The Story So Far: IT Security and Disaster Recovery

Computerworld - A lock on the door was state-of-the-art security for data centers 40 years ago. Programs were run in batch mode with no remote terminals, so the greatest risk to data security was that a mainframe printout might be retrieved from a trash bin. And disaster recovery largely consisted of making sure that, should there be a power outage, reels of tape were carefully removed from tape drives; the tapes could be damaged if the power suddenly came back on.

That was the last time security would be so simple.

By November 1961, developers at MIT were demonstrating their experimental Compatible Time-Sharing System, which allowed four users working at terminals to run programs at the same time. Time-sharing meant users could intentionally interfere with other users' programs - and by the late 1960s, terminals connected by modem meant that an outsider could learn a password and log in. But there was little risk of that at first, since a remote terminal cost as much as a new car.

Mainframes and minicomputers offered little protection against malicious behavior by internal users. Prank programs that created copies of themselves on a computer until it crashed, and "trapdoor" codes that gave one user access to another's work, were in use by 1972. The first desktop computers hit the market in 1975, and, along with rapidly falling prices for modems, they helped set the stage for what would later become an epidemic of hacking aimed at corporate systems.

Encryption was the way to protect data from prying eyes as it moved through modems or networks. In 1976, the U.S. government officially approved its Data Encryption Standard (DES), which became widely used for financial information sent electronically. That same year, three researchers - Ronald Rivest, Adi Shamir and Leonard Adelman - developed a practical version of public-key encryption, which had been invented in 1976 by Whitfield Diffie and Martin Hellman as a way to easily encrypt communications of all kinds.

But encryption wouldn't solve all security problems. In 1982, the first computer virus was infecting Apple II computers. IBM PCs had viruses of their own by 1986; commercial antivirus software was available by 1988.

And hostile hackers learned to use the Internet. In 1986, astronomer Clifford Stoll tracked down a 75-cent accounting discrepancy and helped catch five German hackers who had broken into 450 computers. Other hacker hunters were at work too - but there were far more hackers.

Preparing for Disaster

The Internet had problems of its own. On Nov. 2, 1988, Cornell University student Robert Morris released a "worm" program onto the Internet that infected 6,000 host computers - 10% of all Internet hosts - and crippled the Net for days.

Meanwhile, disaster recovery had come into its own. By 1980, Comdisco Inc. and other companies had begun providing disaster recovery services. By the end of the decade, more than 40% of businesses had disaster recovery plans. And they needed them, what with Hurricane Hugo and the San Francisco earthquake in 1989, flooding of underground tunnels in Chicago and Hurricane Andrew in 1992, the bombing of New York's World Trade Center in 1993, and another big quake in Los Angeles in 1994, along with a steady stream of smaller catastrophes that threatened ever more business-critical IT shops.

Mother Nature wasn't the only threat, as some hackers became ambitious cybercrooks. In 1994, a group of Russian hackers siphoned $10 million from customer accounts at Citibank; they were caught the next year. Other hackers attacked Internet businesses to steal credit card and Social Security numbers.

Encryption was under attack too - by its supporters. In June 1997, a project called Deschall linked tens of thousands of computers on the Internet to crack the 20-year-old DES algorithm in 96 days. Less than a year later, the Electronic Frontier Foundation used a custom, $250,000 computer to crack DES in only 56 hours. The U.S. government began to relax restrictions on exporting stronger encryption systems and officially approved its Advanced Encryption Standard in May 2002.

In the aftermath of the Sept. 11 attacks, security is a bigger issue for IT than ever before, with new efforts to protect systems and close software holes - and use technology to track down terrorists.

And now, on with the story. . . .

1965: Cars try to leave New York during the Northeast blackout, the first major regional disaster affecting corporate data centers. Photo Credit: Associated Press 1988: Robert Morris releases his "worm" program, which infects 10% of the Internet and cripples it for days. 1965: Cars try to leave New York during the Northeast blackout, the first major regional disaster affecting corporate data centers. 1976: Whitfield Diffie and Martin Hellman invent public-key cryptography. 1980: Comdisco gets into the disaster recovery business. 1982: First computer virus in the wild infects Apple II computers. 1988: Software vendors offer first antivirus products. 1988: Robert Morris releases his “worm” program, which infects 10% of the Internet and cripples it for days. 1991: Philip Zimmermann releases his free Pretty Good Privacy public-key encryption system. 1994: Russian hackers steal $10 million from Citibank accounts. 1997: DES encryption is cracked in 96 days. 2000: First denial-of-service attacks cripple Web servers. 1991: Philip Zimmermann releases his free Pretty Good Privacy public-key encryption system.