I-E: The Basics of Privacy Technology Flashcards

(132 cards)

1
Q

Information Privacy vs. Information Security

A

Information Privacy - focused on the policies behind handling data

Information Security - focused on the protection of data

2
Q

What is the CIA Triad?

A

Information security practices must attempt to balance confidentiality, integrity, and availability of data.

Security practices involve tradeoffs.

3
Q

Security Control

A

A measure designed to modify risk.

Can be preventive, detective, or corrective

Can be physical, technical, or administrative.

4
Q

What are the most widely adopted security standards?

A

ISO/IEC Standards 27001 and 27002

5
Q

ISO/IEC Standard 27001

A

27001 specifies the requirements for an information security management system (ISMS); its Annex A sets forth specific controls (grouped into four themes)

6
Q

ISO/IEC Standard 27002

A

27002 provides guidance on implementation of 27001

7
Q

Privacy Incident

A

An adverse event or action that is unplanned, unusual, and unwanted that happened as a result of non-compliance with the privacy policies and procedures.

7
Q

Data Breach

A

When data is accessed without authorization.

Usually used as a legal term, as defined in a specific statute.

8
Q

Information Privacy

A

Focuses on the policies behind handling information (i.e., the who, what, where, and why of processing personal information).

Privacy is concerned with personal information.

9
Q

Information Security

A

The protection of data from unauthorized access, modification, destruction, or loss.

Security is focused on confidential information.

10
Q

CIA Triad - Confidentiality

A

Access to information must only be permitted for authorized persons

E.g., Access control lists, encryption, and file permissions

11
Q

CIA Triad - Integrity

A

Information should be kept in a form that is authentic, accurate, and complete

12
Q

CIA Triad - Availability

A

Information must be made available when needed.

(i.e., data must be stored and handled in such a way that those who have authorization, and a need to do so, can access it)

13
Q

Information security programs must:

A

implement various security controls

14
Q

ISO defines a “security control” as a:

A

“measure that is modifying risk,” which can include processes, policies, devices, practices, or other actions.

15
Q

Security controls aim to:

A

limit damage, loss, modification, and unauthorized access to data.

16
Q

Security Control Examples

A

IT system controls, building security, access control protocols, vendor controls, and third-party mechanisms

17
Q

Preventative Controls

A

Seek to prevent a security event from occurring or otherwise prevent errors or other negative consequences.

E.g., prepared statements (parameterized queries) in software code, so that user input is never interpreted as SQL, preventing SQL injection (a cyberattack)
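Added example (not part of the flashcard set): the same login query written as a vulnerable string concatenation and as a prepared statement against an in-memory SQLite table, so the preventive control can be seen working. The table, its rows, the `' OR '1'='1` payload and the function names are constructed for this example; passwords are stored in plaintext only to keep it short.

```python
# Added example (not from the flashcard set): the same query written as a
# vulnerable string concatenation and as a prepared (parameterized) statement.
# Table name, column names and sample rows are constructed for this example.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a few constructed user rows.
    (Plaintext passwords are used only to keep the example short.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "pa55")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> int:
    """Builds SQL by string formatting: user input becomes part of the SQL text.

    Returns the number of rows matched. A correct login matches 1 row; an
    injected password such as  ' OR '1'='1  makes the WHERE clause always true.
    """
    query = (
        f"SELECT id FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return len(conn.execute(query).fetchall())


def login_prepared(conn: sqlite3.Connection, username: str, password: str) -> int:
    """Prepared statement: the SQL text is fixed and the driver binds the values
    separately, so the injected string is compared literally as a password."""
    query = "SELECT id FROM users WHERE username = ? AND password = ?"
    return len(conn.execute(query, (username, password)).fetchall())


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable, injected:", login_vulnerable(db, "alice", payload))  # 3 rows
    print("prepared, injected:  ", login_prepared(db, "alice", payload))    # 0 rows
    print("prepared, correct:   ", login_prepared(db, "alice", "s3cret"))   # 1 row
```

The injected query text becomes `... WHERE username = 'alice' AND password = '' OR '1'='1'`, which matches every row; the prepared statement keeps the structure fixed and treats the whole payload as a password value that matches nothing.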

18
Q

Detective Controls

A

Seek to identify a security incident while it is in progress

E.g., active monitoring of closed-circuit televisions

19
Q

Corrective Controls

A

Seek to fix or limit the damage caused by a security incident

E.g., a data loss prevention system that remotely wipes an employee's lost laptop

20
Q

Physical Controls

A

Mechanisms designed to limit or monitor physical access to an environment or object

E.g., locks and security cameras

21
Q

Administrative Controls

A

Internal procedures and mechanisms put in place to limit and monitor access to information, as well as train employees to follow those internal procedures

22
Q

Technical Controls

A

Applications of technology that help protect information against unauthorized access.

23
Q

4 Technical Control Categories

A

Obfuscation (e.g., randomization or hashing)

Data Minimization (e.g., data segregation)

Security (e.g., access controls and antivirus software)

Privacy Engineering (e.g., anonymous digital credentials)

24
ISO/IEC Standards 27001 and 27002 describe:
specific security controls an organization may consider adopting
25
Standard 27001
Its Annex A (2022 edition) sets forth a list of 93 different security controls
26
ISO divides the Standard 27001 controls into:
1 - Organizational Controls (internal processes)
2 - People Controls
3 - Physical Controls
4 - Technological Controls
27
5 Attributes of the Standard 27001 Controls
1 - Control Type
2 - Cybersecurity Concepts
3 - Information Security Properties
4 - Operational Capabilities
5 - Security Domains
28
Standard 27002
Supplements Standard 27001 to guide organizations on how to identify and implement controls.
29
Determine a Data Breach using 3 statutory definitions:
The definition of WHO is covered by the statute (e.g., "covered entities")
The definition of the term "PERSONAL INFORMATION"
The definition of the term "DATA BREACH"
30
Causes of Data Breaches
Payment Card Fraud
Hacking or Malware
Insider Breach
Physical Loss
Portable Device Loss
Stationary Device Breach
Unintended Disclosure
Unknown Breach
31
Web Client
The internet-connected device and the software used to connect to the internet
32
Web Server
A computer that stores files that may be accessed via the internet
33
Packets
Small chunks into which data is divided for transmission over the internet
34
Packet Switching
Data is broken down into small parts, sent independently over the internet, and then reassembled at the destination
35
Protocols
How a client and server communicate: the ground rules for transferring data over the internet
36
Hypertext Transfer Protocol (HTTP)
A simple application-level protocol (i.e., the language by which a web client requests resources from a web server)
37
Hypertext Transfer Protocol Secure (HTTPS)
Transfers data over an encrypted connection using the Transport Layer Security (TLS) protocol
38
Transport Layer Security (TLS)
A cryptographic protocol that provides secure communication over a computer network.
39
Transmission Control Protocol (TCP) and Internet Protocol (IP)
The system of rules that facilitates communication and information sharing. (the main communication protocols of the internet)
40
What is the purpose of the TLS protocol?
It protects data in transit: traffic between the web client and the web server is encrypted so that others on the network cannot read or alter it, and the server's certificate lets the client verify that it is talking to the intended server (client certificates can authenticate the user in the other direction).
41
IP Address
a unique number assigned to each device connected to the internet
42
Dynamic IP Address
An IP address that an Internet Service Provider (ISP) assigns to a device from a pool (typically via DHCP) and that may change from one connection or session to the next.
43
Static IP Address
Where an IP address remains constant over time for a particular device or server.
44
Uniform Resource Locator (URL)
A domain name and web address of files and other materials located on a web server
45
Domain Name System (DNS)
Converts a domain name to its associated IP address (DNS is the telephone book of the Internet)
46
Proxy Server
An intermediary web server that provides a gateway to the web. (can mask what occurs behind a firewall)
47
Virtual Private Network (VPN)
A VPN establishes an encrypted connection known as a "tunnel" between a user's device and a VPN server, which forwards the traffic on the user's behalf (acting as a proxy); the user's local network and ISP see only encrypted traffic to the VPN server
48
Server Log
A record that an individual web server may keep of each request for a web page (typically the visitor's IP address, the requested URL, a timestamp, and the browser type)
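Added example (not from the flashcard set) that ties the Server Log card to the Detective Controls card above: a small detector that parses web server log records and flags a client that repeatedly fails to log in. The log lines are constructed (not real traffic), and the combined log format, the five-failures-per-minute threshold and the function names are assumptions made for the example.

```python
# Added example (not from the flashcard set): a detective control that reads
# web server log records and flags repeated failed logins from one client.
# The log lines are constructed; the threshold and window are assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Combined log format: ip identity user [timestamp] "request" status size "referer" "user agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one client fails five times in a row, then succeeds.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
198.51.100.4 - - [10/Mar/2024:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:04 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:12:00:05 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:12:00:06 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:12:00:07 +0000] "POST /login HTTP/1.1" 200 1024 "-" "curl/8.0"
198.51.100.4 - - [10/Mar/2024:12:05:00 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into fields; returns None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "req": m.group("req"),
        "status": int(m.group("status")),
        "ua": m.group("ua"),
    }


def detect_bruteforce(log_text: str, threshold: int = 5,
                      window: timedelta = timedelta(minutes=1)) -> Dict[str, dict]:
    """Flag client IPs with at least `threshold` failed logins (401 on /login) inside `window`.

    A successful login (200) from the same IP after the burst is recorded too:
    that is the higher-priority signal, because the guessing may have worked.
    """
    failures: Dict[str, List[datetime]] = defaultdict(list)
    successes: Dict[str, List[datetime]] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["req"].startswith("POST /login"):
            continue
        if rec["status"] == 401:
            failures[rec["ip"]].append(rec["ts"])
        elif rec["status"] == 200:
            successes[rec["ip"]].append(rec["ts"])

    alerts: Dict[str, dict] = {}
    for ip, times in failures.items():
        times.sort()
        # sliding window: from each failure, count the failures within `window` after it
        for i, start in enumerate(times):
            burst = [t for t in times[i:] if t - start <= window]
            if len(burst) >= threshold:
                alerts[ip] = {
                    "failures": len(burst),
                    "first": start,
                    "success_after": any(t > burst[-1] for t in successes.get(ip, [])),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

The regex only parses; the detection logic is the control. Raising `threshold` or shrinking `window` trades missed bursts for fewer false alerts, and the `success_after` flag is what an analyst would triage first.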
49
Cache
A copy of downloaded content that the web client stores locally (e.g., in the browser) so that it does not have to be downloaded again
50
Scripts
A list of commands written in a programming language, or the file in which those commands are saved
51
Browser-Side Languages
Contained in scripts run by the web client (browser) after the script has been downloaded from the web server
E.g., HTML, CSS, XML, JavaScript
52
Server-Side Languages
Run by and interact directly with web servers. The web client never actually sees the underlying script being executed. E.g., PHP
53
Client-Server Architecture
A design pattern in a networked system that is divided into two components: the front-end (client) and back-end (server).
54
Front End
The part of a system that users directly interface with and experience
55
Back End
The part of a system that is not directly connected to the user experience
56
Cloud Computing
The provision of software and other IT services over the internet
57
Data Centers
Facilities that store, manage, and disseminate data and house a network's most critical systems
58
Edge Computing
A computing framework that brings applications and data processing closer to where the data is being generated
59
Mail User Agent (MUA)
The email client program a user uses to compose, send, and read emails
60
Simple Mail Transfer Protocol (SMTP)
The protocol responsible for transmitting the message across the internet to its final destination (i.e., sending emails)
61
Post Office Protocol (POP3)
With POP3, the email client downloads messages and (by default) removes them from the server after storing them locally, so they are accessible only from that client
62
Internet Message Access Protocol (IMAP)
The email remains on the server for later access and therefore remains accessible from multiple different email clients (i.e. receiving emails)
63
Short Message Peer-To-Peer Protocol (SMPP)
Enables messaging between applications and mobile devices using the Short Message Service (SMS)
64
Over the Top (OTT) Services
Messaging services that send messages over the internet instead of the carrier's SMS network (e.g., WhatsApp, iMessage, Signal, and Telegram). Because the same provider controls both ends, these systems can offer end-to-end encryption
65
First Party Collection
When data is collected directly from the data subject
66
Third Party Collection
When data is collected from a source other than the data subject
67
Surveillance
The observation or capturing of an individual's activities, with or without their knowledge
68
Repurposing
Taking information collected for one purpose and using it for another purpose, may be considered a form of "collection"
69
Deep Packet Inspection
An advanced method of examining and managing network traffic that filters, locates, identifies, classifies, and re-routes or blocks packets based upon their content
70
Passive Data Collection
Personal information is collected automatically, often without the user's knowledge (e.g., cookies)
71
Active Data Collection
Personal information is collected with a data subject's knowledge (e.g., web form)
72
Purposes for Deep Packet Inspection (DPI)
Security - DPI can filter malware and prevent leaks by inspecting data before it leaves a network
Online Tracking - Advertisers (or ISPs) can track online behaviors for behavioral advertising
Censorship - Some governments use DPI to censor
73
Wi-Fi Eavesdropping
Malicious actors can intercept unencrypted data sent over an open wireless network
74
Packet Sniffing
Capturing packets as they cross a network and examining or reassembling them (e.g., to read unencrypted content)
75
Side-Jacking
Intercepting a user's unencrypted session token (e.g., a session cookie sent over plain HTTP) after the user has signed in to a site, and replaying it to take over the session. Mitigated by HTTPS and by marking the cookie Secure so it is never sent in the clear
76
Behavioral Advertising
Targeted advertising based on information associated with an individual
77
Web Cookie
A small text file placed on the hard drive of a device by a web server
78
E.U. Cookie Directive
Under the EU ePrivacy Directive (the "Cookie Directive"), storing information on or reading information from a user's device requires the user's consent, and cookie identifiers can be personal information under the GDPR.
Exceptions: cookies that are (1) strictly necessary for the service requested by the subscriber, e.g., website security, or (2) used for the sole purpose of carrying out the transmission of a communication.
79
Web Beacons
A clear one-pixel-by-one-pixel graphic image that records a visit to a webpage
80
Digital Fingerprints
A technique used to identify an individual based upon information collected automatically when a user visits a webpage (e.g., IP address, browser type)
81
Session Cookie
One that is stored only while a user is connected to a specific web server and is deleted when the user closes his or her web browser
82
Persistent Cookie
One that is set to expire at some point in the future, according to a pre-defined time
83
First-Party Cookie
One that is set and read by the web server that is hosting the website being visited.
84
Third-Party Cookie
One set and read by a party other than the web server hosting the visited website, such as an online advertising network.
85
Best Practices: Cookies
Cookies should never be used to store unencrypted personal information
Persistent cookies should only be used where necessary
Users should be notified when cookies are being used
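Added example (not from the flashcard set) covering the Session Cookie, Persistent Cookie, Side-Jacking and Best Practices cards: a small audit of Set-Cookie headers. The headers are constructed, the one-year lifetime limit is an assumed threshold for "only where necessary", and the Secure/HttpOnly attribute checks go beyond the card (a cookie without Secure can be sent over plain HTTP, which is the side-jacking scenario; HttpOnly keeps page scripts from reading it).

```python
# Added example (not from the flashcard set): audit Set-Cookie headers against
# the cookie best practices. Headers are constructed; thresholds are assumptions.
import re
from typing import Dict, List

ONE_YEAR = 365 * 24 * 3600  # assumed limit for "persistent only where necessary"

# Constructed Set-Cookie headers, as a web server might emit them.
SAMPLE_HEADERS = [
    # session cookie: no Expires/Max-Age, so it dies when the browser closes
    "sessionid=9f1c2a7e; Path=/; Secure; HttpOnly; SameSite=Lax",
    # persistent, non-sensitive preference cookie, but sendable over plain HTTP
    "prefs=lang%3Den; Path=/; Max-Age=31536000",
    # personal information stored in the clear
    "user_email=alice%40example.com; Max-Age=2592000; Path=/",
    # long-lived identifier scoped to an ad network's domain
    "ad_id=7b1d; Domain=.ads.example.net; Max-Age=63072000; Secure",
]

# Matches an e-mail address, raw or URL-encoded (%40 for '@'), inside a cookie value.
EMAIL_RE = re.compile(r"[^@\s%]+(?:@|%40)[^@\s%]+\.[a-z]{2,}", re.IGNORECASE)


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split 'name=value; Attr=val; Flag' into a dict; bare flags get the value 'true'."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip() or "true"
    return cookie


def audit_cookie(header: str) -> Dict[str, object]:
    """Return the cookie's kind (session/persistent) and a list of practice violations."""
    c = parse_set_cookie(header)
    persistent = "max-age" in c or "expires" in c
    lifetime = int(c["max-age"]) if c.get("max-age", "").isdigit() else 0
    findings: List[str] = []
    if EMAIL_RE.search(c["value"]):
        findings.append("unencrypted personal information in cookie value")
    if persistent and lifetime > ONE_YEAR:
        findings.append("persistent cookie lifetime exceeds one year")
    if "secure" not in c:
        findings.append("missing Secure: cookie can be sent over plain HTTP (side-jacking)")
    if "httponly" not in c:
        findings.append("missing HttpOnly: value readable by page scripts")
    return {
        "name": c["name"],
        "kind": "persistent" if persistent else "session",
        "findings": findings,
    }


def audit_all(headers: List[str]) -> List[Dict[str, object]]:
    return [audit_cookie(h) for h in headers]


if __name__ == "__main__":
    for result in audit_all(SAMPLE_HEADERS):
        print(result)
```

Only the first header passes cleanly: it is a session cookie, carries an opaque identifier rather than personal information, and is flagged Secure and HttpOnly.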
86
Deprecation
Marking a feature as obsolete or superseded, with the intention of removing it in the near future
87
Cross-Device Tracking
The process of mapping a user as he or she moves between devices
88
Deterministic Tracking
The method that links a user's devices based on the accounts he or she logs in to on each device (the same login on a phone and a laptop identifies the same person)
89
Probabilistic Tracking
Connects a user's devices based upon an assessment of probabilities and proprietary algorithms drawn from information collected on multiple devices
90
Adware
Software that monitors an end user's behavior so that advertisers can better target advertisements toward a user
91
The Children's Online Privacy Protection Act of 1998 (COPPA)
Federal legislation designed to protect children under the age of 13 who are using the internet
92
GDPR & Children's Online Privacy
Under the GDPR (Article 8), where processing relies on consent, organizations may process the personal data of children under the age of 16 only with valid parental consent (member states may set a lower age, but not below 13)
93
The Privacy Rights for California Minors in the Digital World Act
Provides individuals under 18 years old with the right to request the removal of information posted by them online, subject to certain limitations
94
California consumer Privacy Act (CCPA)
Prohibits the sale of personal information of California consumers who are under the age of 16 without appropriate consent
95
Internet of Things (IoT)
Internet-connected devices (e.g., appliances, wearables, sensors) that collect large amounts of data about consumers
96
What is the GOAL of the NIST Cybersecurity Framework 2.0?
Provide organizations the ability to understand, assess, prioritize, and communicate cybersecurity efforts
97
6 NIST Cybersecurity Framework 2.0 Elements
1. Govern 2. Identify 3. Protect 4. Detect 5. Respond 6. Recover
98
Threat Modeling
The process of analyzing representations of a system to highlight concerns about security and privacy characteristics.
99
STRIDE Framework
Spoofing Tampering Repudiation Information Disclosure Denial of Service Elevation of Privilege
100
4 Management Options for Cybersecurity Threats
1. Accepting the risk as is
2. Transferring the risk to another entity
3. Mitigating the risk with the implementation of privacy controls
4. Avoiding the risk entirely
101
Cybersecurity Best Practices
Adopting two-factor authentication
Always validating and sanitizing third-party inputs
102
Social Engineering
When a malicious actor attempts to manipulate a person into creating a security vulnerability or providing confidential information
103
Types of Online Threats
Spam
Malware
Spyware
Ransomware
Phishing
Structured Query Language (SQL) Injection
Cross-Site Scripting (XSS)
Cookie Poisoning
Unauthorized Access
104
Threat Modeling asks what 4 questions?
What are we working on? What can go wrong? What are we going to do about it? Did we do a good enough job?
105
What is the STRIDE framework for?
Facilitating the process of threat modeling
106
Data Validation
The process of ensuring that data conforms to identified requirements and quality benchmarks
107
Data Sanitization
Takes the data input by a user and modifies it by removing or encoding potentially harmful input characters
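Added example (not from the flashcard set) for the Data Validation and Data Sanitization cards: validation rejects input that does not have the expected shape, and sanitization neutralizes characters that the receiving context (here, an HTML page) would interpret, which is the cross-site scripting case from the threat list. The field rules, the form fields and the function names are assumptions; for SQL the right control is the prepared statement, not character stripping.

```python
# Added example (not from the flashcard set): input validation versus
# sanitization/encoding for HTML output. Field rules are assumptions.
import html
import re
from typing import Dict, List

USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")


def validate_signup(form: Dict[str, str]) -> List[str]:
    """Validation: check each field against its requirements.
    Returns a list of errors; an empty list means the form is acceptable."""
    errors: List[str] = []
    if not USERNAME_RE.fullmatch(form.get("username", "")):
        errors.append("username: 3-32 letters, digits or underscores")
    if not EMAIL_RE.fullmatch(form.get("email", "")):
        errors.append("email: not a valid address")
    try:
        age = int(form.get("age", ""))
        if not 13 <= age <= 120:
            errors.append("age: out of range")
    except ValueError:
        errors.append("age: not an integer")
    return errors


def sanitize_for_html(text: str) -> str:
    """Sanitization for an HTML context: drop control characters, then encode
    the HTML metacharacters so <script>... is shown as text, not executed."""
    cleaned = "".join(ch for ch in text if ch.isprintable())
    return html.escape(cleaned, quote=True)


def render_greeting(display_name: str) -> str:
    """Build an HTML fragment; the untrusted value passes through sanitize_for_html."""
    return f"<p>Welcome, {sanitize_for_html(display_name)}!</p>"


if __name__ == "__main__":
    print(validate_signup({"username": "a", "email": "nope", "age": "x"}))
    print(render_greeting("<script>alert(1)</script>"))
```

Validation and sanitization are complementary: the first rejects malformed data outright, the second makes data that must be accepted (a display name may legitimately contain `<`) safe for one specific output context. Encoding for HTML does nothing for a value that later lands in SQL, a shell command or a URL; each context needs its own encoding.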
108
Privacy-Enhancing Technologies
Technologies whose primary purpose is to protect privacy (e.g., by minimizing, anonymizing, or encrypting personal data)
109
Privacy Engineering
A specialty discipline of systems engineering focused on achieving freedom from conditions that can create problems for individuals with unacceptable consequences that arise from the system as it processes personally identifiable information
110
Linkability
The amount of effort required to link data to a specific person
111
Identifiers
Codes or strings used to represent an individual, device, or browser
112
Strong Identifiers vs. Weak Identifiers
Strong identifiers - those that can be linked to an individual without access to additional data
Weak identifiers - data that is needed in combination with other data to properly identify an individual (more general)
113
Anonymization Techniques
Suppression
Generalization
Noise Addition
114
Suppression
Removing identifying information or values
115
Generalization
Replacing identifying information with more general elements
116
Noise Addition
Adding random perturbations to values (e.g., a random offset to an age or salary) so that individual values are no longer exact while statistical properties of the dataset are preserved
117
Aggregation
Can be used to help mask individual identities by using statistics from individual records rather than the individual records themselves
118
Differential Privacy
A mathematical framework for releasing statistics derived from individually identifiable data with a quantified guarantee (the privacy parameter epsilon) that bounds how much any single individual's record can change the output, typically by adding calibrated random noise
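Added example (not from the flashcard set) covering the Suppression, Generalization, Noise Addition, Aggregation and Differential Privacy cards: each technique applied to a constructed table of records, followed by a differentially private count using the Laplace mechanism. The records, the bin widths, the noise spread, the epsilon value and the function names are assumptions made for the example.

```python
# Added example (not from the flashcard set): anonymization techniques on a
# constructed record set, plus a Laplace-mechanism differentially private count.
import math
import random
from typing import Callable, Dict, List

# Constructed records: name and SSN are strong identifiers; ZIP, age and
# diagnosis are weak identifiers that can re-identify someone in combination.
RECORDS: List[Dict[str, object]] = [
    {"name": "Alice Smith", "ssn": "123-45-6789", "zip": "02139", "age": 34, "diagnosis": "flu"},
    {"name": "Bob Jones",   "ssn": "987-65-4321", "zip": "02142", "age": 41, "diagnosis": "asthma"},
    {"name": "Carol Lee",   "ssn": "555-12-3456", "zip": "02139", "age": 29, "diagnosis": "flu"},
    {"name": "Dan Park",    "ssn": "222-33-4444", "zip": "10001", "age": 67, "diagnosis": "flu"},
]


def make_rng(seed: int) -> random.Random:
    """Seeded RNG so the example is reproducible; a production DP library
    draws its noise from a cryptographically secure source instead."""
    return random.Random(seed)


def suppress(records, fields=("name", "ssn")):
    """Suppression: drop the strong identifiers entirely."""
    return [{k: v for k, v in r.items() if k not in fields} for r in records]


def generalize(records, age_bin=10, zip_digits=3):
    """Generalization: replace the exact age with a range and the ZIP with its prefix."""
    out = []
    for r in records:
        g = dict(r)
        lo = (r["age"] // age_bin) * age_bin
        g["age"] = f"{lo}-{lo + age_bin - 1}"
        g["zip"] = r["zip"][:zip_digits] + "*" * (len(r["zip"]) - zip_digits)
        out.append(g)
    return out


def add_noise(records, rng: random.Random, spread=3):
    """Noise addition: perturb each age by a random offset in [-spread, spread]."""
    return [dict(r, age=r["age"] + rng.randint(-spread, spread)) for r in records]


def aggregate(records, field="diagnosis") -> Dict[str, int]:
    """Aggregation: release counts per value instead of the individual rows."""
    counts: Dict[str, int] = {}
    for r in records:
        counts[r[field]] = counts.get(r[field], 0) + 1
    return counts


def laplace_noise(scale: float, rng: random.Random) -> float:
    """Sample Laplace(0, scale) by inverse CDF using the stdlib RNG."""
    u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def dp_count(records, predicate: Callable[[dict], bool], epsilon: float, rng: random.Random) -> float:
    """Epsilon-differentially private count (Laplace mechanism).
    Adding or removing one person changes a count by at most 1 (sensitivity 1),
    so noise with scale 1/epsilon bounds what the output reveals about any one record."""
    true_count = sum(1 for r in records if predicate(r))
    return true_count + laplace_noise(1.0 / epsilon, rng)


if __name__ == "__main__":
    rng = make_rng(1)
    print(generalize(suppress(RECORDS)))
    print(aggregate(RECORDS))
    print(dp_count(RECORDS, lambda r: r["diagnosis"] == "flu", epsilon=0.5, rng=rng))
```

Suppression and generalization remove or coarsen identifiers; noise addition and aggregation change what is released; differential privacy is the only one of the five with a formal guarantee, and smaller epsilon means more noise and stronger protection. Note that a tiny table such as this one still lets a flu count of 3 out of 4 reveal a lot, which is why the noise scale does not depend on the table size.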
119
Encryption
The process of obscuring information through a cryptographic scheme to make it unreadable without additional information (e.g., a decryption key)
120
Plaintext Data
Original, unencrypted data
121
Ciphertext Data
Encrypted data
122
Encryption requires two primary components:
An algorithm
An encryption key
123
Algorithm
A mathematical application applied to a block of data; relies upon either a cipher or a code
124
Cipher
A mathematical transformation of data with specific mathematical steps
125
Code
A one-to-one replacement for a word, letter, symbol, etc.
126
Encryption Key
A small piece of data that controls the execution of the encryption algorithm
127
Symmetric Encryption
Encryption that uses a single key for both encryption and decryption
128
Asymmetric Encryption
Encryption that uses two separate but mathematically linked keys (a key pair): a public key for encryption and a private key for decryption
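Added example (not from the flashcard set) for the Symmetric Encryption and Asymmetric Encryption cards: a symmetric cipher built from a keyed hash, and textbook RSA with toy primes, so the one-key and two-key models can be run side by side. Both are for illustration only; real systems use vetted library implementations (e.g., AES-GCM and RSA-OAEP) rather than homemade cryptography, and the keys, nonce, primes and messages here are constructed.

```python
# Added example (not from the flashcard set): a symmetric stream cipher built
# from HMAC-SHA256 in counter mode, and textbook RSA with toy parameters.
# Illustration only: no integrity protection, no padding, tiny key sizes.
import hashlib
import hmac
from typing import Tuple


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes: HMAC(key, nonce || counter) for counter = 0, 1, ..."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def sym_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Symmetric: XOR the plaintext with the keystream. The nonce must never be
    reused with the same key, and a real design would add a MAC for integrity."""
    ks = keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


# Decryption is the same XOR with the same single shared key.
sym_decrypt = sym_encrypt


def rsa_keygen(p: int, q: int, e: int = 17) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Textbook RSA: the public key (n, e) encrypts, the private key (n, d) decrypts.
    p and q must be distinct primes; real keys use primes of ~1024 bits or more."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(public_key: Tuple[int, int], m: int) -> int:
    """Anyone with the public key can encrypt an integer message 0 <= m < n."""
    n, e = public_key
    return pow(m, e, n)


def rsa_decrypt(private_key: Tuple[int, int], c: int) -> int:
    """Only the holder of the private key can decrypt."""
    n, d = private_key
    return pow(c, d, n)


if __name__ == "__main__":
    key, nonce = b"k" * 32, b"n" * 8          # constructed key material
    ct = sym_encrypt(key, nonce, b"personal information")
    print(ct.hex(), sym_decrypt(key, nonce, ct))
    pub, priv = rsa_keygen(61, 53)             # toy primes from the classic example
    print(pub, priv, rsa_encrypt(pub, 65), rsa_decrypt(priv, rsa_encrypt(pub, 65)))
```

The symmetric half shows why the same key must be shared between both parties and why a wrong key yields garbage; the RSA half shows that encryption needs only the public key while decryption needs d, which is derived from the factors of n and stays private. With n = 3233 anyone can factor it instantly, which is exactly why the toy is not secure.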
129
Public Key Infrastructure
A system of digital certificates, authorities, and other registration entities that verifies the authenticity of each party involved in an electronic transaction through the use of cryptography
130
Hash Functions
A type of mathematical calculation that takes an input of any length and maps it to an output of fixed length
131
Hashing Functions
"Taking user identification and converting them into an ordered system to track the user's activities without directly using personally identifiable information (PII)" (IAPP's definition)
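Added example (not from the flashcard set) for the Hash Functions and Hashing Functions cards: SHA-256 maps any input length to a fixed 256-bit output, and the IAPP-style use of hashing a user identifier into a tracking token is shown in its naive and keyed forms. The caveat a practitioner wants is in the code: an unkeyed hash of a guessable identifier (an e-mail address) is recoverable by trying candidates, so pseudonymization should use a keyed hash (HMAC) with a secret kept server side. The e-mail addresses, the secret key and the function names are constructed for the example.

```python
# Added example (not from the flashcard set): hash functions, and why a keyed
# hash is needed to pseudonymize identifiers. Inputs and key are constructed.
import hashlib
import hmac
from typing import Callable, List, Optional


def sha256_hex(data: str) -> str:
    """SHA-256: input of any length -> 64 hex characters (256 bits), deterministic."""
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def pseudonym_unkeyed(email: str) -> str:
    """Naive pseudonymization: hash the normalized identifier directly."""
    return sha256_hex(email.strip().lower())


def pseudonym_keyed(secret: bytes, email: str) -> str:
    """HMAC-SHA256 with a server-side secret: without the key the token cannot
    be recomputed, so a list of guesses does not help an outsider."""
    return hmac.new(secret, email.strip().lower().encode("utf-8"), hashlib.sha256).hexdigest()


def dictionary_attack(token: str, candidates: List[str],
                      fn: Callable[[str], str]) -> Optional[str]:
    """Recover the identifier behind `token` if it is in a guessable candidate list.
    E-mail addresses and phone numbers are low-entropy, so this succeeds against
    unkeyed hashes; compare_digest avoids leaking timing information."""
    for c in candidates:
        if hmac.compare_digest(fn(c), token):
            return c
    return None


if __name__ == "__main__":
    guesses = ["alice@example.com", "bob@example.com", "carol@example.com"]
    t = pseudonym_unkeyed("Bob@Example.com")
    print("unkeyed token recovered as:", dictionary_attack(t, guesses, pseudonym_unkeyed))
    secret = b"server-side secret"  # constructed; keep out of the tracking data store
    tk = pseudonym_keyed(secret, "bob@example.com")
    print("keyed token recovered as:  ", dictionary_attack(tk, guesses, pseudonym_unkeyed))
```

The keyed token still lets the operator correlate a user's activity (the same input gives the same token) while anyone without the secret sees only an opaque string; rotating the secret breaks linkability across periods, which is a privacy feature rather than a defect.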