A time line approach to summarizing 25+ years in computer audit and security, with some thoughts on lessons learned.

Twenty-five years and counting:

The IBM PC did not exist in 1980. Information system security was strictly confined to the world of mainframes, and in those days mainframes lived in a world of their own. In some ways it is very satisfying to look at the state of the information security profession.

1980: First involvement with computers, audit and fraud -- Appointed Chief Oil and Gas Tax Auditor of the tenth largest oil producing state. Led development of a computerized [mainframe] auditing program that collected millions of dollars in previously unpaid taxes in the first year of operation.

1982: First encounter with personal computers -- Encountered IBM PCs while auditing at the head offices of several major oil companies. Purchased a personal CP/M computer with spreadsheet.

1983: First adventures online -- Took a class in remote database searching (accessing Dialog via a 300 baud Texas Instruments thermal printer terminal). Bought a modem and joined The Source, a forerunner of commercial BBS, forum, and email services like CompuServe.

1984: First adventures in personal computer networking -- With the late great BBC Acorn

1985: First encounter with computer crime -- Hired to install backup system after a computer was stolen from a medical grant-writing office and the owners missed a crucial deadline.

1986: First encounter with IBM personal computer networks -- Under contract to IBM, began installing networks based on IBM's PC Network, a NetBIOS-based precursor to the company's Token Ring network. Realized that connectivity greatly multiplied risks to system security.

1987: Began first book on computer security -- The first book to provide comprehensive coverage (540-pages) of PC and LAN security from a business user perspective.

1992: First book on computer security published -- The book was completed almost a year before it appeared in print because Tab/McGraw-Hill didn't think many people would buy a book about PC security. They were right. My first book on Quattro Pro shipped 80,000 copies in the first quarter. The Stephen Cobb Complete Guide to PC & LAN Security sold fewer than 6,000 copies.

1994: First conference presentation on security -- Virus Bulletin '94 in Jersey, UK Channel Islands. Topic: Windows NT Security.

1995: Joined the National Computer Security Association as Director of Special Projects -- Ran the Florida office of NCSA that housed the anti-virus testing and certification lab. Responsible for the NCSA Firewall Policy Guide. (NCSA later became TruSecure and ICSA Labs.) Published a new edition of the original PC & LAN security book as The NCSA Guide to PC & LAN Security, part of a series of NCSA books that included the NCSA Guide to Enterprise Security by Mich Kabay.

1996: Became a CISSP -- One of the first 1,000 persons to pass the CISSP examination.

1997: Joined forces with fellow CISSPs Michael Miora and David Brussin -- Together with Vincent Schiavone we grew Miora Systems Consulting into InfoSec Labs, a highly respected 'boutique' security consultancy with blue ribbon clients like American Express, AT&T, Sprint, Xerox, Edward Jones, Merck-Medco. Here is some press coverage.

1997: Broke new ground in risk analysis -- While performing a risk assessment for one of the world's largest drug companies, showed that security breaches which expose personal data have the potential to cause far greater harm than breaches involving company financial data.

1997: Outed a major Internet vulnerability -- Helped identify the risks inherent in the then-prevalent HTML Hidden Form Field Vulnerability (web applications trusting values such as prices or account identifiers that they had placed in hidden form fields and that a user could edit before submitting) and distribute a remedy. Showed that even when a vulnerability is "known" to experts it may still be in need of outing to enterprises.
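The hidden-field problem in code, as an added example that is not the remedy the author distributed in 1997 and not code from this page: a checkout handler that trusts a hidden price field beside two hardened variants, one that re-derives the price from server-side data and one that signs the hidden state with an HMAC so tampering is detected. The catalog, SKU, prices and the server key are constructed sample values.

```python
"""Hidden form field tampering: vulnerable handler vs. two hardened handlers.

Added example. The catalog, the SKU "sku-100", the prices and SERVER_KEY are
constructed assumptions, not data from the original page.
"""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Server-side source of truth for prices, in cents (constructed sample data).
CATALOG = {"sku-100": 4999}

# Server-only key for signing hidden state (assumption: would come from config).
SERVER_KEY = b"rotate-me-and-keep-me-out-of-the-html"


def vulnerable_checkout(body: str) -> int:
    """Computes the order total from the POSTed form body.

    Trusts the hidden 'price' field the page emitted earlier. The browser
    sends whatever the user chooses to send, so the total is attacker-chosen.
    """
    form = parse_qs(body)
    qty = int(form["qty"][0])
    price = int(form["price"][0])  # hidden field, fully under client control
    return qty * price


def hardened_checkout(body: str) -> int:
    """Same form, but the price is looked up server-side from the SKU.

    Only the SKU and quantity are taken from the client, and both are
    validated. A submitted 'price' field is simply ignored.
    """
    form = parse_qs(body)
    sku = form["sku"][0]
    qty = int(form["qty"][0])
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return qty * CATALOG[sku]


def _sign_fields(fields: dict) -> str:
    """HMAC-SHA256 over the hidden fields, canonicalised by sorting keys."""
    msg = urlencode(sorted(fields.items())).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def render_hidden_fields(sku: str, price: int) -> str:
    """Returns the hidden state a server would embed in the form, plus a sig.

    Used when some state genuinely must round-trip through the client; the
    signature lets the server detect any edit to it.
    """
    fields = {"sku": sku, "price": str(price)}
    fields["sig"] = _sign_fields(fields)
    return urlencode(fields)


def signed_checkout(body: str) -> int:
    """Verifies the signature over the hidden fields before using them."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    sig = form.pop("sig", "")
    qty = int(form.pop("qty"))  # user-entered, not part of the signed state
    if not hmac.compare_digest(sig, _sign_fields(form)):
        raise ValueError("hidden fields were tampered with")
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return qty * int(form["price"])


if __name__ == "__main__":
    honest = "sku=sku-100&qty=2&price=4999"
    tampered = "sku=sku-100&qty=2&price=1"
    print("vulnerable, honest  :", vulnerable_checkout(honest))
    print("vulnerable, tampered:", vulnerable_checkout(tampered))
    print("hardened,  tampered :", hardened_checkout(tampered))
    signed = render_hidden_fields("sku-100", 4999) + "&qty=2"
    print("signed, honest      :", signed_checkout(signed))
    try:
        signed_checkout(signed.replace("price=4999", "price=1"))
    except ValueError as exc:
        print("signed, tampered    :", exc)
```

The server-side lookup is the preferred fix because it removes the hidden field from the trust boundary altogether; the HMAC variant is for cases where state has to travel through the client, and it protects integrity only, not confidentiality, so anything secret still must not be placed in the form.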

1998: Creating security awareness -- Developed an online security awareness training program for all 14,000 employees of AT&T Wireless.

1998: Went up against the big guys -- In a head-to-head Network Computing contest against other consultants that included Coopers & Lybrand and Price Waterhouse it was said that "Miora's training, security awareness and administrative design...blew the doors clean off the competition."

1999: Went public -- InfoSec Labs was acquired by Rainbow Technologies, a publicly traded company known for its encryption products, now part of SafeNet [NASDAQ: SFNT].

1999: Identified privacy as the new security driver -- In advice to clients and then an article published in early 2000.

2001: Started a privacy and anti-spam company -- Joined with Vincent Schiavone, David Brussin, and Michael Miora to create ePrivacy Group. The goal: offer privacy consulting and develop anti-spam technology to restore trust to email.

2001: The story continues -- Next installment to be posted shortly.

2006: Interp Moscow --

2007: 4th Annual Enterprise Security Asia Conference --

Outside the box:

The battle between those who seek to abuse information technology and those who strive to defend against them will continue for a long time, perhaps forever, and at great cost to the world. Information security is crucial to trust and trust is crucial to healthy, open, and prosperous societies. The root of information abuse is an over-abundance of people prepared to break the law. People feel less and less inclined to obey the law when the gap between rich and poor is growing ever wider and the 'haves' display a lack of moral character and social responsibility even as they berate the 'have nots' for a failure to display these same qualities. The last, best hope for information security may well be an improvement in the overall level of global lawfulness. That is unlikely to occur until there is a marked reduction in poverty and tyranny and a marked increase in economic and social equality.
