[TheColorYellow]

I don't think this is relevant. Even on-prem "air gapped" networks get breached. I would say it happens on as frequent a basis as any other network tbh. Microsoft hacks get headlines because Microsoft is a public company; there are lots of undisclosed breaches happening out there.

Security vulnerabilities come from the same place they always have. Where IO happens, where transactions happen, and where an operating system does a lot of work. How attackers get to these points, what happens when they do, and then how the system reacts when a malicious event occurs are the factors that matter.

In today's world of complex technologies, I have yet to meet a single organization that is invulnerable to these threats. I've seen a lot of organizations limit damage, patch vulnerabilities, and generally manage their risk profile effectively - but losses are a part of the business.

IMO, the only thing that will really make a difference is when we have technologies that are sufficient enough to male the user more resilient. Only then can we have a truly safer web.

[hobs]

Citation extremely needed.

I have worked at 20+ companies and the ones that had little to no security got ransomwared at LEAST yearly (with 50m+ in revenues) and the ones that had basic and standard security practices got zero network wide intrusions (at least at lower then say, a nation state level.)

Now, COULD they have been exploited with an 0day? Sure, in theory these networks could be both exploited with the same technology or by a dedicated actor likely without an issue - they're internet connected corporate networks mostly with probably out of date tech; and in practice most attacks corporations need to mitigate are the drive by trash that consumers also face.

[Wowfunhappy]

> I would say it happens on as frequent a basis as any other network tbh.

...really?

I find this extremely hard to believe on its face. Sure an attacker can infect a system via a USB drive, but they need to get physically close to the victim (at least at one point in time). That both dramatically decreases the number of possible attackers and increases their personal risk.

It also becomes far more difficult for an attacker to exfiltrate any data.

[TeMPOraL]

Exfil may be tricky if the system is actually airgapped - I take GP's use of scare quotes to mean that most systems are "airgapped" by means of software-enforced security policies, which should correctly be referred to as "not airgapped".

As for the attack method, there's always the good ol' "flash drive found on a parking lot" vector.

[Wowfunhappy]

> As for the attack method, there's always the good ol' "flash drive found on a parking lot" vector.

Right, which requires the attacker to be physically near the parking lot at some point! That decreases the number of possible attackers by several orders of magnitude at least.

> Exfil may be tricky if the system is actually airgapped - I take GP's use of scare quotes to mean that most systems are "airgapped" by means of software-enforced security policies, which should correctly be referred to as "not airgapped".

Ah, that makes more sense! I do think tpmoney was quite clearly talking about truly airgapped systems, however.

[tpmoney]

> Ah, that makes more sense! I do think tpmoney was quite clearly talking about truly airgapped systems, however.

Very much so. My point being that a truly air gapped system is objectively more secure than one that is networked, and yet, a bank or social network company that only operates with truly air gapped systems will be strictly worse off than their competitors in their actual business of banking or social networking. And so since their actual job is not objectively better cyber security, but banking or social networking, then they are inherently at a disadvantage compared to Attackers whose business IS attacking (or at one step removed, selling the resources obtained from attacking). In the name of making their business better, Defenders will chose weaker security, and attackers will chose stronger attacks.

[cutemonster]

Yeah, GP is sort of saying that seat belts are pointless since traffic fatalities can happen anyway

[tpmoney]

My point is that the vulnerable points, regardless of where they come from, are ultimately there because the purpose of the Defender is not to have perfect cyber security, but to use computers and technology to enable business. Or as you said, "losses are a part of the business"; and that's so because "the business" isn't cyber security.

[awkward]

If this is true, big if, it’s because air gapping doesn’t happen without a specific threat model in mind. Think of the airplane with red dots.

[lifeisstillgood]

I’m sorry but I really really really want some citations here - a network that has VPNs, LANs at multiple locations is as vulnerable as a single location that uses air-gapped computers passing say usb sticks around to share say git repos.

I am not sure I would enjoy working at the second place but I would really hope we weren’t an easy target

[chalst]

Viruses that infect USB devices can compromise systems based on air gaps.

Cf. eg., https://www.schneier.com/blog/archives/2013/10/air_gaps.html and https://www.schneier.com/blog/archives/2020/05/ramsey_malwar...

[t-3]

It's been shown many times that people will pick up random USB devices from anywhere and plug them into any computer without thinking. Airgapping just stops the automated scans and stuff that was already being stopped. Defence is reactive, so the momentum and advantage is always on the attacker side, and stopping the lazy ones doesn't do anything to stop the real threats.

[cutemonster]

People die in car crashes although they have seat belts, it's been shown many times, so seat belts doesn't do anything to stop the real danger.

[t-3]

The costs of seatbelts are already built in to the car. The cost of airgapping is not. The sheer inconvenience and limiting of the potential employee pool would put it far out of budget for anyone but governments or very large corporations doing very sensitive work, and even in those cases it would be on a site-by-site basis, not org-wide.

[cutemonster]

> The cost of ... far out of budget ...

Yes maybe, but now you changed the topic and started talking about money and how expensive things are. Have a nice day anyway