I cringe each time I hear the oft-repeated declarations that “every company will be compromised” and that “it isn’t a matter of if, but when.” These statements are the basis of the FUD-driven (fear, uncertainty and doubt) cyber-sales machine. What is closer to the truth is that Internet-connected systems have a high probability of being subject to a targeted or opportunistic attack, inadvertent exposure, or malicious subversion. However, it is (and I stress) not inevitable that the attacker will be successful. Motivation, work factor, evasion capabilities, resiliency and, sometimes, luck all play a part. Threat modeling can be used to understand these factors and influence the outcome.