There are many quotes, and we have endured many breaches in the last year and a half:
FBI Director James Comey interview (from October 2014) http://www.cbsnews.com/news/fbi-director-james-comey-on-threat-of-isis-cybercrime/
“James Comey: When someone sends you an email, they are knocking on your door. And when you open the attachment, without looking through the peephole to see who it is, you just opened the door and let a stranger into your life, where everything you care about is.
Scott Pelley: And what might that attachment do?
James Comey: Well, take over the computer, lock the computer, and then demand a ransom payment before it would unlock. Steal images from your system of your children or your, you know, or steal your banking information, take your entire life.”
The obvious conclusion: assume the wolf is already in the chicken coop… or, in our terms, that the hacker is already in your network.
And this is very likely, as malware is easy to obtain, and once it runs it calls home to its command and control (C2) server.
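One concrete way to act on "assume the attacker is already inside" is to look for that call-home traffic. The following is an added example, not code from the original post: it runs a simple beacon check over a few constructed proxy log lines (the four-column log format, the host names and the IP addresses are all assumptions made for illustration) and flags source/destination pairs that connect at suspiciously regular intervals, which is what C2 beaconing looks like next to ordinary, irregular browsing.

```python
"""Beacon detection over constructed proxy log lines.

Assumption: each line is "<ISO timestamp> <src_ip> <dst_host> <bytes>".
This is an illustrative format, not any specific product's log schema.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: host 10.0.0.5 calls out to the same destination
# roughly every 60 seconds (a few seconds of jitter), which is what C2
# beaconing looks like; the 10.0.0.7 lines are ordinary, irregular browsing.
SAMPLE_LOG = """\
2016-03-01T09:00:00 10.0.0.5 updates.example-cdn.net 512
2016-03-01T09:00:07 10.0.0.7 news.example.com 18234
2016-03-01T09:01:01 10.0.0.5 updates.example-cdn.net 498
2016-03-01T09:01:44 10.0.0.7 mail.example.com 2210
2016-03-01T09:01:59 10.0.0.5 updates.example-cdn.net 530
2016-03-01T09:03:00 10.0.0.5 updates.example-cdn.net 501
2016-03-01T09:03:21 10.0.0.7 news.example.com 9876
2016-03-01T09:04:00 10.0.0.5 updates.example-cdn.net 515
2016-03-01T09:05:01 10.0.0.5 updates.example-cdn.net 509
2016-03-01T09:07:45 10.0.0.7 news.example.com 33012
"""


def parse_log(text):
    """Yield (timestamp, src, dst, bytes) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            size = int(parts[3])
        except ValueError:
            continue
        yield ts, parts[1], parts[2], size


def find_beacons(text, min_hits=5, max_cv=0.1):
    """Return {(src, dst): mean_interval_seconds} for pairs whose
    inter-connection gaps are suspiciously regular.

    min_hits: minimum connections before a pair is judged at all.
    max_cv:   maximum coefficient of variation (stdev / mean) of the
              gaps; real beacons cluster near 0, human browsing does not.
    """
    times = defaultdict(list)
    for ts, src, dst, _ in parse_log(text):
        times[(src, dst)].append(ts)

    beacons = {}
    for pair, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_cv:
            beacons[pair] = avg
    return beacons


if __name__ == "__main__":
    for (src, dst), interval in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {src} -> {dst} every ~{interval:.0f}s")
```

Real beacons add jitter and sleep multipliers, so in production you would tune `max_cv` and `min_hits` per environment and combine this with destination reputation and byte-count regularity rather than rely on timing alone; the point here is that "assume breach" translates into a concrete, testable question about your own logs.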
So if you still have not moved to a next-generation firewall (NGFW), there is no excuse. How many breaches will it take for you to get the message? Do you actually have to be breached yourself before acting?
There are methods of testing networks and systems to make sure there are no mistakes. You can’t afford _any_ mistakes; we must have a Six Sigma network with regard to security.
In its standard definition Six Sigma allows 3.4 defects per million opportunities (99.99966% defect-free); the shorthand used here is six 9’s, .999999 accurate, which is essentially 100%. But even a .999999 fault-free network still allows 1 error in 1 million (1000000 * .999999 = 999999 good, so 1 fault), and in security that one fault is one intrusion.
http://oversitesentry.com/risk-management-does-not-work/ Risk management has failed us (Feb 4 post)
That is the level of accuracy we need now: Six Sigma security.
(image from www.simplilearn.com)
And the only way to achieve it is with testing, testing, and more testing.