Updated: 7 days ago
We use the internet every day, and it has transformed our lives: shopping arrives at your door, applications can be made online, a sea of information is at your fingertips, teaching, learning and so much more. But when it was created, it was not designed with security in mind...
a brief history lesson
Most people of my generation were introduced to the internet at quite an early age: disconnecting the phone line to get online, signing up for Myspace, MSN, AOL, waiting hours and hours to download a movie to watch. We have seen its rapid expansion fill almost all aspects of our lives. Younger generations are introduced to it even earlier, and for them it's second nature - many have never even experienced life without being connected in some way or another. But what happened before, how was this thing created? And what is it exactly? Hint: it's not a mystical 'cloud' floating in the sky :)
The internet as we know it was around 40 years in the making. It began in the 1960s, and contrary to popular belief it was not 'created' by the US military, although the Department of Defense did funnel major funding into it to find ways to use it*. It was the result of a series of research projects happening in various parts of the world (notably CERN in Switzerland, France, the United Kingdom, as well as the USA) with the goal of sharing computer power and allowing messages (or data) to be sent from one computer to another. It gradually evolved from a few computers connected together to a 'network of networks', aka the internet. This technology was released to the public domain in the early 1980s - not that long ago in the grand scheme of things. Then in the early 1990s it was widely commercialized and many companies started using it, and ordinary users (i.e. non-computer scientists) started using email.
What many of us refer to as the internet (which is the connection of computer networks globally) is actually the World Wide Web (the means of accessing the data on those computers, e.g. your browser), which was invented in 1989 by a British scientist working at CERN in Switzerland.
* this is potentially one of the reasons it took so long for people to realize that the internet is not secure, since you would think something created by a Defense Department would have security at the core... not the case with the internet - as it was just an ongoing side project that the military invested heavily in, hoping to find ways to use it.
so what is the internet?
It's actually in the name, although we don't necessarily think of it immediately. It's a gigantic network, or net, made up of millions (and now billions) of smaller networks. Each network is made up of connected computers and devices that communicate through routers (which are also computers) to other networks in order to send messages and give / receive access to files of others - sharing data from one place to another without having to physically go to each machine. Each network is essentially connecting to, or allowing access to, a file system to facilitate the sharing of data. You can think of it as a gigantic library of computer files, where you can hop on a browser (i.e. using the World Wide Web to find information from the internet) and access someone else's files that they made publicly available (e.g. a website).
Of course, it's much more than just files, and a lot more is happening behind the scenes, but it's important to understand that most things you use in your day to day on the web are just files. If you press F12 on your browser - and then click 'sources' - you can see the actual location of the files on the server that you are reading just now - and the same on any website or web application.
And that's basically what the internet is: a massive spider web of devices connected to each other to share information. Now read that again: "to share information". This is why the internet is, from the ground up, fundamentally not secure. It was built, designed, and optimized to share data.
In the beginning it was an exciting and revolutionary technology - and its use was limited to a few geeky scientists who shared files of their work with each other. Then it became apparent that it could be used for so much more. In the beginning only a few people were using the network, so by default only a few people could access the data. But as it expanded, there came a need to restrict access to data (or messages, files etc). So internet security was actually implemented as an afterthought to the original project.
what this means from a security standpoint
So with this background knowledge, it makes sense that in the beginning, most computer security threats were local, from insiders reading things they shouldn't. Very few people had access to a computer network, so most security practices involved some sort of physical access policy to the data (as a simple example: protecting a computer with a password). This can be seen in very old hacking movies, where the attacker always has some sort of physical access to the network.
As you can imagine, once the network grew, more and more people could access the internet, and so ways had to be found to restrict access within each network. So in the beginning, there were some astronomical hacks that caused havoc, as there was hardly any security at all, other than a few policies in place (I'll return to this point later - having a 'policy' or 'compliance' is one of the reasons the internet is still so insecure - hackers don't tend to read them funnily enough...). Because the use of computers as a mainstream tool was so new, most people had no idea what was happening. You can read about some early hacks here if you're interested - in today's terms they would cause far more damage.
The first real 'external' threats were worms and viruses - programs that could be sent from computer to computer causing damage. The first one was in 1971. As these became more common, it prompted the use of anti-virus (AV) software in 1987 (I think we all remember those... constantly crashing our computers!) and while they did help, they were clumsy and heavy on CPU usage. The main disadvantage of anti-virus software is that it is basically a program that matches binary data to known malicious programs (malware), in order to detect and disable them. And that's the catch: they must be known viruses. So AV software is only good in hindsight - it only protects you from viruses that have been discovered. While they do offer some protection, they are only good for protecting from older threats, as new viruses and malicious programs are being written faster and faster and new ones appear every day. So all in all, an anti-virus will not stop you from being hacked. That doesn't mean you shouldn't use one, it just means you shouldn't expect too much from it.
The other big security invention, in 1989, was the firewall, based on how doors are sealed in isolation to help stop fires in buildings. Firewalls can be very effective at blocking unwanted traffic, and remain a very good form of defense against attacks, but as is the case with anti-virus software, they can be cumbersome and prevent 'good' internet traffic from flowing if not configured properly, which can be a complex task. There are a few types of firewalls and you can read more about them in my article here. A firewall essentially monitors arriving data packets and checks whether each one is allowed. They can also be configured to block unused ports (see article here) and isolate the network by creating an additional 'layer' of access - meaning outside traffic connects to the firewall and only the traffic that it is set to allow can connect to the devices inside your network. Unfortunately, there are also many ways to circumvent them, such as using a VPN or proxy, or disguising the data being sent. So these will not save you on their own either, but they are an important part of network security.
In 1995, Netscape introduced SSL - the secure version of HTTP (which was the first internet protocol for the world wide web, read more about it here), and this remains one of the biggest steps towards a safer internet. SSL has since been replaced by TLS, and most browsers now flag websites using only HTTP as 'not secure' (anyone can see the data transferred in an HTTP connection as it is not encrypted). You can check if the site you're on is encrypted by looking for the lock icon next to the address bar.
From the 2000s onwards, more and more personal data was put online: credit card payments and online banking became widespread, and dating sites, social media, government administrations, etc. have all moved to online platforms. With it came the beginning of far more targeted attacks, and companies started to take cyber security more seriously, particularly since the TJX hack in 2005. In this decade, awareness of the risks of being online started to be more widespread - one of the key factors in increasing security - and led to an increase in Endpoint Detection teams and software.
In the next decade, especially after the WannaCry attack* in 2017, cyber security became a real focus. Companies spent large amounts of money on forming big security teams, and much more sophisticated tools were developed for detecting and preventing hacks. While this has led to some huge advances in protecting data, it's largely big companies who can afford to employ a cyber security team full time, meaning there is still a huge gap for the average user, and they still get hacked.
* Interestingly enough, while most people have heard about the WannaCry attack, not many people know that it was stopped in its tracks by one guy - Marcus Hutchins, a hacker turned security analyst.
In the same decade, many governments and associations around the world started implementing regulations and frameworks to force companies to be held accountable for rubbish security practices (for example GDPR in the EU and FISMA in the USA, although there are many others) and to help protect user data. These mandatory guidelines provide a legal basis for dealing with data theft and computer crime. But most of these are very new, and have yet to have a real impact on events. These regulations are not to be confused with 'Policy' and 'Compliance', which are set by companies for how you can use / access their data (as well as vice-versa of course). Many companies and users wrongly assume that a policy will protect them in case of a problem - but they are utterly useless outside of a court room - and will not stop a hacker from accessing the data! It's like putting a big sign on the door saying 'Do Not Enter!' - and leaving the door unlocked. Hackers don't give a damn about compliance or policy as it's only there to save the company's ass in case of a legal dispute.
It is positive to see that steps are being taken though, and eventually we will probably arrive at some worldwide consensus for internet safety, in the same way as (most) countries now recognize the need to wear a seat belt in a car. Like with HTTPS - most people have a vague idea that it's something about security, but it's only now that browsers warn you when you access HTTP that it's really become effective. And that came about from consensus - different companies and associations decided they should all enforce HTTPS as much as possible. I'm quite certain at some point there will be a sort of 'highway code' for the regular internet user, simply to be aware of common dangers.
so how do you stay safe online?
Now we arrive at the beginning of a new decade in 2020, after an even worse year for the world of internet security - due to a non-digital kind of virus - 2019 has highlighted how much we rely on the internet, and how dangerous it can be. But I think overall this will have a positive effect in the long term. It's necessary for the average user to start to get a picture of what needs to be done. The internet is no longer the wild west it once was, and there are in fact a multitude of tools you can use to communicate securely, store your data safely, and continue to work productively. Every day, security teams are developing more and more tools to make it harder and harder for hackers to access data, and hackers must turn to more sophisticated attacks - or attack only weaker targets. Where the problem lies is in user education.
And that's the next big challenge of securing the internet: training everyone who uses it to adopt safe practices (and also one of the reasons we started this blog!). Many, many hacks are only possible because of user error or ignorance (such as choosing a weak password, or using an HTTP website) and this is what hackers look for.
We have an article here on "Security best practices" which I highly recommend you read, now that you have an idea what you're up against!