5 minute read
HVCK : Issue 1 - 2022
The Privilege Access Control Case:
Darth Vader v Han Solo (1 ABY) Galactic SC 41
Advertisement
by Brenda van Rensburg
INTRODUCTION
Privilege Access is a term used to secure access to data by any person that is above a standard user. It can be associated with both human and non-human access such as applications and machine identities.
Some examples of privilege access accounts used by humans are ‘super users’, ‘local administrative’ and ‘privilege business user’. Examples of non-human access accounts are ‘application accounts’, ‘service accounts’ and ‘secret accounts.’ Arguably, there are many more examples, however the most familiar access accounts have been used as examples.
In the Essential 8 Maturity model, privilege access is considered as one of the controls to protect data from unauthorised access and/or disclosure. As such, entities are responsible to ensure necessary controls have been implemented to protect data from unauthorised access and/or disclosure.
Arguably, it is a criminal offence for any person who has accessed data without authorisation. Additionally, further penalties can be awarded if modification or impairment is caused because of this access.
To discuss this subject matter of unauthorised access, we will look at the case of Darth Vader v Han Solo where the plaintiff claimed that the defendant had unauthorised access to the Attack Room, which was the location of several servers that stored confidential data. As a result of this access, there was impairment to data. Additionally, the plaintiff further sought compensation for damage to property.
In the case of Darth Vader (plaintiff) v Han Solo (defendant), the plaintiff claimed that the defendant gained unauthorised access to the Attack Room where the defendant allegedly destroyed Imperial property, namely the intercom and surrounding hardware appliances. The Enhanced Security and Enforcement Act, 21 BBY (Gal) s 145 states that
Death Star CCTV Footage of the accused, Han Solo (Below)
THE CASE OF AUTHORISED ACCESS
a) A being or non-being is unauthorised if they are not entitled, within the ordinary meaning of the word, to cause that access, modification, or impairment.
b) will be taken to ’cause’ unauthorised access, modification, or impairment if your conduct substantially contributes to the same
According to the Galactic Supreme Court, the onus rests on the plaintiff to prove that the defendant caused unauthorised computer function; did so knowing it was unauthorised; and did that with the intention of committing or facilitating the commission of a serious indictable offence.
The plaintiff claimed that the defendant disguised himself as a stormtrooper which arguably, is intent to access the Attack Room without authorisation. As such, the defendant had knowledge that he accessed the Attack Room without consent. Therefore, the defendants’ actions could be argued as a serious indictable offence.
However, the defendant argued that the actions were justified. In his defence, he entered the Attack Room to save his, and his colleague’s life. He admitted to entering
the Death Star based on orders to save Princess Leia who was held hostage by the plaintiff. As such, the defendant had a lawful reason to access the Attack Room.
Death Star SOC Crew Team C (pictured above) were terminatedas a consequence of the Solo incident. The results of this case have triggered compensation claims from the families of the men.
ENTITIES RESPONSIBILITIES
Under Part C section 11 of the Enhanced Security and Enforcement Act, 21 BBY (Gal), it states that
An entity must take reasonable steps to protect confidential data it holds from misuse, interference, and loss, as well as unauthorised access, modification, or disclosure
In the investigation into the Imperial’s Starfleet conduct regarding the protection of confidential data, it was identified that the Death Star failed to implement necessary Privilege Access Controls. The court determined that the Attack Room was considered as a location that stored highly confidential information. It was the Imperial’s Starfleet responsibility to ensure the privilege access was implemented so that only specific beings, and non-beings, had access to the Attack Room. Failure to implement the privilege access controls meant that any Stormtrooper had access to this data.
Arguably, the Imperial Starfleet had implemented authentication steps inside of the Attack Room which aided in reducing the risk of access to other secure locations. However, despite this action, it was not considered effective and therefore failed as a control.
CONCLUSION
The Galactic Supreme Court concluded that Han Solo had accessed the Attack Room without authorisation.
However, the access was deemed lawful under the Galactic Constitution which states that beings and nonbeings may enter a ship for a lawful reason identified under Part A.
Additionally, the courts awarded Darth Vader $5,000 Galactic Credit Standards to repair the damage of the intercom inside of the Attack Room. While Han Solo stated in his defence that the damage was necessary, the court concluded that he could have turned off the intercom instead of destroying it with the BlasTech’s E-11 Blaster Rifle.
Lastly, the court fined the Imperial Starfleet with 2,000 Galactic Units for failure to implement necessary privilege access controls to secure the location and the data. Additionally, the Imperial Starfleet was to compensate all beings and non-beings for any damages as a result of the failure to secure personal and confidential data effectively.
