
Good. Also, don't hire good devs, only hire the cheap ones in India.

Money saved can be paid to these providers. That way, the money stays in the US. A 10k IQ move that no one will understand.

/s of course



It's to a degree orthogonal to the devs you hire, as a well-resourced APT will be able to penetrate any org regardless of the quality of developers an org hires.


Any org? Would, for example, openai be included in your definition of "any org"?

Look, "in principle" stuff is not how the real world works. AFAIK, hacks happen mostly because of carelessness. No one cares because no one cares if they care (and the compensations etc. reflect that). I know enough such cases in fintech (forget about other verticals), which are mostly stupid, like wrong RBAC, an open firewall, AWS keys taken by a roommate, etc., and not public of course.


Foreign governments are almost certainly trying to insert intelligence agents as employees in OpenAI, and other high profile technology companies. We already know that Saudi intelligence infiltrated Twitter. There are likely many other such agents in other companies.

https://www.nbcnews.com/tech/security/former-twitter-employe...

There are certain security measures which can minimize insider threats. But ultimately it's just hard to guard against agents who are willing to commit felonies in order to carry out their missions. Even defense industry companies which have tight security over classified information have been repeatedly penetrated.


The Saudis gave a pile of cash to Musk so they likely have their own Room 641A now. No need for subterfuge.


Yes. Any org. A few million dollars guarantees you unrestricted access to any network-connected system.

The upper bound of security is unable to make attacks with a $10M return unprofitable. Raising the lower bar just raises the barrier to entry for new participants; it does not stop existing ones.

Most attacks do use basic techniques, since a $10M payout on a $10K cost is still better than a $10M payout on a $1M cost. No point wasting the good stuff when the basic and cheap stuff works just as well. But if you get rid of all the cheap ways in, they will still attack using the more expensive stuff, since the payout is still wildly profitable.


I'd like to see evidence of this. Because it seems unrealistic, even for a well-protected org? OK, say the employees are the weak link. What about those with zero trust access policies?


My knowledge derives from personal experience, but if you want digestible evidence you can go read the books: “Click Here to Kill Everybody” by well known cryptographer Bruce Schneier or “This Is How They Tell Me The World Ends” by the lead cybersecurity reporter of the New York Times, Nicole Perlroth.


I mean Okta was breached, Mandiant was breached; it doesn't get more protected than those.


Almost 90% of breaches start with an email, so the code your developers write has very little to do with the primary attack vector. You have to realize that a well-resourced APT like, say, APT-29 actually runs research labs where, among other things, they test their exploits against all top-tier endpoint security solutions. So if you are a target of a well-resourced group, they are going to get in.


Inevitably the cause of the breach will be something like an open firewall.


70% of security vulnerabilities in code are memory safety issues. However, the vast majority of in-the-wild attacks were not against security vulnerabilities but against people. No technology can protect you from someone giving out the secret keys to the attacker.


Just false, if you look at most of the ransomware cases for example. This whole fixation on "human layer security" has done more harm to cybersecurity than many actually malicious things. Wasting your money and resources on training Karen from HR to spot 20% more phishing emails yields exactly the results you'd think it does.

I hope we can get out of that nonsense and tackle cyber issues with actual technological investments as it should and can be done.


The only part of what you said that disagrees with me is the words "just false". I don't know how to ensure "Karen from HR" doesn't fall for those things, but training is clearly not enough (or at least current training; I'm not hopeful for future efforts, but...). Either way, since the attack wasn't against something a programming language can protect against, no amount of fixing programming languages will help.

We need to come up with answers that work despite humans not being perfect. This is a hard problem. (What gets hard is that sometimes someone will lose/forget a key, and so you need to issue a replacement, but only to the correct person.)


I wrote a different reply initially, but I think we agree after all, and I misinterpreted your original post.


The technology solution here is not allowing Karen from HR to have a password at all and instead using something like Yubikey + FIDO, which can't be phished.
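
To make concrete why the FIDO credential mentioned in the comment above resists phishing, here is an added example, not from the thread or any commenter, of the relying-party (RP) check in Go using only the standard library's ECDSA. It simulates both the security key and the WebAuthn server; the domains example.com and example-com.evil, the challenge bytes, and the names PhishingDemo, authenticatorGet and verifyAssertion are all invented for the illustration. The point it shows: the key never signs the server's challenge alone. It signs the hash of the RP ID and the browser-supplied origin, so an assertion obtained on a look-alike domain fails the server's origin and rpIdHash checks, and splicing genuine-looking metadata onto that assertion breaks the signature instead.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// clientData mirrors the CollectedClientData the browser serialises into clientDataJSON. The browser, not the page, fills in Origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the RP receives back from navigator.credentials.get().
type assertion struct {
	AuthenticatorData []byte // rpIdHash(32) || flags(1) || signCount(4)
	ClientDataJSON    []byte
	Signature         []byte // ES256 over SHA-256(AuthenticatorData || SHA-256(ClientDataJSON))
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signedDigest is the message hash both sides use for the ES256 signature.
func signedDigest(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// authenticatorGet simulates browser + security key. rpID and origin come from the page the browser is really on,
// so a look-alike domain only ever gets assertions bound to its own RP ID and origin. (A real key would also refuse
// an RP ID it holds no credential for; we sign anyway so the RP-side rejection is what you see.)
func authenticatorGet(priv *ecdsa.PrivateKey, rpID, origin string, challenge []byte) assertion {
	cdJSON, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: b64(challenge), Origin: origin}) // cannot fail for this struct
	rpIDHash := sha256.Sum256([]byte(rpID))
	authData := append(rpIDHash[:], 0x01, 0x00, 0x00, 0x00, 0x01) // flags: user present; sign counter = 1
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cdJSON))
	if err != nil {
		panic(err) // not reachable with a valid key and crypto/rand
	}
	return assertion{AuthenticatorData: authData, ClientDataJSON: cdJSON, Signature: sig}
}

// verifyAssertion is the RP check. Challenge (anti-replay), origin (the browser's view of the site) and rpIdHash
// (the scope the key was minted for) all sit under one signature, which is what makes the credential unphishable.
func verifyAssertion(pub *ecdsa.PublicKey, rpID, origin string, challenge []byte, a assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil || cd.Type != "webauthn.get" || cd.Challenge != b64(challenge) {
		return fmt.Errorf("malformed clientData, wrong ceremony type, or stale challenge (replay?)")
	}
	if cd.Origin != origin {
		return fmt.Errorf("origin %q is not %q: assertion was signed on a phishing page", cd.Origin, origin)
	}
	want := sha256.Sum256([]byte(rpID))
	if len(a.AuthenticatorData) < 37 || a.AuthenticatorData[32]&0x01 == 0 {
		return fmt.Errorf("malformed authenticatorData or user presence not asserted")
	}
	if !bytes.Equal(a.AuthenticatorData[:32], want[:]) {
		return fmt.Errorf("rpIdHash mismatch: credential is scoped to another RP ID")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(a.AuthenticatorData, a.ClientDataJSON), a.Signature) {
		return fmt.Errorf("signature does not cover this clientDataJSON/authenticatorData")
	}
	return nil
}

// PhishingDemo runs three login ceremonies against the RP for example.com and returns each verification result
// (nil = accepted): a genuine login, one relayed through a look-alike domain, and that one with spliced metadata.
func PhishingDemo() (legit, phished, tampered error) {
	const rpID, origin = "example.com", "https://login.example.com"
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	challenge := make([]byte, 32)
	rand.Read(challenge) // constructed per-login nonce issued by the RP
	// 1. Genuine: the browser is on login.example.com.
	a := authenticatorGet(priv, rpID, origin, challenge)
	legit = verifyAssertion(&priv.PublicKey, rpID, origin, challenge, a)
	// 2. Phished: login.example-com.evil relays the real challenge, but the browser binds the assertion to the evil RP ID/origin.
	p := authenticatorGet(priv, "example-com.evil", "https://login.example-com.evil", challenge)
	phished = verifyAssertion(&priv.PublicKey, rpID, origin, challenge, p)
	// 3. Tampered: the attacker presents genuine-looking authenticatorData and clientDataJSON with the phished signature.
	t := assertion{AuthenticatorData: a.AuthenticatorData, ClientDataJSON: a.ClientDataJSON, Signature: p.Signature}
	tampered = verifyAssertion(&priv.PublicKey, rpID, origin, challenge, t)
	return legit, phished, tampered
}

func main() {
	legit, phished, tampered := PhishingDemo()
	fmt.Printf("genuine: %v\nphished: %v\ntampered: %v\n", legit, phished, tampered)
}
```

Run it with `go run`; PhishingDemo returns nil for the genuine login and a non-nil error for the other two. A production verifier additionally looks up the registered public key by credential ID and enforces a monotonically increasing sign counter; those steps are outside what this example is meant to show, and none of it helps with the recovery workflow discussed below.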


Which is great until someone who might or might not really be "Karen from HR" says they lost their Yubikey and needs a new one. This workflow must exist, but it is generally easy for an attacker to get authenticated by that system.


That is a significantly higher barrier than phishing.


Often the point of phishing is to get enough info to fool that system.


There's no evidence that this attack was due to poor UHG developer quality. It appears to have been an infrastructure security vulnerability in the Change Healthcare business unit, which UHG acquired just last year.


> It appears to have been an infrastructure security vulnerability in the Change Healthcare business unit

UHG developers would be responsible for the infrastructure right? And wouldn't Change have been brought under the UHG network?


I worked in healthcare tech for 10 years.

I would bet my life savings UHG developers pleaded with management for years to get the resources they desperately need to resolve these problems, but management ignored every request because it didn't have any external impact.

Management in healthcare tech is composed entirely of some of the most mind-boggling idiots on Earth, whose only qualification might be being an adult, since their ability to read, write, and comprehend information is universally worse than a child's. This is without exception, in my experience.


Step one: ask for resources until you stop getting them

Step two: avoid all accountability for anything that ever happens as the resources offered to you are finite


Putting the braindead straw man aside:

The systems built were designed for a business that evolved, and the assumptions and constraints changed in a way that sometimes requires redoing things. This can be as simple as an assumption about how sales will be acquiring new clients, and how those new clients affect overall system scalability. If there's a long pipeline of feature requests and sales supersedes product managers on roadmaps, doing the necessary work to scale the systems is going to be deprioritized to a point where anything other than downtime is acceptable from a business standpoint. Sales are made on features being built, not on an impending doom that has yet to happen. This extends to other aspects of systems, like security.


No, developers aren't responsible for infrastructure. Most large enterprises have separate specialized positions for sysadmin, networking, storage, firewalls, etc.


I've never seen a person with those titles. On the cloud we are all just developers.


Pretty sure they aim to outsource 70% going forward so this isn’t as clever a joke as you would hope.



