by thorwasdfasdf 2510 days ago
I've never understood people who say: "No amount of controls will stop someone truly motivated and skilled". I don't think that's true.

Correct me if I'm wrong, but if there are no holes in the application/web stack to be exploited, then there's no getting in. Right? It's not about hacker/pirate skill. It's about whether or not the target has plugged all their holes.

21 comments

How secure is the source integrity of all your dependencies?

All your software vendors?

How likely are you to get malware on an employee laptop?

Phish employee credentials?

Have somebody sneak into your office late at night and install keyloggers on everyone's keyboards?

Kidnap an employee's family and blackmail them into giving you access?

Go through your recruiting pipeline and join as an employee with the motive to steal your data?

Get two people to do the same and bypass peer review controls?

Of course those are getting outlandish and unlikely, but that depends how "motivated and skilled" your attacker is.

If you’re going against a three letter agency, Israeli or Chinese intelligence, you also have to consider all of your hardware sourcing. They don’t even need to compromise vendors, they just need to intercept a package en route.

Not sure where OP was coming from. It’s virtually impossible to protect yourself against a dedicated advanced persistent threat group.

In the purest, most academic sense of the conversation, yes, it is impossible to comprehensively defend against 0-days, APTs and nation states.

If we want to be pragmatic about the discussion, then it’s all about your threat model. In that sense, OP is right. If you’re a mom and pop shop selling a catalog of hardware, your LAMP stack isn’t going to face the same scrutiny as a “GooFacePayZon”. According to how he defines his threat model, he can call himself ‘secure’.

Software is only one part. Do you trust your hardware, your people, your supply chain, your physical security? "Truly motivated" can mean extreme resources and willingness to cross all boundaries.

Are you secure if your admin's child is kidnapped and the ransom demand is for network access? Are you secure from the Secret Police wanting to hijack your service for their purposes?

Once you accept you CAN'T stop truly all attacks you can be comfortable with acceptable risk and work to mitigate realistic risks.

Yep - this is why you might try to limit pivoting based on an assumption that everything is compromised, you can require coordination from multiple geographies to unlock access to certain highly sensitive resources, you ensure that these protocols aren't published, and above all you follow the New York Times Test: don't type anything that you wouldn't want to see on the front page of the NYT. This requires pride in security at all levels of your organization, and it's something that few organizations outside of the military get right.
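One way to build the "coordination from multiple geographies" control mentioned above is a k-of-n threshold scheme. The following is an added example, not the commenter's own code: Shamir secret sharing over a prime field, with three sites (the site names, the sample key and the 2-of-3 parameters are assumptions) each holding one share of a key that guards a sensitive resource. Any two sites together reconstruct the key; a single site's share is consistent with every possible key, which the `forge_consistent_share` function demonstrates directly.

```python
"""Added example (not from the thread): a k-of-n "geographic" unlock built on
Shamir secret sharing over GF(p).  Each site holds one share of the key that
protects a highly sensitive resource; any `threshold` sites can reconstruct it,
fewer learn nothing.  Site names, the sample key and the 2-of-3 parameters are
assumptions for illustration."""
import secrets

PRIME = (1 << 127) - 1  # field modulus; a Mersenne prime, so arithmetic mod p is cheap


def split_secret(secret: int, threshold: int, shares: int, rng=secrets.randbelow):
    """Return `shares` points (x, f(x)) on a random polynomial f of degree
    threshold-1 with f(0) == secret, evaluated over GF(PRIME)."""
    if not (0 <= secret < PRIME and 1 <= threshold <= shares):
        raise ValueError("bad parameters")
    coeffs = [secret] + [rng(PRIME) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):
        y = 0
        for c in reversed(coeffs):       # Horner's rule
            y = (y * x + c) % PRIME
        points.append((x, y))
    return points


def recover_secret(points):
    """Lagrange-interpolate f(0) from `points` over GF(PRIME)."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret


def forge_consistent_share(share, wanted_secret):
    """For threshold 2: given one real share, build a second point such that
    the pair interpolates to `wanted_secret`.  This is why a lone site learns
    nothing: its share is consistent with every possible key."""
    x1, y1 = share
    x2 = x1 + 1
    # slope of the line through (x1, y1) whose value at x=0 is wanted_secret
    a = (y1 - wanted_secret) * pow(x1, PRIME - 2, PRIME) % PRIME
    return (x2, (wanted_secret + a * x2) % PRIME)


def geo_unlock(key: int, threshold: int = 2):
    """Model the ceremony: three sites (assumed names) each get a share; the key
    is released only when `threshold` distinct sites contribute.  Returns the
    key as recovered by two different site pairs."""
    sites = dict(zip(["eu-west", "us-east", "ap-south"],
                     split_secret(key, threshold, 3)))
    return (recover_secret([sites["eu-west"], sites["us-east"]]),
            recover_secret([sites["us-east"], sites["ap-south"]]))


if __name__ == "__main__":
    k = 0x5EC2E7
    print("both pairs recover the key:", geo_unlock(k) == (k, k))
```

A real key would be converted with `int.from_bytes` before splitting and the shares stored in separate HSMs or vaults per region; the scheme is information-theoretic, so the security argument does not depend on the attacker's compute, only on keeping fewer than `threshold` sites from being coerced at once.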
It boils down to this: if you can access secured data, then someone following the same steps can also access it.

So unless you advocate for no secured data, you are vulnerable to a sufficiently sophisticated attack (i.e. hypnodrones hijack your mind).

I’ve bypassed the man trap for a DC by accident before so I guess I’m good? :)

Can’t remember how I did it but my former coworkers still tell stories about it. Lol.

I am referring to a CIA (confidentiality, integrity, availability) related incident. Less so the availability. If an attacker was truly motivated, the web stack / application stack is not how you compromise the system. The user is how you compromise the system. Do you have proper physical security to prevent unauthorized access? Do you have proper password and 2-factor auth configured? Do you educate your employees on how to identify phishing? There are numerous other ways to compromise a system than remotely via the web or application stack :)
Read up on Microsoft's Assume Breach strategy. A mature organization has to embrace thinking beyond prevention.

https://gallery.technet.microsoft.com/Cloud-Red-Teaming-b837...

>Correct me if I'm wrong, but If there's no holes in the application/web stack to be exploited, then there's no getting in. Right? It's not about hacker/pirate skill. It's about whether or not the target has plugged all their holes or not.

Similarly if a ship is unsinkable the passengers will never drown. Easier said than done.

I think you may be imagining a comprehensive numbered list of exploits. Some products are sold that indicate things like this.

It may be possible to write a software component that is not vulnerable to exploits, but any non-trivial system built of many components will almost certainly be exploitable.

As much as people say they value security, they also value delivery of working software.

Additionally, as others have said, no system is invulnerable from the CIA, NSA, KGB, etc. Someone knows the passwords (or where the passwords are stored) for your system. They may be vulnerable to bribery, blackmail, torture, etc.

Unfortunately it is never that simple. Even if you have things well plugged on your end, other software/services that interact may provide a path. I recall one instance a few years ago where a hacker chained password recovery services together to breach an Apple account by bouncing through Amazon. One of the password recovery methods for Apple at the time was providing the billing address, and at Amazon you could recover a password by providing the full CC# of a card on file. But Amazon also let you add a CC# for an account you weren't logged into, so the hacker got a Visa gift card, added it to the Amazon account of the victim, reset the Amazon password with that CC#, and then used the shipping address in Amazon to recover the Apple account password.

Then there are the security holes that exist and are known about by select groups which they sit on and use for big plays...

The computing stacks for a typical modern corporation are too complex to be able to say with certainty that all the holes are plugged.
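The recovery chain in the comment above, as an added example that is not part of the original post: a toy model of two services whose knowledge-based recovery checks trust data the other service exposes. The service roles follow the comment; the account data, the rules, the attacker's card number and the assumption that the victim's shipping and billing addresses match are all constructed for illustration. The `hardened` flag shows the single control that breaks the chain (no attaching payment methods to an account you are not logged into).

```python
"""Added example, not from the thread: two toy services whose password recovery
trusts attributes the other service leaks.  Names and data are constructed."""
from dataclasses import dataclass, field


@dataclass
class StoreAccount:                 # the "Amazon" role in the comment
    email: str
    password: str
    shipping_address: str
    cards: set = field(default_factory=set)


@dataclass
class CloudAccount:                 # the "Apple" role in the comment
    email: str
    password: str
    billing_address: str


class Store:
    def __init__(self, accounts, allow_unauthenticated_card_add=True):
        self.accounts = {a.email: a for a in accounts}
        self.allow_unauthenticated_card_add = allow_unauthenticated_card_add

    def add_card(self, email, card, session_email=None):
        # Weak rule: anyone who can name the account may attach a card to it.
        if not self.allow_unauthenticated_card_add and session_email != email:
            raise PermissionError("must be logged in to add a payment method")
        self.accounts[email].cards.add(card)

    def recover_password(self, email, card, new_password):
        # Knowledge-based check: "prove ownership with a card number on file".
        acct = self.accounts[email]
        if card not in acct.cards:
            raise PermissionError("card not on file")
        acct.password = new_password
        return acct     # the account page now reveals the shipping address


class Cloud:
    def __init__(self, accounts):
        self.accounts = {a.email: a for a in accounts}

    def recover_password(self, email, billing_address, new_password):
        # Knowledge-based check using an address, which is not a secret.
        acct = self.accounts[email]
        if billing_address != acct.billing_address:
            raise PermissionError("billing address mismatch")
        acct.password = new_password
        return acct


def run_chain(store, cloud, victim_email, attacker_card="4111 1111 1111 1111"):
    """The steps from the comment.  Returns the cloud password the attacker set,
    or None when a control stops the chain."""
    try:
        # 1. attach the attacker's own gift card, without ever logging in
        store.add_card(victim_email, attacker_card)
        # 2. "prove" ownership with that card and reset the store password
        s = store.recover_password(victim_email, attacker_card, "attacker-store-pw")
        # 3. read the shipping address, 4. present it as the cloud billing address
        c = cloud.recover_password(victim_email, s.shipping_address, "attacker-cloud-pw")
        return c.password
    except PermissionError:
        return None


def build_world(hardened=False):
    """Constructed victim; shipping and billing addresses assumed identical."""
    victim = "victim@example.com"
    addr = "1 Example St, Springfield"
    store = Store([StoreAccount(victim, "store-pw", addr)],
                  allow_unauthenticated_card_add=not hardened)
    cloud = Cloud([CloudAccount(victim, "cloud-pw", addr)])
    return store, cloud, victim


if __name__ == "__main__":
    print("weak:", run_chain(*build_world()))
    print("hardened:", run_chain(*build_world(hardened=True)))
```

Note that the hardened variant only closes the entry point; the cloud service's recovery still accepts an address as proof, and addresses are available from many other sources, so the durable fix is to stop treating attributes another party can obtain as authentication secrets at all.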
> Correct me if I'm wrong, but If there's no holes in the application/web stack to be exploited, then there's no getting in. Right?

Right. But there's a saying: "Nothing is unhackable". Therein lies the problem. If you can build an unhackable system you literally can get whatever salary you want, if you can convince someone that such a thing is possible. But I'm pretty sure that'd count as fraud.

Saying "an unhackable system" is like saying "an invincible building".

They both will never exist with the proper 'adversary'.

I'm confused at your reply. Did you think I suggested something might be unhackable? Because I suggested that nothing is unhackable.
> If you can build an unhackable system you literally can get whatever salary you want.

Does it have to be useful?

On a more serious note, similarly to being able to break RSA in ‘little’ time, having that kind of skill would not result in financial wealth but a huge risk to your physical and mental/emotional well-being. Imagine who would come knocking on your door (assuming they won’t straight out abduct you), and trying to tell them no.

> It's about whether or not the target has plugged all their holes or not.

You're not exactly wrong, but you're assuming something that's impossible. How do you know where all the holes are? You (I'm using the generic you here, as though speaking to a CIO) cannot even inventory all the net-connected software and hardware you own, and even if you could the list would be out of date in 24 hours. But let's say you had that fictional inventory. How do you find its vulnerabilities? You might be able to design an automated process to look at your source code and match against the CVE database. Whoops! You don't have source code for most of your resources because they're proprietary and came from outside vendors. So maybe you look at object code. There are tools that do that. Whoops! A lot of the code is in ROM and you cannot extract it. Even if you could extract all your object code and analyze it against CVEs (which you can't), that's only going to catch known vulnerabilities. What about the unknown ones?

Oh and now we have to talk about all the stuff that's not net-connected which is vulnerable to employees plugging in USB drives...

So no, you can't know where all the holes are so there's no way to patch them all. This doesn't mean security is impossible. It just means there's no such thing as perfect security and there are no magic bullets. Security is a necessary, expensive, and mostly boring part of any company's day-to-day business operations, like, say, accounting and the legal department. But that's not quite right, because most of your employees probably don't need to know much about accounting or the law. But they do need to understand the basics of safe computer use, so ongoing training should be a fat budget line item.

Anyway security is a process, not a thing you can just buy a little of from a vendor. You ignore the security process at your peril.

Good luck patching all the humans that work at, or with, your organization.
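The inventory-versus-advisory matching the comment above describes, as an added example that is not part of the original post: a small matcher that compares an asset inventory against advisories with affected-version ranges, and separately reports assets that cannot be assessed because no version is recoverable (firmware in ROM, vendor blobs). The inventory rows, advisory entries and their identifiers are constructed; it finds only known issues, which is exactly the limit the comment points out.

```python
"""Added example, not from the thread: match an asset inventory against a list
of advisories with version ranges, reporting both hits and assets that cannot be
assessed at all.  All rows, advisories and ids below are constructed."""
from typing import List, NamedTuple, Optional


class Advisory(NamedTuple):
    package: str
    introduced: str      # first affected version (inclusive)
    fixed: str           # first fixed version (exclusive); "" means no fix yet
    vuln_id: str         # constructed identifier, not a real CVE


def parse_version(v: str):
    """'1.2.10' -> (1, 2, 10): compare numerically, not as strings, or
    1.2.10 sorts before 1.2.9 and a patched host is reported as vulnerable."""
    return tuple(int(p) for p in v.split("."))


def is_affected(version: str, adv: Advisory) -> bool:
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed == "" or v < parse_version(adv.fixed)


def assess(inventory: List[dict], advisories: List[Advisory]):
    """inventory rows: {'host', 'package', 'version'}; version may be None when
    the asset is a blob whose version cannot be extracted.  Returns
    (findings, unassessable)."""
    by_pkg = {}
    for adv in advisories:
        by_pkg.setdefault(adv.package, []).append(adv)
    findings, unassessable = [], []
    for row in inventory:
        if row["version"] is None:
            unassessable.append(row)          # cannot be matched against anything
            continue
        for adv in by_pkg.get(row["package"], []):
            if is_affected(row["version"], adv):
                findings.append((row["host"], row["package"], row["version"], adv.vuln_id))
    return findings, unassessable


# Constructed sample data.
SAMPLE_ADVISORIES = [
    Advisory("libfoo", "1.0.0", "1.2.9", "EXAMPLE-0001"),
    Advisory("webapp", "2.0.0", "", "EXAMPLE-0002"),        # no fix released
]
SAMPLE_INVENTORY = [
    {"host": "web-1", "package": "libfoo", "version": "1.2.3"},    # affected
    {"host": "web-2", "package": "libfoo", "version": "1.2.10"},   # patched (>= 1.2.9)
    {"host": "app-1", "package": "webapp", "version": "2.3.0"},    # affected, unfixed
    {"host": "cam-7", "package": "camera-fw", "version": None},    # ROM blob, unknown
]


if __name__ == "__main__":
    hits, unknown = assess(SAMPLE_INVENTORY, SAMPLE_ADVISORIES)
    for h in hits:
        print("VULNERABLE", *h)
    for u in unknown:
        print("UNASSESSABLE", u["host"], u["package"])
```

The `unassessable` list is the honest part of the report: it is the set of assets for which "are the holes plugged?" has no answer, and in practice it is the list that stays long.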
There is no plugging all of the holes. Not in a general case. It's like the halting problem (it's technically equivalent) - maybe you can say for one program there are no holes, but not for arbitrary programs, for arbitrary definitions of holes.

This is Rice's theorem.

More practically, you can simply assume that for an arbitrary program of 'reasonable size' with a moving codebase there are effectively infinite exploitable vulnerabilities.

They'll just rubber-hose your teenage son until you give it up. I'd certainly give up a database password before I'd let my son get beaten by Bin Laden.

Or if they're not SuperMicro, then you'll buy hardware with a https://en.wikipedia.org/wiki/The_Thing_(listening_device) in it

Two problems with that - knowing about all of your holes, and whether or not they are plugged, is impossible. Second, many breaches don’t even involve holes in your web app stack. Low tech attacks like phishing and malicious attachments are remarkably effective to get a foothold into a network.
I guess the stack itself is probably so deep and wide generally that the attack surface goes on and on. More than anything though, humans. Staff can be exploited easier than anything else in a lot of cases (I'd wager, not my area of expertise).
Not right. There are ALWAYS holes - it's the nature of software, hardware, and humans.
Please, share with us your application stack that has no holes.
How about: “No amount of controls will stop someone truly motivated, skilled, and lucky.”
Yes, "someone truly motivated and skilled" is a useless statement.

The bar can be raised quite high.

A hacker needs only one hole. The security pro has to plug all of them. It's a rigged game that inevitably costs disproportionately.
Hereabouts, banks adopted new procedures after some incidents involving staff's families being kidnapped.