Receive the latest technology news and information.

	Computerworld Daily News (First Look and Wrap-Up)
	Computerworld Blogs Newsletter
	The Weekly Top 10
	Cloud Computing

View all newsletters

E-mail Address:

Industry:

Job Title:

Company Size:

Country:

State:

I would like to receive offers via e-mail from Computerworld partners.

Security: Tips From Security Pros

The Story So Far: IT Security

An all-too-successful computer experiment eventually spawns the antivirus software industry.

Frank Hayes Today’s Top Stories

or Other Security Stories

July 14, 2003 (Computerworld) -- Fred Cohen already knew about worms, Trojan horses and hackers in November 1983. But as a graduate student participating in a weekly seminar on computer security, Cohen was interested in a new class of security threats: a program that reproduced itself by attaching to other programs. It took eight hours for Cohen to create his virus and nearly a week to get permission to test it on a large Unix computer at the University of Southern California.

And the virus worked frighteningly well. During each of five tests, the virus infected files and gained full system rights on the machine in less than an hour—in one test, it took less than five minutes. After that, USC systems administrators banned all further security experiments on their computers.

Other computer security threats had been around for two decades, since the early days of time-sharing. Defenses against them were mostly ad hoc and used on systems only after they had been attacked. But viruses, which spread largely through desktop PCs, would prove to be the threat that turned computer security into an industry.

By 1986, viruses were attacking IBM PCs and Apple II computers. In 1988, the first Macintosh virus appeared, and so did the first commercial antivirus software.

But in 1989, the problem was large enough that IBM sent antivirus software it had developed for internal use to large customers, along with a letter explaining what it was for. Suddenly, large companies were thinking about computer security—and antivirus software became big business.

But viruses weren't the only threat. In November 1988, a worm program released on the Internet infected 6,000 servers—10% of Internet host machines at the time—and crippled the network for days.

In the wake of the worm, the U.S. Department of Defense set up the Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon University in Pittsburgh to improve communication about future incidents. In 1989, the Department of Energy set up its own Computer Incident Advisory Capability at Lawrence Livermore National Laboratory.

In 1990, security researcher Eugene Spafford at Purdue University coined the term firewall for a system that would protect individual networks from threats such as worms. One of Spafford's students, Daniel Farmer, developed the Computer Oracle and Password System (COPS), the first publicly available security scanner.

And in 1991, the first commercial security firewall was set up for Du Pont Co. by Digital Equipment Corp. Digital adapted its own corporate firewall to create the product.

But by the mid-1990s, protection from outside threats was no longer enough. E-commerce required protection while information was traveling across the Internet. Netscape Communications Corp. developed the Secure Sockets Layer (SSL) standard in 1994 to add automatic encryption and authentication to TCP/IP.

The same year, two developers at Enterprise Integration Technologies, Eric Rescorla and Allan M. Schiffman, created the Secure Hypertext Transfer Protocol, which allowed individual HTTP messages to be encrypted, signed or authenticated.

In 1998, attacks on Web sites and other government systems spurred the Department of Justice and the FBI to create the National Infrastructure Protection Center (NIPC), a joint effort by the government and private sector to prevent both physical and cyber attacks on computer networks.

Security concerns soared as the year 2000 approached, and "chief security officer" became an executive title at as many as half of large companies (though CSOs had been around as early as 1996). Microsoft Corp. appointed its own CSO in 2002, and after an embarrassing string of security holes in its products, stopped all new programming for a month to retrain its programmers and examine old code for security problems.

In the nearly two years since the terrorist attacks of Sept. 11, 2001, security has been a top IT priority—at a time when budgets are tighter than ever. And corporate IT security people will need to use existing resources, tap existing knowledge and, most of all, avoid reinventing the wheel if they want to squeeze the most out of every dollar.

And now, on with the story. ...

1988: After Robert Morris' worm program cripples the Internet for days, the Defense Department sets up the CERT Coordination Center at Carnegie Mellon.

1983: Security researcher Fred Cohen demonstrates the first documented experimental virus at the University of Southern California.

1983: Security researcher Fred Cohen demonstrates the first documented experimental virus at the University of Southern California.

1988: Dr. Alan Solomon creates the first widely used antivirus software.

1988: After Robert Morris’ worm program cripples the Internet for days, the Defense Department sets up the CERT Coordination Center at Carnegie Mellon.

1990: Daniel Farmer develops COPS, the first publicly available security scanner.

1990: Eugene Spafford coins the term firewall.

1991: Du Pont installs the first commercial security firewall.

1994: The SSL standard developed by Netscape adds encryption and authentication to TCP/IP.

1998: The government establishes the NIPC to counter physical and cyberattacks against the Internet.

1999: Chief security officers are appointed at nearly half of companies with more than $1 billion in revenue.

2002: Microsoft stops all coding for a month to retrain programmers and examine old code for security problems.