Dark Reading is part of the Informa Tech Division of Informa PLC



10:30 AM

5 Reasons You 'Better Call Saul' To Protect Corporate Data

These pop-culture lessons from the entertaining Breaking Bad spinoff will make security awareness training both fun and effective.

HELPDESK GUY: I was a highly respected IT help desk analyst until my boss got infected by some nasty ransomware.

AVERAGE CIO: I thought I knew where my company’s important data was, but then it got stolen.

SOCCER MOM: I was minding my own business, responding to a Nigerian diplomat’s email when my bank account was suddenly drained.


Who’s the first person who comes to mind when you’re thinking of protecting networks and digital data? Why, it’s surely a shady, fast-talking, strip mall criminal attorney in Albuquerque, New Mexico… right?

No? Well, I’m writing this blog to convince you that even a nutty lawyer on a popular TV show can teach you a few new things about information security. At the same time, we can make security learning a whole lot more fun (and effective) by mixing it with pop culture. To prove it, consider these five security scenarios inspired by the popular Breaking Bad spin-off Better Call Saul.

Scenario 1: Scareware. Early in the season, we follow Saul, whose real name is “Jimmy” McGill, driving to his office/home (which is located in the back of a hair salon). Out of nowhere, a skater lands on his windshield claiming broken bones and demanding $500. Good thing Jimmy can spot scammers (likely because he was one himself) and recognizes this as a typical scare extortion tactic.

This trick lives on in the digital age with scareware and “police” ransomware. One tries to convince users that their computer is infected in hopes of tricking them into buying a fake security product. The other tells them that the authorities (usually the FBI) have detected that they’ve done something illegal, but that they can pay a small fine to get out of it.

Luckily, these sorts of scams are relatively easy for users to recognize. In the same way a real accident victim wouldn’t normally ask for a cash payment, the police wouldn’t be asking anyone to pay a fine by changing the message on your computer’s background. Like Jimmy, if users watch for these basic scare tactics, they will avoid many cyber scams and malware.

Scenario 2: Social Engineering. Jimmy and his partner leave a bar and stumble upon a wallet full of cash. After grabbing the cash, they notice a man passed out in that alley—presumably the owner of the wallet. After looking over the drunken guy, Jimmy quietly takes his watch, while also trying to avoid his partner’s attention. Of course, the greedy partner notices, recognizes the watch as a Rolex, and forces Jimmy to trade the cash, plus a little extra, for the Rolex.

This was a classic example of social engineering. Jimmy’s “partner” was actually the mark, the drunk was his real partner, and the Rolex was a fake. The mark was duped into giving up his own cash for a worthless knock-off watch. Social engineering, the act of deceiving or manipulating someone into doing something they shouldn’t, is a very common practice among digital criminals. InfoSec professionals often focus on the technical nature of cyber attacks and less on the human, psychological aspects of digital crime. This is a mistake! Even if we had perfect technical defenses that could block every attack (we don’t), smart attackers could still become cyber shrinks, and trick users into doing dumb things. Make sure you mitigate social engineering by training your users well.

Scenario 3: Insider attacks. Mike, who we first meet as an ornery parking lot attendant, is actually an important character with much history in the Breaking Bad world. In this new series, we learn his son was killed, and he followed his daughter-in-law to Albuquerque. I won’t reveal all the details, but we eventually learn Mike and his son were cops, and some fellow officers killed Mike’s son.

This simple storyline reminds me of insider attacks. Nowadays, statistics tell us that most network attacks originate from external actors. However, that doesn’t mean we should drop our guard against inside attackers. When malicious insiders do attack (and they do) the consequences can be much more devastating, simply because the insider has so much access to our network. Although the majority of insider leaks or breaches are accidental, be sure to have controls in place to catch malicious insiders. Otherwise, you might lose your favorite son (metaphorically).

Scenario 4: Metadata. During episode 3, Jimmy is trying to track down a family that is accused of embezzlement. The police think the family was kidnapped, but Jimmy suspects they have skipped town and might be hiding closer than one might think. He searches their house finding no obvious clues, until he serendipitously notices a stick-figure sticker of a camping family on their minivan. What does that have to do with information security? That sticker is metadata!

The Snowden leaks have revealed to the world that government agencies have performed mass surveillance and gathered petabytes of digital data. The authorities have told us not to worry. They aren’t targeting us specifically, and what they gather is just metadata; it’s not important and doesn’t sacrifice our privacy. Unfortunately, metadata is important and can tell others a lot about you. That simple car sticker told Jimmy that the Kettlemans were campers, which led him to the insight that they might be camping close by. Likewise, user phone calls and Internet browsing habits tell anyone watching a lot about you.

Scenario 5: Disposal of Sensitive Data. In episode 8, Jimmy found an elder care facility engaged in fraud. In the course of his forensic investigation, Jimmy dove into a dumpster, recovered the paper shreds, and painstakingly remade the incriminating documents. As his brother said, if only the facility had used cross-cut shredding, the case could never go forward.

Network professionals can learn from this. If you or your users handle sensitive data and want to dispose of it, it better be done securely. Cyber criminals dumpster dive for data, too. There have been many cases where companies haven’t properly wiped the hard drives they throw out, or didn't even wipe them at all. Be a “cross-cut shredder” and dispose of your digital data properly.

Okay, so I probably haven’t convinced you that Better Call Saul is all about computer security. But I hope I have at least persuaded you that there are fun ways to pull security awareness lessons from just about anything. Let’s share some more Better Call Saul – or other pop culture – security awareness tips in the comments.

Corey Nachreiner regularly contributes to security publications and speaks internationally at leading industry trade shows like RSA. He has written thousands of security alerts and educational articles and is the primary contributor to the WatchGuard Security Center blog, ...

Marilyn Cohodas,
User Rank: Strategist
4/8/2015 | 3:27:04 PM
I'll call Saul
Great idea for user ed! Particularly love your metadata explanation. 
User Rank: Author
4/8/2015 | 6:41:49 PM
Re: I'll call Saul
Thanks Marilyn. That one was my favorite too... Being that Better Call Saul is already about con men and scammers, the other angles were pretty obvious, but I tend to like the less obvious metaphors. ^_^
Marilyn Cohodas,
User Rank: Strategist
4/9/2015 | 11:04:59 AM
Re: I'll call Saul
It's a good one, that I will use to explain the concept of metadata to family and friends!