
The vast majority of adversaries are incompetent or unmotivated. It's why breaches don't happen daily.

Look at it this way: If you get a pentest, you will immediately discover there were glaring security flaws that an attacker could have used to get into your network. This isn't true in every case, but for example I can count on one hand the number of companies I didn't get at least an XSS against.

I had no magic. I'm just a guy using Burp suite, working together with someone else using Burp suite. When two talented people work together to break your stuff, they pull out rabbits that nobody knew existed. Especially when they've been doing it full time every day for a year.

I'm sure black hats have talented people at their disposal. But they are selective. Launching a real operation against a US target is risky unless you live in Russia or work in China's army. And while it's valuable for Russian black hats to swipe Equifax's PII, other data troves typically aren't valuable enough to target.

To put it another way, if Russians got into Facebook, so what? They'd get everyone's sultry private messages. Yet Facebook cares more about security than almost anyone else. That's why it's almost impossible to swipe their data.

The vast majority of companies are in the "If Russians got in, it doesn't really matter; also we don't care" category. These are the mom and dad shops that use duct tape and glue for their payment processing. Above this are our companies: If Russians got in, it would be a minor disaster, but we care about preventing it. Except usually we don't care enough to put down $40k.

Then you have companies like Equifax. The worst of both worlds: They weren't careful enough with their security, and it was an unprecedented disaster when someone got in.

Yet even here, it's unclear how much this unprecedented disaster is going to materially harm people. Will those 140M SSNs show up on the black market for sale? Who will pay for them, and how much? (Hopefully it will be posted in full, in clear text, so we can all switch away from the stupid SSN system we've been relying on.)

So when it's a combination of not too valuable to attack you, very costly to improve your defenses, and not too harmful if you screw up, you get the present world: ~everybody is vulnerable, but few companies care enough to pay more than lip service. Why would they? Even if they lost everyone's data tomorrow, it would be little more than egg on their face.

This situation is changing, slowly. If the diff between 2008 and 2018 is like 2018 to 2028, we will be in excellent shape. But we have to avoid falling into traps like mandating regulation at every company, or sending people to prison. Those are tempting but misguided efforts: regulation would reduce the effectiveness of pentests, and sending people to prison will cause security breaches never to be reported.

It will be hard, particularly when the world reacts like this: https://i.imgur.com/g01f9vV.png But companies like Apple are paving the way forward. Even if they help no other companies, they are proof that security really can work at scale. The trick is to make it not cost Apple's resources to get remotely close to their security posture.

(I hate to pick on Russians specifically, but they have no extradition treaty with the US. It's uncontroversial to point out that many black hat attempts originate from there.)



It sounds more like, according to your thinking, these companies aren't compromised because they don't have anything that valuable.

I don't know... I think companies get penetrated often and are not aware. Or when they do know, they don't tell the public.


Facebook cares about security because there is something else at stake. Their trade secrets to start with avoiding being front run. But people will still care if they believe Facebook was not safe even if it's for superficial things.



