Unless you have been living under a rock for the past few days, you probably have heard about some big changes Google has made regarding an attack on its infrastructure. Here is what we know:

First, the Who and What: Google detected a coordinated attempt by Chinese entities to compromise the accounts of Chinese dissidents. David Drummond, Google’s chief counsel, said, “A primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists.” According to George Kurtz at McAfee, the attacks were part of a large-scale, well-organized operation called Aurora. As a result, Google has stopped censoring its search results in China, and has considered pulling out of the country entirely.

Second, the How: as this story has played out, a second wave of stories emerged about the attack vectors. Microsoft has released a bulletin stating that a zero-day exploit in Internet Explorer 6 and higher was the attack vector. McAfee's George Kurtz confirms that IE 7 and 8 vulnerabilities were used. iDefense speculated that PDF-phishing may have been a vector too. But it has not been shown definitively to be an attack vector yet.

Third, the attacks were not just about dissidents. The attacks appeared to be part of a coordinated campaign that targeted the intellectual property of a wide swath of the US industrial base, including Dow Chemical, Symantec, Yahoo!, Northrop Grumman, and Juniper Networks.

Fourth, many affected parties are collaborating on the investigation and post-mortem analysis. Google, Adobe, Microsoft, McAfee, and others are all sharing information about the attack. No doubt the FBI and agencies are in the mix, too.

There are many things we still do not know, and many details are still emerging. The identities of the balance of the 30+ companies that were attacked remain a mystery, although I have some calls in with some companies I think might have been hit.
That said, we know enough to form some conclusions. Here is "What It Means" for enterprises:

The threat landscape has not changed; but our perception of it has. Mikko Hypponen — who never misses an opportunity to chase an ambulance when he hears one coming — gets it right when he says that “This wasn’t in my opinion ground-breaking as an attack. We see this fairly regularly.” Targeted zero-day attacks are routine, particularly against government agencies and in the aerospace and defense sectors. What is new is that we are now seeing headlines about it. Companies were spilling credit card numbers and SSNs long before it became headline fodder. And so it is with this class of attack, too.

The attack will spur more collaboration between the US private and public sectors. Dispassionate observers will recall reports in the news from last year about large-scale industrial attacks against the US government and critical infrastructure. If these more recent attacks against private companies are also felt to be coming from similar sources (the PRC government, PLA red teams etc.), it won't take a genius to start connecting the dots. A formal public/private attack data sharing program, with generous safe-harbor exemptions, would be a good start. Re-invigorating the ISACs would be another.

Multinationals will see the need to pay more attention to protecting their secrets, not just the “toxic data” like PII or PHI. Our most recent annual IT security survey, which we are busy analyzing, shows that “compliance” (big-C compliance like PCI and HIPAA, and little-C compliance with security policies) is the motor that drives security budgets in large corporations. Enterprises have gotten used to the idea that they need full-disk encryption and DLP to keep toxic customer and payment data from spilling.
But two-thirds of the value of the information enterprises protect resides in the secrets they keep that confer long-term competitive advantage. Google’s admission that they lost some of their secrets in this hack shows that securing trade secrets deserves just as much attention as the toxic stuff.

Relying on one browser is a liability. As we have seen, this attack succeeded because of flaws in Internet Explorer. Browsers are complex pieces of software. By one measure, Firefox is 2.5 million lines of code. By contrast, the Apache web server is just one-tenth of the size, at less than 300,000 lines of code. Who knows how big IE is? Certainly, it is several million lines of code at least. Complex systems fail complexly, which is why browsers continue to be favored targets for zero-days. In this day and age, it is shameful that I still see many corporations (including Forrester) whose business processes rely on web page formats and ActiveX controls that chain them to a specific browser. It should not be that way. Enterprises should strive to deploy web-based applications that are browser-independent; when one browser is targeted, enterprises can mitigate their risk by switching.

Humans remain the weak link. I spoke with a contact at an aerospace company who knew something about the Adobe PDF attacks. He was surprised that good old-fashioned phishing attacks still work. “This kind of stuff is driving the defense contractors nuts. They should know better, and yet, they are still affected.” It bears repeating, one more time: attachments from strangers are bad. CISOs should dust off their social engineering playbooks and do some internal phishing testing on their employees to make sure their staffs get the message.

The best thing enterprises can do now is examine their security program to make sure that it includes a healthy, balanced diet of controls that protect both toxic data and secrets.
I describe what enterprises should consider in my recent report Selecting Data Protection Technologies.

As always, I welcome your comments.