The evolution of security

Before the advent of digital online technology, computer security was generally a lot more predictable, and not so different from what had been used for millennia. Something physically locked behind a door was safe. But as soon as computers gained a permanent public network connection, that all changed. In this feature, we are going to look at the beginnings of computer security, and how threats have now evolved into something continually changing – moving targets that require new approaches to protect against them.

The computer virus has a history almost as long as computing itself. In fact, one of the main early theorists of modern computing, John von Neumann, considered the possibilities of viruses as far back as the late 1940s. However, it wasn’t until 1971 that anything like the modern computer virus emerged, via the internet’s progenitor, ARPANET. Teletype machines were taken over by a “worm” called Creeper that displayed the phrase “I’m the creeper, catch me if you can!” This wasn’t a malicious program, however. It was an experiment in self-replicating code by Bob Thomas, a researcher at Raytheon BBN Technologies. A similar self-replicating application called Reaper, created by Ray Tomlinson (who invented email), then deleted Creeper from the ARPANET.

While Creeper wasn’t meant to do anything particularly nasty, just display a message, the possibilities were clearly there for something worse. The 15-year-old schoolkid Richard Skrenta is usually credited with creating the first virus to make it “in the wild” in 1992 called Elk Cloner. This also just displayed a message, in this case a poem about the Elk Cloner program itself. It spread via Apple floppy disk, taking advantage of early personal computer users’ culture of sharing software and files via removable media.

One of the first truly malicious computer viruses was Brain, initially released in 1986, which overwrote the boot sector of an MS-DOS floppy disk and prevented the host computer from booting, although even this was originally designed for copy protection. However, removable media did not provide an adequately fast exchange system to enable viruses to be a real threat to security at that time. It was also extremely easy for companies to guard against this kind of virus once personal computers no longer booted from removable media, by strictly controlling the use of removable media, or even specifying computers without the requisite drives.

Email and the web gave virus writers a much more fertile platform for viruses than floppy disk sharing. However, it wasn’t until the late 1990s that this really started to be taken advantage of. In 1999, the Melissa virus used a Word macro to distribute itself via email and send out passwords for adult websites. It didn’t damage the infected computer but could cause email servers to crash due to the volume of traffic it generated.

21st century threats

Like so many things in computing, however, the year 2000 was momentous for viruses, because this is when the email virus came of age with the paradoxically named iloveyou, created by 24-year-old Onel de Guzman from the Philippines. This email virus exploited our natural curiosity about being sent an anonymous love letter, which was in fact a Visual Basic script that overwrote a random selection of files including Office documents, images and MP3s and emailed itself to every contact in the victim’s Microsoft Outlook address book.

This classic virus, which the Smithsonian Institute considers the tenth-most virulent computer virus in history, was a harbinger of one of the most dangerous and prevalent forms of security threat nowadays: ransomware. Like iloveyou, this rewrites your files, but by encrypting them rather than just destructively overwriting them. It then delivers a message extorting a ransom, usually in cryptocurrency, which must be paid to decrypt the files again. This form came to the fore in 2012 with CryptoLocker-based malware, including Locky and the infamous WannaCry, which had a global impact including on public organisations such as the NHS and Germany’s Deutsche Bahn railway company.

Cybersecurity now faces a whole host of threats, which no longer just infect software, but are even attempting to exploit vulnerabilities in hardware, such as the processor’s microcode or by changing a computer’s UEFI BIOS. This latter technique is particularly effective because it can circumvent defences that load with the operating system by loading before they do. This can be mitigated against by providing hardware-level protection. The Intel vPro® Platform, for example, integrates Intel® Hardware Shield technology that locks down the BIOS memory against these kinds of firmware attack, enforcing a secure boot without vulnerability to exploitation.

Cryptomining attacks have been on the rise, too. These don’t directly assault the victim’s computer but install themselves parasitically to use the host hardware to mine cryptocurrency for the hacker’s benefit. The damage is indirect, causing the host system to slow down and use more power than it should for the tasks its user wants to perform. Another common form of attack now revolves around jump/call-oriented programming, which reuses chunks of already existing code ending in ret or jmp instructions to execute a payload. The Intel vPro Platform now integrates Intel® Control-flow Enforcement Technology (Intel CET) to mitigate against this.

All these threats have clear signatures once discovered and can be mitigated against by looking for those distinctive behaviour patterns. The problem is that as fast as virus signatures and other mitigating software patches can be rolled out, a new threat emerges, or a new way of disguising malware. This makes the traditional approach to providing security and combating viruses, malware and ransomware is like a dog chasing its tail, never quite able to catch up.

The power of AI

This is another area where the Intel vPro Platform is entirely ready for the new dangers, however. The 11th Generation of the Intel vPro Platform introduces Intel® Threat Detection Technology (Intel® TDT), which is the industry’s first silicon-enabled threat detection system to use Artificial Intelligence to help stop ransomware and cryptomining attacks. While clever writers of malicious code can constantly find new ways to hide their malevolent software wolves in seemingly innocuous sheep’s clothing, they can never fully obscure the end results.

A computer user will have a normal behaviour with a learnable pattern, and their machine will have certain characteristics during everyday operation. Ransomware and cryptomining malware will diverge from this behaviour, with the former attempting to encrypt files unexpectedly, and the latter drawing excessive load on the system’s processor and graphics. Once this behaviour is detected, the remote management capabilities of the Intel vPro Platform can be used to isolate and remediate the affected system. Intel® Active Management Technology or AMT allows for remote management beyond the firewall, so is an integral part of supporting workers even in their home offices.

Cyberthreats will continue to grow in sophistication and dealing with them retrospectively will increasingly be insufficient to prevent serious breaches. But with AI such as that provided by Intel® TDT, security and anti-virus software can evolve with learning and behavioural monitoring to combat these new threats as they emerge, providing resilience companies need to maintain their security.

Learn more about the Intel vPro platform and what it can do for your business