Security | Research & Encyclopedia Articles

Computer security has been a consideration of computer designers, software developers, and users for virtually as long as the computer has existed. As any Internet user knows, computer security is a critical factor in the web-connected e-world. It is also important in business, industry, and government, where internally networked computers create an environment in which confidential or proprietary data must be protected from unauthorized access.

Computer security measures can be broken into three basic components and functions:

• Identification: "Who are you?"
• Authentication: "OK, I know who you are, but prove it."
• Authorization: "Now that I know you are you, here's what you can do in my system."

Computer security attempts to ensure that "the good guys" (authorized users) are able to access the systems and data they desire, and that "the bad guys" (unauthorized users) do not gain access. Although this is a simple idea, the implementation and maintenance of strong computer security is not easy. Multiple vendor equipment, different operating system environments, ease-of-access requirements, and (not the least) difficult users all make for hurdles in the continued operation of effective security measures.

The history of computer security starts, of course, with the earliest computers. The UNIVAC (Universal Automatic Computer) and ENIAC (Electronic Numerical Integrator and Computer) were each relatively secure due largely to the fact that the machines were housed in locked buildings or complexes and had few, if any, additional computers connected to them. However, it was not long before the power and capabilities of the computer expanded the number of connected users. As a result, computer designers and programmers had to consider computer security.

The development of computer security has mirrored the evolution of the computer itself and its expanding capabilities. As more and more computer devices—primarily personal computers (PCs)—have been linked together, the need for computer security has grown. Possibly the most significant impact on computer security has been the Internet. With the advent of worldwide connectivity and around-the-clock access to computer systems and data, computer security experts have struggled to keep pace.

Here is a brief timeline of significant computer security events. Notice that as computer network capabilities have grown, so have the security concerns.

Since the late 1950s most computers contain special registers to define partitions of memory for use by separate programs and ensure that a running program cannot access the partition of another program. Virtual memory extended this by allowing each object to be separately protected as if it werein its own partition. Partitioning and virtual memory capabilities provided one of the first security protection measures in early multi-user environments.

Beginning in the early 1960s, time sharing systems provided files for individual users to store personal or private information. The systems were secured using file access controls to allow the owners to specify who else, if anyone, could access their files and under what circumstances. The Massachusetts Institute of Technology (MIT) Compatible Time Sharing System and the University of Cambridge's Multiple Access System were the first examples of this kind of security.

Password protection was the first user-centered security feature. The authentication system used during login stores enciphered images of user passwords but not the actual passwords. This protects passwords from being divulged if an attacker happens to read the file.

The Multics system at MIT made security and privacy one of its central design principles. The designers paid very careful attention to identifying a small kernel of system operations which, if correct, would guarantee that all security policies of the system would be followed. This design signified the importance of security to the computer's basic programming.

The ARPANET (Advanced Research Projects Agency Network) was the first wide-area computer network. It started in 1969 with four nodes and became the model for today's Internet. This inter-connectedness increased the risk of unauthorized user access from outsiders and raised awareness of security issues to network administrators and owners.

UUCP allowed users on one UNIX machine to execute commands on a second UNIX system. This enabled electronic mail and files to be transferred automatically between systems. It also enabled attackers to erase or overwrite configuration files if the software programs were not correctly configured. Since there was no central administration of UUCP networks, the ARPANET command-and-control approach to controlling security problems did not apply here. By 2000, the Internet had many of the same characteristics.

Cryptography is the ability to scramble messages based on a "secret," prearranged code. Public-key cryptography enables two people to communicate confidentially, or to authenticate each other, without a prearranged exchange of shared cryptographic keys. Although cryptography had been around for many years, this was the point at which it was integrated into the development of computer security.

This study demonstrated that password guessing is far more effective than deciphering password images. It found that a very high percentage of passwords could be guessed from user names, addresses, social security numbers, phones, and other information stored in the user identification files. Password guessing remains a major threat today.

The RSA public-key cryptosystem is the oldest unbroken one of its kind that provides both confidentiality and authentication. It is based on the difficulty of determining the prime factors of a very large number as used in the secret code. RSA provided a quasi-standard in the emerging field of computer cryptography.

As businesses moved onto the Internet, the means to pay for services or goods did as well. Electronic cash is one way to accomplish this. It cannot be easily created, it is anonymous, and it cannot be duplicated without detection. The protection and security of "e-cash" became yet another concern of security professionals; it continues to be a major issue.

As the ARPANET grew, the number of computer devices became large enough to make maintaining and distributing a file of their addresses unwieldy, and the network maintainers developed a system to enable quick, simple name lookups. The Directory Name Server (DNS) dynamically updated its database of name and address associations, and became yet another target for hackers and "spoofers."

Computer viruses are deceptive software programs that can cause damage to a computer device, most notably an individual PC. The challenges of such malicious code were first formally recognized in a study published in 1984. Coupled with growing network capabilities, viruses became a serious threat to computer security practitioners and individual users.

By the mid-1980s, many alternatives to reusable user passwords were being explored in order to circumvent the weakness of easily guessed configurations. Callback modems relied on the authentic user being at a fixed location. Challenge-response systems allowed the authentic user to generate personalized responses to challenges issued by the system. Password tokens are smart cards that generate a new password with each use. Each of these alternatives attempted to strengthen the basic password scheme.

Authentication servers are computer devices that allow users and system processes to authenticate themselves on any system using one set of data. The data can be updated globally, and the server can pass proof of identity back to the user or process. This proof can be passed to other servers and clients and used as a basis for access control or authorization. Given the advance in distributing computing power both geographically and across platforms (servers), this advancement allowed security to keep pace with these new configurations.

The Internet worm was the first large-scale attack against computers connected to the Internet. Unlike a virus, it transmitted itself actively through Internet connections. Within hours, it invaded between 3,000 and 6,000 hosts, between five percent and ten percent of the Internet at the time, taking them out of service for several days. It caused much consternation and anger, and highlighted a vulnerability of large networks.

Electronic mail lacks protection against forgery, alteration, and interception. Privacy-enhanced Electronic Mail (PEM) and Pretty Good Privacy (PGP) provide all these services. As the Internet grew, so did the demand for these security services to help ensure user authentication and protection.

These computer servers obscure the identity of the poster or sender by substituting a random string for the sender's name. Some retain the association between sender and random string internally to facilitate reply messages. These services make tracing the original user nearly impossible.

An attacker (hacker) intruded into computers at Lawrence Berkeley Laboratory, apparently looking for secret information. Cliff Stoll, an astronomer turned system administrator, detected the attacker from a seventy-five cent accounting discrepancy. Using a variety of techniques, Stoll helped authorities arrest the attacker, who was being paid by a foreign government. This event helped highlight the vulnerability of all systems and the need for widespread computer security.

Internet protocols were designed on the assumption that no one could access the actual wires and listen to the packets of data. In recent years, attackers have hooked up computers to do just that. These methods of "sniffing" have been used to detect passwords. The attackers also engage in "spoofing," or using the same computers to transmit their own packets, with false identification fields, as a way of gaining access to systems. Firewalls are routers that attempt to filter out these "spoofed" packets. Sniffing and spoofing became key security concerns as the Internet grew.

Java is a language for writing small applications, called applets, that can be downloaded from an Internet server and executed locally by a Java interpreter attached to the browser. The design goal is that the interpreter be highly confined so that Trojan horses and viruses cannot be transmitted; that goal has yet to be met. Java has had several security problems related to malicious applet designers reading, altering, and deleting information supposedly outside the constrained environment.

Concerns about computer security will grow as computer system capabilities increase. Hackers eager to beat a new security challenge, as well as unauthorized users intent on accessing data for criminal or malicious purposes, will continue trying to circumvent security protocols designed to protect data, equipment, and users from their efforts.

Association for Computing Machinery; Ethics; Privacy.

Hutt, Arthur E., Seymour Bosworth, and Douglas B. Hoyt, eds. Computer Security Handbook, 3rd ed. New York: Wiley, 1995.

Parker, Donn B. Fighting Computer Crime: A New Framework for Protecting Information. New York: Wiley, 1998.

Russell, Deborah, and G. T. Gangemi Sr. Computer Security Basics, rev. ed. Sebastopol, CA: O'Reilly & Associates, 1992.

This is the complete article, containing 1,820 words (approx. 6 pages at 300 words per page).