Security Mavens' Reviews of Firewall

We invited some of our friends in the security field to review the new movie about a heroic CISO of a midmarket Seattle bank. Stars Harrison Ford. What could be wrong?

The annals of popular culture are rife with depictions of security professionals as villainous lackeys in the service of unscrupulous corporate leaders. Think "Silkwood," "The Firm," "The China Syndrome," and last year's season of the Fox Network hit show, "24," in which the CSO of an L.A. high-tech business seeks to protect the corporate reputation by deploying his own private SWAT team to kill counterterrorist agent Jack Bauer. That's a pretty harsh job description!

So when we heard that the new movie "Firewall" would star Harrison Ford as Jack Stanfield, the heroic CISO of a midmarket Seattle bank, we were eager to see this presumptively positive portrayal of a security executive. We also invited some of our friends in the business to see the movie on its opening weekend and send us their reviews.

Firewall Reviews

IRA WINKLER:

I went to "Firewall" with really low expectations. The reviews kind of sucked, and most movies that focus on security and computers are filled with complicated technological terms that make no sense to the average person, the idea being to make the hero sound like a technological genius. At the same time, real technological geniuses are confused, because it's actually a bunch of random acronyms the writers have stuck together. Of course, it usually ends up being some obscure technological genius who saves the world from an evil corporation.

Since I couldn't be disappointed, I actually liked this movie. I know that CSO wanted me to focus on how "real" the movie is with regard to security, computer crime, and the job of a security manager. I also assume that many readers might know that I perform penetration tests against banks, investigate crimes against banks, and help to develop security programs for banks. That said, "Firewall" is about as real for banking security as XXX was for the NSA and the Star Wars movies were for space travel.

In "Firewall," the criminals basically develop a software program that will clean out bank accounts automatically, and they need the hero to identify large accounts and execute the program to actually clean out the accounts. As you can anticipate, the hero, bank security manager Harrison Ford, does this to save his family (held hostage by the bad guys) but then steals it back to turn the tables. While the movie gives you the impression that the bad guys are super villains, in the real world of banking criminals, they would rank slightly above Wile E. Coyote.

In the real world, $100,000,000, sent to five specific accounts in a 4-minute time frame, would be easily tracked and retrieved. The bad guys left tracks all over the place, including in people's memory, but make it seem trivial to delete them. The reality is that organized criminals regularly steal millions of dollars from banks and get away with it. They don't have to resort to exposing themselves to charges of murder, extortion and blackmail.

However, the most unbelievable aspect of the whole movie, one that approaches science fiction standards, is that all of the techies in the Seattle area wear suits to work. Harrison Ford doesn't even take his tie off throughout the entire movie, despite chasing the bad guys all over Washington state.

I could pick this movie apart point by point from a technical perspective. However, the movie is a movie and should be seen as intended, for entertainment. There is a slight mention of a firewall at the beginning of the movie, but it is really just a movie title. The film was originally titled "The Wrong Element," but I guess that didn't sound cool enough. Overall, this is a really good movie.

Despite the lack of reality, it's easy to buy into the suspense and the action. Hey, if you can believe that Indiana Jones is a real archeologist, you can believe that Harrison Ford's character is a real bank security manager. If you are a fan of the TV show "24," you might think, from time to time, that you are actually watching that show—Mary Lynn Rajskub, who plays Chloe, CTU's most gifted geek, co-stars as Ford's executive assistant.

At the very least, your friends who see "Firewall" might start to think you're cool!

BIO: Ira Winkler is an information security consultant and author (most recently of the book Spies Among Us, a call to action over the alarming vulnerabilities in security and intelligence systems). He often speaks and writes on infosecurity topics, but still finds time to go to movies.

PAMELA FUSCO:

All in all, "Firewall" isn't bad. Come on, Harrison Ford was in it, so it couldn't be a bomb.

But is it a reality? Well, if you take out the made-for-movie drama (exploding car, guns and ammo, and a fabulous house that a VP of Information Security could never afford), yes it could happen. But not easily.

To pull off a caper such as this, the majority of the security OSI stack has to be violated: 1.) physical; 2.) personal; 3.) logical (hackers, identity theft, etc.); 4.) social engineering; 5.) friends and family; 6.) the human-habit element (ordering pizza every X night of the week); and 7.) surveillance.

Harrison Ford portrays "Jack Stanfield," a bank CISO with true grit. Many of us who have had the honor and privilege of developing, designing, implementing and managing a security operations team, take great pride in what we do. We believe in the work and the people who are part of our teams. This movie hits that part of it straight on. Because of Jack's dedication to his corporation, team, customers and family, he becomes a target of ruthless thieves. I could project myself into the middle of this since I, too, have great pride and integrity when it comes to my profession. Fiction is fast becoming a reality. Biometrics, federated identity badges, the piecing together of shredded documents, etc. This is all real.

Perhaps the next mandatory level of defense that security professionals should undertake and learn is "self defense." Having security and using security are two different things, and you must do both. For instance, the Stanfield family's home security system was disabled when the fake pizza delivery (really the bad guys) arrived, and Jack logs onto the bank's systems with a single badge (true, corporations do have this level of access, but it's usually coupled with another level of authentication, such as a PIN or fingerprint scanner). This just shows that even the most intelligent and paranoid security professionals can let their guards down when their organizations and operations begin to flow smoothly.

Security is and always will be a 24/7 activity, and it will always require human intervention. Therefore, it will never be 100 percent assured!

BIO: Pamela Fusco is executive vice president and head of global information security for Citigroup. She has formerly held infosecurity leadership positions with the pharmaceutical giant Merck and with Digex, an Internet service and hosting provider now a part of MCI.

DENNIS TREECE:

Bottom line up front: The research the crooks did on Jack failed to turn up that in the Thirties, he went by the name Indiana Jones!

"Firewall" is a moderately entertaining movie that treats the bank's head geek with a truckload of respect while falling into the standard movie "appearance" of computer genius, probably because the real thing would never appeal to movie audiences.

"Firewall" drags a bit in the middle, like most movies, but overall I was entertained and pleased with the death of the bad guys and the relatively happy ending. There's nothing like virtue being rewarded after a battle between good and evil.

That said, it did ring hollow in a number of areas, both social and technical.

The first things that don't ring true are Jack's incredible house (as Pam Fusco also notes), his obvious money, and his seniority in the bank. We just don't see network security chiefs with this lifestyle. If we did, we'd have them under intense investigation!

Another "Hollywoodism," aside from the perfect life and family, was how everyone interacted with computers. While most interaction these days is by GUI, Hollywood insists on everything being typed, the faster the better. When was the last time you saw a hacker movie that even showed a mouse? Remember "Swordfish?" Enough said.

And let's assume for a moment that it was the modem card he pulled out of the fax machine, that he was able to cobble together with his daughter's iPod and some cabling, then plug into the network down in a server room, and have it instantly recognized and talking on the network. Yeah, that'd happen!

Later, Jack apparently takes the SIM card out of a cell phone and plugs it into his secretary's laptop and—Whoa, Nelly!—not only did that guy's cell phone take 20-megapixel-quality pictures off a monitor (at an angle yet) but Jack is back on the bank network again, reversing the bank's losses at $20M a pop. This guy is good! And he has the requisite blindingly fast and error-free typing skills, without even looking at the keyboard, which Hollywood demands of its geek heroes. Once again, nah, I don't think so.

Then there's an early scene where Jack establishes his bona fides as a White Hat computer genius. He looks at a screen for a few seconds, the guy at the terminal tells him that some hacker is cruising through modest accounts. Jack tells the tech to move aside. He proceeds to, according to the dialogue, "change a few of the rules to slow him down." My experience with banking networks, slim as it is, reminds me that nobody changes rule sets on a live bank network. Such changes have to be vetted off-line, by a team dedicated to that task, lest some unintended consequence kill your ATMs in Norway or freeze mortgage accounts in Boston.

The most remarkable thing of all, however, is the way Jack can go a day and a half in the same suit, through several complete soakings in Seattle rain, multiple bloody fights, roll around in the dirt while dispatching Bad Guy Numero Uno, and still manage to look like Harrison Ford, who maybe took a nap in the suit and loosened his tie in the process!

BIO: Dennis Treece is director of corporate security for the Massachusetts Port Authority, which is responsible for Boston's Logan Airport and other regional shipping and transportation facilities. He is a former Army colonel with more than 30 years' experience in a variety of security roles, both domestically and internationally.

Copyright © 2006 IDG Communications, Inc.