It used to be said “It’s not a matter of if you will be hacked.  It’s when.”  But, now it has progressed to “What?”

In other words it was not a question of whether or not you would be hacked, it was given you would be.  The real question was just when was it going to happen.  But, now that question is no longer operative.  The information security community is generally conceding that you have been hacked whether you know it or not.

NOT IF, BUT WHAT!
They now are most concerned about answering what.  Critical enterprise @ risk questions arise:

• What has been lost?
• What information has been exfiltrated?
• What was the vulnerability that led to the breach?
• What was done to maintain access in the event that the breach was discovered?
• What needs to be done to eliminate the vulnerability that allowed for entry?
• What needs to be done to clean up any backdoor entry points that may have been installed?

MANDIANT THREAT TRENDS REPORT
Mandiant had some startling and depressing statistics in their 2013 Threat Trends Report.  Their report is based on data gathered from their clients that used Mandiant to respond to security breaches in 2012.  Here’s some of the frightening statistics:

• 37% of those breaches were discovered by their clients.  That means that companies learned from others about breaches to their systems twice as often as they detected it themselves.
• 42% of the companies found out about the breach when a law enforcement agency notified them.  That means that cops detected their breaches more often than they did.
• Mean time to discover a breach was 243 days.  That’s a lot of time for the attackers to do their damage undetected and unimpeded.  Mandiant also found that once you are a target you will remain a target.
• 38% of their clients for 2012 were the victims of repeat attacks.

SO WHAT DOES THIS MEAN TO YOU?
What does this mean for your enterprise?  Simply, access rights management, constant intrusion detection and rapid incident response are mandatory to ensure the security of its information assets.  Traditionally, information security has been focused on maintaining a strong security parimeter.  But, that is no longer sufficient.  There are too many ways past a firewall no matter how well it is configured or strong its rule set.

SO WHAT SHOULD YOU DO?
First:  Properly classify your information assets and establish appropriate access controls.  This means more than just protecting your intellectual property or your customer’s confidential information.  It means protecting the information that allows an attacker to traverse your networks as well as you.  These include network documentation, organization charts, systems documentation and VPN configuration files.

Second:  Strengthen your intrusion detection capabilities with the target of being able to detect an attack in real time.  Can you detect the simple things such as when an individual connects from two different IP addresses at the same time?  Or from a region of the world they never travel to?  If not, you probably will not be able to detect the more sophisticated attacks either.

Third:  Finally, put in place an effective incident response program.  Preparing for a breach is vital for an effective response.  Know what you are going to do before you have to do it.  Are you going to prosecute the hacker?  Are you going to notify any law enforcement agencies?  Do you even know who to contact?  Will you have to make a public announcement of the breach?  Will you immediately shut down the breach or will you watch it to determine the full extent of the access including hidden backdoors that the attacker has?  These are just a few of a raft of questions that you need to ask and have answers for in order to be well prepared for the inevitable breach.

Hard Lesson Learned:  It’s not if.  It’s not when.  The question is what?  What is the intrusion’s impact and what will you do in response to ensure your organization’s security?