10 breakthroughs in IT security

Big ideas that altered the course of information security

  • The "Intrusion Detection Expert System": Dorothy Denning and Peter Neumann at SRI International came up with the IDES model in 1984, building a prototype for DEC's TOPS-20 operating system shortly thereafter. The IDES model proposed a correlation between unusual activity and misuse, an assumption many others have used since in IDS products.

  • The Common Criteria: The Common Criteria effort took shape in the 1990s as friendly nations sought a common methodology and accreditation process for evaluating security in computer systems to eliminate expensive duplication of product testing. That breakthrough came in 1998 when Canada, France, Germany, the United Kingdom and the US signed the Common Criteria recognition agreement for test methods and labs. Today, many governments require Common Criteria-evaluated products, and while the process has its critics, over 25 countries today are counted as Common Criteria members.

  • Public-key encryption: Whitfield Diffie coined the term "public key" in 1975 to describe the encryption method he came up with that freed users from having to share a secret key to encrypt and decrypt data. Today, the mathematical magic of public-key is also used to verify sender identity and validate the integrity of data.

  • The Forum for Incident Response & Security Teams: Founded in 1990, FIRST brought together the government, enterprise and vendor incident-response groups from around the world at a time when all were coping with massive worm outbreaks and wanted to share information, but struggled with language and time-zone differences. Today FIRST has 180 member organisations from all around the world that coordinate in good faith to share knowledge about security threats.

  • The Security Administrator Tool for Analyzing Networks (SATAN): Unleashed as freeware in 1995, SATAN was developed by Dan Farmer and Wietse Venema as a tool to help systems administrators automate testing for known vulnerabilities. Controversial because this very effective scanner could be used by either the good guys or the bad guys -- the uproar got Farmer fired from his job at SGI -- SATAN's still out there, though no longer in development. As one of the earliest vulnerability scanners, SATAN hugely influenced the evolution of vulnerability assessment.

  • Biometric identification through iris scans: The pattern of the iris in the human eye is as unique as a fingerprint, and in 1991 British scientist John Daugman, teaching at Harvard at the time, invented the "algorithm for iris recognition." With his further refinements, it remains the basis for all automated iris-scanning systems in use today, with 30 million people enrolled worldwide using them to prove identity.

  • SNORT: This open-source intrusion-detection system software, the invention of Martin Roesch who first released it in 1998, sparked a worldwide enthusiasm for IDS, inspiring open-source contributions that helped develop it into a full-blown open-source intrusion-prevention system.

  • From encryption to intrusion detection to teamwork organisation. In chronological order from the 1970's on, here are 10 security breakthroughs that matter.

  • Secure Sockets Layer (SSL): Egyptian-born cryptographer Taher Elgamal, chief scientist at Netscape Communications in the mid-nineties, devised SSL to provide privacy by encrypting communications between Web browsers and servers, promoting confidence in Web e-commerce. SSL also represents the first time that arcane encryption technologies based on crypto algorithms and certificates achieved popular, mass-market use by the general public.

  • What do you think? Any other breakthroughs that should be on this list?

  • The Firewall: As the Internet grew in the late 80's, it became ever clearer that organisations connecting to it needed a way to close the door to it as well, and only let in the wanted visitors. Thus the notion of the firewall took shape, and several visionaries played a role developing today's varieties, either foundation concepts or products, including William Cheswick, Steve Bellovin, Marcus Ranum, Nir Zuk, David Presotto and Fred Avolio. Ironically, today there is growing sentiment against the firewall, with some labeling it an impediment to e-commerce.

  • California Senate Bill 1386: How could one California state law for dealing with a data breach that took effect in 2003 only in California radically change attitudes of businesses all over the US? The California law requires public disclosure of the loss of personal and financial data related just to California residents. But the impact was immediately much wider, and companies began disclosing data breaches since figuring out if someone was a California resident wasn't feasible. With SB-1386, the American public has found out how bad the data-breach situation really is, and companies are working harder to not make the front page.
