What problems of infosec can Barbieland show us?

It’s no secret that the film “Barbie,” which was sensational in cinemas and on torrents, left a lot of reasons to think about the layers of irony, as well as the political and ideological messages that are present there.

But, besides this, Barbieland is also a good example of how not to build information security. Below the cut, we’ll look at what classic information security problems can be found in the film and what we can learn from it.

In this article, Barbieland is treated as a large system with certain information security problems typical of corporate architecture. I don’t pretend to cover every aspect of security or the entire film, but will cover the main points that I found noteworthy.

Events are described in the order they appear in the film.

Attention! The text contains SPOILERS.

User identification problem

Warner Bros.  Pictures - © 2023 Warner Bros.  Entertainment, Inc.

At the beginning of the film, you can notice that all the characters (depending on their gender) have only one name: either Barbie or Ken. You can understand who exactly this or that character is addressing only by who he is looking at.

In the film this did not lead to any mix-ups, but it could have. In addition, in retrospect it is difficult to describe which character we are talking about, and you have to use additional characteristics: hair color, height, distinctive features, and so on.

In information systems, a similar problem can be expressed in different ways:

  • in identical identifiers (although this is unlikely, because authentication would then be ambiguous: several authentication features, such as passwords, would correspond to one identifier);

  • in anonymous/group accounts.

In its most common form, this is expressed in cases where several users use the same identifier to access a particular system. Accordingly, when problems arise, identifying the real attacker either becomes impossible or requires additional metadata (IP addresses, information about operating systems), which significantly complicates the identification process.

Just as in the world of Barbie a mistake is possible when the wrong doll is addressed, so in the world of digital technologies some actions (for example, terminating a session of a group account) may not produce the required result, since it is not at all obvious who exactly is using the account at the moment.

Modern systems use simple practices to solve this problem: banning the use of group accounts (including standard ones like admin), issuing individual identifiers to each user, and building processes for creating, changing and deleting identifiers. In extreme cases, it may be necessary to implement additional mechanisms that reduce the likelihood of using other people’s accounts, such as two-factor authentication and/or PKI (public key infrastructure).
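A sketch of how the group-account problem described above shows up in logs (an added example, not part of the original article): it replays login and logout events and flags identifiers that are used from several origins at once or that carry a default name. The log format, the sample lines and the list of default names are assumptions constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp, event, account, source IP, client fingerprint.
SAMPLE_LOG = """\
2024-03-01T09:00:00 login  barbie  10.0.1.15  Windows/Chrome
2024-03-01T09:05:00 login  barbie  10.0.7.42  macOS/Safari
2024-03-01T09:10:00 login  ken     10.0.3.8   Linux/Firefox
2024-03-01T09:30:00 logout barbie  10.0.1.15  Windows/Chrome
2024-03-01T09:40:00 login  admin   10.0.9.9   Windows/Edge
2024-03-01T10:00:00 logout ken     10.0.3.8   Linux/Firefox
2024-03-01T10:05:00 login  ken     10.0.3.8   Linux/Firefox
2024-03-01T10:30:00 logout barbie  10.0.7.42  macOS/Safari
"""

# Assumed list of built-in names that should not be used for daily work.
DEFAULT_NAMES = {"admin", "administrator", "root", "guest"}


def replay(log):
    """Yield (time, account, findings, open_origins) after each log event."""
    events = sorted(tuple(l.split()) for l in log.splitlines() if l.strip())
    open_origins = defaultdict(set)  # account -> {(ip, client)} logged in now
    for ts, event, account, ip, client in events:
        origin, findings = (ip, client), []
        if event == "login":
            if account.lower() in DEFAULT_NAMES:
                findings.append("default/group account name")
            if open_origins[account] - {origin}:
                findings.append("concurrent sessions from different origins")
            open_origins[account].add(origin)
        elif event == "logout":
            open_origins[account].discard(origin)
        yield datetime.fromisoformat(ts), account, findings, open_origins


def find_shared_accounts(log):
    """Return {account: sorted reasons} for identifiers that look shared."""
    result = defaultdict(set)
    for _, account, findings, _ in replay(log):
        result[account].update(findings)
    return {a: sorted(r) for a, r in result.items() if r}


def active_origins(log, account, at):
    """Origins holding a session for `account` at time `at`.

    More than one entry means that terminating "the" session of this
    account is ambiguous: the identifier alone does not say whose it is.
    """
    current = set()
    for ts, _, _, open_origins in replay(log):
        if ts > at:
            break
        current = set(open_origins[account])
    return sorted(current)


if __name__ == "__main__":
    print(find_shared_accounts(SAMPLE_LOG))
    print(active_origins(SAMPLE_LOG, "barbie", datetime(2024, 3, 1, 9, 20)))
```

The second function returns two origins for the same identifier at 09:20, which is exactly the extra metadata an investigator would have to fall back on.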

More information about the identification (and authentication) processes can be found here:

Within the framework of the film, the solution to this problem does not seem obvious. Unless you enter some additional identifiers like simplified serial numbers or, perhaps, even last names.

The problem of unpreparedness for incidents and emergency situations

In one of the first scenes, the main character claims that everything will be fine today, tomorrow and always. However, this statement is refuted literally a couple of moments later, when an event occurs for which Barbie was not prepared and, accordingly, did not plan actions to normalize the situation.

In information systems, such confidence can also lead to undesirable consequences: loss of a large amount of data, leakage of personal data, and disruption of process availability. All this can result in financial losses, as well as legal problems (including criminal prosecution).

One of the fundamental principles of information security is preparedness for unforeseen situations and planning your actions in case of their occurrence (as far as possible). Here you can highlight events at various levels:

  • building procedures for monitoring and responding to deviations and incidents in the system;

  • preparing recovery plans in case of incidents, conducting tests for their implementation;

  • implementing programs to increase employee awareness of digital hygiene and information security;

  • studying the experience of other companies;

  • timely familiarization with current legal information;

  • coverage of information security issues at all stages of a company’s life, development processes, project implementation, etc.

More details on approaches to building comprehensive information protection (including proactive approaches) can be found here:

In a Barbie world, this situation could be helped by being prepared for these kinds of problems and moving away from blind optimism. However, the characters in the film prefer the blue pill, as we see in one of the scenes.

The problem of incorrectly built incident management processes

Already at the beginning of the film, it becomes clear that the main character is a deviant in the world of Barbie, revealing some human qualities and problems and thereby violating the principles of life in the pink world. Based on the fact that almost all of Barbieland is subject to certain rules, we can conclude that such deviations are undesirable behavior. This is confirmed in the dance scene, when the phrase suddenly spoken by the main character brought everyone around her to their feet.

Nevertheless, even after such a reaction, no one doubted the “puppetry” of the main character. It is possible that in the future no one would have discovered her deviant behavior if she herself had not revealed her cards the next day.

Potentially, all this could lead to the compromise of the entire Barbieland, since the deviant subject may have more dangerous intentions than Barbie, which we could later see with the example of Ken.

There are three main problems here:

  • at first no one detected the unusual behavior;

  • when found, it was considered correct;

  • there was no timely response, and Barbie had to deal with the problem herself.

In the world of information systems, this situation carries much more risks. An attacker could quietly compromise the system, spread, and cause serious damage by compromising the integrity, confidentiality, or availability of data.

Well-developed procedures for detecting anomalies, processes for responding to them, as well as analyzing false positives will help prevent this. They will reduce the likelihood of a successful attack and adverse outcomes caused by other factors (human factor, man-made problems, etc.).

More information about incident management processes can be found here:

In the context of the film, practices for detecting anomalies and helping the dolls would be useful, which would allow them to solve such problems more transparently and in a more acceptable time frame.

The challenge of infrastructure compromise in a world of mobility and remote work

When Barbie began to deal with her problem and reached out to Weird Barbie (the outcast character), she learned that a connection had arisen between her and the girl in real life, which is why the girl’s behavior influenced the main character.

This situation is similar to when a compromise in one system, such as a home network, allows unwanted code to penetrate another system, such as an organization. This can happen, for example, if attackers gain access to a workstation connected via VPN to the enterprise network.

To minimize such risks, you should both set up controls within the organization’s perimeter and take into account the vulnerabilities of system elements that are located outside the perimeter, for example, remote employees.

It is important to remember that remote work is always an entry point into the internal infrastructure from an untrusted environment, so you should not provide access to internal services without additional checks (firewalling, authentication and authorization, etc.) at the network perimeter. A well-designed architecture can significantly reduce risks in our work-from-anywhere reality.

More information about remote access protection can be found here:

As for the film, in this case it is unlikely that any protective measures are possible, except perhaps being prepared for such situations and developing an action plan in advance. For example, the characters would need an emergency suitcase with the necessary currency, devices and recommendations for survival in the cruel real world.

The problem of insufficient control of outgoing traffic at the enterprise network perimeter

Going to the real world, the main character (like other Barbies) missed Ken hiding in the car, which led to problems after his return to Barbieland.

The situation is similar to the problem of uncontrolled traffic and information flows beyond the perimeter of the enterprise. In this case, we are talking about monitoring both network packets and data transmission channels in principle.

Uncontrolled data flows can cause problems for several reasons (the list is not exhaustive):

  • they may indicate leakage of sensitive information;

  • they may be a sign of bot/C&C activity (attackers gaining constant access to infected resources);

  • they may be part of requests going to potentially dangerous resources.

The first situation occurs when there is a data leak, either individually or on a massive scale, which can ultimately lead to, at best, small financial losses, and at worst, to huge fines, reputational losses, and compensation to those affected by the data leak.

The second situation is dangerous because, on the one hand, the organization’s resources are spent on illegitimate activity, and on the other hand, the company can become a participant in attacks, fall under legal sanctions, end up on blacklists of IP addresses, etc.

The last scenario occurs when system users access resources that are either potentially dangerous or do not meet their work needs (social networks, adult sites, torrent trackers, etc.). Such activity can simply distract employees from work, or it can become a channel for malware to penetrate. In addition, it loads the company’s network resources with unwanted traffic.

In each case, the problem should be solved in different ways: control outgoing traffic, implement proxying tools, firewalling, IDS/IPS to identify signs of compromise, and, as a last resort, deep traffic control (DPI) tools.

A global way to solve the problem is to take an inventory and build traffic control processes to understand what data is in the system, what ways to go beyond the infrastructure (including taking into account remote connections) are built into the architecture, and what can appear bypassing them. The main idea is to reduce the likelihood of illegitimate outgoing traffic that poses a threat in one form or another.
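The three kinds of uncontrolled outgoing flow listed above can be looked for in flow records, as in the following sketch (an added example, not part of the original article): large outbound volume as a leak indicator, evenly spaced connections as a possible sign of bot/C&C activity, and destinations outside an allowlist. The record layout, host names, allowlist and thresholds are assumptions constructed for the illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (epoch seconds, internal source, destination, bytes sent).
FLOWS = [
    (0, "ws-01", "updates.example.com", 1200),
    (60, "ws-02", "beacon.example.org", 300),
    (360, "ws-02", "beacon.example.org", 300),
    (500, "ws-01", "updates.example.com", 1100),
    (661, "ws-02", "beacon.example.org", 300),
    (700, "ws-03", "storage.example.com", 50_000_000),
    (900, "ws-01", "tracker.example.org", 4000),
    (960, "ws-02", "beacon.example.org", 300),
    (1261, "ws-02", "beacon.example.org", 300),
    (2100, "ws-01", "updates.example.com", 1300),
]

# Assumed inventory of destinations the business actually needs.
ALLOWLIST = {"updates.example.com", "storage.example.com"}


def review_egress(flows, allowlist=ALLOWLIST, volume_limit=10_000_000,
                  min_events=4, max_cv=0.1):
    """Return {(source, destination): sorted reasons} for suspicious pairs.

    volume_limit: bytes per pair above which a leak is suspected (assumed).
    min_events / max_cv: a pair with at least `min_events` connections whose
    gaps vary by no more than `max_cv` (coefficient of variation) looks
    machine-scheduled rather than human-driven (assumed thresholds).
    """
    times = defaultdict(list)
    volume = defaultdict(int)
    for ts, src, dst, sent in flows:
        times[(src, dst)].append(ts)
        volume[(src, dst)] += sent

    findings = {}
    for pair, stamps in times.items():
        reasons = []
        if pair[1] not in allowlist:
            reasons.append("destination not on allowlist")
        if volume[pair] > volume_limit:
            reasons.append("outbound volume above limit")
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(stamps) >= min_events and mean(gaps) > 0:
            if pstdev(gaps) / mean(gaps) <= max_cv:
                reasons.append("regular interval (possible beaconing)")
        if reasons:
            findings[pair] = sorted(reasons)
    return findings


if __name__ == "__main__":
    for pair, reasons in review_egress(FLOWS).items():
        print(pair, reasons)
```

Note that the large transfer goes to an allowlisted destination, so an allowlist alone would not have caught it; the checks complement each other.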

For Barbie, the simplest solution would be to check the back seat of the car and find an unwanted companion there. Although in this case the film would not be so interesting.

Malware detection problem

Upon returning from the real world, the main character discovered that the usual Barbieland had changed beyond recognition and the Kens with the symbolic logo in the form of a horse had become the dominant force. This power grab creates difficulties for both the main character and her real-world friends.

In today’s digital world, one of the big problems is malware. One of its most famous forms is the Trojan, which echoes the symbol that Ken brought to Barbieland. It is worth noting that all the Barbies accepted such a “gift” and did not object to it, which makes the resemblance to the Trojan horse even stronger.

Malicious software can use authorized channels and means of information transmission for illegitimate activity. For example, attacks of the RAT (remote access Trojan) and Reverse Shell classes can be initiated from an infected PC and bypass blocking access to the infrastructure from the outside.

In corporate environments, various tools are used to prevent this:

  • simple antiviruses installed on user workstations and server environments;

  • more advanced solutions based on behavioral analysis / detection of zero-day vulnerabilities. An example is protection against malware at the endpoint and/or network level. In the case of Barbie, this could help get rid of the problem even on the border of Barbieland.

Separately, it is worth mentioning actions in case of incidents when malware is launched – from detecting infection to containing its spread and eliminating the consequences. Detection and response processes can help with this. At the same time, procedures for containing the spread of infection involve isolating infected resources from the rest of the infrastructure, and further actions include a deep scan of the rest of the network and analysis of the infrastructure/resources for residual signs of infection, as well as reinstalling operating system images if necessary.

More information about malware protection can be found here:

In Barbie’s case, one solution would be to continue traveling through the real world with Ken and prevent him from secretly returning to Barbieland.

Another way to avoid problems would be to work with other Barbies in advance to prepare them for such a situation and train them to identify such intrusions into the foundations of Barbieland.

The problem of insufficient control of incoming traffic at the enterprise network perimeter

Another unexpected event in the world of Barbie is the appearance of the managers of the Mattel company, who used the same entrance to Barbieland that other characters had previously used to move between worlds. Although this event did not lead to any problems in the film, in other circumstances it could have been destructive to the pink world.

In information security, insufficient security at the edge of the network can open the door to attackers. The problem is relevant both for classic corporate networks and for other environments: wireless networks, home networks, IoT devices, etc.

The second problem here is access control in principle, namely the lack of understanding of who should have legitimate access to the system (Barbieland) and how.

It must be remembered that control of the network perimeter is one of the most important ways to protect against threats, including those from the global untrusted network (the Internet).

It is worth adhering to the principles of limiting network access (firewalling), assessing possible entry points into the infrastructure, and controlling incoming traffic. In situations that require an increased level of security, you can use more comprehensive solutions like IPS.

In addition, it may be relevant to define rules for access to protected resources, as well as implement measures to ensure control over the availability of elements of a corporate information system, such as those described above. You should remember about access logging for further investigation of controversial situations and incidents.

More information on ensuring the security of incoming traffic (in terms of firewalling) can be found here:

In Barbieland, the problem could be solved both by installing appropriate structures that restrict entry, and by allocating dolls to monitor borders. By the way, the new administration subsequently adopted the first decision from the previous proposal, but whether it was implemented after Barbie returned to power is a big question.

The Problem of Susceptibility to Defacement Attacks

One of the actions that Ken performed after returning to Barbieland was to change the appearance of everything and everyone, albeit with the tacit consent of the inhabitants of this world, but against its original rules. Among the changes we can highlight the appearance of horse symbols everywhere, a change in interior solutions, and the renaming of various objects.

In cybersecurity terms, this type of attack is called defacement. Its essence lies in illegitimately changing the “look” of a resource (for example, a website) and publishing content of an undesirable nature there (political, provocative, etc.).

Protection against this consists of controlling access to internal resources in general and restricting write operations in particular, issuing privileges on the principle of minimum necessary rights, as well as building the controls described above (incident management, traffic control, etc.).

Similarly, in the Barbie world, appropriate restrictions could be introduced that would not allow one to unilaterally change the appearance of the world without any stop factors, instantly turning it into something difficult to recognize.

The problem of detecting compromise

If we assume that, after Barbieland passed into the power of the Kens, we should consider the situation from their perspective, then the first big problem is the failure to detect the camp of rebels, who discussed their initiatives with Weird Barbie and subsequently regained power.

In fact, the camp and its inhabitants are an element of the structure (Barbieland), and their efforts are aimed at destroying the new foundations.

In cybersecurity, there is also a similar phenomenon – the problem of detecting compromise of system elements (workstations, servers), which are subsequently used either for external illegitimate activity (for example, bot farms) or for internal ones (for example, network scanning). Both simple solutions like antiviruses and more complex ones aimed at analyzing traffic at the level of end devices and/or network help to detect such actions in a timely manner.

Separately, it is worth mentioning complex compromise schemes, such as APT attacks. As a rule, they are aimed at large companies and consist of several steps, for example:

  • exploration and preparation of resources;

  • penetration into infrastructure;

  • escalation of privileges;

  • securing the attacker in the infrastructure;

  • attacker movement across the infrastructure;

  • causing damage.

I advise you to familiarize yourself with the MITRE ATT&CK matrix, which outlines similar steps: https://attack.mitre.org/

Probably, the Kens in this situation could direct their efforts to eliminate potential rebels, which would allow them to gain a foothold in power and prevent a reverse coup.

The problem of vulnerability to social engineering attacks

When the Barbies decided to restore the old order, their main tool was to distract the Kens and forcibly return the Barbies to their own will after being brainwashed by the male population.

A similar phenomenon in the field of information security is attacks using social engineering, when mechanisms for working with human weaknesses are used to achieve illegitimate goals: intimidation, emphasis on the need for quick decision-making, promises of earnings and other methods that distract attention from the real danger.

To combat this, preventive technical measures as well as administrative and organizational measures are used.

The first include:

  • spam protection;

  • blocking untrusted sites at the proxy/DNS level;

  • double control when performing significant operations.

Examples of administrative and organizational measures:

  • digital literacy training and raising user awareness of current threats;

  • greater attention to detail when working with digital resources;

  • caution when interacting with intruders, for example over the phone.

Social engineering today is applicable not only to corporate environments and related threats, but also to attacks aimed at users of the digital world (with the aim of obtaining bank card data, logins and passwords, inducing transfers to the accounts of attackers, etc.). It is important to remember that humans are one of the main sources and conductors of threats, so this factor should not be neglected.

The Kens should have been more attentive to what was happening and stopped such attempts to deceive them, not allowing the Barbies to unite and regain power.

The problem of uniformity of opinions

The last point follows from the first one. The lack of identity and the uniformity of opinions meant that everything happened very quickly, since there was no critical thinking and no character with an alternative opinion who could point out the problems of Barbieland.

In the context of information security, it is also important to have a diversity of opinions and the ability to see the situation from different sides: management, colleagues, business, information technology, regulators, auditors, etc.

Sometimes information about a critical problem comes from where you don’t expect it. And, perhaps, just being open to other people’s opinions can help resolve those issues that may not be visible due to tunnel vision.

As for the Barbies, they should take a broader view of the situation and consider the possible consequences of their actions, pay attention to what is happening around them, and perhaps take off the rose-colored glasses and look at their world more realistically, which is partly what they came to closer to the end of the film.

Conclusion

Although the above points are just examples based on the plot of the film, it is useful to remember that negligence in information security in real life can lead to disastrous consequences.
