Timeline of the History of Information Security

Site: Saylor Academy
Course: CS406: Information Security
Book: Timeline of the History of Information Security
Date: Thursday, April 25, 2024, 7:34 AM

Description

To begin, review this timeline on the history and development of information security. What was the role of the US Department of Defense (DoD) in the evolution of information security? Who or what were the influencers in the development of the confidentiality, availability, and integrity (CIA) triad?

Summary

Information can be private or public, personal or generic, valuable or commonplace, online or offline. Like any other asset, it has to be protected. This is more important online where hackers can steal or misuse information remotely even without any physical access to where that information resides.

In line with evolving technology, data security practices have evolved from high-level principles into a more detailed set of practices and checklists. In practice, there's no single list of principles that everyone agrees on. Many lists exist, each one customized for its context.


Source: sangeetha-prabhu and arvindpdmn, https://devopedia.org/information-security-principles
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.

Milestones

1950

Information Security or InfoSec doesn't exist in the 1950s or even in the 1960s. Security is all about physically securing access to expensive machines. Reliability of computers is the main concern. As hardware and software become standardized and cheaper, it's only in the 1970s that there's a shift from computer security towards information security.


1970


In the early years of the ARPANET, the US Department of Defense commissions a study that's published by the Rand Corporation as Security Controls for Computer Systems. It identifies many potential threats and possible security measures. The task force was chaired by Willis H. Ware. In time, this report becomes influential and is known as the Ware Report.


1972

James P. Anderson authors Computer Security Technology Planning Study for the USAF. This is published in two volumes. In time, this comes to be called the Anderson Report.


1973

Multics was a timesharing operating system that started in 1965 as an MIT research project. In the summer of 1973, researchers at MIT look at the security aspects of Multics running on a Honeywell 6180 computer system. They come up with broad security design principles. They group these into three categories, with due credit to J. Anderson: unauthorized release, unauthorized modification, and unauthorized denial.


1980

Prior to the 1980s, security was influenced by the defence sector. In the 1980s the focus shifts from Confidentiality to commercial concerns such as costs and business risks. Among these is the idea of Integrity, since it's important for banks and businesses that data is not modified by unauthorized entities.


1988

Morris Worm becomes the first DoS attack on the Internet. Thus, Availability is recognized as an essential aspect of information security.


1989

In the JSC – NASA Information Security Plan document we find the use of the term CIA Triad. However, the term could have been coined as early as 1986.


1998

To complement InfoSec, Information Assurance (IA) emerges as a discipline. This is more about securing information systems rather than information alone. With the growth of networks and the Internet, Non-Repudiation and Authentication become important concerns. Non-repudiation means that parties can't deny having sent or received a piece of information.


2001



NIST publishes Underlying Technical Models for Information Technology Security. It identifies five security objectives: Availability, Integrity, Confidentiality, Accountability and Assurance. It points out that these are interdependent. For example, if confidentiality is compromised (e.g. the superuser password), then integrity is likely to be lost as well.


2002

Donn B. Parker expands on the CIA Triad by adding three more items: authenticity, possession or control, and utility. Parker also states that it's best to understand these six principles in pairs: confidentiality and possession, integrity and authenticity, and availability and utility. In time, these six principles have come to be called the Parkerian Hexad.

Discussion

Which are the three main information security principles?

The three main security principles include:


  • Confidentiality: Protect against unauthorized access to information.
  • Integrity: Protect against unauthorized modification of information. Even if an adversary can't read your data, they can either corrupt it or selectively modify it to cause further damage later on.
  • Availability: Protect against denial of access to information. Even if an adversary can't access or modify your data, they can prevent you from accessing it or using it. For example, they can destroy or congest communication lines, or bring down the data server.

These principles have also been called security goals, objectives, properties or pillars. More commonly, they are known as the CIA Triad.

Security practitioners consider these principles important but vague. This is because they're about the "what" but not the "how". They have to be translated into clear practices based on context. They have been applied to IT infrastructure, cloud systems, IoT systems, web/mobile apps, databases, and so on. Actual practices may differ but can be related to the CIA triad.


What are some variations of CIA?

It's been said that the CIA Triad is focused on technology and ignores the human element. The Parkerian Hexad therefore addresses the human element with three more principles:



  • Possession/Control: It's possible to possess or control information without breaching confidentiality.
  • Authenticity: This is about proof of identity. We should have an assurance that the information is from a trusted source.
  • Utility: Information may be available but is it in a usable state or form?

Another variation is the McCumber Cube. It includes the CIA Triad but also adds three states of information (transmission, storage, processing) and three security measures (training, policy, technology).

Other published security principles have come from OECD, NIST, ISO, COBIT, Mozilla, and OWASP.


What are some means of achieving the CIA security goals?

Authorization, authentication and the use of cryptography are some techniques to achieve the CIA security goals. These have sometimes been called Security Mechanisms. These mechanisms are designed to protect assets and mitigate risks. However, they may have vulnerabilities that threats will attempt to exploit.

Confidentiality is often achieved via encryption. Hackers in possession of encrypted data can't read it without the requisite decryption keys. File permissions and access control lists also ensure confidentiality. For integrity, a hash of the original data can be used but this hash must itself be provided securely. Alternatively, digital certificates that use public-key cryptography can be used. For availability, there should be redundancy built into the system. Backups should be in place to restore services quickly. Systems should have recent security updates. Provide sufficient bandwidth to avoid bottlenecks.
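As an added example (not part of the original article), the following Python shows why the integrity hash "must itself be provided securely": an adversary who can rewrite the data can just as easily rewrite an unkeyed hash sent with it, whereas a keyed hash (HMAC) using a secret shared only by sender and verifier detects the change. The message, the key and the adversary's edit are constructed values.

```python
import hashlib
import hmac

# Constructed sample values (not from the page): a message whose integrity
# we want to protect, and a secret shared only by sender and verifier.
MESSAGE = b"transfer 100 to account 42"
SECRET_KEY = b"example-shared-secret"


def plain_digest(data: bytes) -> str:
    """Unkeyed SHA-256. It only proves integrity if the digest reaches the
    verifier over a channel the adversary cannot alter."""
    return hashlib.sha256(data).hexdigest()


def keyed_tag(data: bytes, key: bytes) -> str:
    """HMAC-SHA256: a keyed hash. Without the key an adversary cannot
    produce a valid tag for modified data, so the tag can travel with it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_plain(data: bytes, digest: str) -> bool:
    # compare_digest avoids leaking the mismatch position through timing.
    return hmac.compare_digest(plain_digest(data), digest)


def verify_keyed(data: bytes, tag: str, key: bytes) -> bool:
    return hmac.compare_digest(keyed_tag(data, key), tag)


def forge(data: bytes) -> bytes:
    """Model the adversary's edit of the message in transit."""
    return data.replace(b"account 42", b"account 99")


def plain_hash_is_fooled() -> bool:
    """Adversary rewrites both message and digest: verification still passes."""
    forged = forge(MESSAGE)
    return verify_plain(forged, plain_digest(forged))


def keyed_hash_detects() -> bool:
    """Same adversary against HMAC: reusing the old tag or substituting an
    unkeyed hash of the forgery both fail, because SECRET_KEY is needed."""
    forged = forge(MESSAGE)
    stale_tag = keyed_tag(MESSAGE, SECRET_KEY)
    guessed_tag = plain_digest(forged)
    return (not verify_keyed(forged, stale_tag, SECRET_KEY)
            and not verify_keyed(forged, guessed_tag, SECRET_KEY))
```

The same reasoning is why the text suggests digital certificates as the alternative: a signature, like an HMAC, binds the hash to a secret the adversary does not hold.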

People must be trained to use strong passwords, recognize possible threats and get familiar with social engineering methods.


What are some common approaches to enhancing information security?

Complex systems are hard to secure. Keep the design simple. This also minimizes the attack surface. For example, a search box is vulnerable to SQL injections but a better search UI will remove this risk. Use secure defaults such as preventing trivial passwords. Give users or programs the least privilege to perform their function. When failures occur, ensure they're handled with correct privileges.

Practise defence in depth. This means that multiple levels of control are better than a single one. Security at the application layer alone is not enough. Secure server access, network communications, wireless access, the user interface, and so on. Don't trust third-party services. Have a clear separation of duties to prevent fraud. For example, admin users shouldn't be allowed to log in to the frontend with the same privileges and make purchases on behalf of others.

Avoid security by obscurity. This means that we shouldn't rely on hidden secrets. For example, even if source code is leaked or encryption algorithms are known, the system should remain secure.

Prefer decentralized systems with replication to centralized ones.


Could you mention some threats or attacks by which hackers can compromise the security principles?

Sniffing data communications, particularly when they're not encrypted, is an example of a breach of confidentiality. ARP spoofing is an example of sending false ARP messages so that traffic is directed to the wrong computer. Phishing is a breach of integrity since the hacker's website tricks a visitor into thinking it's the genuine website.

Repeatedly sending requests to a service will overload the server. The server becomes progressively slower to respond to requests and may even crash. This Denial-of-Service (DoS) attack makes the service unavailable.

For databases, SQL injection is a big threat allowing hackers access to sensitive data or extra privileges. Buffer overflow vulnerabilities can be exploited to modify data. DoS attacks are possible with databases and their servers.

In any case, record all transactions and events. This leads to better detection of intrusions and future prevention. Have a good recovery plan. Perform frequent security tests to discover vulnerabilities.