When I look back on the last two decades of information security, I see some important developments that bear consideration. By taking a broad look at the last twenty years, we can perhaps gain some clues as to what we can expect in the coming decade.
Twenty years ago, the information security industry was still in its infancy. Security powerhouse McAfee was only two years old. It wasn’t until 1990 that Symantec even entered the security industry, with their purchase of Peter Norton Computing, the originators of Norton Anti-Virus. In those early days, the first computer viruses targeting PCs were spread by sharing floppy disks between computers. As computers became networked, viruses began to be spread by sharing files on bulletin boards.
Three years later, in 1993, CheckPoint Software was founded to create one of the first commercial firewall products. The Internet was beginning to be used by corporations, not just universities, and the main usage was email and file transfer. The founders of CheckPoint saw this growth, and the company has grown to be one of the leading firewall and VPN vendors.
You may not think of it as an important event in the history of information security, but I view the founding of Netscape Communications in 1994 as a seminal event. The World Wide Web made the Internet accessible to consumers and businesses, and has created an explosion in usage. Over a billion people have become Internet users, and there are now over 200 million Web servers. This is a major catalyst that has been instrumental in creating the information security industry as we know it, and the types of security threats that must be defended against.
The Netscape team had great foresight when it developed the Secure Sockets Layer (SSL) protocol. They also worked with a new startup at the time, a spinoff of RSA called VeriSign, to use public key cryptography and digital certificates to authenticate websites and link them to their domain names. This was an important development that led to the age of Internet electronic commerce, further fueling the growth of the Internet.
Data encryption, link encryption and public key cryptography had long been used in military and financial systems, but bringing those technologies to the mass market and the Internet was a real breakthrough in applied information security.
As the Internet has grown, the threat environment has escalated dramatically. The information security industry has responded by developing intrusion detection systems, intrusion prevention systems, content filters, and a variety of other solutions. This has resulted in the concept of layered defenses, which is now a core principle in network security. Despite widespread adoption of this model, nearly half of Web servers on the Internet are vulnerable to known security exploits. Many of these are due to Web application security compromises, and this is creating a new set of security countermeasures and best practices.
Perhaps the most significant change in information security in recent years has been the emergence of the criminal cyber underground, and the use of the Internet for serious electronic crime. This change has motivated social engineering against consumers in the form of phishing. It has also fueled a major wave of malicious software, and resulted in botnet armies infecting computers and becoming the new tools of the trade for online criminals.
The story of the last two decades of the information security industry, the changing nature of attacks, and the emergence of the criminal cyber underground tell a chilling tale. The next decade will be hard to predict, but it seems that we can expect increased sophistication and scale of attacks, focused attacks on the financial systems within companies, attacks on the routing infrastructure of the Internet, attacks on SCADA control networks, and the emergence of new bad actors such as nation states.