Computer security
===Reducing vulnerabilities===
The act of assessing and reducing vulnerabilities to cyber attacks is commonly referred to as [[information technology security assessment]]s. They aim to assess systems for risk and to predict and test for their vulnerabilities. While [[formal verification]] of the correctness of computer systems is possible,<ref>{{cite conference |last1=Harrison |first1=J. |year=2003 |title=Formal verification at Intel |conference=18th Annual IEEE Symposium of Logic in Computer Science, 2003. Proceedings |pages=45–54 |doi=10.1109/LICS.2003.1210044 |isbn=978-0-7695-1884-8 |s2cid=44585546}}</ref><ref>{{cite conference |last1=Umrigar |first1=Zerksis D. |last2=Pitchumani |first2=Vijay |year=1983 |title=Formal verification of a real-time hardware design |url=http://portal.acm.org/citation.cfm?id=800667 |conference=Proceeding DAC '83 Proceedings of the 20th Design Automation Conference |publisher=IEEE Press |pages=221–227 |isbn=978-0-8186-0026-5}}</ref> it is not yet common. Operating systems formally verified include [[seL4]],<ref>{{cite web |title=Abstract Formal Specification of the seL4/ARMv6 API |url=https://sel4.systems/Docs/seL4-spec.pdf |archive-url=https://web.archive.org/web/20150521171234/https://sel4.systems/Docs/seL4-spec.pdf |archive-date=21 May 2015 |access-date=19 May 2015}}</ref> and [[SYSGO]]'s [[PikeOS]]<ref>{{cite conference |last1=Baumann |first1=Christoph |last2=Beckert |first2=Bernhard |last3=Blasum |first3=Holger |last4=Bormer |first4=Thorsten |title=Ingredients of Operating System Correctness? Lessons Learned in the Formal Verification of PikeOS |url=http://www-wjp.cs.uni-saarland.de/publikationen/Ba10EW.pdf |conference=Embedded World Conference, Nuremberg, Germany |archive-url=https://web.archive.org/web/20110719110932/http://www-wjp.cs.uni-saarland.de/publikationen/Ba10EW.pdf |archive-date=19 July 2011}}</ref><ref>{{cite web |last=Ganssle |first=Jack |title=Getting it Right |url=http://www.ganssle.com/rants/gettingitright.htm |archive-url=https://web.archive.org/web/20130504191958/http://www.ganssle.com/rants/gettingitright.htm |archive-date=4 May 2013}}</ref> – but these make up a very small percentage of the market.

It is possible to reduce an attacker's chances by keeping systems up to date with security patches and updates and by hiring people with expertise in security. Large companies with significant threats can hire Security Operations Centre (SOC) Analysts. These are specialists in cyber defences, with their role ranging from "conducting threat analysis to investigating reports of any new issues and preparing and testing disaster recovery plans."<ref>{{Cite web |title=Everything you need for a career as a SOC analyst |url=https://www.cybersecurityjobsite.com/staticpages/10300/everything-you-need-for-a-career-as-a-soc-analyst/ |access-date=2023-12-19 |website=www.cybersecurityjobsite.com}}</ref> Whilst no measures can completely guarantee the prevention of an attack, these measures can help mitigate the damage of possible attacks. The effects of data loss/damage can also be reduced by careful [[backup|backing up]] and [[insurance]].

Outside of formal assessments, there are various methods of reducing vulnerabilities.
[[Two factor authentication]] is a method for mitigating unauthorized access to a system or sensitive information.<ref>{{Cite web |title=Turn on 2-step verification (2SV) |url=https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/activate-2-step-verification-on-your-email |access-date=2023-12-19 |website=www.ncsc.gov.uk |language=en}}</ref> It requires ''something you know:'' a password or PIN, and ''something you have'': a card, dongle, cellphone, or another piece of hardware. This increases security as an unauthorized person needs both of these to gain access.

Protecting against social engineering and direct computer access (physical) attacks can only happen by non-computer means, which can be difficult to enforce, relative to the sensitivity of the information. Training is often involved to help mitigate this risk by improving people's knowledge of how to protect themselves and by increasing people's awareness of threats.<ref>{{Cite web |title=NCSC's cyber security training for staff now available |url=https://www.ncsc.gov.uk/blog-post/ncsc-cyber-security-training-for-staff-now-available |access-date=2023-12-19 |website=www.ncsc.gov.uk |language=en}}</ref> However, even in highly disciplined environments (e.g. military organizations), social engineering attacks can still be difficult to foresee and prevent.

Inoculation, derived from [[inoculation theory]], seeks to prevent social engineering and other fraudulent tricks and traps by instilling a resistance to persuasion attempts through exposure to similar or related attempts.<ref>{{cite conference |last1=Treglia |first1=J. |last2=Delia |first2=M. |year=2017 |title=Cyber Security Inoculation |conference=NYS Cyber Security Conference, Empire State Plaza Convention Center, Albany, NY, 3–4 June}}</ref>