Security 101: What IS Security?


By Lloyd Tanaka

3:26 PM EST Tue. Oct. 30, 2001
From the October 30, 2001 issue of VARBusiness
Life in the Glass House
The purpose of computer security is simple--to protect the data or information stored on computer systems. When done well, a secured system is one in which the data remains confidential, so only authorized people can access it; has a high level of integrity, so it is incorruptible; and is available, so it can be accessed when needed. In practice, however, Information Technology (IT) security can be complex, especially when you look at it historically.

IT security, like other security precautions, has evolved according to socio-political events. When times were more trusting, security tended to be relaxed. When intrusions occurred, security was turned up a notch. Consider, similarly, the evolution of security in automobiles. When roads were rough and maximum speeds lower, the perceived need for security measures was minimal. As those roads and the technology under the hood improved, and accidents and road deaths became more apparent, so did the need to adopt seat belts, rubberized bumpers, air bags, and improved tires. Has it truly stopped death on the roads? No. But the higher the perceived risk, the greater the need for security.

Similarly, when IBM commercial mainframes were first adopted over three decades ago, they were placed in physically secured, environmentally controlled "Glass Houses." It was not unusual for these corporate jewels to be showcased through glass windows. Information security was relatively simple compared to today. There were no intelligent workstations; instead, supersized dumb terminals occupied desktops. The computing environment was centralized, controlled, relatively easy to manage, and for some time, secure. Access to mainframes was via the simplest and most prevalent form of authentication, the user ID and password combination. A company-issued personal ID paired with a personally selected password formed the basis for the log-on. Unfortunately, and as human nature would have it, users selected passwords that were easy to remember: personal initials, nicknames, a family name, or even the name of the family pet. Oftentimes, people knew each other's passwords. The threat of destructive activity and hacking was low, and, accordingly, security was a low priority. To improve access to the mainframes, access control software programs were introduced, and rules governing password length, password expiry, and the use of alphanumerics were adopted. This gave security administrators added confidence that JaneL123 was indeed Jane Smith in the Accounting Department because only she knew the magic password.

Technology Marches On
During the next several decades, technological advancement in processors allowed computers to shrink in size, jolting the mainly mainframe-centric model. First, 'departmental' computers called minicomputers became more widespread. Now, the Accounting Department could house its own computers and manage its software applications more cost-effectively. When IBM introduced desktop personal computers in 1981, the computing model began to change rapidly to a more open, distributed network. In the late 1980s and into the 1990s, it was not uncommon for major enterprises to have accumulated almost every major O/S, each establishing its own domain and, as a result, its own brand of secure computing, or in many cases, very little security at all. Thus, the security needed to fortify the enterprise was now scattered and fractured at best. When the menagerie of computers became interconnected in client/server fashion, security became only as strong as the weakest link in the chain. However, no company could be adequately prepared for the next technological phase--the Internet.

The Internet Boom
In 1962 the RAND Corp. is credited with laying the first elements of the Internet in its research for robust distributed communication networks designed for military use. Under the Department of Defense's Advanced Research Projects Agency (ARPA), a small network of research super-computers called ARPANET was born. ARPANET was presented in 1967. Several years later, four universities (Stanford, UCLA, UC Santa Barbara and the University of Utah) became the first hosts of ARPANET, and by 1981 there were 213 hosts. In 1982, the term "Internet" was born, and, over the next five years, the Internet took the shape we know today. It is important to remember that at the same time, there was a boom in cost-effective and powerful mini-computers and personal computers that formed the new open network. It was the merging of these technologies that boosted the Internet for communications among companies and their customers. TCP/IP was the universal language of the Internet beginning in the early 1980s. In 1987 the number of hosts grew to 10,000, only to grow ten times that number a few short years later. The Internet explosion was beginning.

As previously stated, security programs are developed in response to perceived threats or risks. Concerns over the security and privacy of these new communications vehicles began to surface in the late 1980's. On November 1, 1988, a malicious program called the "Internet Worm" was released and disabled 6,000 of the then 60,000 Internet hosts.

These security problems, however, did not stop the rapid growth and popularity of the IP network. The World Wide Web (WWW) was born as the first graphical interface or Web browser (Mosaic), and it encouraged Internet use to the point where traffic grew by almost 350,000 percent annually! The Information Superhighway was launched and, like a runaway freight train, there was no stopping it. Today, there are an estimated 80 million hosts on the Internet. As the Internet continues to swell to where companies decide to launch entire businesses, or at least portions of their businesses, on the Web, deep inside the Internet's underbelly is a nightmare waiting to happen. Under the best of scenarios, the WWW is friendly, far-reaching, educational and a base for the new global village, but in a world where hatred, narrow-mindedness and deceit can also reign, the Internet can also become a tool to abuse and wreak havoc on others. At every technological phase, there have been compelling reasons to apply security, but none more vivid than in the closing months of 2001. Against the dark background of the events of Sept. 11, and the reliance on the Internet for so many individuals and companies, even a mild threat of cyber terrorism is something we must all take seriously.

Be sure to look for our second Security 101 class, "The Defense of the Enterprise," which we will post on Nov. 12.



*2001 Computer Associates International, Inc. (CA) All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.

 