Information Security History
Site: | Saylor Academy |
Course: | CS406: Information Security |
Book: | Information Security History |
Date: | Sunday, September 15, 2024, 1:17 PM |
Description
This exhibit gives a history of the evolution of users, key technologies, threats, concerns, and security techniques in information security since 1960. Click on the links in the pre-web computing (1960s-'90s), open web (1990s-2000s), and mobile and cloud (2000s-future) sections. What were the threats and concerns of each time period? How did security technology or techniques develop in response to those threats?
Pre-Web Computing (1960s-'90s)
Users and Technologies Before the Web
From the 1950s until the early 1990s, computers ("electronic brains") were introduced and gradually propagated outside corporate machine rooms and offices. Personal computers (PCs) became available to experimenters in the 1970s, and to a more general population in the 1980s. At first, these systems enabled interested hobbyists and other individuals to perform local tasks and to play local games. Some office workers had timesharing terminals or PCs to perform tasks like spreadsheet analysis and word processing.
Some hobbyists dialed into bulletin board systems (BBSs) or early commercial on-line services like CompuServe and America Online (AOL). Early dial-up service was adequate for command line interaction, but didn't enable more powerful graphical user interfaces (GUIs). A small community of ARPAnet and Internet researchers developed foundational networking technologies within a generally friendly and mutually trusting environment.
Key Technologies
Personal Computers
Personal computers started to become available in the 1970s, sometimes in the form of kits to be assembled by enthusiastic hobbyists. The preassembled Apple II was offered in 1977, followed by more refined, capable, and user-friendly successors like the IBM PC and Apple Macintosh in the 1980s.
Dial-up Modems
During this era, most remote service access took place over telephone lines at limited speeds. At first, acoustic couplers clamped onto handsets, avoiding direct electrical connection to the Bell System network, but this approach only reached speeds up to 1200 baud (bits per second). Later dial-up modems connected to phone lines directly and achieved speeds in the 56,000 bit/second range.
Office Local Area Networks (LANs)
In some offices, computers, file stores, and printers were linked together via local networks (LANs), commonly via proprietary methods like Novell's NetWare and Digital Equipment Corporation (DEC)'s DECnet rather than via emerging cross-vendor Internet standards.
Email was a primary application of early interest within and beyond the emerging Internet. It was the first computer-based method that enabled users to communicate across closed system boundaries, and became perhaps the first "killer" networking application. Email gateways converted messages, formats, and headers to satisfy the diverse requirements of different systems and networks.
Source: John Linn, https://isechist.linndom.net/
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
Threats and Concerns Before the Web
Before the open web, the evolving Internet was a relatively friendly and benign environment for its participants. Its end-to-end design principle, described in an influential 1981 conference paper by Saltzer, Reed, and Clark, encouraged its early users to build emerging services in ways that avoided specific dependencies on how and where their data was transmitted. Nonetheless, there was still concern about threats, whether from pranks or wiretappers.
What were the threats and concerns?
Wiretapping
Even in the early days of networking, data transmitted between mutually friendly sites needed to traverse complex and unpredictable sets of routers and communications lines. While there was some interest in end-to-end encryption of potentially sensitive data, implementation was limited.
Unauthorized Access to Services and Data
Even in the early Internet's collaborative environment, it was important to identify and distinguish users, so that data and costly processing resources could be protected and conserved. While many data objects were published for general access via anonymous File Transfer Protocol (FTP), access to others required registration with individual usernames and passwords.
PC viruses
Before widespread use of networks, viruses were the primary security concern for most PC users. Virus infections spread from the early days of PCs, initially accompanying programs shared on floppy disks and subsequently carried via communications facilities.
Morris Worm
The Morris Worm (1988) was the first publicized example of a worm spreading via the Internet, and led to the first conviction under the US Computer Fraud and Abuse Act. It exploited vulnerabilities present in thousands of connected Unix systems, consuming their processing resources.
Security Techniques Before the Web
Many of the fundamental security techniques that are still used today were first developed in the pre-Web era. New cryptographic algorithms became available, and pilot Internet research projects investigated their use for networking purposes.
What security techniques were important?
Multi-User Operating Systems
In the pre-Web era, computers were large and expensive, and were usually shared by multiple users. As a result, methods to keep users and their data protected from one another within such systems were important, and Government contracts supported extensive research and development in this area. The Multics time-sharing system was an important example, and served as a precursor to the smaller Unix and Linux systems that are widely used to this day. The US National Security Agency (NSA)'s National Computer Security Center (NCSC) created the Trusted Computer System Evaluation Criteria (TCSEC, more commonly known as the "Orange Book"), which specified system requirements ranging up to levels intended for use with classified military data.
Data Encryption Standard (DES)
The Data Encryption Standard was developed during the 1970s and standardized by the U.S. National Bureau of Standards in 1977 as Federal Information Processing Standard (FIPS) 46, and provided the first widely-used method for computer-based encryption. It was a symmetric algorithm, encrypting and decrypting 64-bit data blocks with 56-bit keys, performing steps including those shown in the attached diagram. Given the speed of computers at the time, special hardware was often needed to run DES with sufficient performance.
Public-Key Cryptography and the RSA Algorithm
With public-key cryptography, keys are used in pairs, where one member of a pair (the public key) is used to encrypt messages or check their signatures, and the other member (the private key) is used to decrypt or sign messages. In most usage, public keys can be circulated freely, while private keys are carefully protected. Public-key algorithms are usually applied in combination with symmetric algorithms, helping to manage trust between parties in an effective manner. In 1977, MIT professors Rivest, Shamir, and Adleman published RSA, the first practical public-key encryption algorithm.
Kerberos
The Kerberos authentication system, developed in the late 1980s at MIT's Project Athena, authenticates users to services using symmetric cryptography and an authentication server. Kerberos technology is still used today, particularly in Microsoft domains.
Privacy-Enhanced Mail (PEM) and early Public-Key Infrastructure (PKI)
Email was a primary application of early interest within and beyond the Internet, and motivated early interest in security. The Privacy-Enhanced Mail (PEM) project, initiated in the 1980s, prototyped methods for email encryption and provided a pilot example for use of public-key certificates and an associated Public-Key Infrastructure (PKI) in the Internet context. It provided a proof of concept for the subsequent Secure/Multipurpose Internet Mail Extensions (S/MIME) messaging security protocols, which have been widely implemented in email clients but less widely used.
The Open Web (1990s-2000s)
Users and Technologies in the Open Web
The World-Wide Web grew quickly starting in the early 1990s, based on researchers' development of the Hypertext Transfer Protocol (HTTP) and the Mosaic graphical web browser (1993). The Web's availability drove popular demand for access beyond closed services. Businesses rushed to build web sites and establish their Internet presence to avoid being overtaken by competitors. More office workers began using computers on an everyday basis, and the numbers of home users grew. Computer literacy and access became popular concerns, as traffic grew on the "Information Superhighway".
Early in the era, desktop PCs were the primary platforms through which users gained access to Internet services. Sometimes, whole families would share a single PC and its modem connection. Subsequently, laptops became increasingly powerful and popular, giving users mobility and convenience when they travelled, commuted, or decided that it was worth the effort of carrying a machine in order to perform some activity. Still, however, access to a computer and the Internet was ordinarily occasional, selective, or frequent, but not continuous.
Key Technologies
Desktops and Laptops
Microsoft's Windows 95 introduced support for the Internet Protocol (IP) as a standard feature, supplanting the need to use add-on network stack components to enable Internet connectivity. Windows-based PCs, in fixed and transportable configurations, were the most common Internet access platforms during this period. "Browser wars" during the 1990s between versions of Microsoft's Internet Explorer and Netscape Communications' Navigator introduced new features while creating compatibility challenges for site designers.
Wired and WiFi Networks
Most homes first joined the Internet through dial-up modems connected or built into individual computers, requiring use of a phone line while the connection was active. Service providers often charged their customers based on the length of time a user was connected. Faster, "always-on" connectivity first became common within business offices. Later, cable and DSL technologies made it practical and economic to provide high-speed connections to homes, and WiFi made it simple to share those connections within home networks without costly rewiring.
Web sites
Typical web sites provided visitors with means to view content posted by site providers or to order products from them. As most users migrated from slow dial-up speeds to faster connections, content and site interaction became richer, more powerful, and more attractive and engaging.
Threats and Concerns in the Open Web
As the Web opened its doors for eCommerce, one motivating security concern was whether and how users could safely provide credit card numbers and related information to sites across the Internet. As users connected to this new resource, they were also concerned about malware infiltrating their computers.
What were the threats and concerns?
Malware: Viruses, Trojan Horses, and Botnets
Malware proliferated, and it became expected practice (at least on Microsoft Windows platforms) that scanning programs with current signature subscriptions should be installed and running on users' machines as a defensive measure. Later in the era, it became increasingly common for attackers to infect users' machines with malware that enabled the attackers to control the infected systems, not only compromising their sensitive information but also assembling victims into botnets to attack other targets.
Identity Theft
Users became concerned that their financial or other personal information would be stolen from them, enabling miscreants to impersonate them. Beginning in 2002, U.S. states enacted laws requiring detected security breaches to be disclosed.
Phishing and Social Engineering
Users were misled into accessing impostor sites that appeared legitimate but were actually malicious. Initially, this was most commonly achieved via links sent in email messages. Site names could confuse users by appearing similar to those of sites they intended to access.
Government Control of Cryptography
In the security community, there were major debates through the 1990s about use, strength, and export of cryptography, a fundamental building block for distributed security, as the campaign button suggests. Participants included Government officials, technology developers, and an emerging cypherpunk movement. In 2000, US restrictions on export of cryptographic technology were relaxed significantly.
Remote Command Security
The Internet's early Telnet protocol was widely used for login sessions to remote systems, but transferred passwords and other data without encryption. Increasingly, and particularly for remote server management, the newer Secure Shell (SSH) protocol supplanted its use.
Security Techniques in the Open Web
As the Web and its user community grew, a range of security technologies were developed and implemented in browsers and servers. Much of the focus concerned protection of web traffic from interception or tampering while in transit across the Internet.
What security techniques and developments were important?
Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
Early browser developer Netscape Communications created the cryptographic Secure Sockets Layer (SSL) protocol, subsequently standardized as Transport Layer Security (TLS). SSL applied cryptography to help make the Web safe for customers' credit card transactions. It was soon adopted and implemented within browsers to authenticate web sites to users, triggering display of the familiar but sometimes confusing lock icons.
Public Key Infrastructure (PKI) and certificates
PKI was a hot and hyped technology in the Internet bubble of the late 1990s, launching companies and high expectations. In actual practice, sites registered public-key certificates to authenticate themselves to users, but SSL's capabilities to authenticate users with their own certificates didn't replace many passwords.
IP-layer security (IPsec)
Many companies used IPsec-protected tunnels to allow remote employee access into corporate networks, or to link their distributed sites across the Internet. Most Web-facing business sites used the higher SSL/TLS protocol layer with its browser-level support to protect their customers' sessions, however.
Firewalls
As Internet-based attacks became more common, firewalls became a standard tool that organizations applied to restrict traffic into and out of their networks. Host-based firewalls also became common, filtering communications into and out of individual computers. The fact that many networks became effectively reachable only via the Web's HTTP and HTTPS protocols served as one motivation for layering other functions on top of them, leading to the creation of web services.
Passwords and authenticator devices
Most users authenticated to most of their sites with passwords, leading either to user inconvenience in managing them or to user vulnerability by sharing the same password across multiple sites. Some companies issued two-factor authentication devices to their employees, avoiding many risks associated with passwords.
Malware scanning
Virus infections became common, and subscriptions to anti-virus packages (providing updated malware signatures as new malware modules were circulated and detected) became a prerequisite for safe use of Windows PCs. Research cited in this 2004 article found that it was likely for a new PC, once connected to the open Internet, to become infected within 20 minutes, likely before protective updates and anti-malware software would be installed. Early in the era, most malware could be detected using static signatures, but it became more difficult for these techniques to keep up as malware became increasingly sophisticated and dynamic.
Federated authentication
Significant effort went into development of federated authentication technologies like the Security Assertion Markup Language (SAML), which enabled receiving sites (relying parties (RPs)) to accept user authentications performed by others (identity providers (IdPs)), but early adoption was limited partly because prospective relying parties hesitated to support and rely on independent identity providers.
Mobile and Cloud (2000s-future)
Users and Technologies in the Mobile and Cloud Era
In the 2000s, computing became increasingly pervasive, personal, and "cloudy". For individuals and corporations alike, data storage and processing is moving increasingly away from machines and media under the data owner's immediate control and towards Web-based cloud services. This direction offers economies of scale, and simplifies remote and mobile access, but also introduces new risks.
Usage and Trends
Computer-based social interaction
Many people began to use computer-based methods as their primary means for social interaction, particularly from mobile devices. Rather than logging in and out of discrete sessions and hanging up afterwards, they maintained ongoing interactions through social media and responded to incoming notifications as they arrived.
Blurring of personal vs. work boundaries
As individuals moved more of their identities and activities online, and did more of their work outside offices or office hours, boundaries between personal and work lives became less clear. Increasingly, personal and business data coexisted on the same computers and devices, as users were unwilling to use and carry distinct devices for different purposes.
Loss of IT control
Employees brought their own devices (a trend known by its acronym, BYOD) and demanded to connect them to corporate networks rather than using systems provided and controlled by IT departments. Corporate interest grew in technologies designed to separate different types of data and applications within user-owned devices, but users were often reluctant to grant employers control over them.
Key Technologies
Smartphones and tablets
Powerful mobile computing devices provide more processing power than the room-size machines of earlier eras were able to offer. They can store large amounts of data, can access Internet-based resources, and can host local applications.
Affordable cellular networks
Cellular network data costs dropped substantially, making their use practical for the general public. Cost-effective cellular networks enable "always-on" connectivity even when outside WiFi hotspot range, and allow new types of location-based services.
Mobile-based applications
Smartphones and tablets store data and run local apps, making it important to consider them not only as means to access remote resources but also as computers in themselves.
Social websites
Rather than just displaying content to visitors, or supporting particular interactions like ordering a product, many newer websites provide platforms for their users to provide their own content and interact with one another.
Threats and Concerns in the Mobile and Cloud Era
As computing and communications power grows for users, it grows for adversaries as well. Security and privacy are subject to increasingly powerful and sophisticated attacks. As users store and share more of their personal information online, it becomes an increasingly valuable and attractive target. WiFi hotspots and public networks become subject to attacks causing users' communications to be diverted to malicious sites.
What are the threats and concerns?
Surveillance, privacy, and data mining
As data and metadata about individuals is collected and analyzed, can individuals maintain their privacy? Does the fact of increasingly powerful, valuable, and compelling services necessarily mean that privacy must be lost in order to take advantage of them?
Cloud data control and ownership
What systems and operators should be trusted, and for what properties? Can an individual retain meaningful control over use of his or her data if it is stored and processed elsewhere? What data will providers process, and what data will be encrypted to protect against undesired use and access by the providers that store it?
Loss, theft, or failure of devices
With a valuable and powerful mobile device holding the keys to an individual's digital identity, what happens if the device is lost or stolen, or breaks down? It's necessary to provide users with means to recover their information and access rights easily and effectively, without providing attackers with shortcuts that enable them to take over identities.
Malware as an economy
Malware has evolved from the realm of pranks into a monetized economy supporting widespread cybercrime, and extends to government-level attackers perpetrating sophisticated Advanced Persistent Threats (APTs). Attackers provide and sell attack components and supporting services to other attackers.
Malware controls lose effectiveness
As attacks become more dynamic, static malware controls like antivirus signature checks become less effective. Some organizations start to emphasize responses to successful attacks rather than expecting to prevent them.
Influential Security Events
Heartbleed (2014)
Exposed shortly before this site's preparation, Heartbleed took advantage of a flaw in the OpenSSL library's implementation of the TLS heartbeat function. It enabled attackers to obtain sensitive data from a server's memory, beyond the boundaries of a message buffer.
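The class of flaw described above, shown as an added example that is neither OpenSSL's code nor part of the original exhibit: a simplified heartbeat responder (message layout per RFC 6520) that trusts the peer's length field, beside one that checks that field against the bytes actually received. The memory layout, secret value, and function names are constructed for illustration, and response padding is omitted.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3   /* type (1 byte) + payload_length (2 bytes) */
#define HB_MIN_PAD  16  /* RFC 6520: at least 16 bytes of padding */
#define SECRET_OFF  32  /* constructed layout: secret starts at this offset */

/* Constructed stand-in for process memory: the received record sits at the
 * start and unrelated sensitive data follows it, all inside one array. */
static uint8_t arena[64];
static const char SECRET[] = "session-key-0001";  /* constructed value */

/* Place a request in the arena. `claimed` goes into the length field;
 * `payload` is what was really received. Returns the true record length. */
static size_t load_request(uint16_t claimed, const char *payload)
{
    size_t n = strlen(payload);
    if (HB_HEADER + n + HB_MIN_PAD > SECRET_OFF) return 0;
    memset(arena, 0, sizeof arena);
    memcpy(arena + SECRET_OFF, SECRET, sizeof SECRET);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed >> 8);
    arena[2] = (uint8_t)(claimed & 0xff);
    memcpy(arena + HB_HEADER, payload, n);
    return HB_HEADER + n + HB_MIN_PAD;  /* padding bytes are zero */
}

/* Flawed pattern: echo as many bytes as the length field claims. */
static size_t respond_unchecked(const uint8_t *rec, size_t rec_len,
                                uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER || rec[0] != HB_REQUEST) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + claimed > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);  /* ignores rec_len */
    return HB_HEADER + claimed;
}

/* Hardened pattern: the claimed payload plus minimum padding must fit in
 * the bytes actually received; otherwise discard, as RFC 6520 requires. */
static size_t respond_checked(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_MIN_PAD || rec[0] != HB_REQUEST) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + claimed + HB_MIN_PAD > rec_len) return 0;  /* discard */
    if (HB_HEADER + claimed > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);
    return HB_HEADER + claimed;
}

/* 1 if the response contains bytes copied from the secret region. */
static int leaks_secret(const uint8_t *out, size_t n)
{
    size_t k = n > SECRET_OFF ? n - SECRET_OFF : 0;
    if (k > sizeof SECRET) k = sizeof SECRET;
    return k > 0 && memcmp(out + SECRET_OFF, SECRET, k) == 0;
}

int main(void)
{
    uint8_t out[64];
    size_t len = load_request(40, "hi");  /* length field overstates payload */
    size_t n = respond_unchecked(arena, len, out, sizeof out);
    printf("unchecked: %zu bytes, leaked=%d\n", n, leaks_secret(out, n));
    printf("checked:   %zu bytes\n", respond_checked(arena, len, out, sizeof out));
    return 0;
}
```

A request whose length field matches its payload gets the same echo from both responders; only the mismatched record separates them.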
US National Security Agency (NSA) surveillance disclosures (2013)
Documents disclosed by Edward Snowden revealed Internet surveillance programs operated by the US National Security Agency (NSA) and other intelligence agencies.
CryptoLocker malware (2013)
This ransomware infects computers, typically via downloaded email attachments. It encrypts accessible copies of a user's data files in local and networked storage, and releases the key needed to decrypt the data only after an anonymous payment is made.
DigiNotar and PKI vulnerabilities (2011)
DigiNotar was a PKI Certification Authority (CA) based in the Netherlands. An attacker penetrated DigiNotar's systems and was able to generate fraudulent certificates enabling many prominent sites to be impersonated.
Heartland Payment Systems (2009) and TJ Maxx (2007) credit card data breaches
Attackers stole credit card data from a payment processor, potentially exposing up to 100 million credit cards. This event was thought to be the largest exposure of credit card information to that time, more than twice the earlier breach at retailer TJ Maxx that had been considered as the prior record.
Security Techniques in the Mobile and Cloud Era
As more and more of users' personal information moves online and beyond their physical control, it becomes important to advance and provide technical controls over its access and use. Users' possession and use of powerful mobile devices introduces potential for strong protection capabilities along with risk of new vulnerabilities.
Key Technologies
Secure connections
Cryptographic security protects information from wiretapping in transit, but endpoints can still be vulnerable. A TLS-secured connection isn't sufficient to protect a user's sensitive information if the server at the other end of that connection is impersonating the system the user wants to reach, or if a legitimate system has been hacked.
Mobile-aided authentication
A mobile device can empower its user to authenticate to Web-based services using methods stronger than simple passwords. It can generate one-time passwords for display and entry by its user, or can perform key-based cryptographic operations to demonstrate a user's identity within a protocol.
Federated identity technologies
Federated identity and related protocols, such as SAML, OpenID, and the eXtensible Access Control Markup Language (XACML), can serve new and valuable roles now that mobile devices are powerful enough to operate as service providers in themselves and as users' data is dispersed across numerous cloud-based platforms.
Mobile app protections and permissions
Many mobile apps communicate data back to sites operated by the organizations that provide the apps. The apps can provide valuable services for their users, but may also serve their providers by collecting information. To maintain an individual's security and privacy, especially as mobile devices accumulate apps from multiple sources, it's important to constrain what data each app can access within a device.