by threeseed 2734 days ago
As someone who has been involved in corporate security where we had a state-sponsored attack, your position is simply uninformed.

Almost all companies simply do not have the capabilities to defend against state-sponsored attacks and are already taking reasonable measures to prevent and mitigate. When you have undisclosed exploits being used against third-party vendor hardware to attack the company, what can you reasonably do?


Mm. Perhaps I should have been a little more explicit. I never meant to imply any business should be able to handle a nation-state attack. That's not feasible.

It doesn't mean they get to clean their hands of the whole thing either. They failed, and that's fine as long as they weren't being negligent. But they are still responsible for doing what they can to minimize the damage. That means, for one, informing those impacted about what is known.

So, just to be super explicit. I don't expect a business to withstand a nation-state attack. I do however expect them to do what they can to minimize the damage afterwards.

There's a possibility to decide what could be done by the company without saying they're completely responsible, or that they couldn't do anything.

In this case it was spearphishing infected .docs. If corp security can't deal with that, they've got bigger problems.

Is it really so that even a company cannot protect itself against a state-sponsored attack? I am asking sincerely: is it really the state of IT security today? I mean, it is somewhat clear that since Snowden we all know that we could not even dream up in our nightmares how far the NSA is going. But I was thinking that since then at least companies with strategic data had started to work on protection.

If what you are saying is reality, what consequences can it have, and what legal recourse can a client (corporation or private) expect in such cases? Who can be held responsible if sensitive data disappears? Does it need a new type of contract when subscribing to a service?

Imagine an undeclared cyber war broke out. Out of curiosity, how 'far' from being able to defend themselves are most serious companies? If they had 3 months to prepare, do they save themselves from getting breached without going offline?

I don't believe you. Some companies may not have the capabilities to defend against state-sponsored attacks today, but that's only because their executives have chosen to be willfully ignorant and not devote sufficient resources to the problem. There's a whole industry of consultants and outsourcing services which provide exactly this capability. All you have to do is write a check.
Show me who I need to write a check to defend against a 0-day exploit that was used against Cisco networking equipment. Which in turn was used to compromise security mechanisms within the company.

Oh wait, you can't. Which is why we had to turn to our government intelligence services to provide assistance.

So stop pretending like companies can defend against state sponsors who are buying 0-days for $100k+ like it's candy.

The NSA certified the Boeing SNS Server and BAE Systems XTS-400 as stuff they couldn't hack at that point. They're used as guards to protect secrets on classified sites from attacks on the Internet side. There have been no published hacks of those systems for almost 30 years. You could try to see if you can buy them. I linked to descriptions of some of those products here:

https://lobste.rs/s/o6x9b3/tech_s_masturbatory_historiograph...

I described what I learned about how high-assurance security builds stuff here:

https://pastebin.com/y3PufJ0V

As I often said, compare anything from the security market advertised as secure against the stuff on that list. If they're missing something, they're probably insecure. Now, I'm still not saying you can stop nation states and all 0-days. I am saying that most of the $100k 0-days are preventable with architectures like the above, with apps in safe languages and guards separating trusted things from untrusted things. Ada has also been around a long time, with Rust getting popular now.

What makes most companies not use stuff like that isn't that level of security being unachievable: they just don't want to for management's reasons which range from arbitrary to sound practices in a profit-focused environment.

> All you have to do is write a check.

"I don't believe you." You can't just change the organization, culture, and procedures of a company just by throwing money at consultants.

That's like saying a big family can solve their feuds and mental illnesses just by writing a check to a team of group therapists and lawyers.

Defense from foreign attacks is one of the main reasons for the federal government to even exist. You can blame the victims all you want, but diplomatic and military defense is still the government's responsibility.

Even small nation states have a hard time defending against the larger ones. It is, as you correctly identify, merely a matter of writing a larger check, but the amount on that check is so much larger than what is feasible that even the largest nation states find themselves routinely hacked.

Security is hard. So hard that no matter what amount of money you spend you will still be vulnerable, but maybe a bit less so. There are no absolutes in this.