Let us look first at external intrusion, that is, unauthorized penetration by perpetrators through devices to which they have free access. We will devote separate attention to threats from personnel within a given system on the supposition that the necessary organizational and other security measures have been put in place.

In the early 1980s, intrusion received a certain amount of attention in systems where state and corporate secrets were stored. Here, the focus was primarily on limiting the access of end users to information stored in a system. The question of security for physical data carriers was handled rather simply, mainly through organizational measures.

Information security was based on the principle of creating conditions in which the user has no physical opportunity to make any changes in the software programs—nonprogrammability. It was implemented by means of so-called dumb terminals and classical operating systems (IBM, DEC, and others), the architecture of which involved the separation of programs and data and the physical protection of systems software from applied programs and other elements. Furthermore, communications technologies were systems oriented and did not permit outsiders to log on. Exchange protocols for the telecommunications components did not allow perpetrators to penetrate the network.

The level of security provided by the architectural characteristics of computers and communications devices was sharply reduced with the appearance and accelerated introduction of new technologies, of which the following deserve special attention:

• personal computers, especially IBMs using Microsoft operating systems

• local networks with personal computer (PC) workstations

• the transmission control protocol/Internet protocol (TCP/IP) family of protocols and the creation of the Internet on their basis

A keen struggle began among the various means of protection and attack. The first applications for PCs were for home use. Within a few years, PCs began to be used in almost all spheres of human activity. IBM-compatible PCs using Microsoft software established a dominating position. With their simplicity of use and relatively low cost, they made it substantially easier and less expensive to create small systems for various applications than did computers with different architectures. The local nature of their installation made it easy to handle security matters.

This initial period saw the appearance of the first danger signals—computer viruses. At first, the intrusions were destructive in nature. The thesis was advanced that “he who takes careful precautions will not be affected.” Therefore, most of the efforts were focused on the correct use of antivirus software and the proper way to use diskettes. From a security standpoint, it is unforgivable that very little attention was devoted to the operating system architecture and floppy