Tuesday, November 3, 2020

A Simple Analogy

Many technically competent people with whom I speak persist in the belief that online communications (web pages, email, VPNs) are secure. They are of course right... and wrong, depending upon several issues. Here's an analogy which either is original with me, or bears repeating if I've stolen it.

Imagine a tin can telephone system; that's our network analogy. There's a sending point, a point of reception and a communications route (an encrypted tunnel, in our properly configured case). The tunnel is the part where the people who assume a secure state are right. That encryption will prove really hard to crack. While anything can be defeated in theory, modern big-key systems approach practical uncrackability at current levels of technology.

But the tunnel is only the middle point of this three-point system. There are also the transmission and reception points (the cans), which sit with the sender and the receiver of the message. The devices at those two points are where almost all questions of maintenance reside. In banking, the reception end is most often the institution, where InfoTech people are hired specifically to keep the nodes, servers, systems, switches, etc. properly configured, patched and monitored. You'd naturally expect the problem to be at the other end of this financial communication: the customer doing his banking (and personal social media stuff, email, shopping, census response, tax filing, etc.) on the same desktop on which his son plays online games. Antivirus? Too expensive! All bets are off where that PC is concerned.

And if there's a transaction involving a very careful user (you or me, maybe using a sacrificial VM on which to communicate in a paranoid mood) but a questionable receiving end (a local or county/tribal government agency), then there's either a management issue, a budgetary problem or something else to consider. So the two endpoints can be a problem even in the era of easy encryption. BUT there are two additional considerations beyond the current state of the endpoints.

First, there's the future state of the endpoints. Even if all config checks, patching, firewalling etc. have been done, what about tomorrow? Zero-day hits? New patches? New knowledge base releases prior to patches? New releases of software keys or default passwords on the dark channels? What if the cracker doesn't enter the network via the PC we're scrutinizing but via the router, or a webcam, or a web-enabled Barbie or GI Joe toy? Or the smart TV? Or the audio streaming section of the stereo receiver? According to Leftronic, 127 new IoT devices connect to the web every second, meaning that the load on networks increases steadily.

And second, there's data creation. If previous data, copies, emails, messages, other communications, login states or anything else is piling up on one end of the pipe regarding the person or organization at the other end of the pipe, then I (as a nasty actor) might be very interested in sneaking into some storage location and dd'ing all that stuff for later analysis. And it could be a relatively slow and quiet hack, since any intrusion detection regime would probably be more interested in the live network than in HDDs sitting around half-idle. And speculatively, perhaps I could use the stolen items now... or sell them later.

So there are several points at which to consider issues: the sending point, the tunnel (the transmission path), the receiving point, patching/monitoring/version issues for all of those points, and data creation.

Oh. I forgot backups... and encryption for the backups, and parking the backups at a location NOT ON THE PRIMARY NETWORK WITH EVERYTHING ELSE. But then everybody forgets all that.