Over the years of discussing vulnerable conditions and risks, I've come up with three assumptions which help ground the risk assessment in reality:
- If the threat actor has superuser privilege, they can realize the risk. (This one has some caveats; however, exceptions to this rule are so rarely implemented that they are unlikely to matter in any practical case.)
  - This might not apply if you have immutable files.
  - Off-host logging may detect the threat actor.
- If the threat actor has physical access, they can deny availability.
- If the threat actor has unlimited physical access, they can gain superuser. (See Assumption 1.)
This could probably be summed up with a single concept: the Chain of Trust. In this case we are implying that the system's security depends on the superuser's security, and that both the system and the superuser depend on physical security. If you haven't secured this chain of trust, any security established farther along the chain is moot.
I believe Dan Kaminsky's take is, "If you have root, you can get root" (paraphrased). So when doing risk assessments, if at any point you assume the threat actor has compromised something farther back in the Chain of Trust, the rest of the line of reasoning is at issue.
As an example: "If the threat actor pushes the power button on the computer, they could turn it off and shut everything down. Therefore we should lock the power button." This assumes the threat actor has physical access, with which they could just as easily pull the cables out of the computer, hit the emergency power off, or do any number of other things.
Alternately: "The bad guy can run code that can read all memory, so let's encrypt the data in memory." This implies the threat actor already has superuser privileges and so could simply prevent the encryption, read the data before it is encrypted, or copy the encryption key and decrypt it.