Defining Moments in the History of Cyber-Security and the Rise of Incident Response

From worms and viruses to DDoS and APTs, in the past quarter of a century the sophistication, impact and scale of cyber-attacks have evolved significantly. However, as cybercrime has become more sophisticated, so has the security against it. These milestone incidents from the past 25 years typify the way in which the threat landscape has evolved and how security has developed in response.

The First Computer Worm (Late 1980s-Early 1990s)

In 1989, Robert Morris created what is now widely acknowledged as the first computer worm. This self-propagating virus spread so aggressively and rapidly that it succeeded in closing down much of the internet. While other subsequent attacks have gained far more notoriety, the Morris worm was a landmark incident in that it was the first widespread instance of a denial-of-service (DoS) attack. Due to the infancy of the internet at the time, the impact was nowhere near as devastating as it would be today. However, it laid the groundwork for the kinds of security issues that we've seen ever since.

The Morris worm and the early nuisance attacks that followed were early instances of having to deal with, and respond to, cyber-security attacks. They ultimately led to the security industry as we know it – including the establishment of CERTs (Computer Emergency Response Teams) as a central point for co-ordinating responses to these kinds of emergencies. The initial reaction from the industry followed the old adage ‘prevention is better than a cure’, giving rise to what has become a litany of preventative and detective security products.

The First Viruses (1990s)

From here on viruses went, well, viral and dominated the headlines. The Melissa and ILOVEYOU viruses infected tens of millions of PCs, causing email systems around the globe to fail, all with little strategic objective or clear financial motivation. These threats led to the development of antivirus technology to spot the signature of a virus and prevent it from executing. Equally important, these threats also played a huge role in raising computer users' awareness of the risks of reading emails from untrusted sources and opening their attachments. This realization was not lost on companies, as it became clear that if viruses were to spread from corporate email accounts, questions about the security and integrity of the company could be brought into the public eye.

Credit Cards Under Attack (Late 2000s)

As we moved into the new millennium things changed radically as cyber-attacks became more targeted, most notably with the first serial data breach of credit card numbers. Between 2005 and 2007, Albert Gonzalez masterminded a criminal ring that stole information from at least 45.7 million payment cards used by customers of US retailer TJX, which owns TJ Maxx, and UK outlet TK Maxx. This was a massive compromise of security on a scale which was previously unheard of and underlined the huge impact that such breaches can have, reportedly costing the company some $256 million.

This is where things became more serious. The data involved in these breaches was regulated, so incidents required that authorities be notified and that funds be set aside to compensate victims. Companies found out the hard way the dire consequences of being unprotected and began to arm themselves with more sophisticated security systems specifically designed to cope with this new reality.

The Target Breach and the Threat Tsunami (The Modern Day)

Fast forward to recent times and the staggering scale of the Target breach – involving the theft of 40 million credit and debit cards – has come to encapsulate the current threat landscape for a number of reasons.

Firstly, from a technical point of view, this attack was far more sophisticated than the TJX incident – and perpetrated by criminals who understood that, in order to reach their goals, they would need to take an indirect route, in this case via a third-party heating and ventilation supplier to Target. Using code specifically developed for point-of-sale (PoS) systems, the attack grabbed credit card numbers at the precise moment when they were present in the memory of the system and not encrypted.

Secondly, the fallout of the attack illustrated the widespread impact that a breach of this scale could have, not only for customers, but right across the organization. Ultimately, it led to the resignation of the CEO himself, indicative of the fact that cyber breaches are now board-level issues. The public response has therefore become a critical consideration in dealing with cybercrime incidents. Companies can no longer take an ad hoc approach to response. It is imperative that all levels of the organization understand the risk of cybercrime and have committed all the appropriate resources to preventing breaches, detecting them when they do occur, and responding in the appropriate fashion.

The Future of Incident Response

Today, we have reached the position in which cybercrime is so sophisticated it seems almost impossible to prevent. The emphasis is now on how an organization responds once it has been breached. While we can't prevent every incident, we can control how we manage the aftermath so that we are prepared and practiced in the process of response. In doing so, we can develop organizational resilience such that these incidents are gracefully managed as just another part of the business.

About the Author

CMO at Co3 Systems, Ted is a well-known, highly regarded figure in the security and compliance markets. Over the last 12 years, he has conceived and launched multiple successful security start-ups across software, hardware and professional services including Application Security and Arbor Networks. Ted got his start in high-tech as an industry analyst at International Data Corporation (IDC) and Forrester Research and he continues to be a sought-after industry expert.