While listening to a webcast this morning, I heard the speaker mention

There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked.

He credited Cisco CEO John Chambers but didn't provide any source. I could think of two possible antecedents. I confirmed my memory and would like to present what I found here.

John Chambers did indeed offer the previous quote, in a January 2015 post for the World Economic Forum titled What does the Internet of Everything mean for security? Unfortunately, neither Mr Chambers nor the person who likely wrote the article for him decided to credit the author of this quote.

Before providing proper credit for this quote, we need to decide what the quote actually says. As noted in this October 2015 article by Frank Johnson titled Are there really only “two kinds of enterprises”?, there are really (at least) two versions of this quote:

A popular meme in the information security industry is, “There are only two types of companies: those that know they’ve been compromised, and those that don’t know.”

And the second is like unto it: “There are only two kinds of companies: those that have been hacked, and those that will be.”

We see that the first is a version of what Mr Chambers said.

The first version, 2-KNOW, can be easily traced and credited to Dmitri Alperovitch. He stated this proposition as part of the publicity around his Shady RAT report, written while he worked at McAfee. For example, this 3 August 2011 story by Ars Technica, Operation Shady RAT: five-year hack attack hit 14 countries, quotes Dmitri in the following:

So widespread are the attacks that Dmitri Alperovitch, McAfee Vice President of Threat Research, said that the only companies not at risk are those who have nothing worth taking, and that of the world's biggest firms, there are just two kinds: those that know they've been compromised, and those that still haven't realized they've been compromised.

Dmitri used slightly different language in this popular Vanity Fair article from September 2011, titled Enter the Cyber-Dragon:

Dmitri Alperovitch, who discovered Operation Shady rat, draws a stark lesson: “There are only two types of companies-those that know they’ve been compromised, and those that don’t know. If you have anything that may be valuable to a competitor, you will be targeted, and almost certainly compromised.”

No doubt former FBI Director Mueller read this report (and probably spoke with Dmitri). He delivered a speech at RSA on 1 March 2012 that introduced question 2-BE into the lexicon, plus a little more:

For it is no longer a question of “if,” but “when” and “how often.” I am convinced that there are only two types of companies: those that have been hacked and those that will be.

And even they are converging into one category: companies that have been hacked and will be hacked again.

Here we see Mr Mueller morphing Dmitri's quote, 2-KNOW, into the second, 2-BE. He also introduced a third variant - "companies that have been hacked and will be hacked again." Let's call this version 2-AGAIN.

The very beginning of Mr Mueller's quote is surely a play on Kevin Mandia's long-term commitment to the inevitability of compromise. However, as far as I could find, Kevin did not use the "two companies" language. One article that mentions version 2-KNOW and Kevin is this December 2014 Ars Technica article titled “Unprecedented” cyberattack no excuse for Sony breach, pros say.