.
On the web, the villains are not faceless robots, but real people who want to extract profit from unsuspecting, innocent people. They use all available technology in the effort to compromise the security and peace of commerce, banking, and government. Their counterparts on the good side must, like Batman, be vigilant and resourceful, always a step ahead.
What Specific Security Lessons Can We Learn From the Dark Knight Himself?
1. Trust nothing, and no one
Batman never assumes that his plans are foolproof and has backups in place, even for himself. In the movie "Justice League: Doom" it is revealed that Batman has set up dossiers on all of the superheroes in the organization, just in case the members somehow become compromised. This shows that even your top performers can be vulnerable. Your website is far more likely to be infiltrated through an employee whose computer has been accidentally compromised than directly by an outsider with malicious intent. The process for every employee must include setting a proper permissions level and determining what access should be terminated when they are no longer with the company.
2. Build multiple layers of defense
In the movie, those superhero dossiers are stolen by a villain who breaks into the otherwise unbreakable computer using a novel tool, which allows him to bypass all of the security in place to protect against intrusion. Even with the files in hand, the bad guys find that the files are encrypted, adding another security layer that needs to be broken before they can gain access to the data. The security breach is ultimately discovered and Batman, while upset over the breach, admits he has yet another card up his sleeve: the data will "call home" when it’s opened.
The fact that multiple layers of defense had to be broken shows the importance of time and effort spent on a website protection plan. A lot of forethought should go into security, including how to properly store, transmit, and receive your data. Real world analogues to those fictional security methods include:
- Proper encryption of data at rest
- SSL security for data in transit
- Salting password hashes
- Transmitting form data over SSL instead of plaintext
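
To make the "salting password hashes" item concrete, here is an added example (not from the original article) that stores the same passwords unsalted and salted and shows what someone holding a stolen table can learn from each. The choice of PBKDF2-HMAC-SHA256, the iteration count, the record format, and the sample users and passwords are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune to your hardware

def unsalted_hash(password: str) -> str:
    """The weak form: one fast hash, no salt. Equal passwords give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' with a fresh random salt."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    try:
        scheme, iterations, salt_hex, hash_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    except (ValueError, OverflowError):
        return False  # malformed record: reject rather than crash
    return hmac.compare_digest(candidate, expected)

def shared_hashes(records: dict) -> list:
    """Groups of users whose stored values are identical, visible at a glance in a stolen table."""
    by_hash = {}
    for user, stored in records.items():
        by_hash.setdefault(stored, []).append(user)
    return [sorted(users) for users in by_hash.values() if len(users) > 1]

if __name__ == "__main__":
    # Constructed sample: two users who happen to pick the same password.
    passwords = {"bruce": "Alfred1939!", "dick": "Alfred1939!", "barbara": "0racle#77"}
    weak = {u: unsalted_hash(p) for u, p in passwords.items()}
    strong = {u: hash_password(p) for u, p in passwords.items()}
    print("unsalted duplicates:", shared_hashes(weak))    # bruce and dick collide
    print("salted duplicates:  ", shared_hashes(strong))  # no collisions
    print("login ok:", verify_password("Alfred1939!", strong["dick"]))
```

With the salt in place, one guessed password no longer unlocks every account that shares it, and a precomputed hash table is useless because each record has to be attacked on its own.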
3. Expect the unexpected
When the evil organization is finally able to read the information in the dossiers, it puts into place a plan to take out each hero with their own tailored assault, all of which are very effective. These attacks are like real-world "0-day exploits": attacks on vulnerabilities that are not yet known to the victims. Every platform has some flaw that opens it up to attack. These undiscovered attack vectors are the perfect reason to conduct what are known as "red team" exercises, where penetration testers probe for weak points in your system, both known and unknown. Be sure you know your own weaknesses and implement mitigation techniques in advance.
4. Work together, and be honest in self-assessment
Ultimately, Batman and the Justice League come up with a plan to defeat the evil organization. While individually the members of the Justice League had been defeated in single combat, together they are able to overcome their adversaries. Just like the heroes, it’s important to have a team that you can call upon when you’re under attack. This team should ideally be in place before an attack so that they already understand where they can best help. Knowing your strengths and weaknesses ahead of time provides valuable information and time to shore up weaknesses and improve existing strengths.