Someone recently asked me how often an enterprise might expect to be attacked.
Attacks are no longer something that happens now and then; they are constant. An hour without an attack is an hour your network connection was down. This is sometimes known as the "Advanced Persistent Threat" (APT). Shortly after APT was declassified, someone gave a lecture about it at Usenix LISA. You can watch it here. (Note: I found some of what he revealed to be disturbing.)
I think the person meant how often an enterprise might expect a successful attack.
That's an entirely different matter.
Knowing about APT is one thing. What does it mean to you and me? To me it means that the following things are no longer "would be nice" but are required:
- virus scanners on all machines (even servers)
- virus scanners must update automatically and silently, with no user confirmation.
- a way to verify that virus scanners aren't disabled and/or flag any machines that haven't updated in X days.
- OS patches must be automated and, for critical security fixes, performed without user confirmation. (If you admin Mac OS X, try Munki)
- email filters (anti-virus, anti-spam) centralized; you can't trust each individual machine to filter on its own. Do it on the server, or before mail reaches your server.
- firewalls in front of external servers, not just in front of the enterprise
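The third and fourth items above (verify that scanners aren't disabled, flag machines that haven't updated in X days, and keep OS patching current) boil down to a compliance check over whatever inventory your endpoint-management tool exports. The following is an added example of such a check, not code from the original post; the record layout, host names and dates are constructed assumptions, and the thresholds (3 days for definitions, 30 for patches) are placeholders you would set for your own environment.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed inventory export (hypothetical hosts; the record layout is an
# assumption, not any particular product's format). Dates are ISO yyyy-mm-dd;
# None means the management agent has never reported that value.
INVENTORY = [
    {"host": "ws-01",     "av_enabled": True,  "av_defs_updated": "2011-03-14", "last_patched": "2011-03-01"},
    {"host": "ws-02",     "av_enabled": True,  "av_defs_updated": "2011-03-05", "last_patched": "2011-03-01"},
    {"host": "srv-db",    "av_enabled": False, "av_defs_updated": "2011-03-14", "last_patched": "2011-03-12"},
    {"host": "ws-03",     "av_enabled": True,  "av_defs_updated": "2011-03-15", "last_patched": "2011-01-20"},
    {"host": "laptop-07", "av_enabled": True,  "av_defs_updated": None,         "last_patched": "2011-03-12"},
]

# The moment the check runs; fixed here so the example is reproducible.
AS_OF = datetime(2011, 3, 15)


@dataclass(frozen=True)
class Finding:
    host: str
    reason: str


def age_days(stamp, as_of):
    """Days between an ISO date string and as_of; None if the value was never reported."""
    if stamp is None:
        return None
    return (as_of - datetime.strptime(stamp, "%Y-%m-%d")).days


def check_inventory(records, as_of=AS_OF, max_def_age_days=3, max_patch_age_days=30):
    """Return one Finding per policy violation. A host with several problems
    produces several findings, so nothing is hidden behind a single flag."""
    findings = []
    for r in records:
        host = r["host"]

        # Item 3a: the scanner must actually be running.
        if not r["av_enabled"]:
            findings.append(Finding(host, "virus scanner disabled"))

        # Item 3b: definitions must have updated within X days. A host that has
        # never reported an update is treated as non-compliant, not as unknown.
        defs_age = age_days(r["av_defs_updated"], as_of)
        if defs_age is None:
            findings.append(Finding(host, "no definition update ever reported"))
        elif defs_age > max_def_age_days:
            findings.append(Finding(host, f"definitions {defs_age} days old (limit {max_def_age_days})"))

        # Item 4: OS patching must be current, with the same never-reported rule.
        patch_age = age_days(r["last_patched"], as_of)
        if patch_age is None:
            findings.append(Finding(host, "no patch run ever reported"))
        elif patch_age > max_patch_age_days:
            findings.append(Finding(host, f"last patched {patch_age} days ago (limit {max_patch_age_days})"))
    return findings


def flagged_hosts(findings):
    """Distinct hosts with at least one finding, sorted for stable reporting."""
    return sorted({f.host for f in findings})


if __name__ == "__main__":
    for f in check_inventory(INVENTORY):
        print(f"{f.host}: {f.reason}")
```

Treating a missing value as a violation rather than skipping it is the important design choice: an agent that has stopped reporting looks exactly like a machine whose scanner was turned off, and both belong on the same list.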
Lastly, the belief that "I won't be attacked, I don't have anything valuable" has to come to an end (and has been coming to one for a while). The fact that you have CPU to exploit or bandwidth to consume is valuable to attackers.
My 6-point list seems long but I bet it isn't long enough. What would you add?