Right, I'm familiar with the hack. My point is Target almost certainly didn't decide that the HVAC firm could be trusted to have access to the credit terminals - the fact that they had access was the result of poor security design, not Target's threat model.

I've often found poor security designs justified by many of the arguments in this thread that it's unreasonable to treat everything as a threat.

They know it's a bad design but doesn't matter because the threat is too improbable. Until it isn't :p

It's the everything always part of the argument that's unreasonable. You realise that that's impossible? You can't vet and control the whole stack. And, if you could, it would be prohibitively expensive.

For certain use cases, it is not cost prohibitive. Take defense or banking…

I’ve been in meetings where executives have said precisely this and I have tried to gently nudge them towards defense in depth.

Ok fair. I see the lack of simple things like segmented vlans as a lack of a threat model entirely. They trusted them implicitly, not explicitly, through their clear incompetence. Perhaps that’s better?

I think we are mostly in agreement.