Masters of Science in Information Security

A Brief History of Information Security

At the dawn of the computer era, computer hardware came in the form of mainframe computers, large machines that occupied entire rooms. Scientists intereacted with these machines by rewiring their circuits to perform various functions, and later through punchcards. Computer networks did not exist at this time. Each mainframe was an isolated machine. The only way to communicate information between mainframes was by mailing magnetic tapes that stored their information. Thus, at this time, information security was merely an issue of securing the physical computer and its media, making sure the equipment was not stolen, damaged, or modified.

During the 1960s, more and more mainframes came on line, mostly in support of the military expansion conducted for the Cold War. The work performed by these computers started to become time-critical and began to require the use of data and processes housed at separate sites. Communicating data and programs via magnetic tapes sent through the mail was no longer sufficient. Recognizing this, the Department of Defense's Advanced Research Project Agency (ARPA) funded a project called ARPANET, whose goal was to produce a redundant, reliable network remote mainframes could use to communicate data. ARPANET is the precursor of the modern Internet, and it enabled computer users to be able to work with data stores and processes remotely for the first time.

The reality of remote access signaled an end to the era of thinking of information security purely in terms of how to safeguard the physical machines. As use of ARPANET grew, it became apparent that it had a number of security weaknesses. Policies for protecting data at remote sites were insconistent and sometimes nonexistent. Passwords were easy to crack because of weak enforcement of standards and formats. Telephone access to remote sites was hard to police as the access numbers would often be left unprotected. Attacks on computer systems started to become more commonplace, including well-publicized system break-ins in the early and middle 1980s into Los Alamos National Laboratory, the Memorial Sloan-Kettering Cancer Center, AT& T, and the Department of Defense. One of the biggest attacks during this error was a network worm that traversed the network, exploiting security holes in UNIX and replicating itself for re-transmission. It spread to more than 6,000 systems, which was about 1/10th of the total number of machines on the network at that time.

The response to these growing problems came from a number of circles and took many forms. In the early 1970s, the Department of Defense issued a report entitled Security Controls for Computer Systems, also known as Rand Report R-609. Many regard this paper as the seminal work in the study of computer security, for it explicitly called for a shift away from thinking of information security purely in terms of hardware protection to conceiving of it more in terms of data, users, and infrastructure. It called for a recognition that data is the commidity of interest, that the credentials of users must be reliably verified to keep that commidity safe, and that ensuring that this is done correctly requires not ad-hoc reaction but rather a comprehensive, multi-level, institutional plan. The Rand Report still shapes the philosophy of the discipline today.

In addition to changes in perspective on security came changes in implementation. For example, the first operating system explicity designed to treat security as its primary concern was introduced in the late 1960s. It was called Multiplexed Information and Computer Service, or MULTICS, and it featured, for the first time, robust password protection and authentication into multiple security levels. Interestingly, the UNIX operating system, which grew from work by several key people involved in the MULTICS project, did not possess such features when it wsa introduced in the early 1970s. It gradually added them over time. Even with its long history of refinement, however, UNIX is not immune to attack, as the famous Satan virus of 1996 demonstrated.

Increased use of personal computers during the 1980s made the issue of security ever more important. The personal computer started to appear on people's desktops at work and even at home. These were sometimes integrated into small local area networks, which were then tied to the global Internet. What emerged was a labyrinth of networks boasting various degrees of security (or insecurity) attempting to access and share data with each other either openly or clandestinely. The weaknesses became easier to exploit as access to the Internet's resources became easier. The graphical web browser, easy-to-use network utilities, and the increased use of graphical user interfaces to operating systems, all of which were popular movements of the early 1990s, enabled novice users to access information all over the world and gave interested hackers plenty of tools with which to gain experience. These tools and the ubiquity of unprotected or poorly protected systems and networks of systems made it easy to exploit the basic underlying security problems that have characterized the Internet since the days of ARPANET, when security was not yet a pressing, popular concern.

To top