Please enable JavaScript to use CodeHS

NCMF Cyber Standards Framework


Standard Description
1.1.1a Societies are groups of individuals characterized by common interests/values that are perpetuated by persistent social interaction. Lessons
1.1.1b Cybersecurity ethics is an expression of values by the designers and users. Lessons
1.1.1c Values concerning how to engage in cyber technologies can and do compete during the creative process of designing the technology and its adoption. Lessons
1.1.1d Different communities and societies have different foundational social goals and values that impact their behaviors concerning technology. Lessons
1.1.2a Political structure refers to institutions, their relations to and interactions with each other, and the laws and norms present in political systems in such a way that they constitute the political landscape of the political entity. Lessons
1.1.2b Institution refers to informal norms, shared understandings, and formal doctrines that constrain and prescribe actors' interactions with one another. Lessons
1.1.2c Cyberwarfare, cybersecurity, and privacy affect and are affected by institutions, political structures, and policies. Lessons
1.1.2d Cybersecurity laws reflect values about national security, economic security, welfare of citizens, domestic law and order, and legitimacy of government. Lessons
1.1.2e Professional codes of ethics convey the expected conduct of cybersecurity professionals. Lessons
1.2.1a Examples in history demonstrate the harms and benefits of cybersecurity from multiple perspectives. Lessons
1.2.1b There are trade-offs concerning the harms and benefits of cybersecurity, including the tensions between ensuring privacy and enabling convenience and usability. Lessons
1.2.1c Cybersecurity requires resources, including time, money, and expertise that also affects technological affordances. Lessons
1.2.2a The designer assumptions and user assumptions could differ. Another way to say this, the user may not know the assumptions of the designer for using the tool, leading the user to use the tool in a way the designer never intended. Lessons
1.2.2b Security tools were designed to help system administrators and users to improve security, but an adversary can use the same tools to exploit the target for nefarious goals. Lessons
1.3.1a Transparency is important for trustworthiness and openness in an society, but can come at a risk to privacy and security. Lessons
1.3.1b Autonomy means that every entity is in control of their own thoughts and actions. Lessons
1.3.1c Resilience is the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Lessons
1.3.1d Security is freedom from potential harm or other unwanted coercive change caused by others. Lessons
1.3.2a Ethical obligations are covenants that define a moral course of action and draw a line between right and wrong. Lessons
1.3.2b Social responsibility is an ethical theory, in which individuals are accountable for fulfilling their civic duty; the actions of an individual must benefit the whole of society. Lessons
1.3.3a The legal and ethical consequences of cybersecurity practices can be explored through ethical versus malicious (e.g. white/gray/black hat) hacking. Lessons
1.3.3b Technology moves faster than laws can be created to govern it. Lessons
1.3.3c Using the anonymity of the internet for behavior that can harm others may not be illegal. Lessons
1.3.3d Disclosure of software vulnerabilities to a party other than the software developer is legal and can be harmful. Lessons
2.1.1a Confidentiality is the protection of information from disclosure to unauthorized parties. Lessons
2.1.1b File permissions are a mechanism to control access to only those authorized. Lessons
2.1.1c Cryptography is necessary to ensure confidentiality and integrity. Lessons
2.1.1d Hiding is another aspect of confidentiality. Lessons
2.1.1e Assuring confidentiality includes prevention, detection, and response mechanisms. Lessons
2.1.2a Integrity is the trustworthiness of data or resources. Lessons
2.1.2b Assurance is determining how much and in which way to trust a system. Lessons
2.1.2c Data integrity is the information changing in authorized ways by authorized people, often called authentication. Lessons
2.1.2d Integrity mechanisms include prevention, detection and response mechanisms. Lessons
2.1.3a Availability of information refers to ensuring that authorized parties are able to access the information when needed. Lessons
2.1.3b Denial of service attacks are attempts to block availability. Lessons
2.1.3c There is a tradeoff between 1) confidentiality and integrity and 2) availability. Lessons
2.1.3d Assuring availability includes prevention, detection, and response mechanisms. Lessons
2.2.1a Simple designs are easier to understand, maintain and test for security problems. Lessons
2.2.1b Simplicity is also known as “Economy of Mechanism.” Lessons
2.2.1c A simple design incorporates a careful analysis of what is needed. Lessons
2.2.2a Abstraction is reducing the complexity of an object down to its essentials in a way that is understandable. Lessons
2.2.2b Good and elegant design involves using abstraction. Lessons
2.2.3a The attack surface of a software environment is the sum of the different points where an unauthorized user can try to enter data or to extract data from an environment. Lessons
2.2.3b Minimizing the attack surface decreases the opportunity to find an exploitable vulnerability in the system. Lessons
2.2.3c The human interface should be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly. Lessons
2.2.3d Common mechanisms and access should be minimized. Lessons
2.3.1a A domain refers to a collection of data or instructions that warrant protection. Lessons
2.3.1b Communications between domains are allowed only as authorized. Lessons
2.3.2a A process is a program running on a computer. Lessons
2.3.2b Each process has a region of the memory (address space), which only it can access. Lessons
2.3.2c Processes have to use defined communications mediated by the operating system to communicate with other processes. Lessons
2.3.3a Examples of resources are the memory, disk drive, network bandwidth, battery power, and a monitor. It can also be system objects such as shared memory or a linked list data structure. Lessons
2.3.3b Encapsulation allows access or manipulation of the class data in only the ways the designer intended. Lessons
2.3.4a A privilege is a right for the user to act on managed computer resources. Lessons
2.3.4b Least privilege is the concept and practice of restricting access rights for users, accounts, and computing processes to only those resources absolutely required to perform routine, legitimate activities. Lessons
2.3.4c Granting only those privileges necessary for a user to accomplish assigned duties improves accountability and limits accidental misuse. Lessons
2.3.5a A layer is a separate level that must be conquered by an attacker to breach a system. Lessons
2.3.5b Multiple independent layers require integration and independent management to get the full benefits of layered protection. Lessons
2.3.6a Data hiding can help prevent users/programmers/processes from updating/changing data in invalid ways or by mistake. Lessons
2.3.7a The principle of modularity says that individual components are capable of executing a unique part of the desired functionality and is achieved through system design. Because of this modular design, security upgrades can happen in one component without having to overhaul the entire system. Lessons
2.3.7b A system's components may be separated and recombined. Lessons
2.3.8a When something does not work, or the system fails, the system must return to a secure state. Lessons
2.3.8b A secure state is a condition when no subject can access any object in an unauthorized manner. Lessons
2.3.8c Turning off permission causes a security problem. Lessons
2.4.1a An assumption in this context is an assertion about the security of a system being designed; it can be a valid or invalid assertion. Lessons
2.4.1b Key assumptions of systems are things such as whether only valid users are in the system, whether hardware is trusted, whether the software really does what it claims to do. Lessons
2.4.1c Incorrect assumptions lead to system failures. Lessons
2.4.1d When confronting incorrect assumptions, facing up to cyber attacks is an ongoing, and constantly evolving challenge. Lessons
2.4.1e The only assumption you can safely make is that data and networks are not safe. Lessons
3.1.1a Networks carry two types of information, those that allow for the controlling of the data and the data itself. Lessons
3.1.1b Physical links include optical cables that send signals using light, cables that send signals using electrical pulses, and wireless networks that send signals over radio waves. Lessons
3.1.1c Link layer protocols such as Ethernet, Wifi (e.g., 802.11), and Bluetooth are specific to the physical layer connection and describe how the signals are used to exchange data between the devices. Lessons
3.1.1d The network layer connects different types of networks to form larger networks and ultimately the global Internet. It transmits data from one computer to another using packets and logical addressing. Lessons
3.1.1e Once a packet arrives at a device, the transport layer uses port numbers to determine which application (web browser, email app, game, etc.) receives the packet, allowing for the reliable delivery of data between a sending and receiving application. Lessons
3.1.1f Internet and device applications (web, text messaging, games, etc.) follow protocols at the application layer (e.g. http, sms, proprietary protocols, etc.). Lessons
3.1.2a Communication protocols define the rules, types, and formats of messages exchanged between devices and are necessary to allow devices to communicate with each other. Lessons
3.1.2b One commonly used protocol is the Domain Name System (DNS) which provides a mechanism to map names like “” into numbers (IP addresses), similar to a phonebook that maps names to phone numbers. Lessons
3.1.2c Some protocols are proprietary and are available only to authorized users while other protocols are published as formal standards and allow devices from any manufacturer to communicate with each other. Lessons
3.1.2d Some standards are open standards where the packet format and message exchange rules are available to everyone. In other standards called proprietary standards, the message formats and message exchange rules are only provided to authorized entities. Lessons
3.1.2e When designers rely on secrecy, assuming an adversary cannot compromise the system because the adversary cannot determine how the system works is known as security through obscurity. It is widely accepted that security through obscurity should never be your only security mechanism. Lessons
3.1.2f Cryptographic algorithms are either publicly known or proprietary. The use of proprietary cryptographic algorithms is largely discredited, as evidenced by organizations like NIST, which encourages public review of algorithms. Lessons
3.1.2g Through experiments, an adversary can often learn how proprietary protocols or algorithms work even though the adversary is not an authorized user. Lessons
3.2.1a Network mapping and recon tools allow an adversary to gain information on remote systems and an opportunity to get control of the system. Lessons
3.2.1b By directing an attack at a collection of devices (or even all devices on a network), an adversary can attack multiple devices simultaneously, in hopes of compromising a few select devices. Lessons
3.2.1c An adversary can attack a large number of systems simultaneously, which can impact a large majority of a group of people. Lessons
3.2.1d An adversary can stay undetected for a long period of time suggesting that early detection is key in preventing a large amount of damage. Lessons
3.2.2a At the physical/link layer, an adversary who is able to connect to the link can observe, and possibly modify or jam messages on that link. Lessons
3.2.2b At the network layer, an adversary may do two things, impersonate an address (spoofing) or disrupt communication (Denial of Service). Lessons
3.2.2c At the transport layer, an adversary may disguise their intentions by using port numbers incorrectly or may disrupt the ability of a device to deliver data to the application. Lessons
3.2.2d At the application layer, messages sent by the adversary may cause applications to stop working or behave in a way that serves the goals of the adversary, rather than the way they were designed. Lessons
3.2.3a Most protocols lack a security component but some protocols build in security. For example, http was designed before security was a major concern while extensions like https explicitly add security to the standard. Lessons
3.2.3b A packet can be identified by its source address (sending device), source port (sending application on the device), destination address (receiving device), and destination port (receiving application on the device). Lessons
3.2.3c Firewalls work primarily at the network and transport layer by blocking packets with addresses and ports that correspond to unwanted traffic. Lessons
3.2.3d Intrusion Detection Systems (IDS) work at all layers to identify and raise an alarm when unexpected message patterns (anomalies) or known bad patterns (signatures) are detected (blacklisting). IDS systems can also be configured to block all packets and only allow a select set of valid packets (whitelisting). Lessons
3.2.3e Intrusion Prevention Systems (IPS) are similar to IDS and also can prevent attacks by blocking messages related to anomalies or signatures. Lessons
3.2.3f Application layer defenses, such as input validation, check and block potentially harmful message data from getting to the application. Lessons
3.2.3g Devices with limited processing power such as Internet of Things (IoT) devices and control systems in industrial settings may rely almost entirely on network security devices such as firewalls and IPS for protection. Lessons
4.1.1a Data can reveal much about people, their thoughts, and lives; which makes personally identifiable information highly sensitive. Lessons
4.1.1b Data can be used to help individuals, but it can also be exploited to harm individuals. Lessons
4.1.1c Data must be protected in processing, transmitting and storage. Lessons
4.1.1d The purpose of personal data protection is not to merely protect a person’s data, but to protect the fundamental rights, freedoms, and welfare of persons who are related to that data. Lessons
4.1.1e Data integrity means only authorized changes are made only by authorized people. Lessons
4.1.1f Origin integrity means the original data is trustworthy, and its source is trusted to produce trustworthy data. Lessons
4.1.1g Data confidentiality is about protecting data against unintentional, unlawful, or unauthorized access, disclosure, or theft. Lessons
4.2.1a Policies can be introduced and enforced at the local, state, and national levels. Lessons
4.2.1b Laws are in place to protect the disclosure and misuse of financial, personal, and private information. Lessons
4.2.1c GDPR (General Data Protection Regulation) is a set of regulations designed to give citizens in the European Union more control over their personal data. Lessons
4.2.1d HIPAA (Health Insurance Portability and Accountability Act) is United States legislation that provides data privacy and security provisions for safeguarding medical information. Lessons
4.2.1e CFAA (Computer Fraud and Abuse Act) prohibits accessing a computer without authorization, or in excess of authorization. Lessons
4.2.1f There are also state cybersecurity laws. One example is CCPA (California Consumer Privacy Act), which was signed into law in 2018 to extend the privacy rights of the citizens of California. Lessons
4.2.1g An Acceptable Use Policy is a set of rules applied by the owner, creator or administrator of a network, website, or service, that restrict the ways in which the network, website or system may be used and sets guidelines as to how it should be used. Lessons
4.2.2a Physical security controls are means and devices to control physical access to sensitive information and to protect the availability of the information. Lessons
4.2.2b Physical security is an important part of defense in depth. To provide comprehensive physical security, multiple systems and processes must work together, like perimeter security, access control, and process management. Lessons
4.2.2c Commonly used physical controls include: limited entry points, redundant systems, and surveillance cameras. Lessons
4.2.3a Authentication is a process by which you verify that someone is who they claim they are. Lessons
4.2.3b Authentication requires a database of information. Lessons
4.2.3c Authentication can be done using multiple factors, something you have, something you know, something you do, and something you are. (E.g., have = card, know=password, do=sign, walk, are=fingerprint, retina) Lessons
4.2.3d Identity management includes authentication, access control, sometimes coordination across different domains, and management of the credentials throughout the lifecycle. Lessons
4.2.3e Passwords and passphrases are a common form of authentication. Lessons
4.2.3f The strength of a password is a function of length, complexity, and unpredictability. Lessons
4.2.3g Authorization is the process of establishing if the authenticated user, is permitted to have access to and/or act on a resource. Lessons
4.2.3h Groups, Roles, Privileges and Permissions are used to manage authorization. Lessons
4.2.3i Access Control is the process of enforcing the required security for a particular resource. Lessons
4.2.3j Failure to protect data can be due to faulty authentication, faculty authorization, and/or faulty access control. Lessons
4.3.1a Cryptography comes from two Greek words meaning "secret writing" and is the art and science of concealing meaning. Lessons
4.3.1b Cryptanalysis is the breaking of codes. Lessons
4.3.1c Cryptographic algorithms, also known as ciphers, are mathematical functions used in the process of encryption and decryption. Lessons
4.3.1d Encryption is the process of encoding a message or information in such a way that only authorized parties can access it and those who are not authorized cannot. Lessons
4.3.1e Decryption is the process of taking encoded or encrypted text or other data and converting it back into text that you or the computer can read and understand. Lessons
4.3.1f Ciphertext is encrypted text. Plaintext is what you have before encryption, and ciphertext is the encrypted result. Lessons
4.3.1g The primary goal of cryptography is to keep enciphered information secret. Lessons
4.3.1h Symmetric encryption is a method of encryption involving one key for encryption and decryption. Lessons
4.3.1i Public key encryption, which is asymmetric, is an encryption method that is widely used because of the enhanced security associated with its use. Lessons
4.3.1j Hash functions can be used for checking whether a file was corrupted. Lessons
4.3.1k Certificate authorities (CAs) issue digital certificates that validate the ownership. Lessons
4.3.2a There are two basic types of symmetric ciphers: Transposition ciphers that diffuse the data in the plaintext and substitution ciphers that replace the data in the plaintext. Lessons
4.3.2b In transposition ciphers the letters are not changed they are rearranged. The set of encryption functions E is simply the set of permutations of m, and the set of decryption functions D is the set of inverse permutations. Lessons
4.3.2c Anagramming is a way to attack a transposition cipher. It uses tables of n-gram frequencies to identify common n-grams. Lessons
4.3.2d A substitution cipher changes characters in the plaintext to produce the ciphertext. Lessons
4.3.2e A shift cipher is susceptible to a statistical ciphertext-only attack. Lessons
4.3.3a Public key encryption does not require the sender and receiver to share the same key. Lessons
4.3.3b Public key encryption uses a key pair - a private key known only to the entity and a cryptographically linked public key that can be shared with anyone. Lessons
4.3.3c Secret messages encipher the message with the recipient's public key, are sent, and then the recipient can decipher it using their private key. Lessons
4.3.3d Digital Signatures are a type of electronic signature that encrypts documents with digital codes that are particularly difficult to duplicate. Lessons
5.1.1a Software is a set of instructions that execute on hardware and are designed to achieve some objective on a physical device. Lessons
5.1.1b Neither hardware or software is useful without the other. Lessons
5.1.1c Software instructions may manipulate data, manipulate physical systems or manipulate both. For example, software in a vehicle may record the vehicle speed and send it to a cloud storage system, other software may cause the brakes to be physically applied and reduce the speed, and still other software may both record and manipulate the vehicle speed. Lessons
5.1.1d Malware, short for malicious software, is any software intentionally designed to cause damage to a computer, server, client, or computer network. Lessons
5.1.1e Software includes programs written to run on servers, laptops, and traditional computers. Computing devices accomplish no tasks without running software that tells it what to do. Lessons
5.1.1f Software can be written in high level languages such as Python, C, Perl, Java, and the high level software is converted into low level instructions that tell the CPU, memory, and other devices exactly what to do. Lessons
5.1.1g Software can be written in low level machine specific instructions that tell the CPU, memory, and other devices exactly what to do (e.g. add memory locations one and two and store the result in memory location. Lessons
5.1.1h Embedded software can be built directly into the physical device so the instructions on how a device will behave are physically part of the device and often cannot be changed without changing the hardware itself. Lessons
5.1.1i Embedded software is computer software, written to control machines or devices that are not typically thought of as computers, commonly known as embedded systems. Lessons
5.1.1j Software ultimately relies on the physical hardware to accomplish its task and even if the software is written perfectly, it will not perform the desired function if the hardware fails to behave as expected. Lessons
5.1.1k Hardware ultimately relies on the software instructions to accomplish its task and even if the hardware operates perfectly, it will not perform the desired function if the software directs it to execute the wrong instructions. In other words, the hardware may be able to correctly apply the brakes in a vehicle when instructed to do but it will not prevent a vehicle crash if the software is too slow in deciding when to apply the brakes. Lessons
5.1.1l The overall system can be manipulated to act incorrectly if there is a vulnerability in the hardware, the software, the interface between them, or any combination of those. Lessons
5.2.1a Internal hardware devices include CPUs, motherboards, hard drives, memory, and internal peripherals such as a CD-ROM drive, CD-R drive, or internal modem. Lessons
5.2.1b External hardware devices include monitors, keyboards, mice, printers, scanners, routers, switches, servers, IoT devices industrial control systems, and security cameras. Lessons
5.2.1c Hardware is the base level component of systems that are critical to telecommunications, health, US economic system, and national defense. Lessons
5.2.1d Tamper resistant hardware aims to detect if someone attempts to modify them and aim to become non-functional if that occurs. For example, credit card readers at a store are designed to be no longer usable if someone physically opens the credit card reader system. Lessons
5.2.2a A backdoor is a method, often secret, of bypassing normal authentication or encryption in a computer system, a product, or an embedded device (e.g. a home router) to secure remote access. Lessons
5.2.2b Manufacturing backdoors are used for malware or other penetrative purposes; backdoors aren’t limited to software and hardware, but they also affect embedded radio-frequency identification (RFID) chips and memory. Lessons
5.2.2c A side channel attack is based on information gained from the use of an algorithm or computer system, rather than weaknesses in the algorithm itself (e.g. cryptanalysis and software bugs). Lessons
5.2.2d General classes of side channel attacks include attacks such as: timing attacks, power-monitoring attacks, electromagnetic attacks, data remanence attacks. Lessons
5.2.2e Hardware vulnerabilities can also be due to weaknesses in the implementation of algorithms. Lessons
5.2.3a Hardware itself consists of many components and supply chain management attempts to ensure each component as well as the composition of these components meets an overall security policy. Lessons
5.2.3b The hardware design, manufacturing and supply chain can be attacked by malicious actors, nation states, competitors, and organized crime. Lessons
5.2.3c Physical security measures can be used to deny unauthorized access to facilities, equipment and resources and to protect personnel and property from damage or harm. Lessons
5.2.4a The hardware design can require the device to disable itself if physically tampered with. Lessons
5.2.4b Students will identify examples of fail-safe in cybersecurity, i.e., a design feature or practice that in the event of a specific type of failure, inherently responds in a way that will cause no or minimal harm to other equipment, the environment, or to people, and provide recovery opportunities. Lessons
5.3.1a Injection attacks occur when an external source such as a user provides input that causes a program to behave in ways that violate the security policy by executing harmful commands. Lessons
5.3.1b A buffer overflow is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations, and how this can be used as an entry point by an attacker to violate security policy. Lessons
5.3.1c A software vulnerability may exist when data is allowed to include unauthorized control instructions that dictate how the program should behave and thus can cause the program to behave in a way that violates the security policy. Lessons
5.3.1d A software vulnerability may exist when cryptographic functions are not implemented properly or when the cryptographic functions are assumed to provide more security than the algorithm provides. Lessons
5.3.1e Changes to the environment can cause software to no longer meet the security policy and secure software must include considerations for how to implement future changes (e.g., credentials, algorithms, and patching code to correct bugs and errors). Lessons
5.3.1f A software vulnerability can occur when external components that don’t meet the security policy requirements are connected to the system. Lessons
5.3.2a Input validation is code added to the program that verifies input provided by an external source is the type of input expected and will be processed correctly. Lessons
5.3.2b Static analysis of software is a process in which external tools analyze the code and automatically identify potential security vulnerabilities such as potential buffer overflows. Lessons
5.3.2c Development tools and Integrated software Development Environments (IDE)s provide static analysis tools to check for some types of insecure code such as identifying potential buffer overflows. Lessons
5.3.3a A security analysis is a process that is used to verify a program meets a specified list of security requirements. Lessons
5.3.3b Security vulnerability reports such as Common Weakness Enumeration (CWE) and Common Vulnerabilities and Exposures (CVE) are publicly available for software systems and should be monitored, or subscribe to their alerts. Lessons
5.3.3c A zero-day vulnerability is a software security flaw that is unknown to people who should be responsible for patching or fixing the flaw. Zero-day attacks are cyber attacks utilizing one or multiple zero-day vulnerabilities. Lessons
5.3.3d Managing vulnerability reports, patching and patch distribution is a key part of software security. Lessons
5.3.3e Dynamic analysis is a process in which external tools analyze the execution of code in order to automatically identify potential security vulnerabilities. Lessons
5.4.1a Software vulnerability examples that resulted in a loss of confidential data including breaches of credit information (Equifax), healthcare information (Anthem), government records (OPM data breach), home assistants (Amazon Echo hacks), baby monitors (many examples), and fitness tracker data (mapping military bases). Lessons
5.4.1b Software vulnerability examples that resulted in a loss of confidential data and corresponding monetary losses for the victims including intellectual property theft and ability to directly access financial data. Lessons
5.4.1c Software vulnerabilities examples that resulted in a loss of integrity such as man in the middle attacks (many examples), compromise industrial control systems (i.e. Stuxnet), vehicle control systems (Jeep Cherokee hack), and medical devices (Medtronic infusion pumps). Lessons
5.4.1d Software vulnerability examples that resulted in a loss of availability such as DDoS attacks on websites (Mirai botnet), ransomware that locks outs access to data (WannaCry, Petya, NotPetya), Telephony Denial of Service (attacks on 911). Lessons
5.4.2a A cyber-physical system (CPS) is a mechanism that is controlled or monitored by computer-based algorithms, tightly integrated with the Internet and its users. Lessons
5.4.2b Industries that employ CPS include energy management, health care, manufacturing, transportation, telecommunications, infrastructure, and military. Lessons
5.4.2c A smart grid is an electrical grid which includes a variety of operation and energy measures including smart meters, smart appliances, renewable energy resources, and energy efficient resources. Lessons
5.4.2d Increased industry connectivity will cause increased attacks from adversaries such as cyber criminals, disgruntled employees, terrorists, organized crime, and nation states. Lessons
5.4.2e Vulnerabilities may allow adversaries to interfere with connected devices. Lessons
5.4.2f The consequences of unintentional faults or malicious attacks could have severe impact on human lives and the environment. Lessons
5.4.2g By targeting trusted resources attackers can control devices and wholeheartedly manipulate users. Lessons
6.1.1a A complex system is a system composed of many components which may interact with each other. Lessons
6.1.1b Complex systems typically have input from many sources and are highly changeable. Lessons
6.1.1c The internet is a prime example of a complex system in that it is a large and complex system composed of multiple, dispersed, independent systems. Lessons
6.1.2a In complex systems, failures are rarely the result of one individual's problem or behavior; catastrophe requires multiple failures. Lessons
6.1.2b System failures are characterized by a series of actions or behaviors that are normally isolated or self-contained, but become consequential due to interconnected impact. Lessons
6.1.2c Product failure is deceptively difficult to understand given that it depends on the intrinsic properties of each part, what it’s made of, how those materials respond to varying and unanticipated conditions, and how customers use a product. Lessons
6.1.2d Given the complexity of cybersystems, there are limits to how much entities can control their functioning and success of their policies. Lessons
6.1.2e Security is a characteristic of systems and not system components. Lessons
6.1.3a Security is only as strong as the weakest link and is not limited to human actors. Lessons
6.1.3b Human operators have dual roles: as producers and defenders against failure. Lessons
6.1.3c Events ranging from natural disasters to unintentional errors can result in cybersecurity failures. Lessons
6.1.3d Change introduces new forms of failure. Lessons
6.1.4a Human users of the system have their own conscious and unconscious objectives that can undermine cybersecurity protections and policies. Lessons
6.1.4b Social engineering is one of the most widely used techniques in which an adversary compromises a system by convincing a human to violate the security policies in a way that enables the adversary to gain an advantage. Lessons
6.2.1a Cyber systems are susceptible to disruption and destruction from natural disasters; for example flooding, earthquakes, and hurricanes. Lessons
6.2.1b Disaster planning includes provisioning for the confidentiality, integrity and availability of cyber systems during natural disasters. Lessons
6.2.1c Disaster planning includes prevention, detection, and response and recovery. Lessons
6.2.1d Natural event and unintentional errors typically do not adapt in response to defenses. Lessons
6.2.2a The intentions of adversaries can be classified as theft, disclosure, disruption, destruction, and/or subversion. Lessons
6.2.2b The manner in which an adversary carries out their intentions (sometimes called attacks) is related to their capabilities and the resources they can bring to bear. Lessons
6.2.2c Cyber systems are susceptible to attack from human adversaries. Lessons
6.2.2d Incident response includes provisioning for the confidentiality, integrity and availability of cyber systems under attack by adversaries. Lessons
6.2.3a The term “kill chain” refers to the structure—or seven stages—of a cyberattack. Lessons
6.2.3b Reconnaissance is the first stage in the attack lifecycle, where adversaries gather public information about the target, and scan their networks to identify how best to plan their attack. Lessons
6.2.3c Weaponization is the second stage. Based on the information obtained through reconnaissance, the adversary will tailor their toolset to meet the specific requirements of the target network. This often includes coupling remote access with an exploit into a deliverable payload. Lessons
6.2.3d The third phase is delivery, which is the transmission of the weapon to the target environment using vectors like email attachments, phishing, websites, and removable media. Lessons
6.2.3e Exploitation is the fourth phase where the code is triggered exploiting vulnerable applications or systems. Lessons
6.2.3f The fifth stage is installation where attackers install a remote access trojan or backdoor on the victim system in order to conduct further operations, such as maintaining access, persistence and escalating privileges. Lessons
6.2.3g Command and control is the sixth phase of the cyber kill chain. With malware installed, attackers now own both sides of the connection: their malicious infrastructure and the infected machine and can now actively control the system. Attackers will establish a command channel in order to communicate and pass data back and forth between the infected devices and their own infrastructure. Lessons
6.2.3h The final stage of the kill chain is actions on the objective. Once adversaries have control, persistence, and ongoing command and communication, they will act upon their motivation in order to achieve their goal(s), e.g., data exfiltration, destruction of critical infrastructure, to deface web property, or to create fear or the means for extortion. Lessons
7.1.1a A vulnerability is a weakness or gap in a security program that can be exploited by threats to gain unauthorized access to an asset. Lessons
7.1.1b A threat is anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset. Lessons
7.1.1c Attacks arise when threats exploit vulnerabilities. Lessons
7.1.2a Information assets must be identified. Lessons
7.1.2b Information assets are characterized and prioritized according to their need to be kept confidential, unchanged, and/or available, and their criticality/sensitivity. Lessons
7.1.2c Risks to information assets are a function of the likelihood that a threat source will exploit a vulnerability, and the resulting damage if the attack is successful. Lessons
7.1.3a Threats originate from internal (insider) and external sources such as nation states, multinational criminal organizations, and hacktivists/terrorists. Lessons
7.1.3b Bad actors in cyberspace are characterized by their resources, capabilities/techniques, motivations, and aversion to risk. Lessons
7.1.3c There are risks and solutions associated with closed/proprietary systems. Lessons
7.1.4a Vulnerability assessment identifies known vulnerabilities on the system. Lessons
7.1.4b Known vulnerabilities can be found in databases that collect, maintain, and disseminate information. Lessons
7.1.4c There are various automated vulnerability scanning tools, which are used for pinpointing vulnerabilities and providing remediation for these vulnerabilities. Lessons
7.1.4d Not all vulnerabilities can be exploited and not all vulnerabilities need to be mitigated. Lessons
7.1.4e Penetration testing, also called pen testing or ethical hacking, is the practice of testing a computer system, network or web application to find security vulnerabilities that an attacker could exploit. Lessons
7.1.5a The outcome of a risk assessment should prioritize what needs to be remediated. Lessons
7.1.5b If the data or resources cost less or are of less value than their protection, adding security mechanisms is not cost effective. Lessons
7.1.5c The level of protection is a function of the attack occurring and the effects of the attack should it succeed. Lessons
7.2.1a A complex system is a system composed of many parts, which may interact with each other, where the interactions produce properties that its parts do not have. Lessons
7.2.1b The behavior of complex systems has unpredictable output, i.e., it is intrinsically difficult to model due to the dependencies, competitions, relationships, or other types of interactions between the parts or between a given system and its environment. Lessons
7.2.1c The behavior or output of cybersystems cannot be predicted simply by analyzing the parts and inputs of the system. Lessons
7.2.1d The behavior of the system is emergent and changes with time. The same input and environmental conditions do not always guarantee the same output. Lessons
7.2.1e The participants or agents of a system (human agents, including or especially adversaries, in this case) are self-learning and change their behavior based on the outcomes of the previous experience. Lessons
7.2.2a Adversaries employ strategic reasoning, including where, when, and how they might attack, as well as tactics for evading detection. Lessons
7.2.2b The steps in an attack are footprinting, scanning, enumeration, network mapping, gaining access, privilege escalation, implant, and hiding tracks. Lessons
7.2.2c Adversaries are self-interested agents whose behavior evolves and adapts in response to their environments and other actors in the system. Lessons
7.2.3a Software is frequently updated to correct both functional errors and security problems. Lessons
7.2.3b Software changes could come from an adversary that intentionally inserts code to meet the goals of the adversary. Lessons
7.2.3c Changes in software code are common and those introduced by an adversary are often not easily detected. Lessons
7.2.3d Hardware itself may act in unintended ways and an adversary is seeking to find and exploit these unintended behaviors. Lessons
7.2.4a There are risks and mitigations associated with open systems like the Internet. Lessons
7.2.4b Internet communication between a sender and receiver relies on a number of systems that are not controlled by the sender or receiver. This can include the hardware and software at the sender and the sender’s edge network. It includes a number of supporting systems such as the DNS and certificate authorities, and any number of intermediate networks. It can also include the receiver’s edge network as well as the hardware and software at the receiver. Lessons
7.2.4c Incorrect assumptions about the network can result in the loss of confidentiality by sending data to an imposter or sending data over a path where it can be observed. Lessons
7.2.4d Network vulnerabilities can result in the loss of integrity if data is sent to an imposter acting as a “man-in-the-middle” or when data is sent over a path where it can be changed. Lessons
7.2.4e Network vulnerabilities can result in the loss of availability by directing the sender to an invalid destination or sending data over a path where it can be dropped. Lessons
7.2.4f Cryptography can be used to prevent imposters and protect data so only authorized entities can view it. Lessons
7.2.4g Cryptography can be used to identify the creator of a message and show a message was not modified in transit (hash function). Lessons
7.2.4h Certificate authorities play a role in asserting the identities. Lessons
7.2.4i Cryptography does not solve operational challenges and cryptography alone is not a solution in a decentralized network. Lessons
8.1.1a Information campaigns were used and considered vital throughout history. Lessons
8.1.1b As technology progressed so did the use of both disinformation and information security in national, societal, and personal gain, often at the expense of another party. Lessons
8.1.1c Events in cyber warfare and cybercrime escalated the need for increased cybersecurity efforts. Lessons
8.1.1d The loss of confidentiality is a critical factor in warfare. Lessons
8.1.1e The violation of system integrity can alter the behavior of critical infrastructure. Lessons
8.1.1f A loss of availability has disrupted critical business functions. Lessons
8.1.1g The emergence of advanced persistent threats (APTs) have caused changes in the way individuals and companies are secured and who is involved in securing them. Lessons
8.1.1h Cybersecurity events have led to the development of various cybersecurity career paths and various needs in order to prepare people for these new types of jobs. Lessons
8.1.2a The Internet provides global connectivity and is not structured around national boundaries. Lessons
8.1.2b Security was not seen as a concern until much of the “infrastructure” for computer networks was in place. Lessons
8.1.2c Early government policies discouraged the use of encryption to build secure networks. Lessons
8.1.2d The Internet has evolved to include new types of devices and the “Internet of Things." Lessons
8.1.2e The “Internet of Things,” benefits our daily lives by providing easier access to information, the ability to offload menial tasks, and coordinate necessary information. Lessons
8.1.2f The Internet and IoT devices create new vulnerabilities an adversary can exploit. Lessons
8.1.2g The increasing dependence on the Internet and IoT devices introduces problems when these systems become unavailable. Lessons
8.2.1a Nation states have various approaches to sovereignty, investment and deterrence regarding cyber technology. Lessons
8.2.1b Cybersecurity is impacted by the state of a political alliance between nation states. Lessons
8.2.1c Past and current laws are insufficient to assign blame for taking action that make our systems more vulnerable or to punish an entity for cyber crimes. Lessons
8.2.1d To ensure the safety of a nation’s critical infrastructure both public and private sectors are responsible for cybersecurity. Lessons
8.2.1e Depending on the values of the entity, some will invest in research and development, while others invest in reverse engineering the work of others. Lessons
8.2.1f Citizens in cyber space can more readily form ideological communities which is impacting what it means to be a nation state. Lessons
8.2.1g Cultural perceptions and priorities of security may differ between countries affecting how and which security measures are implemented. Lessons
8.2.2a Nation states have various approaches to civil rights and privacy regarding cyber technology. Lessons
8.2.2b The combination of increasing power of new technology and the declining clarity and agreement on cybersecurity and privacy gives rise to problems concerning law, policy and ethics. Lessons
8.2.2c When a government provides cybersecurity it can often lead to the reduction of privacy. Lessons
8.3.1a Economic value typically measures gains achieved, not losses avoided. Lessons
8.3.1b The lack of cybersecurity can cause substantial economic losses; including the compromise of sensitive data, the modification of critical data, the improper behavior of a system, or the unavailability of a system. Lessons
8.3.1c The lack of cybersecurity can result in major financial and reputational loss, but this loss only occurs after a successful attack. Lessons
8.3.1d Even in the event of a successful attack, the loss may or may not have lasting direct economic impact on the provider of the service. Lessons
8.3.1e When misaligned incentives arise the party making the security–efficiency trade-off is not the one who loses out when attacks occur. Lessons
8.3.2a Bolting on security after the design is completed is often driven by short term incentives such as cost, speed to market, and features that are immediately transparent to potential customers. Lessons
8.3.2b Building security into the design at the onset results in better long term security when compared with bolting security onto existing systems. Lessons
8.3.2c Cybersecurity risks occur when outsourcing the production or maintenance of technology to third party sources that may have different security practices. Lessons
8.3.2d Whenever security depends on the weakest link in the global supply chain, firms do not prioritize in investing in security when they know that other players will not invest, leaving them vulnerable in any case. Lessons
8.3.3a Consumers are often driven by new functionality which is tangible while the security features of the product may only be understood or appreciated when the security fails. Lessons
8.3.3b In order to fully participate in today’s economy, consumers must give away their data and agree to a company’s terms that may conflict with their values. Lessons
8.3.3c Consumers are often unaware of the value of their information that they exchange for an incentive from a company that uses their data for monetary purposes. Lessons
8.3.3d Ill-informed consumers and businesses are prone to underinvest or invest in wrong solutions if they do not possess an accurate understanding of threats and defenses. Lessons