10 breakthroughs in IT security

Big ideas that altered the course of information security

From encryption to intrusion detection to teamwork organization: in chronological order from the 1970s on, here are 10 security breakthroughs that matter.

Whitfield Diffie coined the term "public key" in 1975 to describe the encryption method he came up with that freed users from having to share a secret key to encrypt and decrypt data. Today, the mathematical magic of public-key cryptography is also used to verify sender identity and validate the integrity of data.

Whit Diffie on encryption and PKI

The origins of high-tech's made-up lingo

Diffie: Privacy laws could hurt the little guy

Dorothy Denning and Peter Neumann at SRI International came up with the IDES model in 1984, building a prototype for DEC's TOPS-20 operating system shortly thereafter. The IDES model proposed a correlation between unusual activity and misuse, an assumption many others have used since in IDS products.

Dorothy Denning, curriculum vitae

Peter Neumann, curriculum vitae

Graveyard for old computers produces nostalgia

Founded in 1990, FIRST brought together the government, enterprise and vendor incident-response groups from around the world at a time when all were coping with massive worm outbreaks and wanted to share information, but struggled with language and time-zone differences. Today FIRST has 180 member organizations from all around the world that coordinate in good faith to share knowledge about security threats.

Alphabetical list of FIRST member organizations

Cisco, IBM, Intel, Juniper and others fight cyber-terror together

CIRT Management: Share the Knowledge

The pattern of the iris in the human eye is as unique as a fingerprint. In 1991 British scientist John Daugman, teaching at Harvard at the time, invented the "algorithm for iris recognition," which remains, with his further refinements, the basis for all automated iris-scanning systems in use today, with 30 million people enrolled worldwide using them to prove identity.

Biometrics helps U.S. soldiers in Iraq fight terrorism

U.K. airport gets iris recognition program

Pentagon awards $15.7 million for advanced research

As the Internet grew in the late '80s, it became ever clearer that organizations connecting to it needed a way to close the door to it as well, and only let in the wanted visitors. Thus the notion of the firewall took shape, and several visionaries played a role in developing today's varieties, either foundation concepts or products, including William Cheswick, Steve Bellovin, Marcus Ranum, Nir Zuk, David Presotto and Fred Avolio. Ironically, today there is growing sentiment against the firewall, with some labeling it an impediment to e-commerce.

Firewall pioneer wants a super-secure blogging service, so he built his own

Perimeter security vs. inside security

From firewall to 'firebox' for the data center

Unleashed as freeware in 1995, SATAN was developed by Dan Farmer and Wietse Venema as a tool to help systems administrators automate testing for known vulnerabilities. Controversial because this very effective scanner could be used by either the good guys or the bad guys -- the uproar got Farmer fired from his job at SGI -- SATAN's still out there, though no longer in development. As one of the earliest vulnerability scanners, SATAN hugely influenced the evolution of vulnerability assessment.

The coming of SATAN could make network manager's life hell

System administrators conjure up SATAN

Winn Schwartau: Figuring out SATAN

Egyptian-born cryptographer Taher Elgamal, chief scientist at Netscape Communications in the mid-nineties, devised SSL to provide privacy by encrypting communications between Web browsers and servers, promoting confidence in Web e-commerce. SSL also represents the first time that arcane encryption technologies based on crypto algorithms and certificates achieved popular, mass-market use by the general public.

Twenty people who changed the industry

State of security: good for now

How DLP will evolve: Taher Elgamal

The Common Criteria effort took shape in the 1990s as friendly nations sought a common methodology and accreditation process for evaluating security in computer systems to eliminate expensive duplication of product testing. That breakthrough came in 1998 when Canada, France, Germany, the United Kingdom and the U.S. signed the Common Criteria recognition agreement for test methods and labs. Today, many governments require Common Criteria-evaluated products, and while the process has its critics, over 25 countries today are counted as Common Criteria members.

HP earns Common Criteria certification for Linux

Common Criteria information page

Common Criteria members

This open-source intrusion-detection system software, the invention of Martin Roesch who first released it in 1998, sparked a worldwide enthusiasm for IDS, inspiring open-source contributions that helped develop it into a full-blown open-source intrusion-prevention system.

IDS vs. IPS

Sourcefire releases Daemonlogger open-source tool

Interpreting recent open-source IPO buzz

How could one California state law for dealing with a data breach that took effect in 2003 only in California radically change attitudes of businesses all over the U.S.? The California law requires public disclosure of the loss of personal and financial data related just to California residents. But the impact was immediately much wider, and companies began disclosing data breaches since figuring out if someone was a California resident wasn't feasible. With SB-1386, the American public has found out how bad the data-breach situation really is, and companies are working harder to not make the front page.

California data breach law passed

Regulatory compliance puts companies on the spot

Business unprepared for Senate Bill 1386

California Senate Bill 1386

Any other BREAKTHROUGHS that should be on this list?