What is currently driving corporate security practices is insurance. As attacks become more common and more devastating, insurance becomes both more necessary and harder to get. Insurance companies are demanding ever greater audits and measures in order to get insured.
The market is actually doing what it's supposed to in this case even if it is reactionary. All hope is not lost.
The insurance side isn’t preventing or mitigating these attacks though. The audits and compliance requirements are convoluted systems focused on establishing fault and blame, presumably so claims may be denied.
Even in these “secure” environments the bar is still remarkably low.
I listened to a podcast recently (most likely Planet Money) talking about essentially malpractice insurance for police departments. For those municipalities that are too small to self-insure for cases that go to court for things like wrongful death, they need to get a policy. What was interesting is that it followed one of these municipalities with a chief that was trying to turn around the department in terms of over-aggressive policing and was having a really hard time of it. Then a neighboring municipality got hit with a major judgement against it and their insurance went through the roof. Suddenly there was very strong monetary incentive to not end up like them and it became easier to get officers to change their behavior.
To your point, one of the things they talked about was that it was also in the insurance company’s interest to give tips to help lower the risk of major litigation. I tend to be similarly cynical in terms of fault and blame, but I wonder if policies related to cyber security will have similar incentives to help secure things as judgements get bigger in this space too.
The Cylons sent a humanoid sleeper agent to seduce the designer of their new intelligent battle software for their spaceships; he gave her root access since she demonstrated remarkable coding skills (she was a Cylon) and she inserted the necessary backdoors.
Indeed, I think the BSG analogy is a good sci-fi warning about the outcomes of moving away from heterogeneous systems.
Environments engineered with multiple failsafes, defense in depth, avoidance of SPOFs (including hardware models, manufacturers, chipsets, OSes, web servers, etc.) will be very difficult to fully penetrate and should be able to survive attacks.
Of course none of the above is cheap or fast to do, so it usually doesn't get done.
I've been reading her since her book "Twitter and Tear Gas" and I don't think there's a journalist alive today who synthesizes information across such a broad range and with such clarity and attention to nuance as Zeynep.
"Currently, only about one fourth of gas stations in North Carolina (where I am) are reporting that they have any gas." But this was mainly because of panic buying. The pipeline shutdown alone didn't suffice to cause the shortage.
But there are a lot of average persons. If a whole bunch of average persons start buying up gas or toilet paper, or withdrawing money from the bank, all at the same time (the key point being at the same time, relatively speaking), the gas station, store or bank will be out of product/service very soon. I'd imagine, on a given day, only a small fraction of car owners in a particular vicinity fill their tanks.
Supposing that the average person has half a tank of gas, is there enough supply for everyone to fill up on the same day? It doesn't seem unreasonable for the situation to be a combination of reduced supply and increased demand.
Also consider where the shortages are occurring: in sprawling, rural and exurban areas where the last-mile infrastructure is likely exceptionally thin; that is, much less able to handle surges. It's not just computer and car manufacturers that optimize for "on-demand inventory"--i.e. cut carry costs to the bone, sacrificing volatility resilience.
In hindsight, I'm starting to think that fixing the Y2K bugs was a mistake. Or maybe we shouldn't have fixed all of them. Let a few ATMs and electric plants shut down to remind us what could have happened. As it is, we ended up complacent because nothing happened when those Chicken Littles said Y2K was going to cause problems.
One of my clients was hit with a ransomware attack on their website.
It was a WordPress website, and I got an email that the website was down. I visited the website and saw the ransom, something something pay us in bitcoin.
I had been using their backup services for a long time, so it took me three minutes to create a new server and import the data and the site was down for no longer than 10 minutes.
I changed the users' passwords and had virtually forgotten about it. I was reminded about it a few weeks later, when a user asked why the password was changed.
Hugely interconnected IT systems are a little more complicated to restore from backup than a WordPress site. Especially since you need to disconnect everything, restore and ensure _nothing_ has been missed, then reconnect everything; otherwise any remaining infected devices could just lead to it all happening again. This is all more complicated when those systems are driving actual real-world mechanisms and business processes.
As far as I know they have backups and are working on restoring from them.
Keeping spare parts (backups) is good. But there's a difference between pulling your bicycle into the garage and replacing the inner tube, and trying to rebuild your car from scratch while you're doing 60mph down the freeway.