Information Technology & Data Analytics

08-Lesson_08.pdf

Lesson 8: Protecting People and Information


November 29, 2021

Protecting People and Information: Threats and Safeguards

Chapter 8

Introduction

INTRODUCTION

➢ Handling information responsibly means understanding the following issues:

• Ethics

• Personal privacy

• Threats to information

• Protection of information

CHAPTER ORGANIZATION

1. Ethics

• Learning Outcomes #1 & #2

2. Privacy

• Learning Outcome #3

3. Security

• Learning Outcome #4

Ethics

ETHICS

➢ Ethics

• the principles and standards that guide our behavior toward other people

➢ Ethics are rooted in history, culture, religion, and philosophy

➢ The question is:

• what is right or wrong?

Factors that Determine How You Decide Ethical Issues

➢ Actions in ethical dilemmas are determined by

• Your basic ethical structure

• The circumstances of the situation

➢ Your basic ethical structure determines what you consider to be

• Minor ethical violations

• Serious ethical violations

• Very serious ethical violations

Basic Ethical Structure

Circumstances of the Situation

1. Consequences of the action or inaction

2. Society’s opinion of the action or inaction

3. Likelihood of effect of action or inaction

4. Time to consequences of action or inaction

5. Relatedness of people who will be affected by action or inaction

6. Reach of result of action or inaction

Intellectual Property

➢ Intellectual property – intangible creative work that is embodied in physical form

• Is digital creative work considered intellectual property as well?

o Yes!

➢ Copyright – legal protection afforded an expression of an idea

• Can you use copyrighted material without permission?

o Maybe, but usually no

➢ Fair Use Doctrine – may use copyrighted material in certain situations:

• For teaching purposes

• Certain transformative uses are considered fair in the U.S.

Intellectual Property

➢ Using copyrighted software without permission violates copyright law

➢ Pirated software

• the unauthorized use, duplication, distribution, or sale of copyrighted software

➢ Remember, technology can leave a trace!

• Websites you have visited

• Pictures you have taken (digital pictures have metadata)

• Emails you have sent

• Devices you have used

• Inkjet printers may leave tracking information as well

Intellectual Property

➢ The European Union adopted the proposal on digital copyright rules in September 2018

➢ Makes sharing platforms such as YouTube, Facebook, or Google News liable for copyright infringements

➢ These parties also need to pay rights holders for copyrighted material that they make available

• It exempts small and micro platforms from the directive

• Open source platforms will not be affected

➢ Enables authors and performers to “claim” additional remuneration from the party exploiting their rights when the remuneration originally agreed is “disproportionately” low compared to the benefits derived

➢ This is the original proposal on copyright in the Digital Single Market

What can you do?

➢ Always use citations and add references to the material you use

➢ Use free images protected under CC0 (Creative Commons Zero) or Public Domain licenses

➢ Sites include, but are not limited to:

• Pexels

• Unsplash

• Public Domain Pictures

Privacy

PRIVACY

➢ Privacy – the right to be left alone when you want to be, to have control over your own personal possessions, and not to be observed without your consent

➢ Dimensions of privacy

• Psychological: to have a sense of control

• Legal: to be able to protect yourself

➢ Personal information privacy

• Do we have the right to information privacy?

• What can be done with our private data?

Privacy and Other Individuals

➢ Key logger (key trapper) software

• a program that, when installed on a computer, records every keystroke and mouse click

➢ Hardware key logger

• a hardware device that captures keystrokes moving between keyboard and motherboard

➢ Screen capture programs

• capture the screen from the video card

Is E-mail Safe?

➢ E-mail is stored on many computers as it travels from sender to recipient

Welcome, ProtonMail!

➢ E-mail service with built-in end-to-end encryption

Privacy Concerns

➢ Facebook tracks your browsing

➢ Google remembers all your searches

• You can delete your search history and other data

• https://safety.google/

• https://myactivity.google.com

➢ Your Internet Service Provider (ISP) has your browsing history

➢ Each website you visit may have many trackers that follow your browsing habits

• Add-ons such as Ghostery help block tracking technologies

Privacy While Browsing

➢ Cookie – a small file that contains information about you and your Web activities, which a Web site places on your computer

• Usually improves your browsing experience

• Could store unwanted private information. The European Union passed legislation about cookies.

➢ Web log – one line of information for every visitor to a Web site

➢ Clickstream – records information about you such as what Web sites you visited, how long you were there, what ads you looked at, and what you bought
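The slide describes a web log as one line per visitor request and a clickstream as the sequence derived from it. The following added example (not part of the lecture material) shows how a site operator, or an analyst reviewing a server for tracking practices, turns raw log lines into per-visitor clickstreams: which pages were requested, in what order, roughly how long the visitor stayed on each, and which ad resources were fetched. The log lines, IP addresses and paths are constructed for the example; the format is the standard Common Log Format that web servers such as Apache write by default.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample web log in Common Log Format (not real traffic):
# one line per request, exactly what the slide calls a "web log".
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2021:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
203.0.113.5 - - [10/Oct/2021:13:56:10 +0000] "GET /products/shoes HTTP/1.1" 200 5120
198.51.100.7 - - [10/Oct/2021:13:56:20 +0000] "GET /index.html HTTP/1.1" 200 2326
203.0.113.5 - - [10/Oct/2021:13:58:02 +0000] "POST /cart/checkout HTTP/1.1" 302 0
198.51.100.7 - - [10/Oct/2021:13:57:05 +0000] "GET /ads/banner.gif HTTP/1.1" 200 810
this line is garbage and must be skipped, not crash the parser
"""

# host ident user [timestamp] "METHOD path protocol" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_log(text: str) -> list:
    """Parse Common Log Format lines into dicts; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entries.append({
            "host": m["host"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
        })
    return entries


def clickstreams(entries: list) -> dict:
    """Group hits by visitor (here: client IP), order them in time, and attach
    the seconds until the visitor's next request as a dwell-time estimate.
    The last hit of a visit has no successor, so its dwell time is None."""
    by_host = defaultdict(list)
    for e in entries:
        by_host[e["host"]].append(e)
    streams = {}
    for host, hits in by_host.items():
        hits.sort(key=lambda e: e["ts"])
        stream = []
        for cur, nxt in zip(hits, hits[1:] + [None]):
            dwell = None if nxt is None else int((nxt["ts"] - cur["ts"]).total_seconds())
            stream.append((cur["path"], dwell))
        streams[host] = stream
    return streams


def ads_viewed(stream: list) -> list:
    """Requests under /ads/ are the 'what ads you looked at' part of the slide
    (the /ads/ prefix is an assumption of this example)."""
    return [path for path, _ in stream if path.startswith("/ads/")]


def time_on_site(stream: list) -> int:
    """Total measurable seconds between a visitor's first and last request."""
    return sum(dwell for _, dwell in stream if dwell is not None)


if __name__ == "__main__":
    for host, stream in clickstreams(parse_log(SAMPLE_LOG)).items():
        print(host, stream, "ads:", ads_viewed(stream), "seconds:", time_on_site(stream))
```

Dwell time is only an estimate: the server sees when the next request arrived, not when the visitor stopped reading, which is exactly why sites add cookies and client-side trackers to get the finer-grained picture the slide describes.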

Privacy While Browsing

➢ Anonymous Web browsing (AWB) – hides your identity from the Web sites you visit

➢ Use a proxy

➢ Use your browser’s privacy mode

➢ Use a search engine which does not track you, such as DuckDuckGo

Anonymity while browsing

➢ Tor project – promotes anonymity online

• Can be used as a browser on your device

• Orbot is a free proxy for Android to use other apps securely

➢ A proxy is another system which redirects your communications

• A proxy is someone who represents someone else

Anonymity while browsing

➢ VPN – Virtual Private Network

• It is an extension of a private network that links it through a public network

➢ Current top vendors:

• NordVPN

• TunnelBear VPN

• Private Internet Access VPN

• Proton VPN

New Privacy Concerns

➢ Geolocation information

➢ Event Data Recorders (EDR) – located in the airbag control module; collect data from your car as you are driving

• What other information might your car be tracking?

➢ Tracker apps for smartphones

• Some are available after jailbreaking or rooting your device, and might be “invisible” to the user

➢ Beware of DNS hijacking

• What can you do?

o Always set up the screen lock

o Use encrypted communications, such as Signal

Privacy and Consumers

➢ Businesses want:

• To gather prospective customers’ information

• To advertise their products

➢ Businesses should:

• Let customers know about their products, but not pester them with unwanted advertising

➢ Consumers want businesses to:

• Know who they are, but not to know too much

• Provide them with what they want, but not gather information on them

Privacy and Employees

➢ Companies need information about their employees to run their business effectively

➢ As of March 2005, 60% of employers monitored employee e-mails

➢ 70% of Web traffic occurs during work hours

➢ 78% of employers reported abuse

➢ 60% of employees admitted abuse

• Visiting inappropriate sites

• Gaming, chatting, stock trading, social networking, etc.

Reasons for Monitoring

➢ Success – Hire the best people possible

➢ Efficiency – Make sure employees make the best use of their time

➢ Compliance – Ensure appropriate behavior on the job

➢ HR and Legal – Avoid litigation for employee misconduct

➢ Intellectual Property – Data Loss Prevention (DLP)

➢ Security – Avoid intrusions

Privacy and Government Agencies

➢ About 2,000 government agencies have databases with information on people

➢ Government agencies need information to operate effectively

➢ Whenever you are in contact with a government agency, you leave behind information about yourself

Government Agencies Storing Personal Information

➢ Law enforcement

• NCIC (National Crime Information Center)

• FBI

➢ Electronic surveillance

• Carnivore or DCS-1000

• Magic Lantern (software key logger)

• NSA (National Security Agency)

• Echelon – collects electronic information by satellite

Government Agencies Storing Personal Information

➢ IRS

➢ Census Bureau

➢ Student loan services

➢ FICA

➢ Social Security Administration

➢ Social service agencies

➢ Department of Motor Vehicles

Laws on Privacy

➢ Health Insurance Portability and Accountability Act (HIPAA) protects personal health information

➢ Financial Services Modernization Act requires that financial institutions protect personal customer information

Laws on Privacy

➢ General Data Protection Regulation (GDPR)

• Cookies

• Data breach reporting

➢ ePrivacy Regulation (ePR)

• Confidentiality

• Metadata

• Spam

• Cookies (again)

➢ China’s PIPL

• Similar to GDPR

• Compensation and HR

• In effect since November 1st, 2021

Data Breach

• Incident in which otherwise protected data has been viewed, stolen, or used by an unauthorized entity

Source: Breach Level Index, 2016; Breach Level Index, 2017; Breach Level Index, 2018 First Half Infographic

World’s Biggest Data Breaches

Source: World’s Biggest Data Breaches and Hacks

Identity Theft

➢ The forging of someone’s identity for the purpose of fraud

Source: Breach Level Index, 2018 First Half Report

Notable Breaches

Organization       Records breached   Date of Breach   Type of Breach     Source of Breach     Location   Industry
Thailand Tourism   106,000,000        08/21            Identity Theft     Malicious Outsider   Thailand   Government
Experian           220,000,000        01/21            Identity Theft     Malicious Outsider   Brazil     Financial
Facebook           2,100,000,000      04/04/18         Identity Theft     Malicious Outsider   U.S.       Social Media
Equifax            147,900,000        07/15/17         Identity Theft     Malicious Outsider   U.S.       Financial
Home Depot         109,000,000        09/02/14         Financial Access   Malicious Outsider   U.S.       Retail
JP Morgan          83,000,000         08/27/14         Identity Theft     Malicious Outsider   U.S.       Financial

Source: Breach Level Index

Equifax

➢ Vulnerability in a web application tool, Apache Struts

• The patch was released on March 7th, 2017

• Equifax knew about the flaw, but did not take action fast enough

➢ The company claims it identified the breach on July 29th, 2017

• Equifax waited a full day to take the application offline

• They discovered the breach had started by mid-May 2017

➢ Hackers got access to Personally Identifiable Information (PII) such as:

• Name, social security number, birth date, address, license number, credit card information

➢ The breach was publicly announced on September 7th, 2017

Equifax

➢ Equifax created a website (equifaxsecurity2017.com)… but instead sent its users to a fake site (securityequifax2017.com)

➢ Some of its executives sold $1.8 million USD in shares after the breach was identified

• It was later confirmed they did not know about the breach at the time

➢ The following issues also contributed to the debacle:

• PII was not properly encrypted

• Did not have effective breach detection mechanisms

• Network was not segmented enough
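The mix-up between equifaxsecurity2017.com and securityequifax2017.com is a lookalike-domain problem: the fake reuses the brand name in a domain the company does not own. The following added example (not part of the lecture material, and not Equifax's code) shows the kind of check a security team or a mail/web filter can run before a link is published or clicked. It flags domains that embed a protected brand name but are not on the organization's own list, and domains within two edits of a legitimate one (typosquats). The allowlist and the brand keyword are assumptions for the example; the only real domains used are the two named on the slide.

```python
# Constructed allowlist of domains the organization actually controls.
# Only the two slide-named domains are real; the rest is an assumption.
LEGITIMATE_DOMAINS = {"equifax.com", "equifaxsecurity2017.com"}
BRAND_KEYWORDS = {"equifax"}


def _apex(hostname: str) -> str:
    """Naive apex domain: the last two labels. A real deployment would consult the
    public suffix list so that e.g. co.uk is handled correctly."""
    host = hostname.strip().lower().rstrip(".")
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def _label(hostname: str) -> str:
    """The label left of the TLD, e.g. 'equifax' for 'equifax.com'."""
    return _apex(hostname).split(".")[0]


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(hostname: str) -> str:
    """Return 'legitimate', 'unrelated', or a 'lookalike: ...' reason."""
    host = hostname.strip().lower().rstrip(".")
    if _apex(host) in LEGITIMATE_DOMAINS:
        return "legitimate"
    # 1. Brand name embedded anywhere in a host the brand does not own
    #    (securityequifax2017.com, but also equifax.com.evil-example.net).
    for kw in BRAND_KEYWORDS:
        if kw in host:
            return "lookalike: contains brand name"
    # 2. Typosquat: label within two edits of a legitimate label.
    label = _label(host)
    for legit in sorted(LEGITIMATE_DOMAINS):
        if levenshtein(label, _label(legit)) <= 2:
            return "lookalike: near-typo of " + legit
    return "unrelated"


if __name__ == "__main__":
    for d in ["www.equifaxsecurity2017.com", "securityequifax2017.com",
              "equifx.com", "equifax.com.evil-example.net", "example.org"]:
        print(d, "->", classify_domain(d))
```

The brand-keyword rule is deliberately broad: it will also flag a partner's legitimately named subdomain, which is the right default for a filter whose output is a warning rather than a block.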

Uber

➢ Breach happened in 2016

➢ Hacker gained access to information of 57 million riders and drivers

➢ Names and license numbers of 600,000 drivers were exposed

➢ Uber paid the hacker $100,000 through its bug bounty program

➢ Company asked the hacker to:

• delete the data

• stay quiet

• sign a nondisclosure agreement

➢ Uber covered up the incident

➢ November 2017: The breach was reported in the media

➢ September 2018: A settlement of $148 million USD was reached and divided among all US states and D.C.

Source: New York Times: Uber Settles Data Breach Investigation for $148 Million

Cathay Pacific

➢ Attacks started March 2018

➢ They spent three months trying to contain it

➢ Admitted to the attack six months later

➢ 9.4 million records were stolen, all from passengers

➢ They had just spent over 1 billion USD on network improvements

➢ Opened a website for users to confirm if they were affected: https://infosecurity.cathaypacific.com/

Capital One

➢ On July 17th, 2019, the bank received a tip that customers’ personal information was posted on GitHub

➢ Two days later, they confirmed information from credit card users was taken

➢ The incident took place on March 22, nearly four months before the tip

➢ Single hacker? Paige Thompson

➢ Stolen data includes

• 140,000 Social Security Numbers

• 80,000 linked bank account numbers

• One million Canadian Social Insurance Numbers

• Customer status, credit scores, credit limits, balances, transactions, contact information, among other data

Capital One

➢ How was the hack performed?

• Hacker found a misconfigured firewall on an AWS cloud server

• Then used a “special command” to extract files from a directory

➢ Capital One claims they fixed the breach shortly after they were notified

➢ People affected

• 100 million individuals in the USA

• Six million individuals in Canada

➢ What now?

➢ Capital One official information on the issue

Identity Theft

➢ Phishing (carding, brand spoofing)

• a technique to gain personal information for the purpose of identity theft

➢ Spear phishing

• targeted at specific individuals

➢ Whaling

• targeted at senior business executives and government leaders


Phishing and Whaling

Source: LinkedIn

Pharming

➢ Pharming – rerouting your request for a legitimate Web site by

o sending it to a slightly different Web address

o or by redirecting you after you are already on the legitimate site

➢ Pharming gains access to the giant databases that Internet providers use to route Web traffic

➢ Hard to spot

➢ Line of defense: secure websites! SSL, https

Spoofing and Spam

➢ Spoofing

• Disguising oneself as someone else to trick the target

• E-mail, website, and even phone spoofing are very common

➢ Spam

• unsolicited e-mail from businesses advertising goods and services

➢ These e-mails get past spam filters by

• Inserting extra characters

• Inserting HTML tags that do nothing

➢ Replying usually increases, rather than decreases, the amount of spam

➢ Lately, e-mail servers and clients have become very efficient at filtering spam


Cyber Threats

➢ Adware

• software to generate ads that installs itself when you download another program

➢ Spyware (sneakware, stealthware)

• software that comes hidden in downloaded software and helps itself to your computer resources

➢ Trojan horse software

• software you don’t want, disguised as something else

➢ Scareware

• It does not cause harm itself, but makes the user anxious enough to take action

Scareware

Source: The Windows Club

Cyber Threats

➢ Ransomware

• Takes your device “hostage” until a ransom is paid

• Cryptoviral

o It encrypts files, making it almost impossible to recover the information

➢ Virus

• Software attached to other software which has the ability to self-replicate

• The user needs to perform an action in order to activate it

➢ Worms

• Software which replicates itself without attaching to any other software

• Usually attacks operating systems’ vulnerabilities through the network or portable media

Ransomware

Source: Wordfence

Security

SECURITY AND EMPLOYEES

➢ Attacks on information and computer resources come from inside and outside the company

➢ Computer sabotage costs about $10 billion per year

➢ In general, employee misconduct is more costly than assaults from outside


Security and Outside Threats

➢ Hackers – knowledgeable computer users who invade other people's computers

➢ Denial-of-service (DoS) attack – floods a Web site with so many requests for service that it slows down or crashes

• Distributed DoS attack (DDoS) – many systems attack a single target. It is very hard to stop

➢ Brute force attack – attacks based on trial and error, as opposed to expert attacks

• Dictionary attack

o Tries to gain access to a password by using the most common ones, based on a dictionary

Worst Passwords 2020

Source: NordPass: Worst Passwords 2020
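A dictionary attack works because people choose the passwords on lists like the NordPass one cited above, and an online brute-force attack works because the login endpoint lets the attacker keep guessing. The following added example (not part of the lecture material) shows the two controls a service applies against both: rejecting a new password that matches a common-password list even after the usual disguises (capitalization, a trailing year, leetspeak), and locking an account after too many failed attempts in a short window. The common-password set here is a small constructed sample, not the NordPass list; a real deployment would load a full list or a breach corpus.

```python
import re
from collections import defaultdict

# Constructed sample of common passwords (assumption for this example).
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "123456789", "12345678",
    "111111", "iloveyou", "admin", "welcome", "letmein",
}
# Leetspeak substitutions attackers' rule sets undo anyway.
LEET = str.maketrans("@$0134", "asoiea")


def normalize(password: str) -> str:
    """Strip the variations that do not add real strength: case, trailing
    digits/symbols (Welcome2021!), and leetspeak (P@ssw0rd)."""
    s = password.lower()
    s = re.sub(r"[\d!@#$%^&*._-]+$", "", s)
    return s.translate(LEET)


def is_dictionary_word(password: str) -> bool:
    """True if the password, raw or normalized, is on the common list."""
    return password.lower() in COMMON_PASSWORDS or normalize(password) in COMMON_PASSWORDS


def password_rejection(password: str):
    """Return the reason a new password should be rejected, or None if acceptable."""
    if len(password) < 12:
        return "too short (minimum 12 characters)"
    if is_dictionary_word(password):
        return "matches a common password"
    return None


class LoginThrottle:
    """Per-account failure window: once max_failures are recorded within
    window_seconds, further attempts are refused until old failures age out.
    This blunts online guessing regardless of how good the wordlist is."""

    def __init__(self, max_failures: int = 5, window_seconds: int = 300):
        self.max_failures = max_failures
        self.window = window_seconds
        self.failures = defaultdict(list)

    def _prune(self, account: str, now: float) -> None:
        self.failures[account] = [t for t in self.failures[account] if now - t < self.window]

    def is_locked(self, account: str, now: float) -> bool:
        self._prune(account, now)
        return len(self.failures[account]) >= self.max_failures

    def record_failure(self, account: str, now: float) -> None:
        self._prune(account, now)
        self.failures[account].append(now)

    def record_success(self, account: str) -> None:
        # A successful login clears the counter for that account.
        self.failures.pop(account, None)


if __name__ == "__main__":
    for pw in ["P@ssw0rd1", "Welcome2021!", "correct horse battery staple"]:
        print(repr(pw), "->", password_rejection(pw))
    throttle = LoginThrottle()
    for i in range(5):
        throttle.record_failure("alice", 1000 + i)
    print("alice locked at t=1005:", throttle.is_locked("alice", 1005))
    print("alice locked at t=1305:", throttle.is_locked("alice", 1305))
```

The two checks are complementary: the password rule removes the guesses that succeed in one try, and the throttle turns the remaining guesses into a slow, visible event that can be logged and alerted on.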

Social Engineering

➢ Manipulating people to do something or to share confidential information

Source: Social Engineering Scams: MediaPro Security Awareness Animation

How Safe Are You?

Source: My Credit Karma Report

Security Measures

➢ Anti-virus software – detects and removes or quarantines computer viruses

• McAfee, Norton, Avast, AVG

➢ Anti-spyware and anti-adware software – detects and removes spyware, adware, and malware

• AdAware, Ad-block, CCleaner

➢ Spam protection software – identifies and marks and/or deletes spam

• Most corporations and web-based e-mail servers have improved their spam filters

• E-mail filters can assist with this task

• SPAMfighter, Mailwasher

➢ Anti-phishing software – lets you know when phishing attempts are being made

• E-mail clients and many web browsers have this software integrated

Security Measures

➢ Firewall

• Protects a computer or network from intruders

• Software based: Windows, McAfee, Norton

• Hardware based: usually installed in network equipment, standalone or as part of a router

• DMZ

Source: Hardware Expert

Firewall with DMZ

➢ DMZ – Demilitarized zone

Source: Stack Exchange

Security Measures

➢ Vulnerability patching

• Installing software packages known as patches to proactively prevent or reactively remediate an issue

➢ Ethical hacking

• Testing system vulnerabilities to prevent attacks

• Penetration testing

➢ Awareness and training

• Key to preventing attacks, as many have their inception at users’ hands

➢ Security policies

• Specify how to protect the organization from threats

Security Measures

➢ Security Policies – including, but not limited to:

• Information Technology Security Policy

• General Security Policy

• Acceptable Use Policy

• Access Control Policy

• Management Security Policy

• Password Security Policy

• Encryption Security Policy

• Data Retention Policy

• Email Security Policy

• Media Disposal Policy

Security Measures

➢ Two-factor authentication (2FA) – uses a second method of identification in addition to the username and password. It can be:

• A hardware or virtual token which generates random codes

• A code sent via e-mail

• SMS, or app authentication through a mobile device

Source: Banamex

Security Measures

➢ Anti-rootkit software

• stops outsiders from taking control of your machine

o GMER, RootRepeal, Malwarebytes, Rootkit Hunter

➢ Encryption

• scrambles the contents of a file so that you can’t read it without the decryption key

➢ Public Key Encryption (PKE)

• an encryption system with two keys: a public one for everyone and a private one for the recipient

➢ Biometrics

• the use of physiological characteristics for identification purposes

New Security Measures?

➢ AI surveillance

• Both in technology and the workplace

➢ Next Generation Firewalls

• These Cisco videos provide good insight into this new trend

➢ Cloud security

• Palo Alto Networks is one of the most important vendors

➢ Security as a Service

• FWaaS – Firewall as a Service

• CSaaS – Cyber Security as a Service

Questions?

Thank you!