If IT was actually good and tried to give us good solutions that would enable us to have standard and secure systems AND still be able to work at the same time, most people would happily comply. But that's not the case. IT support employees sometimes can barely even speak English...
1. Basically a startup with no security whatsoever
2. Security prevents you from doing your job, so people have no choice but to actively work around it
3. Security integrates seamlessly with developers' workflow
1 and 2 were the most common. 3 was rarest. If you want good security, you also have to care enough about UX so people don't work around the security.
The answer is that bad security gets in the way of people's jobs, and people have no choice but to work around it. Good security is effortless and cares about the UX. Frankly, that's hard, so many companies don't do it very well.
Capability based security[1] is the best choice, but isn't widely available outside of very specialized environments. *Like java/javascript - Capability Based Security is NOT the same as "capabilities" on your smartphone for "Allow Location Services" in your phone, etc.
Unidirectional Networks[2] are a product you can buy right now. Quite simple and un-hackable, they only allow data to flow in the direction desired. There are often a pair of servers set up on either side to act as a proxy compatible with normal network services such as tcp/ip, ftp, www, file stores, etc.
With these two tools, you can build systems that only allow desired data flows required for the desired behavior and inhibit external injection of control.
As such, it doesn't make sense to invest that much in security. Security protects your users, but the privacy and safety of users has zero impact on most companies' bottom line.
The situation will continue until compensation of victims (i.e. users) is mandatory by law.
So essentially no one is safe once you are big enough to fall into the bullseye. Even for individuals and smaller businesses there are times that cyber criminals seek to extract value. For example to "promote" antivirus or cloud shield products.
I'm very curious if anyone has been on the dark side and is willing to share their knowledge. I figured there must be a chain of criminals such as 1) people who care more about tech so they find exploits and build malware, and 2) people who want profit so they purchase the products from group 1 and run operations, 3) people who are good at social engineering can probably shine too
I also have a theory about end of season trends. End of summer, fall, end of holiday season, etc... is when threat actors wrap up a campaign and move to another target or take a break. You hear about breaches now but keep in mind dwell time is typically in weeks and it takes a week or two minimum before the company is confident enough to make public disclosure. So start of campaign for anything I see now is early August (including pre-compromise activity) which is the end of summer in the US (at least end of summer break for kids, August-November is the pre-holiday season IMO).
Most simply, I think we're paying for our recent leaning-in on tech. The field and the people participating need time to mature.
More specifically, supply chain/distribution. I'm not sure I'm using the term correctly, but 'cargo culting' has picked up with the simplification of 'getting your code out there'.
This has had the side-effect of getting code belonging to others out there as well -- with only some of it being intentional.
The human element always counts too. We have more people doing the work now than ever. Social engineering is usually the start.
"If you think the Twitter hack was bad, wait until you realize that back in March every company had to suddenly support remote access to their networks/tools virtually overnight"
July 16th, 2020: https://twitter.com/JoeCortopassi/status/1283964945303048193
Are you a security “expert”? It is just like a lay person to have no idea the true complexity of security.
Wherever there is an interface (any contact point whatsoever) there is an opportunity for exploit, be it technology or people or things!
Data breach is only the subset where data is copied out, though this principle applies throughout, and always has in every kind of system!