Even if they put it near the top, it's still going to be reduced in effectiveness by the actual needs and goals of the organization. Any company that has a VPN and remote employees is objectively and inherently weaker from a cyber security standpoint than an otherwise equally equipped company with no external access to the network. But they do that because remote employee access means they can do their actual business better. Any company that uses networked computers is objectively and inherently weaker from a cyber security standpoint than one which requires physically moving data from one machine to another by way of personal handoffs between employees at the same physical location, but they do that because it means they can do their actual business better.
It does not matter if cyber security is at the top or the bottom of your budget list, if the choice is ever "better cyber security" or "do more business", cyber security is always going to lose that battle. You will never convince a company to use E2E encrypted email for all communications with all customers and vendors, no matter how high on the budget list cyber security is, because doing so would actively hinder the day to day operations of the business.
I don't think this is relevant. Even on-prem "air gapped" networks get breached. I would say it happens on as frequent a basis as any other network tbh. Microsoft hacks get headlines because Microsoft is a public company; there are lots of undisclosed breaches happening out there.
Security vulnerabilities come from the same places they always have: where IO happens, where transactions happen, and where an operating system does a lot of work. How attackers get to these points, what happens when they do, and then how the system reacts when a malicious event occurs are the factors that matter.
In today's world of complex technologies, I have yet to meet a single organization that is invulnerable to these threats. I've seen a lot of organizations limit damage, patch vulnerabilities, and generally manage their risk profile effectively - but losses are a part of the business.
IMO, the only thing that will really make a difference is when we have technologies that are sufficient to make the user more resilient. Only then can we have a truly safer web.
I have worked at 20+ companies, and the ones that had little to no security got ransomwared at LEAST yearly (with 50m+ in revenues), and the ones that had basic and standard security practices got zero network-wide intrusions (at least at lower than, say, a nation-state level).
Now, COULD they have been exploited with a 0day? Sure, in theory these networks could both be exploited with the same technology or by a dedicated actor, likely without an issue - they're internet-connected corporate networks, mostly with probably out-of-date tech; and in practice most attacks corporations need to mitigate are the drive-by trash that consumers also face.
> I would say it happens on as frequent a basis as any other network tbh.
...really?
I find this extremely hard to believe on its face. Sure, an attacker can infect a system via a USB drive, but they need to get physically close to the victim (at least at one point in time). That both dramatically decreases the number of possible attackers and increases their personal risk.
It also becomes far more difficult for an attacker to exfiltrate any data.
Exfil may be tricky if the system is actually airgapped - I take GP's use of scare quotes to mean that most systems are "airgapped" by means of software-enforced security policies, which should correctly be referred to as "not airgapped".
As for the attack method, there's always the good ol' "flash drive found on a parking lot" vector.
> As for the attack method, there's always the good ol' "flash drive found on a parking lot" vector.
Right, which requires the attacker to be physically near the parking lot at some point! That decreases the number of possible attackers by several orders of magnitude at least.
> Exfil may be tricky if the system is actually airgapped - I take GP's use of scare quotes to mean that most systems are "airgapped" by means of software-enforced security policies, which should correctly be referred to as "not airgapped".
Ah, that makes more sense! I do think tpmoney was quite clearly talking about truly airgapped systems, however.
> Ah, that makes more sense! I do think tpmoney was quite clearly talking about truly airgapped systems, however.
Very much so. My point being that a truly air gapped system is objectively more secure than one that is networked, and yet a bank or social network company that only operates with truly air gapped systems will be strictly worse off than their competitors in their actual business of banking or social networking. And so, since their actual job is not objectively better cyber security but banking or social networking, they are inherently at a disadvantage compared to Attackers whose business IS attacking (or, at one step removed, selling the resources obtained from attacking). In the name of making their business better, Defenders will choose weaker security, and Attackers will choose stronger attacks.
My point is that the vulnerable points, regardless of where they come from, are ultimately there because the purpose of the Defender is not to have perfect cyber security, but to use computers and technology to enable business. Or as you said, "losses are a part of the business"; and that's so because "the business" isn't cyber security.
I’m sorry, but I really really really want some citations here - a network that has VPNs and LANs at multiple locations is as vulnerable as a single location that uses air-gapped computers, passing, say, USB sticks around to share, say, git repos?
I am not sure I would enjoy working at the second place, but I would really hope we weren’t an easy target.
It's been shown many times that people will pick up random USB devices from anywhere and plug them into any computer without thinking. Airgapping just stops the automated scans and stuff that was already being stopped. Defence is reactive, so the momentum and advantage is always on the attacker side, and stopping the lazy ones doesn't do anything to stop the real threats.
The costs of seatbelts are already built in to the car. The cost of airgapping is not. The sheer inconvenience and limiting of the potential employee pool would put it far out of budget for anyone but governments or very large corporations doing very sensitive work, and even in those cases it would be on a site-by-site basis, not org-wide.
The parent wrote that "most organizations put security at the end of the budget list", but he did not write that it should be put at the top of the budget list. Your criticism would only be valid if he had written the latter.
The parent wrote that the "main problem" was that they put the security at the end of the budget list. My argument is it doesn't matter where it is on the budget list, it will always be subservient to the actual business of the Defender. That is, my argument is the "main problem" is that perfect cyber security Defense isn't anyone's actual business.