October is Cybersecurity Awareness Month, a great reminder that keeping your systems safe doesn’t have to be complicated or intimidating. Whether you’re managing a business or simply trying to protect your personal information, everyone can benefit from brushing up on cybersecurity basics.
To make this topic more engaging, Jameel Ur Rahman, Staff Software Engineer, and Nathan Hartzell, Principal Security Architect at ExpressVPN, share a story that’s both fun and insightful. It’s about Henry, a bright computer science student, and Morty, a mischievous hacker, who wants to have some fun at Henry’s expense.
Through Henry and Morty’s journey, you’ll pick up key cybersecurity lessons, but don’t worry—this story keeps things light while offering tips that anyone can follow.
Meet Henry and Morty
Henry is a bright new student who’s just joined the most prestigious computer science program on Earth. Like many students, Henry was looking for a way to earn some extra income. He jumped at the opportunity to help two seniors build an e-commerce site.
Using Amazon Web Services (AWS), Henry set up a web application that allowed customers to browse products and make purchases online. Everything was going well for Henry—until Morty came along.
Morty is a hacker who spends his time scanning the internet, searching for vulnerabilities and new friends to make. Unfortunately for Henry, his system had a weak spot. He finds an open SSH port—basically, an unlocked front door to Henry’s servers. This is exactly the opportunity Morty has been looking for.
Morty’s first break-in
Once inside, Morty started messing with Henry’s website. In security terms, this is called a defacement attack—where the attacker modifies a site’s content with their own messages. In Morty’s case, he left a cheeky note, but the real damage came when the site became unusable for customers. This is also a Denial of Service (DoS) attack, where the hacker makes the site unable to function as intended.
Lesson 1: Security starts with the basics
Henry’s first mistake is a common one—he didn’t start with the basics. It’s like leaving your front door unlocked, hoping no one will notice. To avoid a situation like Henry’s, always ensure that the simplest entry points are protected. Here’s how:
- Use strong authentication, like keys or complex passwords, to secure your servers.
- Set up firewalls to block any unauthorized access.
- Implement access controls to make sure only the right people can get into the system.
These foundational security measures could have stopped Morty before he even got in.
Escalation of privilege
But Morty wasn’t satisfied with just getting in the front door. He wanted more control. So, while snooping around inside Henry’s servers, he found something even better—admin access, the equivalent of finding a key to the whole house. This is called an escalation of privilege, where the hacker gains more access than they should have.
With these newfound powers, Morty didn’t need to rely on the front door anymore. He opened a window in the back—also known as creating a backdoor—giving him an easy way back in anytime he wanted.
Lesson 2: Defense in depth
Henry thought locking the front door would be enough, but Morty had already opened that backdoor. This is why relying on just one layer of security isn’t enough. Instead, you need Defense in depth—multiple layers of protection. If one fails, the others can still keep attackers like Morty out.
Here’s what Henry should have done:
- Two-factor authentication (2FA): Even if Morty had the password, 2FA would have stopped him from logging in.
- Encryption: Any sensitive data, like login details, should have been encrypted. This way, even if Morty found it, he couldn’t read it.
- Access controls: Henry could have limited what Morty could do inside the system, even if he got in.
What happens when the hacker doesn’t give up?
Henry thought he had kicked Morty out for good after locking down the system and fixing the front door. But not all hackers give up that easily—especially one like Morty, who had already found a way in. Morty was no longer just a random hacker; he had evolved into a more persistent and advanced threat.
Even after being locked out, Morty kept looking for ways back into Henry’s system. He knew where Henry’s weak spots were and wasn’t about to let go of this “friendship.” This kind of persistence is what makes advanced attackers, like those backed by nation-states, much more dangerous. They can spend months, even years, trying to get back into a system once they’ve found a way in.
Lesson 3: Persistence is dangerous; keep monitoring
“What’s worse than being hacked? Being hacked and not knowing about it.”
Henry’s security efforts were strong, but Morty kept finding and exploiting the smallest weaknesses. Without monitoring, even if you’ve secured your system, a hacker could remain inside undetected, quietly collecting information or waiting for the right moment to strike.
Here’s what Henry did next, and what you should do too:
- Set up logging systems that track every action within your environment and send those logs to a secure, external location where they can’t be tampered with.
- Use real-time monitoring to detect any unusual activity and respond quickly to potential threats.
- Implement alerts for suspicious behavior, such as failed login attempts or unauthorized access to sensitive areas.
Why nation-state actors are different
While Henry thought he had handled Morty, the situation became far more complicated. Morty wasn’t just interested in causing chaos for fun anymore—he had evolved into a much more dangerous attacker. Now, Morty resembled what security experts call a nation-state actor, someone with the resources, patience, and determination to keep trying even when the obvious entry points are blocked.
“Morty is not going to give up just because Henry has a good firewall and 2FA”
These types of attackers don’t just rely on breaking through technological defenses. They also exploit human vulnerabilities. Morty knew that Henry had secured his system, but he began targeting Henry’s e-commerce colleagues instead—using tactics like phishing and social engineering to trick them into handing over sensitive information.
Lesson 4: It’s not just about the tech, it’s about people too
Henry’s firewalls, encryption, and multi-factor authentication were top-notch, but Morty knew the weakest link in any system is often the people behind it. By using tactics like phishing, Morty could bypass Henry’s technical defenses without ever having to break through.
Here’s what Henry should have done to protect against human vulnerabilities:
- Educate employees regularly about phishing and other social engineering tactics. Even the most advanced firewalls won’t stop an attacker if someone is tricked into handing over their credentials.
- Implement phishing simulations to test and strengthen your team’s ability to recognize threats.
- Ensure that access to sensitive data is tightly controlled and monitored. Just because someone has the technical ability to access a system doesn’t mean they should have full access to sensitive data.
The importance of knowing your limits
After all the effort Henry put into locking down his system, adding layers of security, and educating his colleagues, he started to notice a problem. While his system was now secure, it had become so complex that it was difficult to manage and use. Morty had driven Henry to build an impenetrable fortress, but it came at the cost of usability.
Henry realized that no matter how many layers of security he added, no system could ever be 100% secure. There would always be vulnerabilities somewhere, and the key was to strike a balance—one that protected his system but kept it functional for everyday use.
Lesson 5: Secure enough is still secure
Henry’s final lesson was that chasing perfection in security can lead to frustration and complexity. Instead of trying to build an impenetrable fortress, Henry needed to focus on making his system secure enough. By addressing the most critical areas—like strong authentication, encryption, and monitoring—he could reduce the risk of a successful attack without making the system unusable.
Here’s how Henry could have found that balance:
- Strengthen core elements: Focus on the basics like authentication, encryption, and access control. These are the foundations of a secure system.
- Maintain continuous monitoring: Instead of adding endless layers of security, prioritize monitoring and responding to threats in real time.
- Keep things practical: Avoid overcomplicating your security setup. A system that’s too difficult to use can be just as risky as one that isn’t secure enough.
“At the end of the day, it’s about finding the right balance. You don’t need to lock every door and window to the point where no one, including yourself, can get in. But you do need to make it hard enough for attackers like Morty to stay out.”
A secure future starts now
After everything Henry went through, he finally managed to gain control over his system. But it wasn’t just one big move that did the trick. It was the combination of learning from his mistakes, adapting his defenses, and realizing that security is an ongoing process, not a one-time fix.
Henry came to understand that securing his system wasn’t about creating a perfect fortress—it was about staying proactive, using smart defenses, and keeping an eye out for new threats. By reinforcing the most important areas, adding layers of protection, and continuously monitoring his system, Henry built a defense strong enough to withstand even the most persistent attacks.
So, what’s next?
Start by securing the basics—set up strong passwords, use 2FA, and keep everything updated. Then, go a step further. Layer your defenses with encryption, access controls, and continuous monitoring to catch anything that might slip through the cracks.
Remember, security is a continuous journey. You need to constantly work at building something strong and maintaining it over time. Just like Henry, you don’t need to do everything at once, but you do need to get started.
“Start with the basics, stay proactive, and keep building. Security is an ongoing process, and the sooner you commit to it, the stronger your defenses will be.”