Once upon a information security

Let me tell you a story, the story of information security.

Once there were mainframes that were standalone systems, fed by punch cards and teletypewriters. They had tight roles, based on access control models, often externalised to the operating system and application.

Everyone wanted access to them, so the teletypewriters were extended with serial connections and then modems to allow remote access.

Eventually minicomputers were connected to public networks, the precursors to the internet, and network services like sendmail were written and exposed.

One of the first network worms, ironically released by the son of a computer security researcher, knocked a good portion of the internet offline.

Now the first bolt-on security product was released - the firewall.

Essentially it was a clever kludge for the problem of having too many publicly accessible computers to manage, each with a default install that had insecure network services.

Personal computers now blossomed too, with the rise of personal productivity software and a thriving shareware culture.

Some clever idiots started mixing in malicious software with legitimate software, and we had the rise of computer viruses - malicious software that required user interaction to replicate.

The second bolt-on security product was born - antivirus.

Antivirus checked files you opened against a database of known malicious software. This again was just a kludge for the problems of poor user awareness, users running with administrative privileges due to undercooked operating systems and a lack of a mechanism for easily identifying if software was trustworthy before executing it.

Attackers started digging into the network services for vulnerabilities as default passwords and debug functions started getting turned off, and found a soft underbelly in web server software. Web site defacements rose and another product arose - Intrusion Detection - essentially a networked version of antivirus looking at packets rather than files.

This helped operations teams get a bit ahead of the game and respond to compromises of internet-facing services in a timely manner.

Big outages, due to network worms on internal networks affecting the dominant server and desktop operating system, drove Microsoft's boss Bill Gates to issue the Trustworthy Computing memo, essentially telling the company that security needed to be a top priority for the success of the company.

Microsoft started turning the supertanker in the right direction by introducing security into their SDLC, assisting law enforcement and pushing security fixes via a security bulletin process.

The company also delivered operating systems in which there weren’t excessive network services running as part of default installs. In these systems the user ran under reduced privileges, operating system components were cryptographically signed, and the root causes of poor operating system security started to be addressed.

But now the threat environment had changed. The threat was no longer computer enthusiasts, "hackers" being a bit too curious or "crackers" being too destructive; it was starting to become organised criminals.

Criminals figured out that serious money was starting to move through computer systems, and that malware called remote access Trojans could help them steal credit card numbers and internet banking credentials, facilitating fraud.

Now finally spies got on the Internet too, as the majority of the world's information got stored in computer systems.

So here we are at a pretty interesting time in information security. The latest operating systems have become easier to manage security-wise and more security is "built in", but most organisations aren't running them yet.

The threat landscape has changed, with the attackers motivated by financial gain.

Vulnerabilities are no longer being publicly disclosed, but instead sold to the highest bidder.

Often it's the application software like Java and Flash which is now being targeted on the desktop.

Information security professionals now have to worry about nation-state-backed threat actors as well as organised-crime-backed cyber criminals.

The bolt-on security controls have become less effective, as the threat actors have learned to hide from them, or tunnel through them.

Now we have to chase emerging technologies to stay ahead of the threat actors, as traditional security vendors haven't innovated quickly enough.

Additionally, information technology is again re-inventing itself with "cloud", "mobility", "BYOD", "flexible working", "off shoring" and a handful of other disruptive ideas.

Just as the better operating systems are arriving, we are swapping out Windows desktops connected to wired networks with laptops connected to wireless networks.

Executives demand email and apps on their iPads and iPhones, introducing new operating systems and new ways of managing them.

Businesses want "instant on" software-as-a-service applications rather than taking the risk to develop or deploy in-house solutions.

It's a rapidly changing battlefield in terms of threat landscape and the availability and effectiveness of security controls.

Information security is having to step up a level and think differently about enabling users and also third parties to secure themselves, and about securing the data we share with them, as we lose the ability to enforce security controls ourselves at the operating system layer.

Infosec - never a dull moment if you're doing it right.


Stories by Matt Hackling
