SC's review of the decade: turbulent times for information security
Ten years that began with the Y2K bug finished in the credit crunch. With malware and botnets, it's been a hell of a ride, says Mark Mayne.
The 2000s have indeed been turbulent times for us all – and for the IT security industry in particular. From the bursting of the first dotcom bubble in 2000, through to the credit crunch of 2009, financial constraints have been to the fore. Regulation has also appeared on the scene, and is one of the factors that have driven the business importance of IT security right up to board level.
Technology has of course advanced, for good and ill. At the start of the decade, malware was an innocent (albeit expensive and inconvenient) joke perpetrated by coders with too much time on their hands. It's now a serious criminal enterprise worth many millions worldwide. The past decade has seen the development of phishing, DDoS and Trojans, to name but a few, while terms such as polymorphic, fast-flux, bullet-proof hosting and SQL injection have become common currency. From highs to lows, winners to losers, here's a snapshot of IT security since 2000.
2000: Panic stations
As 1999 drew to a close, one of the greatest security issues of our time stepped into the limelight – the millennium bug, aka Y2K. The bug was supposedly set to destroy any technology when the clocks struck midnight at the New Year. This was apparently due to the fact that most systems built before the 80s used two digits to represent a year instead of four, to save disk and memory space. However, when the year flipped from '99 to '00, the theory went, systems would behave as if it were 1900, causing major problems for finance applications and nuclear power plants, among others.
Little happened in the UK on the day – some claim this was down to a multi-billion mitigation strategy, with Gartner estimating the cost of fixing the bug at between $300bn and $600bn. Countries such as Italy spent far less, yet experienced little disruption. The tone for the next decade was set.
It has been speculated that intense preparation for and expenditure on Y2K were contributory factors for the ‘dotcom bust', which began in March 2000 as stock markets plunged. Only two months before, dial-up ISP America Online had staged one of the era's greatest coups, by acquiring the world's largest media company, Time Warner, for $164 billion.
This was also the year in which legislation began to impinge on the brave new digital world, as the Regulation of Investigatory Powers Act 2000 (RIPA) was announced. Then-home secretary Jack Straw announced that the new law would combat terrorists and paedophiles by forcing them to hand over encryption passwords to police. The resulting backlash ensured that the bill was split into several parts, allowing the controversial seizure powers to be delayed until 2007. The law has retained its notoriety, with a regular stream of tabloid revelations about its surveillance powers being misused by council jobsworths.
Finally, 2000 witnessed the birth of one of the most powerful forces on the internet – Google AdWords, launched with a mere 350 customers in October.
2001: Terror strikes
As the digital economy licked its dotcom wounds, Microsoft launched a slew of products to bolster the market. Windows XP – short for eXPerience – began its reign of dominancy, which it still maintains today, with an estimated market share of more than 60 per cent of the total OS installed base. Later in the year, Redmond released IE 6, its last standalone browser. Many speculate that the move was due to anti-trust judgments against Microsoft's bundling activities, a theory the company has always denied.
Another launch of note was Wikipedia, which contained 20,000 articles in 18 languages by the end of its first year.
The black hats were also busy on the development side, and in July released the Code Red worm. This was followed swiftly by the Code Red II worm, and Nimda (admin spelt backwards). This took advantage of multiple vulnerabilities, as Howard Schmidt, Information Security Forum president, explained: “The fact that this attacked multiple vulnerabilities really hammered home the fact that reactive, post-infection patching was dead. Patching became a regular function from this point on.”
Another critical moment online was the closure of Napster, a move that opened the file-sharing floodgates, sparking a content revolution that traditional media rights owners are still trying to get a handle on. The age of content piracy had begun, and the development of more powerful peer-to-peer sharing technology has resisted enforcement efforts to date.
Later that year came the massive destruction that was September 11, as a series of hijacked planes were crashed into US landmarks, which led to the collapse of the World Trade Center and more than 2,700 deaths.
The attacks triggered a series of responses from the US, resulting in the wars in Afghanistan and Iraq, as well as tightened airline security and a raft of legislation increasing surveillance and arrest powers in anti-terror investigations.
2002: Bankruptcy beckons
2002 got off to an exciting start, as the US Department of Justice launched a criminal investigation into stock market darling, Enron. The move rocked global stocks, as the failure of such a large business was unthinkable. Barely six months later, telecoms giant Worldcom filed for bankruptcy, gaining the dubious distinction of becoming the largest in US history. The collapse of Enron was widely ascribed to a failure by regulatory bodies to conduct sufficient checks into publicly-listed companies.
The US Congress rushed through the Sarbanes-Oxley Act (SOX), creating the strongest regulation of publicly-listed companies to date. Schmidt commented: “SOX was a sea change, as a whole lot of non-listed companies played along, just to make themselves more attractive to acquisition by listed enterprises.” Mike Maddison, director of UK security and privacy services, Deloitte, agreed: “SOX shouldn't be underestimated as a mechanism of change. It had a lot to do with triggering CEO-level interest in IT security, and it was definitely needed – the integrity piece had been neglected.”
In tune with this, President Bush created the hugely-powerful US Department of Homeland Security (DHS).
2003: Homeland strikes
The importance of the DHS became apparent when the following year it became tasked with analysing tactical and strategic cyberattacks. The blueprint unveiled by the US, the National Strategy to Secure Cyberspace, stood as one of the first publicly-acknowledged government-level efforts to confront the issue.
When the Slammer worm hit in January, it reportedly infected more than 90 per cent of vulnerable hosts within ten minutes. Before Slammer, large worm attacks were dealt with reactively, but the speed at which Slammer attacked forced perceptions to change forever.
The year also saw the last stand of once-mighty Baltimore Technologies. The PKI vendor was a stock market favourite during the dotcom boom, but suffered badly after charismatic CEO Fran Rooney resigned in 2001.
The various business units were gradually sold off, including household names such as the MIMEsweeper brand, acquired by Clearswift, until eventually Betrusted acquired the PKI business, and there were no operating businesses left.
A more successful venture also launched this year: the open source Metasploit framework. The first version was written by HD Moore using Perl, and rapidly became an industry byword for pen testers and script kiddies alike.
2004: Malware attacks
January marked another doom-laden milestone in IT security, as the mass-mailing worm Mydoom created the first wide-scale botnet. By February, an estimated one million computers infected with the malware began a huge DDoS attack on www.SCO.com.
However, the potency of the malware was demonstrated when code borrowed from it was used in 2009 to launch a series of DDoS attacks against big name targets, including the White House, Department of Homeland Security and the US Secret Service.
Maddison said: “Before 2004, most malware was designed to cause disruption to IT systems, but this year marked the turning point. It was really the beginning of concerted attempts to harvest information. Trojans became de rigueur, and this was a real wake-up call for the industry.”
Another wake-up call was the IPO of Google, one of the largest in history, which aimed to raise $2.7 billion. The flotation of the six-year-old search engine opened the doors to a wave of acquisitions and spin-offs that have made it one of the dominant companies of the decade.
2005: Breach beginnings
While malware had been driving much of the insecurity so far in the 2000s, it was time for the human element to step up. Atlanta-based payment processor CardSystems suffered one of the largest data breaches of all time when 40 million Visa and Mastercard holders were exposed to fraud. As many as 13.9 million Mastercard-branded credit cards may have been affected. Mastercard helpfully quantified the sheer scale of the breach, pointing out that the issue potentially affected one out of every seven credit cards issued in the US.
Although the decade has been marked by increasing rationalisation and merger activity, the July 2005 merger between Symantec and storage management specialist Veritas was particularly notable. Valued at $13.5 billion, it was one of the largest software industry mergers to date. Deloitte's Mike Maddison later commented: “This was a particularly interesting merger, as it marked one of the continuing rationalisation trends in the industry. The merging of storage security capability to endpoint security stood as an interesting development in the end-to-end business model.”
The UK was hit by a series of coordinated suicide bombings during the morning rush hour in central London on July 7. The four blasts killed 56, and injured more than 650 people.
2006: Vista visions
Microsoft was becoming increasingly concerned at negative feedback about its software. Although a near global monopoly made XP the most obvious attack point, increasing levels of organised criminal attacks made it necessary to be at least seen to be fighting back. The launch of Windows Vista in November was billed as a body-blow to hackers, with the new OS pitched as an ultra-secure option that would defeat the burgeoning botnets. However, its complexity, size and multitude of alerts made it an unpopular enterprise upgrade.
Elsewhere, virtualisation fever was taking hold. Seamus Reilly, director IT risk assurance, Ernst & Young, said: “Although virtualisation has now become a standard tool in the armoury of most ISPs and hosting companies, 2006 was when the movement really gathered pace. The cost savings have driven demand, but there are still security considerations that need to be ironed out.”
Elsewhere online, a small social networking site called Facebook had opened its doors to anyone 13 and older with a valid email address. Mere days later, the creators of Twitter launched their micro-blogging service. Both startups were set for a meteoric rise over the next 12 months. Finally, a bemused broadband population was treated to the first days of YouTube, sparking the beginning of a long-promised but unfulfilled online video revolution.
2007: Skies darken
Although the importance of data security had been broadly recognised after 2005, the events of 2007 were to make it a byword. The year began with the gradual exposure of the PR disaster that was the TJX data breach. Via an unsecured wireless LAN, criminals had been able to siphon off around 45.6 million credit and debit card records over a 17-month period between July 2005 and January 2007. The company had to set aside $118 million to cover costs and potential liability arising from the lapse.
Distraction was supplied by the Storm worm, a sophisticated piece of malware that originally arrived in an email with the subject line “230 dead as storm batters Europe”. By the end of the year, estimates of the size of the Storm botnet ranged from one to ten million computers.
The dust and recriminations had barely settled at TJX before, on 21 November, prime minister Gordon Brown reported that the personal records of 25 million individuals had been lost in the post by HMRC. The records, which related to the payment of child benefit, included the individuals' and their children's names, addresses, date of birth, child benefit numbers and bank and building society numbers. Ernst & Young's Reilly was scathing: “This was the year of privacy, or a lack of it. Data loss became a public issue, and it seemed that a new failure was announced each week.”
It wasn't all about accidents though, as in July German-based technology giant SAP admitted to “inappropriate downloads” from key rival Oracle.
On the lighter side, the now ubiquitous iPhone was released to universal excitement in June, prompting rocketing interest in mobile app development. At the close of the first weekend, half a million had been sold. A survey by Frost and Sullivan for the period 2008-2009 found that nearly twice as many European CXOs now own a smartphone.
2008: Société Générale and the crunch
Misfortunes often come in threes, and as if to prove this, 2008 was barely under way when French bank Société Générale was forced to admit it had discovered a “massive” fraud, leaving it with a claimed loss of £3.5 billion. Trader Jérôme Kerviel had managed to side-step checks and balances and create a mountain of faked transactions to offset huge losses he had been sustaining. He was accused of breach of trust, fabricating documents and illegally accessing computers – but not fraud. However, the bank was forced into a cut-price share issue to restore liquidity.
Liquidity was in short supply all round in 2008, as the global credit crunch took hold. What had been a cunning plan to attractively market sub-prime home loans by packaging them into CDOs (collateralised debt obligations) backfired spectacularly, creating global panic over the value of all property-based investments. Major finance corporations were forced to write down billions in bad debts, in a far-reaching disaster that is yet to be fully played out.
Lending requirements for businesses and consumers alike are still the toughest they have been since the 1990s. The panic claimed some household names, with Bear Stearns agreeing a fire sale acquisition, Merrill Lynch taken over by Bank of America, and finally Lehman Brothers collapsing entirely and filing for bankruptcy, at $600bn the world's largest.
In spite of the financial disaster, SIEM vendor ArcSight floated, raising $62 million, in stark contrast to the general bear market. Other positive news included the FBI's successful sting operation via its DarkMarket cybercrime forum, which has netted 56 arrests and prevented millions of dollars in economic losses, according to officials.
2009: A tale of two elections
The year started quietly, as post-crunch budgets were tight. Microsoft stepped in to help SMEs and consumers with its free Security Essentials AV tool, a move that was met with dismay in some vendor circles.
Although the US presidential elections of 2008 had cemented the importance of digital campaigning in politics, the Iranian elections showed the darker side of the internet. After opposition figures contested the official results, the Iranian government attempted to shut down online communications to suppress the dissent. However, campaigners took to Twitter, broadcasting their messages globally with little censorship.
Unified threat management vendor Fortinet decided to buck the general trend and IPO, setting a price of $12.50 a share in a move to raise $156 million. Fortinet shares began trading on Nasdaq on 18 November under the ticker symbol FTNT, as part of the first information security flotation since Sourcefire in 2007. A bellwether for the sector?