Well, it's a bit complex. Some businesses, such as Home Depot, decided "We sell hammers" and out of ignorance, fell prey to criminals.
Other businesses calculate, with business rationale, their risks, exposure, loss expectancy per year, value of the information and other values to determine how much to spend to protect their data.
Occasionally, estimation of specific risk is misjudged and a breach occurs with data loss. Moderately often, the risk is properly judged, a breach occurs and it's down to incident response efficiency. Efficient incident response is key to halting the breach before significant harm has occurred.
This is largely science, still partially art. Way back in 1995, I told small- to mid-sized businesses, "You can't keep them out, they're 24/7/365, your office is not. You can only hope to slow them down enough to prevent major damage to your business". That is as true today as it was then.
To add fun to the mixture, the threats are varied. They range from the disgruntled employee, the script kiddie and the more knowledgeable hacker to the Voldemort of adversaries, the "Advanced Persistent Threat" (APT in the profession). Those range from well-funded, experienced cyber-criminals to nation states that use the information for economic or potential military advantage.
Yeah, it gets thick quickly. I started my career in information assurance/information security after retiring from the military. As a reservist, I held down a full-time job, plus my military duties. I've re-invented my career five times in my life outside of the military and several times within the military: as injuries limited operational capabilities, earlier on when a specific missile system was eliminated by a welcome treaty, and when the opportunity arose to experience new fields of operation.
On the civilian side, I've repaired consumer electronics to component level (TVs, VCRs, CD players, DVD players, CD/DVD recorders, etc.). When those became essentially disposable, I moved into an area of interest, computing. I still retain an enterprise-level network in my home. As I relocate, I intend to turn a relatively basic internet network that can "see" the internet into a multi-tiered TLA stack to protect my network as well as I've protected both DoD clients and corporate clients.
I entered into information assurance during DoD contracting time after retiring. I had lower-level experience, wanted to advance, had a clearance, and a DoD contractor wanted a body. They got a body that instinctively knows how to troubleshoot and learns very fast. I became the LAN/WAN shop's "Shell Answer Man", for those who recall that commercial of my youth. Over time, I assumed control of the antivirus server, patch server, web filter and e-mail filter. Shortly after that, an IA position was created (finally, as DoD had had that requirement for three years previous). I became the installation IASO (Information Assurance Security Officer), amusingly, a Major's slot in an Army-centric environment. My career was exclusively enlisted; although I was offered a narrower Warrant Officer position, I declined due to disinterest. Besides, I made more on the civilian side. I still do. I'd continue, but I'd fear for my team; I've had so many injuries, and with osteoarthritis advancing, I retired out of fear that the team would try to protect me.
So, what does it take to fully protect a computer? A network is always at risk, period. If one point sees another, there is risk.
Encase it in concrete after severing or removing all wires, put a depleted uranium case around the concrete, then immerse it in a volcano.
If it can be touched at any time, it is at risk.
Networks that cannot see or "talk" to the internet are still at risk, as PFC Manning demonstrated. Oh wait, Manning is in prison, rightfully so. The Private First Class should've been joined by his company commander, his S2 officer and NCOIC, at a minimum, per US Army regulations. When a service member (or DoD civilian, contractor or government employee) is facing deleterious personnel action, access to classified information is to be immediately curtailed.
Yeah, a lot of people should be in cells next to Manning. But, the Army moves in self-protective ways and protects idiots under the Peter Principle.
Consider what was at stake when Manning and his command staff refused to do their jobs: NIPRnet (the unclassified network that is FOUO (For Official Use Only)), SIPRnet (Secret data only; can't find anything that appears to be the internet, let alone the internet) and JWICS (suffice it to say, Top Secret and Special Compartmentalized Information, the shit of nightmares). Want to know how to build a modern thermonuclear device? There. How to find the POTUS during WWIII? There. Information that would start both WWIII and WWIV? There. More common is really, really boring shit.
Like programming information about an APT malware program that tried to find out how many men's shirts were laundered, or something equally boring, but interesting to an intelligence agency.
I'm going to use the term risk many, many times. What are the risks, hackers?
Only in part.
There is insider risk, where an employee intentionally or unintentionally creates a vulnerability, steals information or even steals assets.
There are external risks, the "hackers", of which there are several varieties: the "script kiddie" of rather limited skills, who uses tools that they download; the regular hacker type, who typically goes for the low-hanging fruit, information left easily obtainable, using well-known vulnerabilities, lousy passwords, etc.; then the "Advanced Persistent Threat", typically well-funded criminal organizations and nation-state actors, to really simplify things.
All capitalize upon vulnerabilities: an unpatched server with known vulnerabilities in its software, loose permissions on files and services, or a vulnerable software platform into which specially crafted traffic can be injected to gain privileged access to the server. Phishing attacks are e-mails crafted to trick a user into clicking a malicious link, opening a malicious file that appears valid, etc. Spear phishing attacks, rather than widely spread attacks, are personalized attacks on key personnel; Facebook is a goldmine for those actors. Watering hole attacks use a compromised website that is utilized heavily by those in the targeted industry or group.
As mentioned before, an inside user can also be a disgruntled employee or one soon to be departing the organization. Think PFC Manning, who knew discharge was pending and sought vengeance. It's an ancient motivation that is well known in the security community, and US Army regulations were ignored: when there is a pending deleterious personnel action, access to classified information is to be withdrawn. In that instance, around a half dozen enlisted and commissioned officers refused to do their jobs and, bluntly, they should be in the cells around PFC Manning.
Vendors and contractors are a risk vector. Home Depot had a contractor in to work on equipment unrelated to the POS system, but the network was shared with the POS system. When the contractor's infected computer plugged into the network, the malware scanned, found and installed itself into the POS system. It is believed that the contractor received the malware via a spear phishing attack.
Follow me below for a "goobered down" version that would likely get you to pass a Security Plus exam. The formulae are not required for the Security Plus exam, but key concepts are all included.
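The loss-expectancy arithmetic mentioned earlier (how much a business should spend against a risk) and the shared-network contractor scenario above, worked through in Python as an added example that is not part of the original post. All asset values, exposure factors and yearly rates are constructed for illustration, not taken from any real breach.

```python
"""Security+ style quantitative risk estimate (added example, not from the post).

Asset values, exposure factors and annual rates of occurrence below are
constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV: what the asset (or the data on it) is worth
    exposure_factor: float  # EF: fraction of AV lost in one incident (0..1)
    aro: float              # ARO: expected incidents per year


def single_loss_expectancy(r: Risk) -> float:
    """SLE = AV * EF: loss from one occurrence."""
    if not 0.0 <= r.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return r.asset_value * r.exposure_factor


def annualized_loss_expectancy(r: Risk) -> float:
    """ALE = SLE * ARO: expected loss per year if nothing changes."""
    return single_loss_expectancy(r) * r.aro


def control_value(before: Risk, after: Risk, annual_control_cost: float) -> float:
    """Net annual benefit of a control: ALE(before) - ALE(after) - cost.

    Positive means the control pays for itself; negative means the business
    would spend more on protection than the risk is expected to cost it.
    """
    return annualized_loss_expectancy(before) - annualized_loss_expectancy(after) - annual_control_cost


# Constructed scenario: a shared network lets a contractor's malware reach the
# POS system. Segmenting the network does not change the asset value, but it
# cuts how often the POS system is expected to be reached (a lower ARO).
POS_UNSEGMENTED = Risk("POS data, shared network", 2_000_000, 0.5, 0.2)
POS_SEGMENTED = Risk("POS data, segmented network", 2_000_000, 0.5, 0.02)


def segmentation_decision(annual_cost: float) -> float:
    """Net yearly value of segmenting the POS network at a given annual cost."""
    return control_value(POS_UNSEGMENTED, POS_SEGMENTED, annual_cost)


if __name__ == "__main__":
    print("ALE before:", annualized_loss_expectancy(POS_UNSEGMENTED))  # 200000.0
    print("ALE after: ", annualized_loss_expectancy(POS_SEGMENTED))    # 20000.0
    print("net value at $50k/yr:", segmentation_decision(50_000))       # 130000.0
```

Changing the annual cost to 200,000 turns the result negative, which is exactly the "spending more to protect the data than it is worth" judgement the post describes.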