== History ==

By the mid 1960s, growing popularity of [[time-sharing]] computer systems that made resources accessible over communication lines created new security concerns. As the scholars Deborah Russell and G. T. Gangemi Sr. explain, "The 1960s marked the true beginning of the age of computer security."<ref name="Russell">{{cite book |last1=Russell |first1=Deborah |last2=Gangemi |first2=G.T. |publisher=O'Reilly Media Inc. |date=1991 |title=Computer Security Basics |url=https://archive.org/details/computersecurity00russ |url-access=registration |isbn=9780937175712 }}</ref>{{rp|27}} In June 1965, for example, several of the U.S.'s leading computer security experts held one of the first major conferences on system security—hosted by the government contractor, the [[System Development Corporation]] (SDC). During the conference, someone noted that one SDC employee had been able to easily undermine various system safeguards added to SDC's [[AN/FSQ-32]] time-sharing computer system. In hopes that further system security study would be useful, attendees requested "...studies to be conducted in such areas as breaking security protection in the time-shared system." In other words, the conference participants initiated one of the first formal requests to use computer penetration as a tool for studying system security.<ref name="Hunt">{{cite journal |last1=Hunt |first1=Edward |year=2012 |title=US Government Computer Penetration Programs and the Implications for Cyberwar |journal=[[IEEE Annals of the History of Computing]] |volume=34 |issue=3 |pages=4–21 |doi=10.1109/MAHC.2011.82 |s2cid=16367311 }}</ref>{{rp|7–8}}

At the Spring 1968 Joint Computer Conference, many leading computer specialists again met to discuss system security concerns.
During this conference, the computer security experts [[Willis Ware]], Harold Petersen, and Rein Turn, all of the [[RAND Corporation]], and Bernard Peters of the [[National Security Agency]] (NSA), all used the phrase "penetration" to describe an attack against a computer system. In a paper, Ware referred to the military's remotely accessible time-sharing systems, warning that "Deliberate attempts to penetrate such computer systems must be anticipated." His colleagues Petersen and Turn shared the same concerns, observing that online communication systems "...are vulnerable to threats to privacy," including "deliberate penetration." Bernard Peters of the NSA made the same point, insisting that computer input and output "...could provide large amounts of information to a penetrating program." During the conference, computer penetration would become formally identified as a major threat to online computer systems.<ref name="Hunt" />{{rp|8}}

The threat that computer penetration posed was next outlined in a major report organized by the [[United States Department of Defense]] (DoD) in late 1967. Essentially, DoD officials turned to Willis Ware to lead a task force of experts from NSA, [[CIA]], DoD, academia, and industry to formally assess the security of time-sharing computer systems. By relying on many papers presented during the Spring 1967 Joint Computer Conference, the task force largely confirmed the threat to system security that computer penetration posed. Ware's report was initially classified, but many of the country's leading computer experts quickly identified the study as the definitive document on computer security.<ref name="Hunt" /> Jeffrey R. Yost of the [[Charles Babbage Institute]] has more recently described the Ware report as "...by far the most important and thorough study on technical and operational issues regarding secure computing systems of its time period."<ref name="Yost">{{cite book |last=Yost |first=Jeffrey R. |publisher=Elsevier |date=2007 |title=''A History of Computer Security Standards'', in The History of Information Security: A Comprehensive Handbook |pages=601–602 |editor1-last=de Leeuw |editor1-first=Karl |editor2-last=Bergstra |editor2-first=Jan}}</ref> In effect, the Ware report reaffirmed the major threat posed by computer penetration to the new online time-sharing computer systems.

To better understand system weaknesses, the federal government and its contractors soon began organizing teams of penetrators, known as ''[[tiger teams]],'' to use computer penetration to test system security. Deborah Russell and G. T. Gangemi Sr. stated that during the 1970s "...'tiger teams' first emerged on the computer scene. Tiger teams were government and industry-sponsored teams of crackers who attempted to break down the defenses of computer systems in an effort to uncover, and eventually patch, security holes."<ref name="Russell"/>{{rp|29}} A leading scholar on the history of computer security, Donald MacKenzie, similarly points out that, "RAND had done some penetration studies (experiments in circumventing computer security controls) of early time-sharing systems on behalf of the government."<ref name="Mackenzie1997">{{cite journal |last1=Mackenzie |first1=Donald |last2=Pottinger |first2=Garrel |year=1997 |title=Mathematics, Technology, and Trust: Formal Verification, Computer Security, and the U.S. Military |url=https://www.computer.org/csdl/mags/an/1997/03/man1997030041-abs.html |journal=[[IEEE Annals of the History of Computing]] |volume=19 |issue=3 |pages=41–59 |doi=10.1109/85.601735 |url-access=subscription}}</ref><ref name="Mackenzie2001">{{cite book |last=Mackenzie |first=Donald A. |title=Mechanizing Proof: Computing, Risk, and Trust |url=https://books.google.com/books?id=QiMS8t4V_0cC |publisher=[[Massachusetts Institute of Technology]] |page=156 |isbn=978-0-262-13393-7 |year=2004 }}</ref> Jeffrey R.
Yost of the Charles Babbage Institute, in his own work on the history of computer security, also acknowledges that both the RAND Corporation and the SDC had "engaged in some of the first so-called 'penetration studies' to try to infiltrate time-sharing systems in order to test their vulnerability."<ref name="Yost" /> In virtually all these early studies, tiger teams successfully broke into all targeted computer systems, as the country's time-sharing systems had poor defenses.

Of early tiger team actions, efforts at the RAND Corporation demonstrated the usefulness of penetration as a tool for assessing system security. At the time, one RAND analyst noted that the tests had "...demonstrated the practicality of system-penetration as a tool for evaluating the effectiveness and adequacy of implemented data security safeguards." In addition, a number of the RAND analysts insisted that the penetration test exercises all offered several benefits that justified their continued use. As they noted in one paper, "A penetrator seems to develop a diabolical frame of mind in his search for operating system weaknesses and incompleteness, which is difficult to emulate." For these reasons and others, many analysts at RAND recommended the continued study of penetration techniques for their usefulness in assessing system security.<ref name="Hunt" />{{rp|9}}

Presumably the leading computer penetration expert during these formative years was James P. Anderson, who had worked with the NSA, RAND, and other government agencies to study system security. In early 1971, the U.S. Air Force contracted Anderson's private company to study the security of its time-sharing system at the Pentagon. In his study, Anderson outlined a number of major factors involved in computer penetration. Anderson described a general attack sequence in steps:
# Find an exploitable vulnerability.
# Design an attack around it.
# Test the attack.
# Seize a line in use.
# Enter the attack.
# Exploit the entry for information recovery.
Over time, Anderson's description of general computer penetration steps helped guide many other security experts, who relied on this technique to assess time-sharing computer system security.<ref name="Hunt" />{{rp|9}}

In the following years, computer penetration as a tool for security assessment became more refined and sophisticated. In the early 1980s, the journalist [[William Broad]] briefly summarized the ongoing efforts of tiger teams to assess system security. As Broad reported, the DoD-sponsored report by Willis Ware "...showed how spies could actively penetrate computers, steal or copy electronic files and subvert the devices that normally guard top-secret information. The study touched off more than a decade of quiet activity by elite groups of computer scientists working for the Government who tried to break into sensitive computers. They succeeded in every attempt."<ref>Broad, William J. (September 25, 1983). "Computer Security Worries Military Experts", ''The New York Times''</ref>

While these various studies may have suggested that computer security in the U.S. remained a major problem, the scholar Edward Hunt has more recently made a broader point about the extensive study of computer penetration as a security tool. Hunt suggests in a recent paper on the history of penetration testing that the defense establishment ultimately "...created many of the tools used in modern day cyberwarfare," as it carefully defined and researched the many ways that computer penetrators could hack into targeted systems.<ref name="Hunt" />{{rp|5}}