Evolution of Cybersecurity

Publication date: August 14, 2018

The history of cybersecurity goes back to academic beginnings, when the “Creeper” program was designed by Bob Thomas in 1971 to move across a network and print the message “I’M THE CREEPER: CATCH ME IF YOU CAN.” Subsequently, in 1972, the inventor of email, Ray Tomlinson, modified the Creeper program to make it self-replicating, essentially creating the first computer worm. He then wrote another program, Reaper, which would chase Creeper and delete it. This experimental program led to the development of the first antivirus software.

In the late 1980s, Robert Morris created the Morris Worm and released it on the Internet. The program was designed to propagate across networks and then copy itself. Morris’ intent was to gauge the size of the Internet, but the self-propagating worm spread so aggressively that it brought the early Internet to a crawl. The Morris Worm inadvertently became the first widespread Denial-of-Service (DoS) attack, and Morris became the first person to be successfully charged under the Computer Fraud and Abuse Act. It also prompted the creation of the Computer Emergency Response Team (CERT) at the direction of the Defense Advanced Research Projects Agency (DARPA). Morris was convicted under the Act for causing damage and gaining unauthorized access to “federal interest” computers; the cost of removing the worm from each installation was estimated at between $200 and $53,000.

In the 1990s, viruses such as “Melissa” and “ILOVEYOU” were widespread, infecting millions of computers and bringing down email systems, but with no strategic objective or financial motive. Indeed, viruses were often created by a programmer to demonstrate his/her prowess as a coder, or were meant merely as a prank. These threats did, however, lead to the development of antivirus technology designed to identify a virus signature and prevent it from executing. They also raised user awareness of the risks of opening e-mail attachments from untrusted or unknown senders.

By the 2000s, cyber-attacks became ever more sophisticated and targeted. Not only did attack methods and motives evolve, but new types of perpetrators began to emerge: state-sponsored hackers working to support the political objectives of foreign governments, and criminal gangs with significant technical and financial resources. The first major data breach occurred between 2005 and 2007, when credit card information for more than 45 million people was stolen from TJ Maxx. This was the point when cyber-attacks reached a new level of severity, involving regulated data and requiring companies to notify authorities as well as establish funds to compensate victims. In the case of TJ Maxx, the company’s handling of and response to the data breach was sloppy at best. This was mainly because the company did not know the full extent of the breach, and because it was the first large-scale data compromise of its kind, so the company was in uncharted territory.

By the 2010s, cyber-attacks became significantly more sophisticated, notably in the Target breach, which involved the theft of 40 million credit and debit card records. The level of technical sophistication in the Target breach was far more advanced than in the TJ Maxx incident, which had involved a direct breach of the local wireless network. The perpetrators understood that in order to obtain the data they wanted, they had to take an indirect route through a third-party heating and ventilation supplier to Target, in a series of methodical steps.

  1. By conducting reconnaissance on the internet, the attackers were able to identify that Target had a vendor portal. In addition, a published Microsoft case study about Target provided detailed specifics about Target’s network configuration and technology.
  2. By sending an email containing malware to Target’s HVAC vendor, the attackers were able to install a password-stealing bot program on the vendor’s computers. This then gave them access to Target’s vendor portal.
  3. Once inside the portal, the attackers did extensive monitoring and reconnaissance to identify back doors within the network.
  4. They then discovered a misconfigured server which could be used to access the Point of Sale (PoS) system.
  5. Once the PoS was accessed, custom software was installed on the system which captured credit card numbers during the brief moment when they sat unencrypted in the system’s memory.
  6. The data was then sent to drop locations, retrieved by the attackers, and sold on the black market.

The Target breach was so high profile that it led to the resignation of its CEO. Subsequent high-profile attacks, including those on Sony, OPM and Home Depot, have gained the attention of boards and have forced companies to better understand the risks of cyber-attacks. They began to commit additional resources to prevent breaches before they occur, detect them when they do occur, and respond to them appropriately afterwards. In the case of Target, the company should have been the first to inform its customers about the breach. Instead, the breach was discovered by an investigative journalist who noticed credit card numbers on sale on the darknet, all of which had one thing in common: they had been used at Target.

Written by: Payam Pourkhomami, President & CEO, OSIbeyond

Posted by Jason Firch