Like others here are saying, you can never be 100% sure. But that doesn’t mean there’s nothing you can do.
If you’re worried about the impact to your broader organization (which is what most of the sophisticated threats tend to target), you should think about risk mitigation through the Swiss Cheese defense model. Each system is inevitably going to have holes, but layering them on top of one another will incrementally improve your coverage.
For instance:
- Your team should be trained about phishing attacks. But inevitably some will get through, so…
- You should implement 2FA in case a password is compromised. But a threat actor may be able to capture a 2FA-passed SSO session token, so…
- Production access should be limited to a small number of individuals. But even they might get compromised, so…
- You should programmatically rotate credentials to make old leaked credentials useless. But a newer one might be captured, so…
- Data should be sufficiently encrypted at rest and in transit, and…
- Your team should have an incident management system and culture in place to quickly respond to customer-reported incidents and escalate them to the right level and…
- Audit logs should be tracked to understand the blast radius in case of compromise
- and so forth
When you look at incidents like CircleCI and LastPass, a good security organization will understand that there was more than just one point of failure and should talk in detail about how they are shoring up each level.
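As an added illustration of two of the layers above (credential rotation and audit logs for blast radius), here is a small Python script that is not from the thread or from any named vendor: it replays a constructed JSON-lines audit log, takes a credential known to be leaked at a given time, and reports what that credential touched between the leak and its rotation, what it was denied (where least privilege held), and whether any use after rotation still succeeded. The log format, field names, credential IDs and timestamps are all assumptions made up for the example.

```python
"""Blast-radius estimate from audit logs after a credential leak.

Added example, not code from the thread. Each audit line is assumed to be a
JSON object with ts, principal, credential_id, action, resource, result.
Given a credential leaked at leaked_at and rotated at rotated_at, the script
lists everything the credential did in that window and checks that the old
credential was useless afterwards (the point of programmatic rotation).
"""
import json
from datetime import datetime, timezone

# Constructed sample audit log (not real data). cred-A1 is the leaked
# credential; cred-B2 is its replacement issued at rotation time.
AUDIT_LOG = """\
{"ts":"2024-05-01T09:58:00Z","principal":"deploy-bot","credential_id":"cred-A1","action":"s3:GetObject","resource":"artifacts/build-1.tgz","result":"allow"}
{"ts":"2024-05-01T10:02:00Z","principal":"deploy-bot","credential_id":"cred-A1","action":"s3:ListBucket","resource":"customer-exports","result":"allow"}
{"ts":"2024-05-01T10:03:10Z","principal":"deploy-bot","credential_id":"cred-A1","action":"s3:GetObject","resource":"customer-exports/2024-04.csv","result":"allow"}
{"ts":"2024-05-01T10:05:00Z","principal":"deploy-bot","credential_id":"cred-A1","action":"iam:CreateAccessKey","resource":"user/deploy-bot","result":"deny"}
{"ts":"2024-05-01T10:15:00Z","principal":"deploy-bot","credential_id":"cred-B2","action":"s3:GetObject","resource":"artifacts/build-2.tgz","result":"allow"}
{"ts":"2024-05-01T10:20:00Z","principal":"deploy-bot","credential_id":"cred-A1","action":"s3:GetObject","resource":"customer-exports/2024-03.csv","result":"deny"}
"""


def parse_ts(s):
    """ISO-8601 timestamp with a trailing Z -> timezone-aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Parse JSON-lines audit records, converting ts to datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = parse_ts(event["ts"])
        events.append(event)
    return events


def blast_radius(events, credential_id, leaked_at, rotated_at):
    """Summarise what a leaked credential did between leak and rotation.

    touched: (action, resource) pairs the credential was allowed to perform
             in the exposure window, i.e. what an attacker could have reached.
    denied_in_window: attempts that policy blocked (least privilege working).
    attempts_after_rotation: uses of the old credential after rotation.
    rotation_effective: True if every post-rotation attempt was denied
             (vacuously True when there were none).
    """
    touched = set()
    denied = set()
    after_rotation = []
    for e in events:
        if e["credential_id"] != credential_id:
            continue
        key = (e["action"], e["resource"])
        if leaked_at <= e["ts"] < rotated_at:
            (touched if e["result"] == "allow" else denied).add(key)
        elif e["ts"] >= rotated_at:
            after_rotation.append(e)
    return {
        "touched": sorted(touched),
        "denied_in_window": sorted(denied),
        "attempts_after_rotation": len(after_rotation),
        "rotation_effective": all(e["result"] == "deny" for e in after_rotation),
    }


if __name__ == "__main__":
    # Scenario: cred-A1 leaked at 10:00Z, rotated out at 10:10Z.
    report = blast_radius(
        parse_log(AUDIT_LOG),
        "cred-A1",
        parse_ts("2024-05-01T10:00:00Z"),
        parse_ts("2024-05-01T10:10:00Z"),
    )
    for k, v in report.items():
        print(f"{k}: {v}")
```

Two things the output makes visible that the list above only states: the exposure window is bounded by rotation, so shorter rotation intervals directly shrink the "touched" set, and a denied privileged action inside the window (here the attempt to mint a new access key) is the least-privilege layer catching what the rotation layer could not. A real deployment would read the events from the provider's audit trail instead of an inline string, but the window logic is the same.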
Exactly this. Security is more about defense-in-depth, incident response and recovery planning.
Personally, I assume the hardware is already compromised and plan for recovery accordingly, starting with the worst-case scenario. Then, I ask myself "If this thing isn't compromised yet, how can I help it stay so?", starting probably with the network access, through firmware, all the way to the browser.