Computer security: Difference between revisions

'''Computer security''' (also '''cybersecurity''', '''digital security''', or '''information technology (IT) security''') is a subdiscipline within the field of [[information security]]. It focuses on protecting [[computer software]], [[system]]s and [[computer network|networks]] from [[Threat (security)|threats]] that can lead to unauthorized information disclosure, theft or damage to [[computer hardware|hardware]], [[software]], or [[Data (computing)|data]], as well as from the disruption or misdirection of the [[Service (economics)|services]] they provide.<ref name=":2">{{Cite journal |last1=Schatz |first1=Daniel |last2=Bashroush |first2=Rabih |last3=Wall |first3=Julie |date=2017 |title=Towards a More Representative Definition of Cyber Security |url=https://commons.erau.edu/jdfsl/vol12/iss2/8/ |journal=Journal of Digital Forensics, Security and Law |language=en |volume=12 |issue=2 |issn=1558-7215}}</ref><ref>{{Britannica|130682}}</ref>

The significance of the field stems from the expanded reliance on [[computer systems]], the [[Internet]],<ref>{{Cite news |last=Tate |first=Nick|date=7 May 2013 |title=Reliance spells end of road for ICT amateurs |newspaper=The Australian |url=https://www.theaustralian.com.au/news/reliance-spells-end-of-road-for-ict-amateurs/news-story/6f84ad403b8721100f5957a472a945eb |url-access=subscription}}</ref> and [[wireless network standards]]. Its importance is further amplified by the growth of [[smart device]]s, including [[smartphone]]s, [[television]]s, and the various devices that constitute the [[Internet of things]] (IoT). Cybersecurity has emerged as one of the most significant new challenges facing the contemporary world, due to both the complexity of [[information systems]] and the societies they support. Security is particularly crucial for systems that govern large-scale systems with far-reaching physical effects, such as [[Electric power distribution|power distribution]], [[Election security|elections]], and [[finance]].<ref>{{cite journal |last1=Kianpour |first1=Mazaher |last2=Kowalski |first2=Stewart |last3=Øverby |first3=Harald |date=2021 |title=Systematically Understanding Cybersecurity Economics: A Survey |journal=Sustainability |volume=13 |issue=24 |page=13677 |doi=10.3390/su132413677 |doi-access=free|bibcode=2021Sust...1313677K |hdl=11250/2978306 |hdl-access=free | issn=2071-1050 }}</ref><ref>{{cite journal |last1=Stevens |first1=Tim |date=11 June 2018 |title=Global Cybersecurity: New Directions in Theory and Methods |url=https://kclpure.kcl.ac.uk/portal/files/97261726/PaG_6_2_Global_Cybersecurity_New_Directions_in_Theory_and_Methods.pdf |archive-url=https://web.archive.org/web/20190904151257/https://kclpure.kcl.ac.uk/portal/files/97261726/PaG_6_2_Global_Cybersecurity_New_Directions_in_Theory_and_Methods.pdf |archive-date=2019-09-04 |url-status=live |journal=Politics and Governance |volume=6 |issue=2 |pages=1–4 |doi=10.17645/pag.v6i2.1569 |doi-access=free}}</ref>

Although many aspects of computer security involve digital security, such as electronic [[passwords]] and [[encryption]], [[physical security]] measures such as [[Lock and key|metal locks]] are still used to prevent unauthorized tampering. IT security is not a perfect subset of [[information security]], therefore does not  completely align into the [[security convergence]] schema.

A vulnerability refers to a flaw in the structure, execution, functioning, or internal oversight of a computer or system that compromises its security. Most of the vulnerabilities that have been discovered are documented in the [[Common Vulnerabilities and Exposures]] (CVE) database.<ref>{{Cite web |title=About the CVE Program |url=https://www.cve.org/About/Overview |access-date=2023-04-12 |website=www.cve.org}}</ref> An ''exploitable'' vulnerability is one for which at least one working [[cyberattack|attack]] or ''[[Exploit (computer security)|exploit]]'' exists.<ref>{{cite conference | last=Zlatanov | first=Nikola |title=Computer Security and Mobile Security Challenges |url=https://www.researchgate.net/publication/298807979 |conference=Tech Security Conference At: San Francisco, CA  |date=3 December 2015 }}</ref> Actors maliciously seeking vulnerabilities are known as ''[[Threat (computer security)|threats]]''. Vulnerabilities can be researched, reverse-engineered, hunted, or exploited using [[Automated threat|automated tools]] or customized scripts.<ref>{{cite web |title=Ghidra |url=https://www.nsa.gov/resources/everyone/ghidra/ |access-date=17 August 2020 |archive-date=15 August 2020 |archive-url=https://web.archive.org/web/20200815201448/https://www.nsa.gov/resources/everyone/ghidra/ | website=nsa.gov | date=1 August 2018 }}</ref><ref>{{cite web |last=Larabel |first=Michael |date=2017-12-28 |title=Syzbot: Google Continuously Fuzzing The Linux Kernel |url=https://www.phoronix.com/scan.php?page=news_item&px=Syzbot-Linux-Kernel-Fuzzing/ |access-date=2021-03-25 |website=www.phoronix.com/ |language=en-US}}</ref>

Various people or parties are vulnerable to cyber attacks; however, different groups are likely to experience different types of attacks more than others.<ref name="crowdstrike.com">{{Cite web |title=Cyber attacks on SMBs: Current Stats and How to Prevent Them |url=https://www.crowdstrike.com/solutions/small-business/cyber-attacks-on-smbs/ |access-date=2023-11-30 |website=crowdstrike.com |language=en}}</ref>

In April 2023, the [[United Kingdom Government|United Kingdom]] Department for Science, Innovation & Technology released a report on cyber attacks over the previous 12 months.<ref name="Cyber breaches 2023">{{Cite web |title=Cyber security breaches survey 2023 |url=https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2023/cyber-security-breaches-survey-2023 |access-date=2023-11-30 |website=GOV.UK |language=en}}</ref> They surveyed 2,263 UK businesses, 1,174 UK registered charities, and 554 education institutions. The research found that "32% of businesses and 24% of charities overall recall any breaches or attacks from the last 12 months." These figures were much higher for "medium businesses (59%), large businesses (69%), and high-income charities with £500,000 or more in annual income (56%)."<ref name="Cyber breaches 2023" /> Yet, although medium or large businesses are more often the victims, since larger companies have generally improved their security over the last decade, [[Small and medium-sized enterprises|small and midsize businesses]] (SMBs) have also become increasingly vulnerable as they often "do not have advanced tools to defend the business."<ref name="crowdstrike.com" /> SMBs are most likely to be affected by malware, ransomware, phishing, [[man-in-the-middle attack]]s, and Denial-of Service (DoS) Attacks.<ref name="crowdstrike.com" />

A [[Backdoor (computing)|backdoor]] in a computer system, a [[cryptosystem]], or an [[algorithm]] is any secret method of bypassing normal [[authentication]] or security controls. These weaknesses may exist for many reasons, including original design or poor configuration.<ref>{{Cite web |date=2023-11-30 |title=What is a backdoor attack? Definition and prevention {{!}} NordVPN |url=https://nordvpn.com/blog/backdoor-attack/ |access-date=2024-01-03 |website=nordvpn.com |language=en}}</ref> Due to the nature of backdoors, they are of greater concern to companies and databases as opposed to individuals.

Backdoors can be difficult to detect, as they often remain hidden within the source code or system firmware intimate knowledge of the [[operating system]] of the computer.

[[Denial-of-service attacks]] (DoS) are designed to make a machine or network resource unavailable to its intended users.<ref name="DoS guidance">{{Cite web |title=Denial of Service (DoS) guidance |url=https://www.ncsc.gov.uk/collection/denial-service-dos-guidance-collection |access-date=2023-12-04 |website=www.ncsc.gov.uk |language=en}}</ref> Attackers can deny service to individual victims, such as by deliberately entering a wrong password enough consecutive times to cause the victim's account to be locked, or they may overload the capabilities of a machine or network and block all users at once. While a network attack from a single [[IP address]] can be blocked by adding a new firewall rule, many forms of [[Denial-of-service attack#Distributed DoS|distributed denial-of-service]] (DDoS) attacks are possible, where the attack comes from a large number of points. In this case, defending against these attacks is much more difficult. Such attacks can originate from the [[zombie computer]]s of a [[botnet]] or from a range of other possible techniques, including [[Denial-of-service attack#Reflected attack|distributed reflective denial-of-service]] (DRDoS), where innocent systems are fooled into sending traffic to the victim.<ref name="DoS guidance" /> With such attacks, the amplification factor makes the attack easier for the attacker because they have to use little bandwidth themselves. To understand why attackers may carry out these attacks, see the 'attacker motivation' section.

A direct-access attack is when an unauthorized user (an attacker) gains physical access to a computer, most likely to directly copy data from it or steal information.<ref>{{Cite web |title=Computer Security |url=https://www.interelectronix.com/computer-security.html |access-date=2023-11-30 |website=www.interelectronix.com}}</ref> Attackers may also compromise security by making operating system modifications, installing [[Computer worm|software worms]], [[keystroke logging|keyloggers]], [[covert listening device]]s or using wireless microphones. Even when the system is protected by standard security measures, these may be bypassed by booting another operating system or tool from a [[CD-ROM]] or other bootable media. [[Disk encryption]] and the [[Trusted Platform Module]] standard are designed to prevent these attacks.

[[Eavesdropping]] is the act of surreptitiously listening to a private computer conversation (communication), usually between hosts on a network. It typically occurs when a user connects to a network where traffic is not secured or encrypted and sends sensitive business data to a colleague, which, when listened to by an attacker, could be exploited.<ref name="Fortinet">{{Cite web |title=What Are Eavesdropping Attacks? |url=https://www.fortinet.com/resources/cyberglossary/eavesdropping |access-date=2023-12-05 |website=Fortinet |language=en}}</ref> Data transmitted across an ''open network'' allows an attacker to exploit a vulnerability and intercept it via various methods.

Unlike [[malware]], direct-access attacks, or other forms of cyber attacks, eavesdropping attacks are unlikely to negatively affect the performance of networks or devices, making them difficult to notice.<ref name="Fortinet" /> In fact, "the attacker does not need to have any ongoing connection to the software at all. The attacker can insert the software onto a compromised device, perhaps by direct insertion or perhaps by a virus or other malware, and then come back some time later to retrieve any data that is found or trigger the software to send the data at some determined time."<ref>{{Citation |last=York |first=Dan |title=Chapter 3 – Eavesdropping and Modification |date=2010-01-01 |url=https://www.sciencedirect.com/science/article/pii/B978159749547900003X |work=Seven Deadliest Unified Communications Attacks |pages=41–69 |editor-last=York |editor-first=Dan |access-date=2023-12-05 |place=Boston |publisher=Syngress |isbn=978-1-59749-547-9}}</ref>

Programs such as [[Carnivore (FBI)|Carnivore]] and [[Narus (company)|NarusInSight]] have been used by the [[Federal Bureau of Investigation]] (FBI) and NSA to eavesdrop on the systems of [[internet service provider]]s. Even machines that operate as a closed system (i.e., with no contact with the outside world) can be eavesdropped upon by monitoring the faint [[electromagnetism|electromagnetic]] transmissions generated by the hardware. [[Tempest (codename)|TEMPEST]] is a specification by the NSA referring to these attacks.

* [[Computer virus|'''Viruses''']] are a specific type of malware, and are normally a malicious code that hijacks software with the intention to "do damage and spread copies of itself." Copies are made with the aim to spread to other programs on a computer.<ref name="Malware-IBM" />  

* '''[[Spyware]]''' is a type of malware that secretly gathers information from an infected computer and transmits the sensitive information back to the [[Hacker|attacker]]. One of the most common forms of spyware are [[Keystroke logging|keyloggers]], which record all of a user's keyboard inputs/keystrokes, to "allow hackers to harvest usernames, passwords, bank account and credit card numbers."<ref name="Malware-IBM" />

* '''[[Scareware]]''', as the name suggests, is a form of [[malware]] which uses [[Social engineering (security)|social engineering]] (manipulation) to scare, [[Acute stress reaction|shock]], trigger [[anxiety]], or suggest the perception of a threat in order to manipulate users into buying or installing [[Potentially unwanted program|unwanted software]]. These attacks often begin with a "sudden pop-up with an urgent message, usually warning the user that they've broken the law or their device has a virus."<ref name="Malware-IBM" />

* WiFi SSID spoofing is where the attacker simulates a WIFI base station SSID to capture and modify internet traffic and transactions. The attacker can also use local network addressing and reduced network defenses to penetrate the target's firewall by breaching known vulnerabilities. Sometimes known as a Pineapple attack thanks to a popular device. See also [[Wireless security#Malicious association|Malicious association]].

* SSL hijacking, typically coupled with another media-level MITM attack, is where the attacker spoofs the SSL authentication and encryption protocol by way of Certificate Authority injection in order to decrypt, surveil and modify traffic. See also [[Transport Layer Security#TLS interception|TLS interception]]<ref name="verizon-mitm">

{{Cite web |url=https://www.verizon.com/business/resources/articles/s/what-is-a-man-in-the-middle-attack-and-how-can-i-protect-my-organization/ |title=What is a man-in-the-middle attack and how can I protect my organization? |website=[[verizon|verizon.com]]}}

Surfacing in 2017, a new class of multi-vector,<ref>{{cite web | title=Multi-Vector Attacks Demand Multi-Vector Protection | website=MSSP Alert | date=24 July 2017 | url=https://www.msspalert.com/analysis/multi-vector-attacks-demand-multi-vector-protection }}</ref> polymorphic<ref>{{cite news |first=Renee |last=Millman |title=New polymorphic malware evades three-quarters of AV scanners |work=SC Magazine UK |date=15 December 2017 |url=https://www.scmagazineuk.com/new-polymorphic-malware-evades-three-quarters-of-av-scanners/article/718757/ }}</ref> cyber threats combine several types of attacks and change form to avoid cybersecurity controls as they spread.

Multi-vector polymorphic attacks, as the name describes, are both multi-vectored and polymorphic.<ref name="Tounsi-2019">{{Citation |last=Tounsi |first=Wiem |title=What is Cyber Threat Intelligence and How is it Evolving? |date=2019-05-15 |url=https://onlinelibrary.wiley.com/doi/10.1002/9781119618393.ch1 |work=Cyber-Vigilance and Digital Trust |pages=1–49 |editor-last=Tounsi |editor-first=Wiem |access-date=2023-12-06 |edition=1 |publisher=Wiley |language=en |doi=10.1002/9781119618393.ch1 |isbn=978-1-78630-448-3|s2cid=187294508 |url-access=subscription }}</ref> Firstly, they are a singular attack that involves multiple methods of attack. In this sense, they are "multi-vectored (i.e. the attack can use multiple means of propagation such as via the Web, email and applications." However, they are also multi-staged, meaning that "they can infiltrate networks and move laterally inside the network."<ref name="Tounsi-2019" /> The attacks can be polymorphic, meaning that the cyberattacks used such as viruses, worms or trojans "constantly change ("morph") making it nearly impossible to detect them using signature-based defences."<ref name="Tounsi-2019" />

[[File:PhishingTrustedBank.png|thumb|An example of a phishing email, disguised as an official [[email]] from a ([[fiction]]al) bank. The [[sender]] is attempting to trick the recipient into revealing [[Confidentiality|confidential]] information by confirming it at the phisher's website. Note the misspelling of the words ''received'' and ''discrepancy'' as {{typo|rec''ie''ved}} and {{typo|discrep''e''ncy}}, respectively. Although the [[URL]] of the bank's [[webpage]] appears to be legitimate, the hyperlink points at the phisher's webpage.|324x324px]]

[[Phishing]] is the attempt of acquiring sensitive information such as usernames, passwords, and credit card details directly from users by deceiving the users.<ref>{{cite web |url=https://www.case.edu/its/kba/its-kba-27196-phishing-attempt/ |title=Identifying Phishing Attempts |publisher=Case |archive-url=https://web.archive.org/web/20150913200707/http://www.case.edu/its/kba/its-kba-27196-phishing-attempt/ |archive-date=13 September 2015  |access-date=4 July 2016 }}</ref> Phishing is typically carried out by [[email spoofing]], [[instant messaging]], [[Text messaging|text message]], or on a [[Telephone call|phone]] call. They often direct users to enter details at a fake website whose [[look and feel]] are almost identical to the legitimate one.<ref>{{Cite web |title=Protect yourself from phishing – Microsoft Support |url=https://support.microsoft.com/en-us/windows/protect-yourself-from-phishing-0c7ea947-ba98-3bd9-7184-430e1f860a44 |access-date=2023-12-06 |website=support.microsoft.com}}</ref> The fake website often asks for personal information, such as login details and passwords. This information can then be used to gain access to the individual's real account on the real website.

[[Privilege escalation]] describes a situation where an attacker with some level of restricted access is able to, without authorization, elevate their privileges or access level.<ref name="Privilege escalation">{{Cite web |title=What is Privilege Escalation? – CrowdStrike |url=https://www.crowdstrike.com/cybersecurity-101/privilege-escalation/ |access-date=2023-12-07 |website=crowdstrike.com |language=en}}</ref> For example, a standard computer user may be able to exploit a [[Vulnerability (computing)|vulnerability]] in the system to gain access to restricted data; or even become ''[[superuser|root]]'' and have full unrestricted access to a system. The severity of attacks can range from attacks simply sending an unsolicited email to a [[Ransomware|ransomware attack]] on large amounts of data. Privilege escalation usually starts with [[Social engineering (security)|social engineering]] techniques, often [[phishing]].<ref name="Privilege escalation" />

* Vertical escalation however targets people higher up in a company and often with more administrative power, such as an employee in IT with a higher privilege. Using this privileged account will then enable the attacker to invade other accounts.<ref name="Privilege escalation" />

Any computational system affects its environment in some form. This effect it has on its environment can range from electromagnetic radiation, to residual effect on RAM cells which as a consequence make a [[Cold boot attack]] possible, to hardware implementation faults that allow for access or guessing of other values that normally should be inaccessible. In Side-channel attack scenarios, the attacker would gather such information about a system or network to guess its internal state and as a result access the information which is assumed by the victim to be secure. The target information in a side channel can be challenging to detect due to its low amplitude when combined with other signals <ref>{{Cite journal |last1=Spence |first1=Aaron |last2=Bangay |first2=Shaun |date=June 2022 |title=Security beyond cybersecurity: side-channel attacks against non-cyber systems and their countermeasures |url=https://link.springer.com/10.1007/s10207-021-00563-6 |journal=International Journal of Information Security |language=en |volume=21 |issue=3 |pages=437–453 |doi=10.1007/s10207-021-00563-6 |issn=1615-5262|url-access=subscription }}</ref>

[[Social engineering (security)|Social engineering]], in the context of computer security, aims to convince a user to disclose secrets such as passwords, card numbers, etc. or grant physical access by, for example, impersonating a senior executive, bank, a contractor, or a customer.<ref>{{cite web |last=Arcos Sergio |title=Social Engineering |url=http://upcommons.upc.edu/pfc/bitstream/2099.1/12289/1/73827.pdf |url-status=live |archive-url=https://web.archive.org/web/20131203043630/http://upcommons.upc.edu/pfc/bitstream/2099.1/12289/1/73827.pdf |archive-date=3 December 2013 |access-date=2019-04-16 |website=upc.edu}}</ref> This generally involves exploiting people's trust, and relying on their [[cognitive bias]]es. A common scam involves emails sent to accounting and finance department personnel, impersonating their CEO and urgently requesting some action. One of the main techniques of social engineering are [[phishing]] attacks.

* [[Email spoofing]], is where an attacker forges the sending (''From'', or source) address of an email.

* [[Biometrics|Biometric]] spoofing, where an attacker produces a fake biometric sample to pose as another user.<ref>{{cite book|editor1-last=Marcel|editor1-first=Sébastien|editor2-last=Nixon|editor2-first=Mark|editor3-last=Li|editor3-first=Stan|year=2014|title=Handbook of Biometric Anti-Spoofing: Trusted Biometrics under Spoofing Attacks|language=en|location=London|publisher=Springer|doi=10.1007/978-1-4471-6524-8|isbn=978-1-4471-6524-8|issn=2191-6594|lccn=2014942635|series=Advances in Computer Vision and Pattern Recognition|s2cid=27594864}}</ref>

* [[Address Resolution Protocol]] (ARP) spoofing, where an attacker sends spoofed address resolution protocol onto a [[local area network]] to associate their [[MAC address|Media Access Control address]] with a different host's IP address. This causes data to be sent to the attacker rather than the intended host.

[[HTML]] smuggling allows an attacker to ''smuggle'' a malicious code inside a particular HTML or web page.<ref name="Intelligence-2021">{{Cite web |last=Intelligence |first=Microsoft Threat |date=2021-11-11 |title=HTML smuggling surges: Highly evasive loader technique increasingly used in banking malware, targeted attacks |url=https://www.microsoft.com/en-us/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/ |access-date=2023-12-07 |website=Microsoft Security Blog |language=en-US}}</ref> [[HTML]] files can carry payloads concealed as benign, inert data in order to defeat [[content filter]]s. These payloads can be reconstructed on the other side of the filter.<ref>{{Cite web |title=Obfuscated Files or Information: HTML Smuggling, Sub-technique T1027.006 – Enterprise {{!}} MITRE ATT&CK® |url=https://attack.mitre.org/techniques/T1027/006/ |access-date=2023-02-22 |website=attack.mitre.org}}</ref>

Employee behavior can have a big impact on [[information security]] in organizations. Cultural concepts can help different segments of the organization work effectively or work against effectiveness toward information security within an organization. Information security culture is the "...totality of patterns of behavior in an organization that contributes to the protection of information of all kinds."<ref>{{cite conference | last1=Lim | first1=Joo S. | last2=Chang | first2=Shanton | last3=Maynard | first3=Sean | last4=Ahmad | first4=Atif | title=Exploring the Relationship between Organizational Culture and Information Security Culture |book-title=Proceedings of the 7th Australian Information Security Management Conference | date=2009 | publisher=Security Research Institute (SRI), Edith Cowan University |doi=10.4225/75/57B4065130DEF |url=http://ro.ecu.edu.au/ism/12}}</ref>

* Strategic planning: To come up with a better awareness program, clear targets need to be set. Assembling a team of skilled professionals is helpful to achieve it.

* Operative planning: A good security culture can be established based on internal communication, management buy-in, security awareness and a training program.<ref name="Schlienger, Thomas 2003" />

* Cyber security awareness training to cope with cyber threats and attacks.<ref>{{Cite web |title=How to Increase Cybersecurity Awareness |url=https://www.isaca.org/resources/isaca-journal/issues/2019/volume-2/how-to-increase-cybersecurity-awareness |access-date=2023-02-25 |website=ISACA}}</ref>

In order to ensure adequate security, the confidentiality, integrity and availability of a network, better known as the CIA triad, must be protected and is considered the foundation to information security.<ref>{{cite web |last=Walkowski |first=Debbie |date=9 July 2019 |title=What Is The CIA Triad? |url=https://www.f5.com/labs/articles/education/what-is-the-cia-triad.html |access-date=25 February 2020 |website=F5 Labs |language=en}}</ref> To achieve those objectives, administrative, physical and technical security measures should be employed. The amount of security afforded to an asset can only be determined when its value is known.<ref>{{cite web |date=3 December 2018 |title=Knowing Value of Data Assets is Crucial to Cybersecurity Risk Management {{!}} SecurityWeek.Com |url=https://www.securityweek.com/knowing-value-data-assets-crucial-cybersecurity-risk-management |access-date=25 February 2020 |website=www.securityweek.com}}</ref>

Vulnerabilities can be discovered with a [[vulnerability scanner]], which analyzes a computer system in search of known vulnerabilities,<ref>{{Cite book |last=Johnson |first=A. |url=https://books.google.com/books?id=FxRbDwAAQBAJ&q=Vulnerabilities+can+be+discovered+with+a+vulnerability+scanner,+which+analyzes+a+computer+system+in+search+of+known+vulnerabilities&pg=SA5-PA83 |title=CCNA Cybersecurity Operations Companion Guide |date=2018 |publisher=Cisco Press |isbn=978-0-13-516624-6 |language=en}}</ref> such as [[open port]]s, insecure software configuration, and susceptibility to [[malware]].  In order for these tools to be effective, they must be kept up to date with every new update the vendor release.  Typically, these updates will scan for the new vulnerabilities that were introduced recently.

The act of assessing and reducing vulnerabilities to cyber attacks is commonly referred to as [[information technology security assessment]]s. They aim to assess systems for risk and to predict and test for their vulnerabilities. While [[formal verification]] of the correctness of computer systems is possible,<ref>{{cite conference |last1=Harrison |first1=J. |year=2003 |title=Formal verification at Intel |conference=18th Annual IEEE Symposium of Logic in Computer Science, 2003. Proceedings |pages=45–54 |doi=10.1109/LICS.2003.1210044 |isbn=978-0-7695-1884-8 |s2cid=44585546}}</ref><ref>{{cite conference |last1=Umrigar |first1=Zerksis D. |last2=Pitchumani |first2=Vijay |year=1983 |title=Formal verification of a real-time hardware design |url=http://portal.acm.org/citation.cfm?id=800667 |conference=Proceeding DAC '83 Proceedings of the 20th Design Automation Conference |publisher=IEEE Press |pages=221–227 |isbn=978-0-8186-0026-5}}</ref> it is not yet common. Operating systems formally verified include [[seL4]],<ref>{{cite web |title=Abstract Formal Specification of the seL4/ARMv6 API |url=https://sel4.systems/Docs/seL4-spec.pdf |archive-url=https://web.archive.org/web/20150521171234/https://sel4.systems/Docs/seL4-spec.pdf |archive-date=21 May 2015 |access-date=19 May 2015}}</ref> and [[SYSGO]]'s [[PikeOS]]<ref>{{cite conference |last1=Baumann |first1=Christoph |last2=Beckert |first2=Bernhard |last3=Blasum |first3=Holger |last4=Bormer |first4=Thorsten |title=Ingredients of Operating System Correctness? Lessons Learned in the Formal Verification of PikeOS |url=http://www-wjp.cs.uni-saarland.de/publikationen/Ba10EW.pdf |conference=Embedded World Conference, Nuremberg, Germany |archive-url=https://web.archive.org/web/20110719110932/http://www-wjp.cs.uni-saarland.de/publikationen/Ba10EW.pdf |archive-date=19 July 2011}}</ref><ref>{{cite web |last=Ganssle |first=Jack |title=Getting it Right |url=http://www.ganssle.com/rants/gettingitright.htm |archive-url=https://web.archive.org/web/20130504191958/http://www.ganssle.com/rants/gettingitright.htm |archive-date=4 May 2013}}</ref> – but these make up a very small percentage of the market.

Outside of formal assessments, there are various methods of reducing vulnerabilities. [[Two factor authentication]] is a method for mitigating unauthorized access to a system or sensitive information.<ref>{{Cite web |title=Turn on 2-step verification (2SV) |url=https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/activate-2-step-verification-on-your-email |access-date=2023-12-19 |website=www.ncsc.gov.uk |language=en}}</ref> It requires ''something you know:'' a password or PIN, and ''something you have'': a card, dongle, cellphone, or another piece of hardware. This increases security as an unauthorized person needs both of these to gain access.

Protecting against social engineering and direct computer access (physical) attacks can only happen by non-computer means, which can be difficult to enforce, relative to the sensitivity of the information. Training is often involved to help mitigate this risk by improving people's knowledge of how to protect themselves and by increasing people's awareness of threats.<ref>{{Cite web |title=NCSC's cyber security training for staff now available |url=https://www.ncsc.gov.uk/blog-post/ncsc-cyber-security-training-for-staff-now-available |access-date=2023-12-19 |website=www.ncsc.gov.uk |language=en}}</ref> However, even in highly disciplined environments (e.g. military organizations), social engineering attacks can still be difficult to foresee and prevent.

* Mobile-enabled access devices are growing in popularity due to the ubiquitous nature of cell phones.<ref>{{Cite web |date=2024-02-23 |title=Access Control Statistics: Trends & Insights |url=https://entrycare.com/access-control-statistics/ |access-date=2024-04-26 |language=en-US}}</ref> Built-in capabilities such as [[Bluetooth]], the newer [[Bluetooth low energy]] (LE), [[near-field communication]] (NFC) on non-iOS devices and [[biometrics|biometric]] validation such as thumbprint readers, as well as [[QR code]] reader software designed for mobile devices, offer new, secure ways for mobile phones to connect to access control systems. These control systems provide computer security and can also be used for controlling access to secure buildings.<ref>{{cite web |date=4 November 2013 |title=Forget IDs, use your phone as credentials |url=http://video.foxbusiness.com/v/2804966490001/forget-ids-use-your-phone-as-credentials/?playlist_id=937116503001#sp=show-clips |url-status=live |archive-url=https://web.archive.org/web/20140320215829/http://video.foxbusiness.com/v/2804966490001/forget-ids-use-your-phone-as-credentials/?playlist_id=937116503001#sp=show-clips |archive-date=20 March 2014 |access-date=20 March 2014 |publisher=[[Fox Business Network]]}}</ref>

* [[Physical unclonable function|Physical Unclonable Functions]] (PUFs) can be used as a digital fingerprint or a unique identifier to integrated circuits and hardware, providing users the ability to secure the hardware supply chains going into their systems.<ref>{{Cite journal |last1=Babaei |first1=Armin |last2=Schiele |first2=Gregor |last3=Zohner |first3=Michael |date=2022-07-26 |title=Reconfigurable Security Architecture (RESA) Based on PUF for FPGA-Based IoT Devices |journal=Sensors |language=en |volume=22 |issue=15 |page=5577 |bibcode=2022Senso..22.5577B |doi=10.3390/s22155577 |issn=1424-8220 |pmc=9331300 |pmid=35898079 |doi-access=free}}</ref><ref>{{Cite journal |last1=Hassija |first1=Vikas |last2=Chamola |first2=Vinay |last3=Gupta |first3=Vatsal |last4=Jain |first4=Sarthak |last5=Guizani |first5=Nadra |date=2021-04-15 |title=A Survey on Supply Chain Security: Application Areas, Security Threats, and Solution Architectures |url=https://ieeexplore.ieee.org/document/9203862 |journal=IEEE Internet of Things Journal |volume=8 |issue=8 |pages=6222–6246 |doi=10.1109/JIOT.2020.3025775 |issn=2327-4662 |s2cid=226767829|url-access=subscription }}</ref>

Role-based access control is an approach to restricting system access to authorized users,<ref>{{cite journal |author1=Ferraiolo, D.F. |author2=Kuhn, D.R. |name-list-style=amp |date=October 1992 |title=Role-Based Access Control |url=http://csrc.nist.gov/groups/SNS/rbac/documents/ferraiolo-kuhn-92.pdf |journal=15th National Computer Security Conference |pages=554–563}}</ref><ref>{{cite journal |last1=Sandhu |first1=R |last2=Coyne |first2=EJ |last3=Feinstein|first3=HL |last4=Youman |first4=CE |date=August 1996 |title=Role-Based Access Control Models |url=http://csrc.nist.gov/rbac/sandhu96.pdf |journal=IEEE Computer |volume=29 |issue=2 |pages=38–47 |citeseerx=10.1.1.50.7649 |doi=10.1109/2.485845 |s2cid=1958270}}</ref><ref>{{Cite conference |author1=Abreu, Vilmar |author2=Santin, Altair O. |author3=Viegas, Eduardo K. |author4=Stihler, Maicon |date=2017 |title=A multi-domain role activation model |url=https://secplab.ppgia.pucpr.br/files/papers/2017-1.pdf |conference=2017 IEEE International Conference on Communications (ICC) |publisher=IEEE Press |pages=1–6 |doi=10.1109/ICC.2017.7997247 |isbn=978-1-4673-8999-0 |s2cid=6185138}}</ref>  used by the majority of enterprises with more than 500 employees,<ref name="autogenerated2002">{{cite book |author1=A.C. O'Connor |url=http://csrc.nist.gov/groups/SNS/rbac/documents/20101219_RBAC2_Final_Report.pdf |title=Economic Analysis of Role-Based Access Control |author2=R.J. Loomis |date=2002 |publisher=Research Triangle Institute |page=145 |name-list-style=amp}}</ref> and can implement [[mandatory access control]] (MAC) or [[discretionary access control]] (DAC).

The end-user is widely recognized as the weakest link in the security chain<ref>{{cite web |date=22 January 2014 |title=Studies prove once again that users are the weakest link in the security chain |url=https://www.csoonline.com/article/2137210/security-awareness/studies-prove-once-again-that-users-are-the-weakest-link-in-the-security-chain.html |access-date=8 October 2018 |website=CSO Online}}</ref> and it is estimated that more than 90% of security incidents and breaches involve some kind of human error.<ref>{{cite web |date=2 September 2014 |title=The Role of Human Error in Successful Security Attacks |url=https://securityintelligence.com/the-role-of-human-error-in-successful-security-attacks/ |access-date=8 October 2018 |website=IBM Security Intelligence}}</ref><ref>{{cite web |date=15 April 2015 |title=90% of security incidents trace back to PEBKAC and ID10T errors |url=https://www.computerworld.com/article/2910316/90-of-security-incidents-trace-back-to-pebkac-and-id10t-errors.html |access-date=8 October 2018 |website=Computerworld}}</ref> Among the most commonly recorded forms of errors and misjudgment are poor password management, sending emails containing sensitive data and attachments to the wrong recipient, the inability to recognize misleading URLs and to identify fake websites and dangerous email attachments.  A common mistake that users make is saving their user id/password in their browsers to make it easier to log in to banking sites.  This is a gift to attackers who have obtained access to a machine by some means.  The risk may be mitigated by the use of two-factor authentication.<ref>{{cite web |date=7 October 2018 |title=Protect your online banking with 2FA |url=https://www.nzba.org.nz/2018/10/08/protect-your-online-banking-with-2fa/ |access-date=7 September 2019 |website=NZ Bankers Association}}</ref>

As the human component of cyber risk is particularly relevant in determining the global cyber risk<ref>{{cite web |year=2014 |title=IBM Security Services 2014 Cyber Security Intelligence Index |url=https://pcsite.co.uk/computer-security/IBM_Security_Services_2014_Cyber_Security_Intelligence_Index.pdf |access-date=9 October 2020 |website=PcSite}}</ref> an organization is facing, security awareness training, at all levels, not only provides formal compliance with regulatory and industry mandates but is considered essential<ref>{{cite news |last1=Caldwell |first1=Tracey |date=12 February 2013 |title=Risky business: why security awareness is crucial for employees |newspaper=The Guardian |url=https://www.theguardian.com/media-network/media-network-blog/2013/feb/12/business-cyber-security-risks-employees |access-date=8 October 2018}}</ref> in reducing cyber risk and protecting individuals and companies from the great majority of cyber threats.

The focus on the end-user represents a profound cultural change for many security practitioners, who have traditionally approached cybersecurity exclusively from a technical perspective, and moves along the lines suggested by major security centers<ref>{{cite web |title=Developing a Security Culture |url=https://www.cpni.gov.uk/developing-security-culture |archive-url=https://web.archive.org/web/20181009013120/https://www.cpni.gov.uk/developing-security-culture |archive-date=9 October 2018 |access-date=8 October 2018 |website=CPNI – Centre for the Protection of National Infrastructure}}</ref> to develop a culture of cyber awareness within the organization, recognizing that a security-aware user provides an important line of defense against cyber attacks.

Cyber hygiene relates to personal hygiene as computer viruses relate to biological viruses (or pathogens). However, while the term ''computer virus'' was coined almost simultaneously with the creation of the first working computer viruses,<ref>{{Cite news |date=1 November 2017 |title=Professor Len Adleman explains how he coined the term "computer virus" |language=en-US |work=WeLiveSecurity |url=https://www.welivesecurity.com/2017/11/01/professor-len-adleman-explains-computer-virus-term/ |access-date=28 September 2018}}</ref> the term ''cyber hygiene'' is a much later invention, perhaps as late as 2000<ref>{{cite web |title=Statement of Dr. Vinton G. Cerf |url=https://www.jec.senate.gov/archive/Documents/Hearings/cerf22300.htm |access-date=28 September 2018 |website=www.jec.senate.gov}}</ref> by Internet pioneer [[Vint Cerf]]. It has since been adopted by the [[United States Congress|Congress]]<ref>{{USBill|115|HR|3010|pipe=Promoting Good Cyber Hygiene Act of 2017|site=yes}}</ref> and [[United States Senate|Senate]] of the United States,<ref>{{cite news |title=Analysis {{!}} The Cybersecurity 202: Agencies struggling with basic cybersecurity despite Trump's pledge to prioritize it |language=en |newspaper=The Washington Post |url=https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2018/07/26/the-cybersecurity-202-agencies-struggling-with-basic-cybersecurity-despite-trump-s-pledge-to-prioritize-it/5b58a84e1b326b1e64695548/ |access-date=28 September 2018}}</ref> the FBI,<ref>{{cite web |title=Protected Voices |url=https://www.fbi.gov/investigate/counterintelligence/foreign-influence/protected-voices |access-date=28 September 2018 |website=Federal Bureau of Investigation |language=en-us}}</ref> [[European Union|EU]] institutions<ref name="Cyber Hygiene" /> and heads of state.<ref name="Kaljulaid-2017" />

* [[Vulnerability Management]]

The computer systems of financial regulators and financial institutions like the [[U.S. Securities and Exchange Commission]], SWIFT, investment banks, and commercial banks are prominent hacking targets for [[Cybercrime|cybercriminals]] interested in manipulating markets and making illicit gains.<ref>{{Cite journal|title=The New Market Manipulation|first=Tom C. W.|last=Lin|date=3 July 2017|ssrn=2996896|journal= Emory Law Journal |volume=66|page=1253 }}</ref> Websites and apps that accept or store [[credit card number]]s, brokerage accounts, and [[bank account]] information are also prominent hacking targets, because of the potential for immediate financial gain from transferring money, making purchases, or selling the information on the [[black market]].<ref>{{cite journal|title=Financial Weapons of War |journal=Minnesota Law Review|year= 2016|ssrn=2765010|last1=Lin|first1=Tom C. W.}}</ref> In-store payment systems and [[Automated teller machine|ATMs]] have also been tampered with in order to gather customer account data and [[Personal identification number|PINs]].

The most common web technologies for improving security between browsers and websites are named SSL (Secure Sockets Layer), and its successor TLS ([[Transport Layer Security]]), [[identity management]] and [[authentication]] services, and [[domain name]] services allow companies and consumers to engage in secure communications and commerce. Several versions of SSL and TLS are commonly used today in applications such as web browsing, e-mail, internet faxing, [[instant messaging]], and [[VoIP]] (voice-over-IP). There are various [[Interoperability|interoperable]] implementations of these technologies, including at least one implementation that is [[open source]]. Open source allows anyone to view the application's [[source code]], and look for and report vulnerabilities.

Computers control functions at many utilities, including coordination of [[telecommunications]], the [[power grid]], [[nuclear power plant]]s, and valve opening and closing in water and gas networks. The Internet is a potential attack vector for such machines if connected, but the [[Stuxnet]] worm demonstrated that even equipment controlled by computers not connected to the Internet can be vulnerable. In 2014, the [[Computer Emergency Readiness Team]], a division of the [[Department of Homeland Security]], investigated 79 hacking incidents at energy companies.<ref>{{cite web |last1=Pagliery |first1=Jose |title=Hackers attacked the U.S. energy grid 79 times this year |url=https://money.cnn.com/2014/11/18/technology/security/energy-grid-hack/ |website=CNN Money |publisher=Cable News Network |access-date=16 April 2015 |url-status=live |archive-url=https://web.archive.org/web/20150218070238/https://money.cnn.com/2014/11/18/technology/security/energy-grid-hack |archive-date=18 February 2015  |date=18 November 2014 }}</ref>

Many modern passports are now [[biometric passport]]s, containing an embedded [[Integrated circuit|microchip]] that stores a digitized photograph and personal information such as name, gender, and date of birth. In addition, more countries{{which|date=December 2012}} are introducing [[facial recognition technology]] to reduce [[identity fraud|identity-related fraud]]. The introduction of the ePassport has assisted border officials in verifying the identity of the passport holder, thus allowing for quick passenger processing.<ref>{{Cite web |title=e-Passports {{!}} Homeland Security |url=https://www.dhs.gov/e-passports |access-date=2023-02-03 |website=www.dhs.gov}}</ref> Plans are under way in the US, the [[UK]], and [[Australia]] to introduce SmartGate kiosks with both retina and [[fingerprint recognition]] technology.<ref>{{Cite web|url=http://www.dfat.gov.au/dept/passports/|title=The Australian ePassport. Australian Government Department of Foreign Affairs and Trade website|access-date=1 May 2023|archive-date=9 January 2015|archive-url=https://web.archive.org/web/20150109033115/http://www.dfat.gov.au/dept/passports/}}</ref> The airline industry is moving from the use of traditional paper tickets towards the use of [[electronic ticket]]s (e-tickets). These have been made possible by advances in online credit card transactions in partnership with the airlines. Long-distance bus companies{{which|date=December 2012}} are also switching over to e-ticketing transactions today.

Today many healthcare providers and [[health insurance]] companies use the internet to provide enhanced products and services. Examples are the use of [[Telehealth|tele-health]] to potentially offer better quality and access to healthcare, or fitness trackers to lower insurance premiums.{{citation needed|date=January 2025}} Patient records are increasingly being placed on secure in-house networks, alleviating the need for extra storage space.<ref>{{Cite journal |last1=Kruse |first1=CB |last2=Smith |first2=B |last3=Vanderlinden |first3=H |last4=Nealand |first4=A |date=July 21, 2017 |title=Security Techniques for the Electronic Health Records |journal=Journal of Medical Systems |volume=41 |issue=8 |page=127 |doi=10.1007/s10916-017-0778-4 |pmc=5522514 |pmid=28733949}}</ref>

Large corporations are common targets. In many cases attacks are aimed at financial gain through [[identity theft]] and involve [[data breach]]es. Examples include the loss of millions of clients' credit card and financial details by [[Home Depot]],<ref>{{cite news |first=Melvin |last=Backman |date=18 September 2014 |title=Home Depot: 56 million cards exposed in breach |publisher=[[CNNMoney]] |url=https://money.cnn.com/2014/09/18/technology/security/home-depot-hack/ |url-status=live |archive-url=https://web.archive.org/web/20141218221105/https://money.cnn.com/2014/09/18/technology/security/home-depot-hack/ |archive-date=18 December 2014  }}</ref> [[Staples Inc.|Staples]],<ref>{{cite magazine |url=http://fortune.com/2014/12/19/staples-cards-affected-breach/ |title=Staples: Breach may have affected 1.16 million customers' cards |magazine=Fortune.com |date=19 December 2014 |access-date=21 December 2014 |url-status=live |archive-url=https://web.archive.org/web/20141221160612/http://fortune.com/2014/12/19/staples-cards-affected-breach/ |archive-date=21 December 2014  }}</ref> [[Target Corporation]],<ref>{{cite news|author=<!--Not stated.-->|title=Target: 40 million credit cards compromised|url=https://money.cnn.com/2013/12/18/news/companies/target-credit-card/index.html|access-date=29 November 2017|work=CNN|date=19 December 2013|url-status=live|archive-url=https://web.archive.org/web/20171201035530/https://money.cnn.com/2013/12/18/news/companies/target-credit-card/index.html|archive-date=1 December 2017}}</ref> and [[Equifax]].<ref>{{cite news|last1=Cowley|first1=Stacy|title=2.5 Million More People Potentially Exposed in Equifax Breach|url=https://www.nytimes.com/2017/10/02/business/equifax-breach.html|access-date=29 November 2017|work=The New York Times|date=2 October 2017|url-status=live|archive-url=https://web.archive.org/web/20171201054900/https://www.nytimes.com/2017/10/02/business/equifax-breach.html|archive-date=1 December 2017}}</ref>

Not all attacks are financially motivated, however: security firm [[HBGary Federal]] had a serious series of attacks in 2011 from [[Hacktivism|hacktivist]] group [[Anonymous (group)|Anonymous]] in retaliation for the firm's CEO claiming to have infiltrated their group,<ref>{{cite web |last=Bright |first=Peter |url=https://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars/ |title=Anonymous speaks: the inside story of the HBGary hack |publisher=Arstechnica.com |date=15 February 2011 |access-date=29 March 2011 |url-status=live |archive-url=https://web.archive.org/web/20110327045801/http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars |archive-date=27 March 2011  }}</ref><ref>{{cite web |last=Anderson |first=Nate |url=https://arstechnica.com/tech-policy/news/2011/02/how-one-security-firm-tracked-anonymousand-paid-a-heavy-price.ars/ |title=How one man tracked down Anonymous{{snd}}and paid a heavy price |publisher=Arstechnica.com |date=9 February 2011 |access-date=29 March 2011 |url-status=live |archive-url=https://web.archive.org/web/20110329090824/http://arstechnica.com/tech-policy/news/2011/02/how-one-security-firm-tracked-anonymousand-paid-a-heavy-price.ars |archive-date=29 March 2011  }}</ref> and [[Sony Pictures]] was [[Sony Pictures hack|hacked in 2014]] with the apparent dual motive of embarrassing the company through data leaks and crippling the company by wiping workstations and servers.<ref>{{cite web |url=https://money.cnn.com/2014/12/24/technology/security/sony-hack-facts/ |title=What caused Sony hack: What we know now |first=Jose |last=Palilery |website=[[CNN Money]] |date=24 December 2014 |access-date=4 January 2015 |url-status=live |archive-url=https://web.archive.org/web/20150104195455/https://money.cnn.com/2014/12/24/technology/security/sony-hack-facts/ |archive-date=4 January 2015  }}</ref><ref>{{cite news |first=James |last=Cook |date=16 December 2014 |url=http://www.businessinsider.com/the-sony-hackers-still-have-a-massive-amount-of-data-that-hasnt-been-leaked-yet-2014-12 |title=Sony Hackers Have Over 100 Terabytes Of Documents. Only Released 200 Gigabytes So Far |work=[[Business Insider]] |access-date=18 December 2014 |url-status=live |archive-url=https://web.archive.org/web/20141217204735/http://www.businessinsider.com/the-sony-hackers-still-have-a-massive-amount-of-data-that-hasnt-been-leaked-yet-2014-12 |archive-date=17 December 2014  }}</ref>

Vehicles are increasingly computerized, with engine timing, [[cruise control]], [[anti-lock brakes]], seat belt tensioners, door locks, [[airbag]]s and [[advanced driver-assistance systems]] on many models. Additionally, [[connected car]]s may use WiFi and Bluetooth to communicate with onboard consumer devices and the cell phone network.<ref name="vox" /> [[Self-driving car]]s are expected to be even more complex. All of these systems carry some security risks, and such issues have gained wide attention.<ref>{{cite report | url=http://www.markey.senate.gov/imo/media/doc/2015-02-06_MarkeyReport-Tracking_Hacking_CarSecurity%202.pdf | title=Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk | date=6 February 2015 | access-date=4 November 2016 | url-status=live | archive-url=https://web.archive.org/web/20161109040112/http://www.markey.senate.gov/imo/media/doc/2015-02-06_MarkeyReport-Tracking_Hacking_CarSecurity%202.pdf | archive-date=9 November 2016 | df=dmy-all }}</ref><ref>{{cite web|author=<!--Not stated.-->|title=Cybersecurity expert: It will take a 'major event' for companies to take this issue seriously|url=https://www.aol.com/article/news/2016/12/26/expert-warns-major-event-will-need-to-happen-for-cybersecurity/21632630/|website=AOL.com|date=5 January 2017 |access-date=22 January 2017|language=en|url-status=live|archive-url=https://web.archive.org/web/20170120180918/https://www.aol.com/article/news/2016/12/26/expert-warns-major-event-will-need-to-happen-for-cybersecurity/21632630/|archive-date=20 January 2017}}</ref><ref>{{cite news|title=The problem with self-driving cars: who controls the code?|url=https://www.theguardian.com/technology/2015/dec/23/the-problem-with-self-driving-cars-who-controls-the-code|newspaper=The Guardian|access-date=22 January 2017|date=23 December 2015|url-status=live|archive-url=https://web.archive.org/web/20170316152605/https://www.theguardian.com/technology/2015/dec/23/the-problem-with-self-driving-cars-who-controls-the-code|archive-date=16 March 2017}}</ref>

Manufacturers are reacting in numerous ways, with [[Tesla Motors|Tesla]] in 2016 pushing out some security fixes ''over the air'' into its cars' computer systems.<ref>{{cite news|title=Tesla fixes software bug that allowed Chinese hackers to control car remotely|url=https://www.telegraph.co.uk/technology/2016/09/21/tesla-fixes-software-bug-that-allowed-chinese-hackers-to-control/|newspaper=The Telegraph|access-date=22 January 2017|url-status=live|archive-url=https://web.archive.org/web/20170202014932/http://www.telegraph.co.uk/technology/2016/09/21/tesla-fixes-software-bug-that-allowed-chinese-hackers-to-control/|archive-date=2 February 2017|date=21 September 2016|author=<!--Not stated.-->}}</ref> In the area of autonomous vehicles, in September 2016 the [[United States Department of Transportation]] announced some initial safety standards, and called for states to come up with uniform policies.<ref>{{cite news|last1=Kang|first1=Cecilia|title=Self-Driving Cars Gain Powerful Ally: The Government|url=https://www.nytimes.com/2016/09/20/technology/self-driving-cars-guidelines.html|newspaper=The New York Times|access-date=22 January 2017|date=19 September 2016|url-status=live|archive-url=https://web.archive.org/web/20170214045032/https://www.nytimes.com/2016/09/20/technology/self-driving-cars-guidelines.html?_r=0|archive-date=14 February 2017}}</ref><ref>{{cite web|title=Federal Automated Vehicles Policy|url=https://www.transportation.gov/sites/dot.gov/files/docs/AV%20policy%20guidance%20PDF.pdf|access-date=22 January 2017|url-status=live|archive-url=https://web.archive.org/web/20170121161404/https://www.transportation.gov/sites/dot.gov/files/docs/AV%20policy%20guidance%20PDF.pdf|archive-date=21 January 2017}}</ref><ref>{{Cite web |title=Vehicle Cybersecurity |url=https://www.nhtsa.gov/technology-innovation/vehicle-cybersecurity |access-date=2022-11-25 |website=nhtsa.gov |language=en}}</ref>

Government and [[military]] computer systems are commonly attacked by activists<ref>{{cite news |url=https://www.telegraph.co.uk/news/worldnews/northamerica/usa/4320901/Gary-McKinnon-profile-Autistic-hacker-who-started-writing-computer-programs-at-14.html |location=London |work=The Daily Telegraph |title=Gary McKinnon profile: Autistic 'hacker' who started writing computer programs at 14 |date=23 January 2009 |url-status=live |archive-url=https://web.archive.org/web/20100602065423/http://www.telegraph.co.uk/news/worldnews/northamerica/usa/4320901/Gary-McKinnon-profile-Autistic-hacker-who-started-writing-computer-programs-at-14.html |archive-date=2 June 2010  }}</ref><ref>{{cite news |url=https://www.bbc.co.uk/news/uk-19506090 |title=Gary McKinnon extradition ruling due by 16 October |work=BBC News |date=6 September 2012 |access-date=25 September 2012 |url-status=live |archive-url=https://web.archive.org/web/20120906185731/http://www.bbc.co.uk/news/uk-19506090 |archive-date=6 September 2012  }}</ref><ref>{{cite court |url=https://publications.parliament.uk/pa/ld200708/ldjudgmt/jd080730/mckinn-1.htm |litigants=Mckinnon V Government of The United States of America and Another |court=House of Lords |date=16 June 2008 |quote=15. ... alleged to total over $700,000 |access-date=30 January 2010  }}</ref> and foreign powers.<ref>{{cite news | title=Fresh Leak on US Spying: NSA Accessed Mexican President's Email | website=SPIEGEL ONLINE | date=2013-10-20 | url=http://www.spiegel.de/international/world/nsa-hacked-email-account-of-mexican-president-a-928817.html | archive-url=https://web.archive.org/web/20151106193613/http://www.spiegel.de/international/world/nsa-hacked-email-account-of-mexican-president-a-928817.html | archive-date=2015-11-06 }}</ref><ref>{{cite web |url=https://www.npr.org/sections/thetwo-way/2015/06/04/412086068/massive-data-breach-puts-4-million-federal-employees-records-at-risk |title=Massive Data Breach Puts 4 Million Federal Employees' Records at Risk |work=NPR |date=4 June 2015 |access-date=5 June 2015 |author=Sanders, Sam |url-status=live |archive-url=https://web.archive.org/web/20150605041629/http://www.npr.org/sections/thetwo-way/2015/06/04/412086068/massive-data-breach-puts-4-million-federal-employees-records-at-risk |archive-date=5 June 2015  }}</ref><ref>{{cite news |url=http://www.cnn.com/2015/06/04/politics/federal-agency-hacked-personnel-management/ |title=U.S. government hacked; feds think China is the culprit |work=CNN |date=4 June 2015 |access-date=5 June 2015 |author=Liptak, Kevin |url-status=live |archive-url=https://web.archive.org/web/20150606063139/http://www.cnn.com/2015/06/04/politics/federal-agency-hacked-personnel-management/ |archive-date=6 June 2015  }}</ref><ref>{{cite news |title=Encryption "would not have helped" at OPM, says DHS official |first=Sean |last=Gallagher |url=https://arstechnica.com/security/2015/06/encryption-would-not-have-helped-at-opm-says-dhs-official/ |url-status=live |archive-url=https://web.archive.org/web/20170624014751/https://arstechnica.com/security/2015/06/encryption-would-not-have-helped-at-opm-says-dhs-official/ |archive-date=24 June 2017  }}</ref> Local and regional government infrastructure such as [[traffic light]] controls, police and intelligence agency communications, [[Office of Personnel Management data breach|personnel records]], as well as student records.<ref>{{cite journal|url=http://www.edweek.org/ew/articles/2015/10/21/lessons-learned-from-security-breaches.html|title=Schools Learn Lessons From Security Breaches|date=19 October 2015|journal=Education Week|access-date=23 May 2016|url-status=live|archive-url=https://web.archive.org/web/20160610130749/http://www.edweek.org/ew/articles/2015/10/21/lessons-learned-from-security-breaches.html|archive-date=10 June 2016|last1=Davis|first1=Michelle R.}}</ref>

 

The [[FBI]], [[CIA]], and [[The Pentagon|Pentagon]], all utilize secure controlled access technology for any of their buildings. However, the use of this form of technology is spreading into the entrepreneurial world. More and more companies are taking advantage of the development of digitally secure controlled access technology. GE's ACUVision, for example, offers a single panel platform for access control, alarm monitoring and digital recording.<ref>{{cite web |title=GE's Introduces ACUVision as a Single Panel Solution |url=https://www.securityinfowatch.com/access-identity/access-control/press-release/10577631/ge-infrastructure-security-ges-introduces-acuvision-as-a-single-panel-solution |website=www.securityinfowatch.com |date=11 August 2005 |publisher=Security Info Watch |access-date=24 September 2019}}</ref>

While the IoT creates opportunities for more direct integration of the physical world into computer-based systems,<ref>{{cite web | url=https://hbr.org/resources/pdfs/comm/verizon/18980_HBR_Verizon_IoT_Nov_14.pdf |archive-url=https://web.archive.org/web/20150317052909/https://hbr.org/resources/pdfs/comm/verizon/18980_HBR_Verizon_IoT_Nov_14.pdf |archive-date=2015-03-17 |url-status=live | title=Internet of Things: Science Fiction or Business Fact? | work=Harvard Business Review | access-date=4 November 2016}}</ref><ref>{{cite web | url=http://www.internet-of-things-research.eu/pdf/Converging_Technologies_for_Smart_Environments_and_Integrated_Ecosystems_IERC_Book_Open_Access_2013.pdf | title=Internet of Things: Converging Technologies for Smart Environments and Integrated Ecosystems | publisher=River Publishers | access-date=4 November 2016 | first1=Ovidiu | last1=Vermesan | first2=Peter | last2=Friess | url-status=live | archive-url=https://web.archive.org/web/20161012010519/http://www.internet-of-things-research.eu/pdf/Converging_Technologies_for_Smart_Environments_and_Integrated_Ecosystems_IERC_Book_Open_Access_2013.pdf | archive-date=12 October 2016 | df=dmy-all }}</ref>

[[Medical devices]] have either been successfully attacked or had potentially deadly vulnerabilities demonstrated, including both in-hospital diagnostic equipment<ref>{{cite web|url=http://www.darkreading.com/vulnerabilities---threats/hospital-medical-devices-used-as-weapons-in-cyberattacks/d/d-id/1320751|title=Hospital Medical Devices Used As Weapons in Cyberattacks|work=Dark Reading|date=6 August 2015|access-date=23 May 2016|url-status=live|archive-url=https://web.archive.org/web/20160529002947/http://www.darkreading.com/vulnerabilities---threats/hospital-medical-devices-used-as-weapons-in-cyberattacks/d/d-id/1320751|archive-date=29 May 2016}}</ref> and implanted devices including [[pacemaker]]s<ref>{{cite web|url=http://www.computerworld.com/article/2492453/malware-vulnerabilities/pacemaker-hack-can-deliver-deadly-830-volt-jolt.html|title=Pacemaker hack can deliver deadly 830-volt jolt|first=Jeremy|last=Kirk|date=17 October 2012|work=Computerworld|access-date=23 May 2016|url-status=live|archive-url=https://web.archive.org/web/20160604201841/http://www.computerworld.com/article/2492453/malware-vulnerabilities/pacemaker-hack-can-deliver-deadly-830-volt-jolt.html|archive-date=4 June 2016}}</ref> and [[insulin pump]]s.<ref>{{cite news|url=http://www.thedailybeast.com/articles/2014/11/17/how-your-pacemaker-will-get-hacked.html|title=How Your Pacemaker Will Get Hacked|newspaper=The Daily Beast|access-date=23 May 2016|url-status=live|archive-url=https://web.archive.org/web/20160520155616/http://www.thedailybeast.com/articles/2014/11/17/how-your-pacemaker-will-get-hacked.html|archive-date=20 May 2016|date=17 November 2014|agency=Kaiser Health News}}</ref> There are many reports of hospitals and hospital organizations getting hacked, including [[ransomware]] attacks,<ref>{{cite magazine|last1=Leetaru|first1=Kalev|title=Hacking Hospitals And Holding Hostages: Cybersecurity In 2016|url=https://www.forbes.com/sites/kalevleetaru/2016/03/29/hacking-hospitals-and-holding-hostages-cybersecurity-in-2016/|magazine=Forbes|access-date=29 December 2016|url-status=live|archive-url=https://web.archive.org/web/20161229104021/http://www.forbes.com/sites/kalevleetaru/2016/03/29/hacking-hospitals-and-holding-hostages-cybersecurity-in-2016/|archive-date=29 December 2016}}</ref><ref name="wiwo1">{{cite web|title=Cyber-Angriffe: Krankenhäuser rücken ins Visier der Hacker|date=7 December 2016 |url=http://www.wiwo.de/technologie/digitale-welt/cyber-angriffe-krankenhaeuser-ruecken-ins-visier-der-hacker/14946040.html|publisher=Wirtschafts Woche|access-date=29 December 2016|url-status=live|archive-url=https://web.archive.org/web/20161229101724/http://www.wiwo.de/technologie/digitale-welt/cyber-angriffe-krankenhaeuser-ruecken-ins-visier-der-hacker/14946040.html|archive-date=29 December 2016}}</ref><ref>{{cite web|title=Hospitals keep getting attacked by ransomware{{snd}}Here's why|url=http://www.businessinsider.com/hospital-ransomware-hack-2016-5|website=Business Insider|access-date=29 December 2016|url-status=live|archive-url=https://web.archive.org/web/20161229101247/http://www.businessinsider.com/hospital-ransomware-hack-2016-5|archive-date=29 December 2016}}</ref><ref>{{cite web|title=MedStar Hospitals Recovering After 'Ransomware' Hack|url=https://www.nbcnews.com/news/us-news/medstar-hospitals-recovering-after-ransomware-hack-n548121|work=NBC News|date=31 March 2016 |access-date=29 December 2016|url-status=live|archive-url=https://web.archive.org/web/20161229103355/https://www.nbcnews.com/news/us-news/medstar-hospitals-recovering-after-ransomware-hack-n548121|archive-date=29 December 2016}}</ref> [[Windows XP]] exploits,<ref>{{cite web|last1=Pauli|first1=Darren|title=US hospitals hacked with ancient exploits|url=https://www.theregister.co.uk/2016/06/28/medjack/|website=The Register|access-date=29 December 2016|url-status=live|archive-url=https://web.archive.org/web/20161116141207/http://www.theregister.co.uk/2016/06/28/medjack|archive-date=16 November 2016}}</ref><ref>{{cite web|last1=Pauli|first1=Darren|title=Zombie OS lurches through Royal Melbourne Hospital spreading virus|url=https://www.theregister.co.uk/2016/01/19/melbourne_hospital_pathology_wing_splattered_by_virus/|website=The Register|access-date=29 December 2016|url-status=live|archive-url=https://web.archive.org/web/20161229101019/http://www.theregister.co.uk/2016/01/19/melbourne_hospital_pathology_wing_splattered_by_virus/|archive-date=29 December 2016}}</ref> viruses,<ref>{{cite news|title=Hacked Lincolnshire hospital computer systems 'back up'|url=https://www.bbc.com/news/uk-england-humber-37849746|work=BBC News|access-date=29 December 2016|date=2 November 2016|url-status=live|archive-url=https://web.archive.org/web/20161229101819/http://www.bbc.com/news/uk-england-humber-37849746|archive-date=29 December 2016}}</ref><ref>{{cite news|title=Lincolnshire operations cancelled after network attack|url=https://www.bbc.com/news/uk-england-humber-37822084|work=BBC News|access-date=29 December 2016|date=31 October 2016|url-status=live|archive-url=https://web.archive.org/web/20161229101209/http://www.bbc.com/news/uk-england-humber-37822084|archive-date=29 December 2016}}</ref> and data breaches of sensitive data stored on hospital servers.<ref>{{cite news|title=Legion cyber-attack: Next dump is sansad.nic.in, say hackers|url=http://indianexpress.com/article/technology/tech-news-technology/legion-hacking-no-political-agenda-just-computer-geeks-says-hacker-4423167/|newspaper=The Indian Express|access-date=29 December 2016|date=12 December 2016|url-status=live|archive-url=https://web.archive.org/web/20161229100631/http://indianexpress.com/article/technology/tech-news-technology/legion-hacking-no-political-agenda-just-computer-geeks-says-hacker-4423167/|archive-date=29 December 2016}}</ref><ref name="wiwo1" /><ref>{{cite web|title=Former New Hampshire Psychiatric Hospital Patient Accused Of Data Breach|url=http://boston.cbslocal.com/2016/12/27/former-patient-accused-data-breech-new-hampshire-psychiatric-hospital/|publisher=CBS Boston|access-date=29 December 2016|url-status=live|archive-url=https://web.archive.org/web/20170929233237/http://boston.cbslocal.com/2016/12/27/former-patient-accused-data-breech-new-hampshire-psychiatric-hospital/|archive-date=29 September 2017|date=27 December 2016}}</ref><ref>{{cite web|title=Texas Hospital hacked, affects nearly 30,000 patient records|url=http://www.healthcareitnews.com/news/texas-hospital-hacked-affects-nearly-30000-patient-records|publisher=Healthcare IT News|access-date=29 December 2016|date=4 November 2016|url-status=live|archive-url=https://web.archive.org/web/20161229171117/http://www.healthcareitnews.com/news/texas-hospital-hacked-affects-nearly-30000-patient-records|archive-date=29 December 2016}}</ref> On 28 December 2016 the US [[Food and Drug Administration]] released its recommendations for how medical [[Medical device manufacturing|device manufacturers]] should maintain the security of Internet-connected devices – but no structure for enforcement.<ref>{{cite web|last1=Becker|first1=Rachel|title=New cybersecurity guidelines for medical devices tackle evolving threats|url=https://www.theverge.com/2016/12/27/14095166/fda-guidance-medical-device-cybersecurity-cyberattack-hacking-guidelines|website=The Verge|access-date=29 December 2016|date=27 December 2016|url-status=live|archive-url=https://web.archive.org/web/20161228210257/http://www.theverge.com/2016/12/27/14095166/fda-guidance-medical-device-cybersecurity-cyberattack-hacking-guidelines|archive-date=28 December 2016}}</ref><ref>{{cite web|title=Postmarket Management of Cybersecurity in Medical Devices|website=[[Food and Drug Administration]]|url=https://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf|access-date=29 December 2016|date=28 December 2016|url-status=dead|archive-url=https://web.archive.org/web/20161229102808/https://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf|archive-date=29 December 2016}}</ref>

In distributed generation systems, the risk of a cyber attack is real, according to ''Daily Energy Insider''. An attack could cause a loss of power in a large area for a long period of time, and such an attack could have just as severe consequences as a natural disaster. The District of Columbia is considering creating a Distributed Energy Resources (DER) Authority within the city, with the goal being for customers to have more insight into their own energy use and giving the local electric utility, [[Pepco]], the chance to better estimate energy demand. The D.C. proposal, however, would "allow third-party vendors to create numerous points of energy distribution, which could potentially create more opportunities for cyber attackers to threaten the electric grid."<ref>{{Cite news|url=https://dailyenergyinsider.com/featured/13110-d-c-distributed-4:.energy-proposal-draws-concerns-of-increased-cybersecurity-risks/|title=D.C. distributed energy proposal draws concerns of increased cybersecurity risks|last=Brandt|first=Jaclyn|date=18 June 2018|work=Daily Energy Insider|access-date=4 July 2018|language=en-US}}</ref>

{{Further|List of cyber-attacks|List of data breaches}}

In early 2007, American apparel and home goods company [[TJX Companies|TJX]] announced that it was the victim of an [[Hacker (computer security)|unauthorized computer systems intrusion]]<ref>{{cite press release |title=The TJX Companies, Inc. Victimized by Computer System Intrusion; Provides Information to Help Protect Customers  |publisher=The TJX Companies, Inc. |date=17 January 2007 |url=http://www.businesswire.com/news/tjx/20070117005971/en |access-date=12 December 2009 |url-status=live |archive-url=https://web.archive.org/web/20120927014805/http://www.businesswire.com/news/tjx/20070117005971/en |archive-date=27 September 2012  }}</ref> and that the hackers had accessed a system that stored data on [[credit card]], [[debit card]], [[cheque|check]], and merchandise return transactions.<ref>[http://www.myfoxtwincities.com/myfox/pages/Home/Detail?contentId=2804836&version=3&locale=EN-US&layoutCode=TSTY&pageId=1.1.1 Largest Customer Info Breach Grows] {{webarchive|url=https://web.archive.org/web/20070928041047/http://www.myfoxtwincities.com/myfox/pages/Home/Detail?contentId=2804836&version=3&locale=EN-US&layoutCode=TSTY&pageId=1.1.1 |date=28 September 2007 }}. MyFox Twin Cities, 29 March 2007.</ref>

In early 2013, documents provided by [[Edward Snowden]] were published by ''[[The Washington Post]]'' and ''[[The Guardian]]''<ref>{{cite news|last=Greenwald|first=Glenn|title=NSA collecting phone records of millions of Verizon customers daily|url=https://www.theguardian.com/world/2013/jun/06/nsa-phone-records-verizon-court-order|newspaper=The Guardian|access-date=16 August 2013|quote=Exclusive: Top secret court order requiring [[Verizon]] to hand over all call data shows scale of domestic surveillance under [[Barack Obama|Obama]]|url-status=live|archive-url=https://web.archive.org/web/20130816045641/http://www.theguardian.com/world/2013/jun/06/nsa-phone-records-verizon-court-order|archive-date=16 August 2013|date=6 June 2013}}</ref><ref>{{cite web |last=Seipel |first=Hubert |title=Transcript: ARD interview with Edward Snowden |url=https://www.freesnowden.is/fr/2014/01/27/video-ard-interview-with-edward-snowden/ |work=La Foundation Courage |access-date=11 June 2014 |url-status=live |archive-url=https://web.archive.org/web/20140714174333/https://www.freesnowden.is/fr/2014/01/27/video-ard-interview-with-edward-snowden/ |archive-date=14 July 2014  }}</ref> exposing the massive scale of [[NSA]] global surveillance. There were also indications that the NSA may have inserted a backdoor in a [[NIST]] standard for encryption.<ref>{{cite journal |first=Lily Hay |last=Newman |date=9 October 2013 |url=https://spectrum.ieee.org/can-you-trust-nist |title=Can You Trust NIST? |journal=IEEE Spectrum |url-status=live |archive-url=https://web.archive.org/web/20160201095426/https://spectrum.ieee.org/telecom/security/can-you-trust-nist |archive-date=1 February 2016  }}</ref> This standard was later withdrawn due to widespread criticism.<ref>{{cite news| url=https://www.nist.gov/itl/csd/sp800-90-042114.cfm | work=National Institute of Standards and Technology | title=NIST Removes Cryptography Algorithm from Random Number Generator Recommendations | date=21 April 2014}}</ref> The NSA additionally were revealed to have tapped the links between [[Google]]'s data centers.<ref>[http://mashable.com/2013/10/30/nsa-google-yahoo-data-centers/ "New Snowden Leak: NSA Tapped Google, Yahoo Data Centers"] {{webarchive|url=https://web.archive.org/web/20140709131535/http://mashable.com/2013/10/30/nsa-google-yahoo-data-centers/ |date=9 July 2014 }}, 31 October 2013, Lorenzo Franceschi-Bicchierai, mashable.com</ref>

A Ukrainian hacker known as [[Rescator]] broke into [[Target Corporation]] computers in 2013, stealing roughly 40 million credit cards,<ref>{{cite news |url=http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data |title=Target Missed Warnings in Epic Hack of Credit Card Data |first1=Michael |last1=Riley |first2=Ben |last2=Elgin |first3=Dune |last3=Lawrence |first4=Carol |last4=Matlack |work=Businessweek |date=17 March 2014 |archive-url=https://web.archive.org/web/20150127015928/http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data |archive-date=27 January 2015  }}</ref> and then [[Home Depot]] computers in 2014, stealing between 53 and 56 million credit card numbers.<ref>{{cite web|url=https://www.cnet.com/news/53-million-emails-stolen-in-home-depot-breach/ |first1=Seth |last1=Rosenblatt |title=Home Depot says 53 million emails stolen|date=6 November 2014|publisher=CBS Interactive|work=CNET|url-status=live|archive-url=https://web.archive.org/web/20141209035159/http://www.cnet.com/news/53-million-emails-stolen-in-home-depot-breach/|archive-date=9 December 2014}}</ref> Warnings were delivered at both corporations, but ignored; physical security breaches using [[Self-checkout|self checkout machine]]s are believed to have played a large role. "The malware utilized is absolutely unsophisticated and uninteresting," says Jim Walter, director of threat intelligence operations at security technology company McAfee – meaning that the heists could have easily been stopped by existing [[antivirus software]] had administrators responded to the warnings. The size of the thefts has resulted in major attention from state and Federal United States authorities and the investigation is ongoing.

In April 2015, the [[United States Office of Personnel Management|Office of Personnel Management]] [[Office of Personnel Management data breach|discovered it had been hacked]] more than a year earlier in a data breach, resulting in the theft of approximately 21.5&nbsp;million personnel records handled by the office.<ref>{{Cite news|url=https://www.reuters.com/article/us-cybersecurity-usa-idUSKCN0PJ2M420150709|title=Millions more Americans hit by government personnel data hack|date=9 July 2017|newspaper=Reuters|access-date=25 February 2017|url-status=live|archive-url=https://web.archive.org/web/20170228005352/http://www.reuters.com/article/us-cybersecurity-usa-idUSKCN0PJ2M420150709|archive-date=28 February 2017}}</ref> The Office of Personnel Management hack has been described by federal officials as among the largest breaches of government data in the history of the United States.<ref>{{cite news|url=https://www.wsj.com/articles/u-s-suspects-hackers-in-china-behind-government-data-breach-sources-say-1433451888|title=U.S. Suspects Hackers in China Breached About four (4) Million People's Records, Officials Say|last=Barrett|first=Devlin|website=The Wall Street Journal|date=4 June 2015|url-status=live|archive-url=https://web.archive.org/web/20150604215718/http://www.wsj.com/articles/u-s-suspects-hackers-in-china-behind-government-data-breach-sources-say-1433451888|archive-date=4 June 2015}}</ref> Data targeted in the breach included [[personally identifiable information]] such as [[Social Security number]]s, names, dates and places of birth, addresses, and fingerprints of current and former government employees as well as anyone who had undergone a government background check.<ref>{{cite web|url=https://www.usnews.com/news/articles/2015/06/05/china-suspected-in-theft-of-federal-employee-records|title=China Suspected in Theft of Federal Employee Records|last=Risen|first=Tom|date=5 June 2015|website=U.S. News & World Report|archive-url=https://web.archive.org/web/20150606064331/http://www.usnews.com/news/articles/2015/06/05/china-suspected-in-theft-of-federal-employee-records|archive-date=6 June 2015}}</ref><ref>{{cite news|url=https://www.reuters.com/article/us-cybersecurity-usa-idUSKCN0PJ2M420150709|title=Estimate of Americans hit by government personnel data hack skyrockets|last=Zengerle|first=Patricia|date=19 July 2015|newspaper=Reuters|url-status=live|archive-url=https://web.archive.org/web/20150710075449/http://www.reuters.com/article/2015/07/09/us-cybersecurity-usa-idUSKCN0PJ2M420150709|archive-date=10 July 2015}}</ref> It is believed the hack was perpetrated by Chinese hackers.<ref>{{cite news|url=https://www.nytimes.com/2015/06/05/us/breach-in-a-federal-computer-system-exposes-personnel-data.html|title=Hacking Linked to China Exposes Millions of U.S. Workers|last=Sanger|first=David|date=5 June 2015|work=The New York Times|url-status=live|archive-url=https://web.archive.org/web/20150605135158/http://www.nytimes.com/2015/06/05/us/breach-in-a-federal-computer-system-exposes-personnel-data.html|archive-date=5 June 2015}}</ref>

In June 2021, the cyber attack took down the largest fuel pipeline in the U.S. and led to shortages across the East Coast.<ref>{{cite news| title=Hackers Breached Colonial Pipeline Using Compromised Password| author1=Turton, W.| author2=Mehrotra, K.| url=https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password| publisher=Bloomberg L.P.| date=4 June 2021| access-date=3 December 2023}}</ref>

International legal issues of cyber attacks are complicated in nature. There is no global base of common rules to judge, and eventually punish, cybercrimes and cybercriminals - and where security firms or agencies do locate the cybercriminal behind the creation of a particular piece of [[malware]] or form of [[Cyber-Attacks|cyber attack]], often the local authorities cannot take action due to lack of laws under which to prosecute.<ref name="ted.com">{{cite web |title=Mikko Hypponen: Fighting viruses, defending the net |url=http://www.ted.com/talks/mikko_hypponen_fighting_viruses_defending_the_net.html |publisher=TED |url-status=live |archive-url=https://web.archive.org/web/20130116010603/http://www.ted.com/talks/mikko_hypponen_fighting_viruses_defending_the_net.html |archive-date=16 January 2013  }}</ref><ref>{{cite web |title=Mikko Hypponen – Behind Enemy Lines | date=9 December 2012 |url=https://www.youtube.com/watch?v=0TMFRO66Wv4 |publisher=Hack in the Box Security Conference |url-status=live |archive-url=https://web.archive.org/web/20161125075257/https://www.youtube.com/watch?v=0TMFRO66Wv4 |archive-date=25 November 2016  }}</ref> Proving [[cyber attribution|attribution for cybercrimes and cyberattacks]] is also a major problem for all law enforcement agencies. "[[Computer viruses]] switch from one country to another, from one jurisdiction to another – moving around the world, using the fact that we don't have the capability to globally police operations like this. So the Internet is as if someone [had] given free plane tickets to all the online criminals of the world."<ref name="ted.com" /> The use of techniques such as [[dynamic DNS]], [[fast flux]] and [[Bulletproof hosting|bullet proof servers]] add to the difficulty of investigation and enforcement.

On 22 May 2020, the UN Security Council held its second ever informal meeting on cybersecurity to focus on cyber challenges to [[World peace|international peace]]. According to UN Secretary-General [[António Guterres]], new technologies are too often used to violate rights.<ref>{{cite web|url=https://www.hrw.org/news/2020/05/26/its-time-treat-cybersecurity-human-rights-issue|title=It's Time to Treat Cybersecurity as a Human Rights Issue|access-date=26 May 2020|website=Human Rights Watch|date=26 May 2020}}</ref>

* The purpose of the Messaging Anti-Abuse Working Group (MAAWG) is to bring the messaging industry together to work collaboratively and to successfully address the various forms of messaging abuse, such as spam, viruses, denial-of-service attacks and other messaging exploitations.<ref>{{cite web |title=MAAWG |url=http://www.maawg.org/about_maawg |url-status=live |archive-url=https://web.archive.org/web/20140923153548/http://www.maawg.org/about_maawg |archive-date=23 September 2014  }}</ref> [[France Télécom|France Telecom]], [[Facebook]], [[AT&T]], [[Apple Inc.|Apple]], [[Cisco]], [[Sprint Nextel|Sprint]] are some of the members of the MAAWG.<ref>{{cite web |title=MAAWG |url=http://www.maawg.org/about/roster |url-status=live |archive-url=https://web.archive.org/web/20141017165203/http://www.maawg.org/about/roster |archive-date=17 October 2014  }}</ref>

===Computer emergency response teams===

{{Main|Computer emergency response team}}

Most countries have their own computer emergency response team to protect network security.

 

The [[Canadian Cyber Incident Response Centre]] (CCIRC) is responsible for mitigating and responding to threats to Canada's critical infrastructure and cyber systems. It provides support to mitigate cyber threats, technical support to respond & recover from targeted cyber attacks, and provides online tools for members of Canada's critical infrastructure sectors.<ref>{{cite web |title=Canadian Cyber Incident Response Centre |url=http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/ccirc-ccric-eng.aspx |website=Public Safety Canada |access-date=1 November 2014 |url-status=live |archive-url=https://web.archive.org/web/20141008035436/http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/ccirc-ccric-eng.aspx |archive-date=8 October 2014  }}</ref> It posts regular cybersecurity bulletins<ref>{{cite web |title=Cyber Security Bulletins |url=http://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/index-eng.aspx |website=Public Safety Canada |access-date=1 November 2014 |url-status=live |archive-url=https://web.archive.org/web/20141008194739/http://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/index-eng.aspx |archive-date=8 October 2014  }}</ref> & operates an online reporting tool where individuals and organizations can report a cyber incident.<ref>{{cite web |title=Report a Cyber Security Incident |url=http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/rprt-eng.aspx |website=Public Safety Canada |publisher=Government of Canada |access-date=3 November 2014 |url-status=live |archive-url=https://web.archive.org/web/20141111212708/http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/rprt-eng.aspx |archive-date=11 November 2014  }}</ref>

==== Australia ====

[[Australian federal government]] announced an $18.2 million investment to fortify the [[cybersecurity]] resilience of small and medium enterprises (SMEs) and enhance their capabilities in responding to cyber threats. This financial backing is an integral component of the [https://www.homeaffairs.gov.au/about-us/our-portfolios/cyber-security/strategy/2023-2030-australian-cyber-security-strategy 2023-2030 Australian Cyber Security Strategy]. A substantial allocation of $7.2 million is earmarked for the establishment of a voluntary cyber health check program, facilitating businesses in conducting a comprehensive and tailored self-assessment of their cybersecurity upskill.

This avant-garde health assessment serves as a diagnostic tool, enabling enterprises to ascertain the robustness of [https://www.homeaffairs.gov.au/reports-and-pubs/files/strengthening-australias-cyber-security-submissions/nsw-young-lawyers.pdf Australia's cyber security regulations]. Furthermore, it affords them access to a repository of educational resources and materials, fostering the acquisition of skills necessary for an elevated cybersecurity posture. This groundbreaking initiative was jointly disclosed by Minister for Cyber Security [[Clare O'Neil]] and Minister for Small Business [[Julie Collins]].<ref>"Australian federal government announces cybersecurity support for SMBs",{{cite web |url=https://www.homeaffairs.gov.au/about-us/our-portfolios/cyber-security/strategy/2023-2030-australian-cyber-security-strategy |title=2023-2030 Australian Cyber Security Strategy |access-date=22 November 2023 }}</ref>

==== India ====

Some provisions for cybersecurity have been incorporated into rules framed under the Information Technology Act 2000.<ref>{{cite web|title=Need for proper structure of PPPs to address specific cyberspace risks|url=http://www.orfonline.org/cyfy-event/need-for-proper-structure-of-ppps-to-address-specific-cyberspace-risks/|url-status=live|archive-url=https://web.archive.org/web/20171113165123/http://www.orfonline.org/cyfy-event/need-for-proper-structure-of-ppps-to-address-specific-cyberspace-risks/|archive-date=13 November 2017}}</ref>

The Indian Companies Act 2013 has also introduced cyber law and cybersecurity obligations on the part of Indian directors. Some provisions for cybersecurity have been incorporated into rules framed under the Information Technology Act 2000 Update in 2013.<ref>{{cite web|url=https://www.ncdrc.res.in/|title=National Cyber Safety and Security Standards(NCSSS)-Home|work=www.ncdrc.res.in|access-date=19 February 2018|archive-date=19 February 2018|archive-url=https://web.archive.org/web/20180219150958/https://www.ncdrc.res.in/}}</ref>

==== South Korea ====

==== United States ====

===== Cyber Plan =====

The [[United States]] has its first fully formed cyber plan in 15 years, as a result of the release of this National Cyber plan.<ref>{{cite news |last1=White |first1=House |title=National security strategy |url=https://bidenwhitehouse.archives.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf |agency=US gov |issue=March 2032 |publisher=white house |date=March 2023}}</ref> In this policy, the US says it will: Protect the country by keeping networks, systems, functions, and data safe; Promote American wealth by building a strong digital economy and encouraging strong domestic innovation; Peace and safety should be kept by making it easier for the US to stop people from using computer tools for bad things, working with friends and partners to do this; and increase the United States' impact around the world to support the main ideas behind an open, safe, reliable, and compatible Internet.<ref>{{cite web |last1=Adil |first1=Sajid |title=Do You Know About Biggest Cybersecurity Threats In 2023? |url=https://cybernexguard.com/do-you-know-about-biggest-cybersecurity-threats-in-2023/ |website=Cybernexguard |date=16 October 2023 |publisher=Adil Sajid |access-date=18 December 2023}}</ref>

The new U.S. cyber strategy<ref>{{cite web |last1=Adil |first1=Sajid |title=National Cyber Strategy of the United States of America |url=https://digital.library.unt.edu/ark:/67531/metadc1259394/ |website=University Libraries UNT Digital Library |date=September 2018 |access-date=18 December 2023}}</ref> seeks to allay some of those concerns by promoting responsible behavior in [[cyberspace]], urging nations to adhere to a set of norms, both through international law and voluntary standards. It also calls for specific measures to harden U.S. government networks from attacks, like the June 2015 intrusion into the [[U.S. Office of Personnel Management]] (OPM), which compromised the records of about 4.2 million current and former government employees. And the strategy calls for the U.S. to continue to name and shame bad cyber actors, calling them out publicly for attacks when possible, along with the use of economic sanctions and diplomatic pressure.<ref>{{cite web |last1=Adil |first1=Sajid |title=Do You Know About Biggest Cybersecurity Threats In 2023? |url=https://digital.library.unt.edu/ark:/67531/metadc1259394/#collections |website=University Libraries UNT Digital Library |date=September 2018 |access-date=18 December 2023}}</ref>

The 1986 {{USC|18|1030}}, the [[Computer Fraud and Abuse Act]] is the key legislation. It prohibits unauthorized access or damage of ''protected computers'' as defined in {{USCSub|18|1030|e|2}}. Although various other measures have been proposed<ref>{{USBill|111|HR|4962|pipe=International Cybercrime Reporting and Cooperation Act|site=yes}}</ref><ref>{{Cite web|url=http://hsgac.senate.gov/public/index.cfm?FuseAction=Files.View&FileStore_id=4ee63497-ca5b-4a4b-9bba-04b7f4cb0123|archive-url=https://web.archive.org/web/20120120040012/http://hsgac.senate.gov/public/index.cfm?FuseAction=Files.View&FileStore_id=4ee63497-ca5b-4a4b-9bba-04b7f4cb0123|url-status=unfit|title=111th Congress, 2nd Session|archive-date=20 January 2012}}</ref> – none have succeeded.

In 2013, [[executive order]] [[s:Executive Order 13636|13636]] ''Improving Critical Infrastructure Cybersecurity'' was signed, which prompted the creation of the [[NIST Cybersecurity Framework]].

In response to the [[Colonial Pipeline ransomware attack]]<ref>{{cite web| url = https://www.npr.org/2021/05/13/996617560/biden-advisor-on-cyber-threats-and-the-new-executive-order-to-combat-them| title = Biden Adviser On Cyber Threats And The New Executive Order To Combat Them| website = [[NPR]]}}</ref> President [[Joe Biden]] signed Executive Order 14028<ref>[https://bidenwhitehouse.archives.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/ Executive Order on Improving the Nation's Cybersecurity] (full text)</ref> on May 12, 2021, to increase software security standards for sales to the government, tighten detection and security on existing systems, improve information sharing and training, establish a Cyber Safety Review Board, and improve incident response.

The [[United States Department of Homeland Security|Department of Homeland Security]] has a dedicated division responsible for the response system, [[risk management]] program and requirements for cybersecurity in the United States called the [[National Cyber Security Division]].<ref>{{cite web|title=National Cyber Security Division |url=https://www.dhs.gov/xabout/structure/editorial_0839.shtm |publisher=U.S. Department of Homeland Security |access-date=14 June 2008 |archive-url=https://web.archive.org/web/20080611210347/https://www.dhs.gov/xabout/structure/editorial_0839.shtm |archive-date=11 June 2008  }}</ref><ref name="CSRDC-FAQ" /> The division is home to US-CERT operations and the National Cyber Alert System.<ref name="CSRDC-FAQ">{{cite web |title=FAQ: Cyber Security R&D Center |url=http://www.cyber.st.dhs.gov/faq.html |publisher=U.S. Department of Homeland Security S&T Directorate |access-date=14 June 2008 |url-status=live |archive-url=https://web.archive.org/web/20081006042850/http://www.cyber.st.dhs.gov/faq.html |archive-date=6 October 2008  }}</ref> The National Cybersecurity and Communications Integration Center brings together government organizations responsible for protecting computer networks and networked infrastructure.<ref>AFP-JiJi, "U.S. boots up cybersecurity center", 31 October 2009.</ref>

The [[USCYBERCOM|United States Cyber Command]], also known as USCYBERCOM, "has the mission to direct, synchronize, and coordinate cyberspace planning and operations to defend and advance national interests in collaboration with domestic and international partners."<ref>{{cite web|title=Mission and Vision|url=https://www.cybercom.mil/About/Mission-and-Vision/|access-date=20 June 2020|website=www.cybercom.mil}}</ref> It has no role in the protection of civilian networks.<ref>{{cite speech |url=https://www.defense.gov/speeches/speech.aspx?speechid=1399 |title=Remarks at the Defense Information Technology Acquisition Summit|author=William J. Lynn, III |date=November 12, 2009|access-date=10 July 2010 |url-status=live <!-- technically unfit but effectively dead-->|archive-url=https://web.archive.org/web/20100415113237/http://www.defense.gov/speeches/speech.aspx?speechid=1399 |location=Washington D.C. |archive-date=15 April 2010  }}</ref><ref>{{cite web | last=Shachtman | first=Noah | title=Military's Cyber Commander Swears: "No Role" in Civilian Networks  | website=brookings.edu | date=2010-09-23 | url=http://www.brookings.edu/opinions/2010/0923_military_internet_shachtman.aspx | archive-url=https://web.archive.org/web/20101106032102/http://www.brookings.edu/opinions/2010/0923_military_internet_shachtman.aspx | archive-date=2010-11-06 }}</ref>

The [[Food and Drug Administration]] has issued guidance for medical devices,<ref>{{cite web|url=https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm356423.htm|title=Cybersecurity for Medical Devices and Hospital Networks: FDA Safety Communication|website=[[Food and Drug Administration]]|access-date=23 May 2016|url-status=dead|archive-url=https://web.archive.org/web/20160528153847/https://www.fda.gov/medicaldevices/safety/alertsandnotices/ucm356423.htm|archive-date=28 May 2016}}</ref> and the [[National Highway Traffic Safety Administration]]<ref>{{cite web|url=http://www.nhtsa.gov/Research/Crash+Avoidance/Automotive+Cybersecurity|title=Automotive Cybersecurity – National Highway Traffic Safety Administration (NHTSA)|access-date=23 May 2016|archive-url=https://web.archive.org/web/20160525195552/http://www.nhtsa.gov/Research/Crash+Avoidance/Automotive+Cybersecurity|archive-date=25 May 2016}}</ref> is concerned with automotive cybersecurity. After being criticized by the [[Government Accountability Office]],<ref>{{cite report |url=http://www.gao.gov/products/GAO-15-370 |title=Air Traffic Control: FAA Needs a More Comprehensive Approach to Address Cybersecurity As Agency Transitions to NextGen |number=GAO-15-370 |access-date=23 May 2016 |url-status=live |archive-url=https://web.archive.org/web/20160613150636/http://www.gao.gov/products/GAO-15-370 |archive-date=13 June 2016  |date=14 April 2015 |publisher=U. S. Government Accountability Office}}</ref> and following successful attacks on airports and claimed attacks on airplanes, the [[Federal Aviation Administration]] has devoted funding to securing systems on board the planes of private manufacturers, and the [[Aircraft Communications Addressing and Reporting System]].<ref>{{cite web|url=http://www.nextgov.com/cybersecurity/2016/03/faa-has-started-shaping-cybersecurity-regulations/126449/|title=FAA Working on New Guidelines for Hack-Proof Planes|first=Aliya|last=Sternstein|date=4 March 2016|work=Nextgov|access-date=23 May 2016|url-status=live|archive-url=https://web.archive.org/web/20160519181332/http://www.nextgov.com/cybersecurity/2016/03/faa-has-started-shaping-cybersecurity-regulations/126449/|archive-date=19 May 2016}}</ref> Concerns have also been raised about the future [[Next Generation Air Transportation System]].<ref>{{cite web | url=https://www.fas.org/sgp/crs/homesec/IN10296.pdf | title=Protecting Civil Aviation from Cyberattacks | date=18 June 2015 | access-date=4 November 2016 | first=Bart | last=Elias | url-status=live | archive-url=https://web.archive.org/web/20161017100306/https://www.fas.org/sgp/crs/homesec/IN10296.pdf | archive-date=17 October 2016 | df=dmy-all }}</ref>

* [[CERT Coordination Center|CERT/CC]]: created by the [[Defense Advanced Research Projects Agency]] (DARPA) and run by the [[Software Engineering Institute]] (SEI).

 

In the context of [[Nuclear power in the United States|U.S. nuclear power plants]], the [[Nuclear Regulatory Commission|U.S. Nuclear Regulatory Commission (NRC)]] outlines cybersecurity requirements under [[Nuclear safety and security#Title 10 CFR Part 73 (U.S. NRC)|10 CFR Part 73]], specifically in §73.54.<ref>Details can be found in [https://www.ecfr.gov/current/title-10/section-73.54 10 CFR 73.54, Protection of digital computer and communication systems and networks].</ref>

 

 

The [[Nuclear Energy Institute]]'s NEI 08-09 document, ''Cyber Security Plan for Nuclear Power Reactors'',<ref>''[https://www.nrc.gov/docs/ML1011/ML101180437.pdf Cyber Security Plan for Nuclear Power Reactors]'' - Nuclear Energy Institute</ref> outlines a comprehensive framework for [[cybersecurity]] in the [[nuclear power industry]]. Drafted with input from the [[Nuclear Regulatory Commission|U.S. NRC]], this guideline is instrumental in aiding [[licensee]]s to comply with the [[Title 10 of the Code of Federal Regulations|Code of Federal Regulations (CFR)]], which mandates robust protection of digital computers and equipment and communications systems at nuclear power plants against cyber threats.<ref>Refer to '''[https://www.nrc.gov/docs/ML1011/ML101180437.pdf NEI 08-09]''' for more details.</ref>

{{blockquote|In the future, wars will not just be fought by soldiers with guns or with planes that drop bombs. They will also be fought with the click of a mouse a half a world away that unleashes carefully weaponized computer programs that disrupt or destroy critical industries like utilities, transportation, communications, and energy. Such attacks could also disable military networks that control the movement of troops, the path of jet fighters, the command and control of warships.<ref>{{cite journal |last1=Clayton |first1=Mark |title=The new cyber arms race |url=http://www.csmonitor.com/USA/Military/2011/0307/The-new-cyber-arms-race |journal=The Christian Science Monitor |access-date=16 April 2015 |url-status=live |archive-url=https://web.archive.org/web/20150416090310/http://www.csmonitor.com/USA/Military/2011/0307/The-new-cyber-arms-race |archive-date=16 April 2015 |df=dmy-all |date=2011-03-07 }}</ref>}}

This has led to new terms such as ''cyberwarfare'' and ''[[cyberterrorism]]''. The [[United States Cyber Command]] was created in 2009<ref>{{Cite news |author=Nakashima, Ellen |date=13 September 2016 |title=Obama to be urged to split cyberwar command from NSA |newspaper=[[The Washington Post]] |url=https://www.washingtonpost.com/world/national-security/obama-to-be-urged-to-split-cyberwar-command-from-the-nsa/2016/09/12/0ad09a22-788f-11e6-ac8e-cf8e0dd91dc7_story.html |archive-url=https://archive.today/20161012083815/https://www.washingtonpost.com/world/national-security/obama-to-be-urged-to-split-cyberwar-command-from-the-nsa/2016/09/12/0ad09a22-788f-11e6-ac8e-cf8e0dd91dc7_story.html |archive-date=12 October 2016 |access-date=15 June 2017 }}</ref> and many other countries [[Cyberwarfare#Cyber activities by nation|have similar forces]].

There are a few critical voices that question whether cybersecurity is as significant a threat as it is made out to be.<ref>{{Cite journal|last=Overland|first=Indra|date=1 March 2019|title=The geopolitics of renewable energy: Debunking four emerging myths|journal=Energy Research & Social Science|volume=49|pages=36–40|doi=10.1016/j.erss.2018.10.018|issn=2214-6296|doi-access=free|bibcode=2019ERSS...49...36O |hdl=11250/2579292|hdl-access=free}}</ref><ref>{{Cite journal|last1=Maness|first1=Ryan C.|last2=Valeriano|first2=Brandon|date=11 June 2018|title=How We Stopped Worrying about Cyber Doom and Started Collecting Data|journal=Politics and Governance|language=en|volume=6|issue=2|pages=49–60|doi=10.17645/pag.v6i2.1368|issn=2183-2463|doi-access=free|hdl=10945/60589|hdl-access=free}}</ref><ref>{{Cite journal|last1=Maness|first1=Ryan C.|last2=Valeriano|first2=Brandon|s2cid=146145942|date=25 March 2015|title=The Impact of Cyber Conflict on International Interactions|journal=Armed Forces & Society|language=en-US|volume=42|issue=2|pages=301–323|doi=10.1177/0095327x15572997|issn=0095-327X}}</ref>

Cybersecurity is a fast-growing field of [[Information technology|IT]] concerned with reducing organizations' risk of hack or data breaches.<ref>{{Cite book|last=Bullard|first=Brittany|url=https://onlinelibrary.wiley.com/doi/book/10.1002/9781119271260|title=Style and Statistics: The Art of Retail Analytics|date= 2016|publisher=Wiley|isbn=978-1-119-27031-7|language=en|doi=10.1002/9781119271260.ch8}}</ref> According to research from the Enterprise Strategy Group, 46% of organizations say that they have a "problematic shortage" of cybersecurity skills in 2016, up from 28% in 2015.<ref>{{cite web|url=http://www.networkworld.com/article/3045801/security/cybersecurity-skills-shortage-impact-on-cloud-computing.html|title=Cybersecurity Skills Shortage Impact on Cloud Computing|last=Oltsik|first=Jon|website=Network World|access-date=23 March 2016|archive-url=https://web.archive.org/web/20160323042705/http://www.networkworld.com/article/3045801/security/cybersecurity-skills-shortage-impact-on-cloud-computing.html|archive-date=23 March 2016|date=18 March 2016}}</ref> Commercial, government and non-governmental organizations all employ cybersecurity professionals. The fastest increases in demand for cybersecurity workers are in industries managing increasing volumes of consumer data such as finance, health care, and retail.<ref>{{cite web|last=Robinson|first=Terry|date=2018-05-30|title=Why is a Degree in Cyber Security one of the Best?|url=https://www.degreequery.com/why-is-a-degree-in-cyber-security-one-of-the-best/|access-date=2021-10-10|website=DegreeQuery.com|language=en-US|archive-date=10 October 2021|archive-url=https://web.archive.org/web/20211010052542/https://www.degreequery.com/why-is-a-degree-in-cyber-security-one-of-the-best/}}</ref> However, the use of the term ''cybersecurity'' is more prevalent in government job descriptions.<ref>{{cite web |last=de Silva |first=Richard |title=Government vs. Commerce: The Cyber Security Industry and You (Part One) |url=http://www.defenceiq.com/defence-technology/articles/the-cyber-security-industry-and-you/ |publisher=Defence IQ |access-date=24 April 2014 |date=11 October 2011 |url-status=live |archive-url=https://web.archive.org/web/20140424200253/http://www.defenceiq.com/defence-technology/articles/the-cyber-security-industry-and-you/ |archive-date=24 April 2014  }}</ref>

Typical cybersecurity job titles and descriptions include:<ref>{{cite web |title=Department of Computer Science |url=http://www.cs.gwu.edu/academics/graduate_programs/master/cybersecurity/cybersecurity-jobs |access-date=30 April 2013 |archive-url=https://web.archive.org/web/20130603085633/http://www.cs.gwu.edu/academics/graduate_programs/master/cybersecurity/cybersecurity-jobs |archive-date=3 June 2013  }}</ref>

===Security analyst===

 

===Security engineer===

 

===Security architect===

 

===Chief Information Security Officer (CISO)===

: A high-level management position responsible for the entire information security division/staff. The position may include hands-on technical work.<ref>{{cite web|date=2021-08-01|title=How to become a Chief Information Security Officer (CISO)?|url=https://cybersecuritycareer.org/chief-information-security-officer-ciso/|access-date=2022-01-04|website=cybersecuritycareer.org}}</ref>

 

===Chief Security Officer (CSO)===

 

 

Student programs are also available for people interested in beginning a career in cybersecurity.<ref>{{cite web|title=Student Cybersecurity Resources|url=https://niccs.cisa.gov/formal-education/students-launch-your-cyber-career|url-status=live|archive-url=https://web.archive.org/web/20201105234726/https://niccs.cisa.gov/formal-education/students-launch-your-cyber-career |archive-date=5 November 2020 |publisher=NICCS (US National Initiative for Cybercareers and Studies)}}</ref><ref>{{cite web |url=https://www.dhs.gov/join-dhs-cybersecurity |title=Current Job Opportunities at DHS |publisher=U.S. Department of Homeland Security |access-date=5 May 2013 |url-status=live |archive-url=https://web.archive.org/web/20130502135412/http://www.dhs.gov/join-dhs-cybersecurity |archive-date=2 May 2013  }}</ref> Meanwhile, a flexible and effective option for information security professionals of all experience levels to keep studying is online security training, including webcasts.<ref>{{cite web |url=https://www.dhs.gov/cybersecurity-training-exercises |title=Cybersecurity Training & Exercises |publisher=U.S. Department of Homeland Security |access-date=9 January 2015 |url-status=live |archive-url=https://web.archive.org/web/20150107111146/http://www.dhs.gov/cybersecurity-training-exercises |archive-date=7 January 2015  |date=12 May 2010 }}</ref><ref>{{cite web |title=Cyber Security Awareness Free Training and Webcasts |url=https://msisac.cisecurity.org/resources/videos/free-training.cfm |publisher=MS-ISAC (Multi-State Information Sharing & Analysis Center) |access-date=9 January 2015 |url-status=live |archive-url=https://web.archive.org/web/20150106064140/http://msisac.cisecurity.org/resources/videos/free-training.cfm |archive-date=6 January 2015  }}</ref> A wide range of certified courses are also available.<ref>{{cite web|url=http://iase.disa.mil/iawip/Pages/iabaseline.aspx|title=DoD Approved 8570 Baseline Certifications|website=iase.disa.mil|archive-url=https://web.archive.org/web/20161021073353/http://iase.disa.mil/iawip/Pages/iabaseline.aspx|archive-date=21 October 2016|access-date=19 June 2017}}</ref>

In the United Kingdom, a nationwide set of cybersecurity forums, known as the [[UK Cyber Security Forum|U.K Cyber Security Forum]], were established supported by the Government's cybersecurity strategy<ref>{{cite web |url=https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/386093/The_UK_Cyber_Security_Strategy_Report_on_Progress_and_Forward_Plans_-_De___.pdf |title=The UK Cyber Security Strategy: Report on Progress and Forward Plans December 2014 |publisher=United Kingdom Cabinet Office |access-date=20 August 2021 |url-status=live|archive-url=https://web.archive.org/web/20180418230804/https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/386093/The_UK_Cyber_Security_Strategy_Report_on_Progress_and_Forward_Plans_-_De___.pdf |archive-date=18 April 2018 }}</ref> in order to encourage start-ups and innovation and to address the skills gap<ref>{{Cite web|url=https://www.gov.uk/government/news/cyber-skills-for-a-vibrant-and-secure-uk|title=Cyber skills for a vibrant and secure UK|website=GOV.UK}}</ref> identified by the [[Government of the United Kingdom|U.K Government]].

In Singapore, the [[Cyber Security Agency (Singapore)|Cyber Security Agency]] has issued a Singapore Operational Technology (OT) Cybersecurity Competency Framework (OTCCF). The framework defines emerging cybersecurity roles in Operational Technology. The OTCCF was endorsed by the [[Infocomm Media Development Authority]] (IMDA). It outlines the different OT cybersecurity job positions as well as the technical skills and core competencies necessary. It also depicts the many career paths available, including vertical and lateral advancement opportunities.<ref>{{cite press release | title=Singapore Operational Technology (OT) Cybersecurity Competency Framework | website=Cyber Security Agency | date=2021-10-08 | url=https://www.csa.gov.sg/News/Press-Releases/singapore-operational-technology-cybersecurity-competency-framework | archive-url=https://web.archive.org/web/20211016185633/https://www.csa.gov.sg/News/Press-Releases/singapore-operational-technology-cybersecurity-competency-framework | archive-date=16 October 2021 | access-date=23 October 2021 }}</ref>

* Access [[authorization]] restricts access to a computer to a group of users through the use of [[authentication]] systems. These systems can protect either the whole computer, such as through an interactive [[login]] screen, or individual services, such as a [[File Transfer Protocol|FTP]] server. There are many methods for identifying and authenticating users, such as [[passwords]], [[identification card]]s, [[smart card]]s, and [[biometric]] systems.

* [[Application software|Applications]] are [[executable|executable code]], so general corporate practice is to [[Superuser|restrict or block users the power]] to install them; to install them only when there is a demonstrated need (e.g. software needed to perform assignments); to install only those which are known to be reputable (preferably with access [[open source software|to the computer code]] used to create the application), and to reduce the [[attack surface]] by installing as few as possible. They are typically run with [[least privilege]], with a robust process in place to identify, test and install any released [[security patch]]es or updates for them.

* [[Cryptography|Cryptographic]] techniques can be used to defend data in transit between systems, reducing the probability that the data exchange between systems can be intercepted or modified.

[[File:Encryption - decryption.svg|thumb|300px|[[Cryptography|Cryptographic]] techniques involve transforming information, scrambling it, so it becomes unreadable during transmission. The intended recipient can unscramble the message; ideally, eavesdroppers cannot.]]

* [[Encryption]] is used to protect the confidentiality of a message. [[Cryptography|Cryptographically]] secure [[cipher]]s are designed to make any practical attempt of [[cryptanalysis|breaking]] them infeasible. [[symmetric-key algorithm|Symmetric-key]] ciphers are suitable for bulk encryption using [[shared key]]s, and [[public-key encryption]] using [[digital certificate]]s can provide a practical solution for the problem of securely communicating when no key is shared in advance.

* [[Firewall (networking)|Firewalls]] serve as a gatekeeper system between networks, allowing only traffic that matches defined rules. They often include detailed [[Logfile|logging]], and may include [[Intrusion detection system|intrusion detection]] and [[Intrusion detection system#Intrusion prevention|intrusion prevention]] features. They are near-universal between company [[local area networks]] and the Internet, but can also be used internally to impose traffic rules between networks if [[network segmentation]] is configured.

The [[Security and Privacy in Computer Systems|April 1967 session]] organized by [[Willis Ware]] at the [[Spring Joint Computer Conference]], and the later publication of the [[Ware Report]], were foundational moments in the history of the field of computer security.<ref name="MAHC.2016.48">{{Cite journal |last1=Misa |first1=Thomas J. |year=2016 |title=Computer Security Discourse at RAND, SDC, and NSA (1958-1970) |url=https://dl.acm.org/doi/10.1109/MAHC.2016.48 |journal=IEEE Annals of the History of Computing |volume=38 |issue=4 |pages=12–25 |doi=10.1109/MAHC.2016.48 |s2cid=17609542|url-access=subscription }}</ref> Ware's work straddled the intersection of material, cultural, political, and social concerns.<ref name="MAHC.2016.48" />

A 1977 [[NIST]] publication<ref>{{cite web |first1=A. J.|last1=Neumann|first2=N.|last2=Statland|first3=R. D.|last3=Webb |date=1977 |title=Post-processing audit tools and techniques |url=https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nbsspecialpublication500-19.pdf |url-status=live |archive-url=https://web.archive.org/web/20161010044638/http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nbsspecialpublication500-19.pdf |archive-date=2016-10-10 |access-date=2020-06-19 |website=nist.gov |publisher=US Department of Commerce, National Bureau of Standards |pages=11–3–11–4 |language=en-US}}</ref> introduced the ''CIA triad'' of confidentiality, integrity, and availability as a clear and simple way to describe key security goals.<ref>{{cite web |last1=Irwin |first1=Luke |date=5 April 2018 |title=How NIST can protect the CIA triad, including the often overlooked 'I' – integrity |url=https://blog.itgovernanceusa.com/blog/how-nist-can-protect-the-cia-triad-including-the-often-overlooked-i-integrity |access-date=16 January 2021 |website=www.itgovernanceusa.com}}</ref> While still relevant, many more elaborate frameworks have since been proposed.<ref>{{cite web |last=Perrin |first=Chad |date=30 June 2008 |title=The CIA Triad |url=http://www.techrepublic.com/blog/security/the-cia-triad/488 |access-date=31 May 2012 |website=techrepublic.com}}</ref><ref>{{cite report |url=http://csrc.nist.gov/publications/nistpubs/800-27A/SP800-27-RevA.pdf |title=Engineering Principles for Information Technology Security |last1=Stoneburner |first1=G. |last2=Hayden |first2=C. |publisher=csrc.nist.gov |doi=10.6028/NIST.SP.800-27rA |last3=Feringa |first3=A. |archive-url=https://web.archive.org/web/20041012074937/http://csrc.nist.gov/publications/nistpubs/800-27A/SP800-27-RevA.pdf |archive-date=2004-10-12 |url-status=live |year=2004}} ''Note: this document has been superseded by later versions.''</ref>

However, in the 1970s and 1980s, there were no grave computer threats because computers and the internet were still developing, and security threats were easily identifiable. More often, threats came from malicious insiders who gained unauthorized access to sensitive documents and files. Although malware and network breaches existed during the early years, they did not use them for financial gain. By the second half of the 1970s, established computer firms like [[IBM]] started offering commercial access control systems and computer security software products.<ref>{{Cite journal |last=Yost |first=Jeffrey R. |date=April 2015 |title=The Origin and Early History of the Computer Security Software Products Industry |url=https://ieeexplore.ieee.org/document/7116464 |journal=IEEE Annals of the History of Computing |volume=37 |issue=2 |pages=46–58 |doi=10.1109/MAHC.2015.21 |issn=1934-1547 |s2cid=18929482|url-access=subscription }}</ref>

One of the earliest examples of an attack on a computer network was the [[computer worm]] [[Creeper and Reaper|Creeper]] written by Bob Thomas at [[BBN Technologies|BBN]], which propagated through the [[ARPANET]] in 1971.<ref>{{Cite web |date=2023-04-19 |title=A Brief History of Computer Viruses & What the Future Holds |url=https://www.kaspersky.com/resource-center/threats/a-brief-history-of-computer-viruses-and-what-the-future-holds |access-date=2024-06-12 |website=www.kaspersky.com |language=en}}</ref> The program was purely experimental in nature and carried no malicious payload. A later program, [[Creeper and Reaper|Reaper]], was created by [[Ray Tomlinson]] in 1972 and used to destroy Creeper.{{citation needed|date=April 2020}}

NSA contractors created and sold ''click-and-shoot'' attack tools to US agencies and close allies, but eventually, the tools made their way to foreign adversaries.<ref>{{Cite web |last1=Perlroth |first1=Nicole |last2=Sanger |first2=David |last3=Shane |first3=Scott |date=May 6, 2019 |title=How Chinese Spies Got the N.S.A.'s Hacking Tools, and Used Them for Attacks |url=https://www.nytimes.com/2019/05/06/us/politics/china-hacking-cyber.html |access-date=October 18, 2024 |website=The New York Times}}</ref> In 2016, NSAs own hacking tools were hacked, and they have been used by Russia and North Korea.{{citation needed|date=April 2020}} NSA's employees and contractors have been recruited at high salaries by adversaries, anxious to compete in [[cyberwarfare]].{{citation needed|date=April 2020}} In 2007, the United States and [[Israel]] began exploiting security flaws in the [[Microsoft Windows]] operating system to attack and damage equipment used in Iran to refine nuclear materials. Iran responded by heavily investing in their own cyberwarfare capability, which it began using against the United States.<ref name="perlroth" />

* Cybersecurity Best Practices | Cybersecurity and Infrastructure Security Agency CISA. (n.d.). Retrieved April 24, 2024, from https://www.cisa.gov/topics/cybersecurity-best-practices