by umvi 2738 days ago
And I'm sure you believe Iran should've taken more reasonable measures to prevent Stuxnet? Securing yourself against script kiddies is one thing, but against a nation? Good luck.
3 comments

Stuxnet involved multiple 0-day exploits which state sponsors can afford to buy and deploy against even low level companies if they see fit.

Not sure how on earth people expect companies to defend against that.

Use secure devices, development practices, and so on. They've all existed since the 1980s on the market. IBM itself invented some of it in form of Fagan Inspections, VDM methodology, Cleanroom Software Engineering for low-defect development, a CPU that blocked leaks that violated a security policy, and a smartcard OS (Caernarvon) done by Karger et al to high-assurance standards. They could've afforded to use Ada, SPARK, and/or static analysis for protection by default from tons of 0-days. They had their own language, PL/S, with some protections. They instead of McAfee could've acquired Secure Computing Corporation or some other company if they wanted this expertise early plus some products with it. Boeing's SNS server, which has no public hacks in 20-30 years, used the LOCK platform from SCC. There are small, new companies using lightweight, formal methods on kernels, protocols, and VPNs. One- to four-person groups in CompSci do the same thing regularly. IBM has even more developers.

You mentioned Cisco in another comment. Why buy Cisco if their stuff is known to be insecure or not proven secure? If not knowing high-security, I'd consider genua just cuz they use OpenBSD at the core. There were two others using INTEGRITY RTOS, one Sentinel's HYDRA and another discontinued, with both having few buyers. There's still going to be attacks but way less of them, choking attackers further year after year. Hell, even leaks in CPUs were found from 1992-1995 using these same methods as LOCK et al in VAX VMM. We knew then, with companies and security folks just ignoring them because those high-performance, lower-cost CPUs let us do some awesome stuff, right?

We're not getting hit because of ridiculous resources opponents put into 0-days: we're getting hit because of ridiculous resources put into known-insecure components and methods after people with those resources ignore stuff that works, often letting it die off. Totally different problem. When phrased that way, one starts thinking maybe they should be regulated to use what works or liable for some of these decisions for ignoring what works and using what's high-risk. I favor regulation after seeing positive results in TCSEC and DO-178B markets in terms of assurance activities.

Companies can defend against that through layered defense in depth and limiting the attack surface area.
Well done. You've solved the security challenge of our generation.

And all it took was meaningless buzzwords which almost all enterprise companies at least do already. It doesn't make one iota of difference when your vendor equipment or services are compromised.

Limit the attack surface all you want, there's still an attack surface, and state-based actors are highly motivated to put extreme pressure on these. It's nearly axiomatic that there is no perfect security, and to expect a company to defend against all attacks from organizations whose cyber warfare budget exceeds the company's gross revenue is unreasonable.
Uh yeah, they should have. Random USB sticks (which is how Stuxnet bridged the air gap) are banned for a reason in every secure site I've heard of.
Agreed. Financial institutions I've worked at have blocked unapproved USB devices at a domain level. Want that special keyboard or mouse? Got to have approval. Want to connect your iPod/phone for anything beyond charging? Hell no. Attach a USB mass storage device? Likely be walked out the door fired before you get approval.

Edit: spelling.

Those bans started happening en masse pretty much as a result of Stuxnet. Before that, many places had policies that were lax or non-existent.
Not sure this is true. Every company at scale I've worked at has had policies banning unapproved USB devices since the early 2000s. It's usually smaller companies that are more susceptible to this, because they don't have the infrastructure.
Really? Maybe it's just a bit of selection bias (not yours) that I didn't see it at the places I came into contact with.
Maybe it is selection bias. Most of my career has been spent in industries sensitive to trade theft (finance, industrial manufacturing). Not sure how difficult it is to do on Linux, but if you're administering a Windows domain, disabling unapproved USB devices can easily be done via group policies.
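One way the Windows-domain control mentioned above is expressed, as an added example that is not part of the thread: the registry-backed values behind the relevant Group Policy settings, read back for an audit and set locally for a test machine. The hardware IDs are constructed placeholders; in production the same values arrive through a GPO rather than a local script.

```powershell
# Added example, not from the thread: audit (and, for a lab box, apply) the two
# Group Policy settings behind a "deny unapproved USB devices" posture. In a domain
# these arrive via GPO; the registry paths below are where Windows stores them.
$RemovableKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$InstallKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$ApprovedHardwareIds = @(
    'USB\VID_0000&PID_0001',  # constructed placeholder: the approved keyboard model
    'USB\VID_0000&PID_0002'   # constructed placeholder: the approved mouse model
)

function Get-UsbPolicyState {
    # Missing values mean "Not Configured" in GPO terms.
    $denyAll = (Get-ItemProperty -Path $RemovableKey -Name Deny_All `
        -ErrorAction SilentlyContinue).Deny_All
    $denyUnspecified = (Get-ItemProperty -Path $InstallKey -Name DenyUnspecified `
        -ErrorAction SilentlyContinue).DenyUnspecified
    $allowList = @()
    if (Test-Path "$InstallKey\AllowDeviceIDs") {
        $k = Get-Item "$InstallKey\AllowDeviceIDs"
        $allowList = $k.GetValueNames() | ForEach-Object { $k.GetValue($_) }
    }
    [pscustomobject]@{
        RemovableStorageDenied = ($denyAll -eq 1)          # no USB mass storage at all
        UnlistedDevicesDenied  = ($denyUnspecified -eq 1)  # allowlist is enforced
        AllowedHardwareIds     = $allowList
    }
}

function Set-UsbPolicy {
    # Requires elevation. GPO equivalents (Computer Configuration > Policies >
    # Administrative Templates > System):
    #   Removable Storage Access > "All Removable Storage classes: Deny all access"
    #   Device Installation > Device Installation Restrictions >
    #     "Allow installation of devices that match any of these device IDs" (list)
    #     "Prevent installation of devices not described by other policy settings"
    New-Item -Path $RemovableKey -Force | Out-Null
    Set-ItemProperty -Path $RemovableKey -Name Deny_All -Value 1 -Type DWord
    New-Item -Path "$InstallKey\AllowDeviceIDs" -Force | Out-Null
    Set-ItemProperty -Path $InstallKey -Name AllowDeviceIDs -Value 1 -Type DWord
    Set-ItemProperty -Path $InstallKey -Name DenyUnspecified -Value 1 -Type DWord
    $i = 1
    foreach ($id in $ApprovedHardwareIds) {
        # Values are named "1", "2", ... and hold one hardware ID each.
        Set-ItemProperty -Path "$InstallKey\AllowDeviceIDs" -Name $i -Value $id -Type String
        $i++
    }
}

Get-UsbPolicyState | Format-List
```

Run `Get-UsbPolicyState` on a domain member to confirm the GPO actually landed; an empty allowlist with `UnlistedDevicesDenied` true blocks every new USB device, including the approved keyboard.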
Nah, I personally know that some secure sites were banning them at least as early as 2006.
That's well and good, but existing and future clients should still be aware. The clients might decide that other service providers would be just as vulnerable, but they should not be kept in the dark.