A History of Information Security and Compliance

By Eitan Bremler
While the modern era of computing started in 1969, the first year that two computers were ever connected over a WAN, the era of information security didn't start until 1983. There had been incidents, prior to that year, that suggested the dangerous future that we now live in. In 1971, just two years after the dawn of the ARPANET, a computer researcher named Bob Thomas wrote the first computer virus. It was called Creeper. Creeper didn't damage anything, didn't cripple any software, and didn't steal any data. It just printed a taunting line of text across your monitor:

"I'm the creeper: catch me if you can."

Some did try to catch it. A program called Reaper, the first antivirus software, was created to chase Creeper across the primitive internet and delete it. Again, since no damage was ever done, this incident was never contextualized as representing any kind of incipient threat.

The Year that Changed It All

In 1983, a group of teenagers calling themselves the Inner Circle made headlines by hacking into the corporate networks of companies ranging from Coca Cola to Raytheon, as well as government agencies such as NASA. Via their actions, they exposed the fact that barely anyone—even in the world's wealthiest companies—had thought through the idea of information security up until that point.

Here's what some of those early hackers found:

  • Administrator accounts for whom the password was simply the capital letter A
  • Admin passwords printed in operating manuals—nobody changed the defaults
  • Zero network segmentation. Attacking a single network node provided access to all connected hosts on the Arpanet.

Using a mostly self-taught knowledge of computers, these early hackers, many of them children, were able to pull pranks like deleting email from executives, arranging face conference calls, and giving themselves free usage of early computer networks like Arpanet and Telenet. Because of this rampant manipulation of supposedly secure systems, plus the massive publicity that resulted once the FBI became involved, the first frameworks to enforce information security came into being.

From the Rainbow Series to HIPAA

Prior to 1983, there was no law to prosecute hackers—malefactors could only be sentenced using an extremely broad interpretation of wire fraud laws. After the Inner Circle was uncovered, however, the Computer Fraud and Abuse Act came into being, which allowed the government to go after individuals who breached secure systems. But what about the companies who left the door wide open into their secure networks?

For these organizations, a new system of regulations and requirements began to evolve, beginning with the so-called "Rainbow Series" published by the US Department of Defense. These books, although obsolete today, began to set up criteria for establishing secure systems. Most notable was the "Orange Book," entitled "Trusted Computer System Evaluation Criteria." This book set up standards that still hold today, such as access control rules, authentication processes, and evaluation standards. From this beginning, many additional compliance regimes began to flower.

The National Institute of Standards added Technology to its remit in the late 1980s, becoming NIST. HIPAA was signed into law in 1996. In 1999, Visa introduced the Cardholder Information Security Program (CISP), which eventually morphed into PCI-DSS. These standards have a single goal: to give companies the tools they need to prevent unauthorized persons from making off with critical data.

There's one problem with this approach, of course. Even as far back as the early days of computer hacking, researchers noticed that the vast majority of all computer crimes were the result of insider theft or misuse. This number has barely declined—a 2009 report by the Ponemon Institute revealed that 59 percent of terminated employees will steal their employer's data when they go. Although information security compliance regimes attempt to protect companies against hackers, it seems that much of the real threat comes from within.

Want to lock down your business's critical data, prevent employee theft, and comply with new regulations? Safe-T can help—our flagship solution, Safe-T Box, will moderate access to the cloud in order to prevent employees from leaking documents, and automatically enforce policies in order to make compliance a snap. 

To learn how to ultimately protect your information, and your business, download Safe-T's White Paper: The Ins and Outs of Secure Data Exchange.
