
I know very little about cyber security in the wild - little Bobby Tables is about my level.

Are these hacks unavoidable, or are they indicative of shoddy IT on the victim's side? There has been a slew of cyberattacks recently and I don't know what to make of it.

If it's kind of like getting burgled - get good home security but a determined burglar will get in anyway - then it's a systemic problem we have to somehow tackle as a society. And if it's shoddy workmanship, again, it would appear so widespread that we have to do something about it.

I'm not passing judgment, just trying to understand.



IMO it's shoddy. Anybody can get hacked, that's true. But a modern corp that has tried to defend itself should have multiple layers of defenses against complete pwnage.

If you've paid attention in the last 10 (or even 5) years as a company, and did some pentests and redteams, you've seen how you could be breached, and you took appropriate steps years ago.

A non-shoddy company will have:

- Hardened their user endpoints with some sort of modern EDR/detection suite.

- Removed credentials from the network shares (really).

- Made sure random employees are not highly privileged.

- Made sure admin privileges are scoped to admin business roles (DBA admin is not admin on webservers, and vice-versa).

- Made sure everyone is using MFA for truly critical actions and resource access.

- Patched their servers.

- Done some pentests.

This won't stop the random tier 2 breach on some workstation or forgotten server still hooked up on prod/testing, but it will stop the compromise _after_ that first step. So sure, hackers will still shitpost some slack channel dumps, but they won't ransomware your whole workstation fleet...
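One of the items in that list, removing credentials from network shares, is something a defender can actually audit rather than just assert. The following is an added example, not code from the thread or from any commenter: a small Python scanner that walks a share directory, flags lines that look like stored secrets (private key headers, AWS-style access key IDs, connection strings with embedded passwords, `password=` assignments), and skips binaries. All file names, contents and patterns are constructed for the example; the `AKIA...EXAMPLE` value is the placeholder key AWS uses in its own documentation.

```python
"""Scan a file share for credential material left in plain text.

Added example (not from the HN thread): walks a directory tree the way a
defender would audit a departmental share, flags lines that look like stored
secrets, and skips binaries. The regexes are illustrative heuristics, not a
complete secret-detection ruleset.
"""
import os
import re
import tempfile
from collections import namedtuple
from pathlib import Path

Finding = namedtuple("Finding", ["path", "line", "kind"])

# Heuristic indicators of a stored secret. Each is a starting point to tune,
# not an exhaustive rule; expect false positives on prose like "password: see vault".
PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "connection_string": re.compile(r"\b\w+://[^\s:/@]+:[^\s@/]+@\S+"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*\S+"),
}

SKIP_SUFFIXES = {".exe", ".dll", ".msi", ".png", ".jpg", ".zip", ".iso"}
MAX_BYTES = 2 * 1024 * 1024  # don't read huge archives/dumps line by line


def scan_text(text, path="<memory>"):
    """Return a Finding for every (line, pattern) hit in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                hits.append(Finding(path, lineno, kind))
    return hits


def scan_file(path, root):
    """Scan one file; returns [] for binaries, oversized files and skipped types."""
    if path.suffix.lower() in SKIP_SUFFIXES or path.stat().st_size > MAX_BYTES:
        return []
    data = path.read_bytes()
    if b"\x00" in data:  # NUL byte: treat as binary, not text
        return []
    rel = path.relative_to(root).as_posix()
    return scan_text(data.decode("utf-8", errors="replace"), rel)


def scan_share(root):
    """Walk root recursively and return findings sorted by path then line."""
    root = Path(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            findings.extend(scan_file(Path(dirpath) / name, root))
    return sorted(findings)


def build_sample_share(root):
    """Create a constructed sample share. Every path and value here is made up
    (the AKIA... key is the placeholder AWS publishes in its documentation)."""
    root = Path(root)
    files = {
        "it/legacy_backup.ps1": r"net use Z: \\fileserver\data /user:CORP\svc_backup password=Winter2019!" + "\n",
        "it/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEow...constructed...\n-----END RSA PRIVATE KEY-----\n",
        "dev/.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nDATABASE_URL=postgres://app:hunter2@db01.internal/app\n",
        "dev/appsettings.json": '{\n  "ConnectionString": "Server=db01;Database=app;User Id=app;Password=s3cr3t"\n}\n',
        "hr/handbook.txt": "Contact the helpdesk to reset your password.\n",  # benign, must not be flagged
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    # A binary blob that happens to contain the word: must be skipped, not flagged.
    (root / "tools").mkdir(exist_ok=True)
    (root / "tools" / "cache.dat").write_bytes(b"password=oops\x00\x00\x01")


def demo():
    """Build the sample share in a temp dir, scan it, and return the findings."""
    root = Path(tempfile.mkdtemp(prefix="share_audit_"))
    build_sample_share(root)
    return scan_share(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}:{f.line}  {f.kind}")
```

Run against a real share, the findings list is the work queue: rotate whatever was exposed, move it into a secrets manager or vault, and re-run on a schedule so the share does not silently refill. The patterns are deliberately loose; tune them per environment and triage hits by hand rather than treating the output as proof of compromise.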


I guess you forgot the most important part: making sure your security and devops teams and people in company management follow exactly the same protocol as everyone else with no exception.

Because big bosses hate it when their PCs don't just let them run whatever they want and they are not allowed to VPN into the network from their home or their grandma's desktop because they like her very much.

Also any Linux nerd sysadmin dude (like me) who knows better is another type of person who hates following rules.


In these times of ransomware, also (off-site) backup / restore / disaster recovery.


There is no system in use by a commercial entity in the world that can stop criminals with ~10 M$ from completely bypassing all of their security and doing arbitrary amounts of damage. If the attackers can on average derive more than 10 M$ of return, then you are guaranteed profitable to hit.

For instance, in the 2023 casino hacks of MGM and Caesars, Caesars paid a ransom of ~15 M$, making them profitable. In the JLR hack, JLR has incurred ~500 M$ of damage to date. These attacks cost less than 10 M$ to create and deploy, guaranteed.

However, most commercial systems are vastly easier to hit than even 10 M$. I would venture that most of these high profile attacks are on the order of merely ~10-100 K$ to actually create and deploy, making them wildly profitable with an ROI in the 10-1000(!) range. And, if you have the choice of spending 100K to get 15 M$ or 10 M$ to get 15 M$, it is pretty obvious who you would prioritize.

It is like the story of two people and the hungry bear. Even if you can not outrun the bear, if you can outrun the other person then the bear will tear you apart second.

So it is both. Everything is shoddy. Some are dramatically more shoddy than others. And the hungry bears are breeding so they can eat all the dodos.


No doubt there are some professional cyber criminal groups like the ones from North Korea, but I seriously doubt that most high-profile attacks even cost $10-100k. I mean you could say that if the salary of a random black hat researcher from Turkey, the ex-USSR or Nigeria was $100,000 / year. But they obviously have no salary whatsoever and are just trying and trying until they finally find a suitable target.

Most likely all that was used is a $50 / month server for nmap and other tools, and a bunch of $3 / month VPNs. Or maybe everything that was needed was $10 for an eSIM and one scam call.

And of course a lot of time of a person who can't get a properly paid job anyway. Obviously maybe only a few people succeed, but in the end each particular attack costs peanuts.


> Are these hacks unavoidable, or are they indicative of shoddy IT on the victim's side?

That's a really good question and one that I've asked (myself) many times. What I can't understand is that on one side you have an IT division that (probably) has a substantial budget, security hardware and software layers, security strategies and probably hundreds of personnel. On the other side you have a group of hackers/crackers who have none of the above, but often succeed. How does that work? Srsly!


The defenders need to score every time to win the game. The attackers only need to score once.



