If you've been to the airport a few times over the last decade, and your mind thinks in that slightly different way mine does, you have undoubtedly noticed something curious. Right after the tragic events of September 11th, 2001, things got a little crazy at the airports. Over the next decade or so, the hype and fear mongering didn't drop off as expected; instead, orange (alert level) became the standard for the next 10 years or so, as best as I can remember. The problem with this is, of course, that when you constantly live in “heightened fear”, that becomes the new normal and the baseline adjusts. When the baseline adjusts, the general population adjusts to the new normal quickly, and that fear dissipates.
This was not the intended consequence, but it is human nature.
Consequently, this is also happening in the Information Security space…although it may be a good thing.
For the Information Security (or Cyber Security if you prefer) world, I would propose we've never been at condition green… it’s been all orange all the time, but our ability to see that is just now maturing. I won’t try to argue that the threat was as great in 1998 as it is now, but then again the level of technical capability and integration was significantly less. The threat to technology from the attacker has grown proportionally with the increase of technology in our daily lives. This shouldn't surprise anyone. More opportunity for the bad guys means more attacks, simple.
So what does this mean for those of you working on defending your enterprise networks, systems, applications and critical intellectual property from the attackers and thieves? It means that orange is the new green… and we actually do live in what one executive has called a “post-breach” world.
Starting your day with the assumption that the enemy is likely among you already is not something most people, even hardened Information Security veterans, are comfortable with. That being said, this isn't a completely new concept and it shouldn't be that revolutionary. Except that it is. The problem is that enterprises have collectively spent hundreds of millions of dollars (just a SWAG) on prevention, and when that approach didn't work, they spent even more. So now we’re at the same place we've been for a long time: condition orange. The enemy is inside the infrastructure, is watching us and waiting to strike when we’re not paying attention. They know what you're doing (probably better than you), and know how to exploit you.
How will you adjust?
This is a wake-up call. How will your organization adjust to the acknowledged state of heightened risk – permanently? This is not a drill.
I’m kicking off a series of posts on this topic that I’ll address over the next few weeks, with some thoughts on how to actually live in an era where orange is the new green, and we have to assume we've been breached.