by fjfbsufhdvfy 1377 days ago
Seeing these huge companies with practically infinite resources get owned one after another sure makes me wonder if we even have any chance at all to do this correctly in our small business.

Perhaps they just don't care about security?

7 comments

You know, the longer I'm at this, I see more and more effort thrown at developing security and one thing remains the same - you've got a user sitting at a machine with network access and the ability to execute code, and sometimes you can trick that user into executing code. I guess the bigger the company, the more users which means more targets/chances.

For decades I've been told that security through obscurity is no security at all, but in the back of my mind, I think it might be the best thing I've got going for me working at a small place. Though I should say, that's far from being our only security - we do work at it too.

Obscurity, by itself, may be an ineffective security strategy, but it does provide an additional layer on top of other layers of security to improve things, overall. There's a Spafford quote on this, but I'm failing to find it. Let's just pretend it's like what I said, but more eloquent.

The best approach is to assume there's a renegade employee constantly trying to screw the company over. Granularity of permissions should be set to minimize the blast radius to the absolute minimum they need to do their job.

Hell, you should offer an internal bounty to any employee who reports "I got access to something I shouldn't need".

Part of what I do first at any new employer is ask myself the question, "if I wanted to burn all of this to the ground, how would I do it?" I generally don't share the fact that I'm going through this little thought experiment with my management, but it helps triage what's currently "broken", and gives me a clearer focus on what needs to be fixed.

If I'm thinking about it, I can be assured that someone with differing motivations likely already has, or soon will be thinking about the same.

This approach is possible but increases the complexity of your problem by enormous amounts. I know of only a very tiny number of companies that have an active goal of preventing rogue insider threats in a serious way. And the solutions do meaningfully inhibit developer productivity.

The thing about security is that it's perfectly fine to not have it most days. Suddenly, all at once, it's not fine at all. A very large company has an exceptionally bad time and a lot of people are affected.

Small startups and businesses can absolutely get it right. It's usually much easier, with a small number of people and systems involved. You just have to approach it knowing it will take work every day. Some things will be harder than you want them to be. It will be worth it to avoid this kind of stuff.

It's the weakest link problem. Uber can have near perfect security but all it takes is a single one out of 20K+ employees to click on the wrong link, install the wrong app or trust the wrong person and suddenly the entire system is compromised. So in that sense your small business is more secure since there are way fewer possible targets.

>Uber can have near perfect security but all it takes is a single one out of 20K+ employees to click on the wrong link, install the wrong app or trust the wrong person and suddenly the entire system is compromised.

In a well run organization it takes a lot more than that. There were a dozen steps in this exploit chain where it could have been detected and blocked. Likely Uber didn't care about security and their security team lacked both political power and resources.

In this case it took both the one employee out of 20k+ getting tricked and the entire (supposedly world class) engineering org that allowed admin authentication credentials to get hardcoded into a globally accessible PowerShell script exposed on the intranet.
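A defender-side check for the failure the reply above describes (admin credentials hardcoded into a script left on a share), as an added example that is not from this thread: a small Python scanner with heuristic patterns for PowerShell credential literals. The rule names, regexes and the sample script are constructed for this example; a real secret scanner (pre-commit hook or share crawl) would carry a much larger ruleset.

```python
import re
from typing import List, Tuple

# Heuristic rules for credential literals in PowerShell. Each entry is
# (rule name, compiled regex); names are made up for this example.
RULES = [
    ("plaintext-securestring",
     re.compile(r"ConvertTo-SecureString\s+(['\"])[^'\"]{4,}\1\s+-AsPlainText", re.I)),
    ("credential-variable",
     re.compile(r"\$\w*(?:pass|pwd|secret|token|apikey)\w*\s*=\s*(['\"])[^'\"]{4,}\1", re.I)),
    ("password-argument",
     re.compile(r"-(?:Password|Secret|ApiKey)\s+(['\"])[^'\"]{4,}\1", re.I)),
    ("bearer-token",
     re.compile(r"Bearer\s+[A-Za-z0-9._\-]{8,}", re.I)),
]


def find_hardcoded_credentials(script: str) -> List[Tuple[int, str, str]]:
    """Return (line number, rule name, line) for each line that looks like a
    hardcoded credential. Lines that fetch secrets at run time (Get-Credential,
    $env:, a vault lookup) contain no quoted literal and are not flagged."""
    findings = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and full-line comments
        for name, rule in RULES:
            if rule.search(stripped):
                findings.append((lineno, name, stripped))
                break  # one finding per line is enough for triage
    return findings


# Constructed sample: a deploy helper of the kind that ends up on an intranet share.
SAMPLE_SCRIPT = r'''
# deploy.ps1 (constructed sample)
$server = "deploy01.corp.example"
$adminPassword = "Sup3rSecret!"
$sec = ConvertTo-SecureString "Sup3rSecret!" -AsPlainText -Force
Invoke-RestMethod -Uri "https://api.example/v1" -Headers @{ Authorization = "Bearer abc123def456" }
$cred = Get-Credential
$token = $env:DEPLOY_TOKEN
'''

if __name__ == "__main__":
    for lineno, name, text in find_hardcoded_credentials(SAMPLE_SCRIPT):
        print(f"line {lineno}: {name}: {text}")
```

The last two sample lines show the fix the scanner does not flag: prompt for the credential or read it from the environment or a vault at run time instead of embedding it.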

You'll always have one extra layer of security that those companies can't buy... obscurity.

Just don't rely on only that layer, and watch out for oddly quiet individuals named Sam Sepiol.

Yes, you're correct. They don't. And it's pervasive - it's not just Uber, it's the developers of the software Uber writes. Shake out the tree of any Uber service and you'll find that maybe 0.1% of the code is written by someone who cares about security, and maybe 10% of that code was written by someone who knows about security.

Developers do not give a shit. Security is not something they're trained in, interested in, or competent in (though they often think they are).

Security is a couple of people trying to bucket out the water as fast as they can from every sinking ship while developers are taking a piss on the floor and poking holes in the hull.

I think the bar for devs is extraordinarily low and we'll keep seeing this sort of thing until we collectively raise it. Thankfully it seems like, very recently, this is starting to maybe happen. Packages requiring 2FA is the first thing I've seen that seems to indicate that developers are going to have to do the bare minimum for security in order to participate.

Being big means more money and resources, yes, but this also means having more employees, and more assets, i.e. a much bigger attack surface.

Believe it or not, it's much easier to successfully phish a big company where you have an unlimited pool of emails to tap into.

It may be easier for a smaller company to be secure. Usually people are the weakest link.