part 5, IT and the law Flashcards

(186 cards)

1
Q

this is an E.U. law that came into force in 2014 and allows individuals to have personal data about them removed from search engines if it is untrue or no longer relevant

A

what is the

right to be forgotten

2
Q

this allows:

  1. Unauthorised access to a database
  2. Viewing restricted content of a database
  3. Changing or deleting the contents of the database
  4. Reconnoitring a site before performing a serious attack
A

what 4 actions does an

SQL injection (SQLi)

allow

3
Q

Section 171(1) of the General Data Protection Regulation (GDPR) may allow this if it is done:

  1. with a view to testing the effectiveness of the de-identification of personal data,
  2. without intending to cause, or threaten to cause, damage or distress to a person, and
  3. in the reasonable belief that, in the particular circumstances, re-identifying the information was justified as being in the public interest.
A

under which 3 circumstances would Section 171(1) of the General Data Protection Regulation (GDPR) allow for the

de-anonymisation of anonymised data

4
Q

TalkTalk was attacked in July, September and October of 2015

A

in which months of 2015 was TalkTalk attacked

5
Q

this section is concerned with

unauthorised access intending to commit or assist the commission of further offences

A

what is

section 2 of the Computer Misuse Act (CMA) 1990

concerned with

6
Q

what is a

query string

A

this is part of a website's Uniform Resource Locator (URL). It does not determine the address of the web page but is instead a method of transmitting data, for example from a web form to a server

7
Q

from this company attackers stole:

  1. 157,000 customer accounts, including information such as names and addresses, dates of birth, email and telephone details, as well as account information
  2. complete bank or credit card records belonging to 16,000 customers
  3. partial banking details of a further 28,000 customers
A

in October 2015 what

data was stolen from TalkTalk

8
Q

what are the two

overriding provisions

of the

General Data Protection Regulation (GDPR)

A

these include:

  1. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection or appropriate safeguards for the rights and freedoms of data subjects in relation to the processing of personal data; or there are special circumstances meaning the transfer is necessary.
  2. Personal data shall be processed in accordance with the rights of data subjects i.e. there must be respect for fundamental rights.

(Open University, 2022)

9
Q

what did the

Data Protection Act 1998

introduce / acknowledge

A

this piece of legislation explicitly acknowledges the privacy rights of individuals.

10
Q

access to this was provided through a terminal that cost £650; on top of that you would also have to pay a quarterly subscription of £5 and 5p per page view during peak hours

A

how could you gain access to the

Prestel service

11
Q

what is

Section 3a of the Computer Misuse Act (CMA) 1990

A

This is an amendment that has been made and states that it is a criminal act to develop or supply either software or data that may be used in a crime

12
Q

to be charged under this it must be proven that:

  1. The accused had a desire to perform the crime
  2. The accused took action to perform the crime

example

gaining access where you shouldn't have by accident means that you have met criterion 2 but not criterion 1, therefore you cannot be charged under this act

similarly, if you plan an attack you have met criterion 1, but until action is taken (criterion 2) you cannot be charged under this act

A

which two criteria must be met in order to be sentenced under the

Computer Misuse Act (CMA) 1990

13
Q

YES

Section 171(1) of the law states:

“It is an offence for a person knowingly or recklessly to re-identify information that is de-identified personal data without the consent of the controller responsible for de-identifying the personal data”

A

does the General Data Protection Regulation (GDPR)

prohibit the act of de-anonymising data that has been anonymised

such as pseudonymised data

14
Q

some knowledge an attacker may gain from using these are:

  1. which queries were successfully executed
  2. which tables do/do not exist
  3. what data does/does not exist
A

what knowledge could an attacker gain from your database by

receiving error messages

during an SQL injection (SQLi) attack

15
Q

how do

databases allow webpages to be dynamic in nature

while at the same time avoiding the creation of millions of different web pages, one for each user

A

a web page can usually be implemented as a template which can

have data entered into it depending on the situation such as who is logging in

16
Q

what happens when

restrictions are placed on query strings

to prevent an SQL injection (SQLi) attack

A

when taking this action the script that turns query strings into queries will ensure that it only accepts:

  1. queries with a fixed amount of parameters
  2. Queries with parameters of certain types

Example

If the script only expects two parameters (name and date), and those parameters must be formatted a certain way or be of a certain type, then any other query string it encounters will be discarded and not passed to the database

17
Q

how can

Principle 6, Integrity and confidentiality (security)

of

article 5, General Data Protection Regulation (GDPR)

Data Protection Principles

be described / summarised

A

this can be described / summarised as:

The sixth data protection principle is that personal data processed for any purposes must be so processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures (and, in this principle, “appropriate security” includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage). (Open University, 2022)

18
Q

what is the

Computer Misuse Act (CMA) 1990

concerned with

A

this act is concerned with unauthorised access to or modification of a computer, as well as any crimes carried out with a computer and/or threats to life through use of a computer

19
Q

in the U.K. this position is held by the

Information Commissioner’s Office (ICO)

A

the General Data Protection Regulation (GDPR) ensures that each member state has a supervisory authority (SA) which oversees data protection

what is the name of the

U.K.'s supervisory authority (SA)

20
Q
  1. their profits halved
  2. they spent £60 million upgrading their systems
  3. their shares dropped
  4. 101,000 customers were lost in the 3 months following the attack
  5. they were fined £400,000 for being in breach of the Data Protection Act (DPA) 1998
A

in the aftermath of the October 2015 attack on TalkTalk what were the implications for the company

21
Q

what does

subsection 2(5) of the Computer Misuse Act (CMA) 1990

state

A

this lists the punishments under section 2 and states that there is an up to 5 year prison sentence for the most serious crimes. It also states that you can be charged with additional offences as well as section 2, such as when you commit theft

22
Q

this type of conviction is where a jury will be involved in the case

A

what is a

conviction of indictment

24
Q

what is

Section 3za of the Computer Misuse Act (CMA) 1990

A

This is another amendment which has been made to the Computer Misuse Act (CMA) 1990. It covers the most serious of computer crimes, where human life has been harmed, such as:

  1. Disrupting food, water or energy supplies
  2. Disrupting communication or transport networks
  3. Damaging or disrupting healthcare
25
what does **subsection 2(2) of the Computer Misuse Act (CMA) 1990** state
This lists the types of crimes covered by section 2 such as: fraud, forgery, theft and criminal damage
26
how does **turning off error messages** help prevent an SQL injection (SQLi) attack
the reason this helps prevent an SQL injection (SQLi) attack is that an attacker can use error messages to gain a better understanding of the structure of your database
27
what 3 purposes does the **General Data Protection Regulation (GDPR)** serve
this serves to:
  1. provide a set of rules concerning data that is enforced by every E.U. member state; this makes doing business much easier in cases where data processing of a certain type would have been illegal in one country but not another
  2. protect the data of EU citizens by placing the responsibility for protecting that data on to companies
  3. protect EU citizens' data even when it is not being processed in the EU, since the law extends to any country processing EU citizens' data
28
name 5 requirements that the **General Data Protection Regulation (GDPR)** places on developers / companies
this requires that:
  1. developers think about the privacy of users' data from the outset, not just when the system is finished
  2. companies process as little data as possible
  3. companies only collect what they need to complete the task
  4. personal data is deleted when no longer needed
  5. data is not passed to other organisations without permission
29
by taking this action on a database:
  1. it makes it harder for an attacker to understand the structure of your database
  2. it increases the likelihood that the attacker will be caught before carrying out a real attack
how does **turning off database error messages** make it harder for an attacker to perform an SQL injection (SQLi) attack
30
this term covers any of the following acts:
  1. Collecting new data
  2. Using existing data
  3. Sharing data
  4. Disclosing or displaying data
  5. Data storage
  6. Data disposal
according to the Data Protection Act (DPA) what does the term **data processing** encompass
31
when this occurs within the query string they are separated by ampersands (&)
if **multiple parameters and their values are contained within a query string** how are they separated
32
for you to be charged under this section, some actions might be:
  1. Denial of service
  2. Introducing malware
name two actions taken on a computer that would be chargeable under **Section 3 of the Computer Misuse Act (CMA) 1990**
34
what are the 7 **Data Protection Principles** included in article 5 of the General Data Protection Regulation (GDPR)
this includes:
  1. Lawfulness, fairness and transparency
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality (security)
  7. Accountability
35
what is **section 1 of the Computer Misuse Act (CMA) 1990** concerned with
this section is concerned with unauthorised access to computer material
37
this is a type of attack where the attacker does not know the structure of your database; instead they issue queries in the hope that they will be executed by the database.
what is **blind injection**
39
what must organisations adhere to in order to remain compliant with the General Data Protection Regulation (GDPR)
in order to remain compliant with this they must adhere to the seven core **Data Protection Principles of article 5**
40
to be charged under this section:
  1. the user intends to gain access to the computer; and
  2. they are not authorised to do so; and
  3. they are aware that their actions are not authorised by the computer's owner.
what 3 criteria must be met to be **charged with section 1 of the Computer Misuse Act (CMA) 1990**
42
to protect this type of data:
  1. Encrypt the data
  2. Separate this data from the algorithm
  3. Separate this data from the data it was created from
what measures should be taken to protect **pseudonymised data**
43
if an organisation in the U.K. breaches the General Data Protection Regulation (GDPR) this body may, for not complying with the law, impose a fine of €20 million or 4% of the organisation's total worldwide annual turnover of the preceding financial year, whichever is higher
if someone in the U.K. is in breach of the General Data Protection Regulation (GDPR) what is the maximum punishment that can be placed on an organisation by the **Information Commissioner's Office (ICO)**
45
this type of conviction is where no jury is involved in the sentencing; instead only a judge or magistrate handles the case
what is a **summary conviction**
46
the worst attack that TalkTalk saw in 2015 was in October
which month of 2015 saw the hardest-hitting attack on TalkTalk
47
this can be described / summarised as: Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. Appropriate time limits must be established for the periodic review of the need for the continued storage of personal data for any purposes. (Open University, 2022)
how can **Principle 5, Storage limitation** of **article 5, General Data Protection Regulation (GDPR)** **Data Protection Principles** be described / summarised
48
to prevent an **error-based SQLi** what 3 actions can be taken
to prevent this the following can be implemented:
  1. Ideally, error messages are turned off entirely for a public-facing database
  2. error messages are logged to a local file for a public-facing database
  3. error messages are only to be used for offline development of a database
49
what content did Prestel deliver to its subscribers
this delivered to its subscribers:
  1. news, train times, etc.
  2. the first email service in the UK
  3. the world's first online banking service, through the Bank of Scotland and the Nottingham Building Society
  4. the world's first online theatre ticket purchase and grocery shopping
50
how can **Principle 3, Data minimisation** of **article 5, General Data Protection Regulation (GDPR)** **Data Protection Principles** be described / summarised
this can be described / summarised as: Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. (Open University, 2022)
52
this also introduced into U.K. law:
  1. provisions relating to national security
  2. the duties of the Information Commissioner's Office (ICO)
  3. EU Data Protection Directive 2016/680 (Law Enforcement Directive)
the **Data Protection Act (DPA) 2018** introduces Europe's General Data Protection Regulation (GDPR), but what 3 other things did it incorporate into law
53
this works by replacing a legitimate query string with one that is malicious
how does an **SQL injection (SQLi) attack** work
54
this is a process that is implemented in order to protect the real identity of an individual. _example_: "Henry has Type 1 diabetes" becomes "Patient 37815 has Type 1 diabetes"
what is **Pseudonymisation**
55
what is a **query language**
this is a specialised language that is used to communicate with databases. the most common is Structured Query Language (SQL)
57
what are 2 methods that can be used to **sanitise query strings** and prevent an SQL injection (SQLi) attack
2 methods that can be used to implement this are: 1. restricting query strings 2. parsing query strings
59
2 methods that can be used to implement this are: 1. restricting query strings 2. parsing query strings
what are 2 methods that can be taken to **sanitise query strings** and prevent an SQL injection (SQLi) attack
60
what does **subsection 2(3) of the Computer Misuse Act (CMA) 1990** state
states that further offences committed after gaining access to the computer (section 1) do not need to happen immediately for you to be charged. For example, if customer details were stolen and then six months later those details were used to commit fraud against those users, you can still be charged.
61
these include:
  1. **consent** - There must be a clear and specific, up-front statement of consent on the part of the individual, and specific consent for each use of the data
  2. **contract** - one of the options of choice for many large organisations looking to circumvent the consent rules
  3. **Legal obligation** - e.g. the organisation may need to process the data to comply with national security related obligations under a law like the Investigatory Powers Act of 2016
  4. **Vital interests** - e.g. processing the data to protect someone's life
  5. **Public task** - e.g. duties carried out by a public authority in the public interest
  6. **Legitimate interests** - the Information Commissioner's Office (ICO) describes this as "the most flexible lawful basis for processing… where you use people's data in ways they would reasonably expect and which have a minimal privacy impact"
what are the six **lawful bases upon which the Data Protection Act (DPA) 2018 allows organisations to process data**
63
according to section 3(2) of the Data Protection Act (DPA) what is personal data?
this describes it as any information relating to an identified or identifiable living individual. _side note_ Some observations on this are:
  1. It does not cover data about dead people
  2. It does not protect anonymised information
  3. It does not protect data about pets
  4. etc.
65
these two journalists were initially found guilty of forgery and counterfeiting
what were **Robert Schifreen and fellow journalist Stephen Gold** initially found guilty of
66
this act meant that any public and private companies holding personal data had to register with a data protection registrar, who also enforced the law; however, an individual's right to privacy was not covered by this piece of legislation
what did the **Data Protection Act (DPA) 1984** introduce
67
in October 2015 TalkTalk had been the victim of an **SQL injection (SQLi) attack**
in October 2015 what type of attack was TalkTalk subject to
69
what was proposed after the appeal ruling of Robert Schifreen and Stephen Gold
after the appeal ruling it was proposed by the courts that legislators would have to decide if new laws should be put in place to restrict the act of unauthorised access to a computer
70
describe what **sensitive data** is
this is any personal data that could be used against a person for reasons such as:
  1. discrimination
  2. persecution because of beliefs or being
Because of these reasons there is a wide range of protections in place for this type of personal data
71
what claim did journalists Robert Schifreen and fellow journalist Stephen Gold make during their appeal, and did the judge agree
the claim that Robert Schifreen and fellow journalist Stephen Gold made during their appeal was that the act they were charged under was never meant to be used in a case such as theirs. The judge agreed with this claim and dropped all charges in 1988
72
because some software can be used in a criminal way but at the same time has legitimate uses, such as assessing the security of a system, what considerations have been recommended for assessment before someone is charged under **Section 3a of the Computer Misuse Act (CMA) 1990**
Some considerations when using this section are:
  1. Was the software developed to obtain unauthorised access to a computer? For instance, malware clearly obtains unauthorised access to data.
  2. Does the software have a legitimate purpose, such as testing a network's security?
  3. What was the context in which the software was used to commit the offence, compared with its original intended purpose?
73
when **restricting permissions** to prevent an SQL injection (SQLi) attack what two actions can be put into place
when using this technique to prevent an SQL injection (SQLi) attack we can:
  1. restrict what data a web page can see from a database
  2. restrict what actions a web page can take on a database, such as deleting or modifying
Restrictions such as these ensure that even if a malicious query string is sent to a server it will never be executed by the database, because of the lack of permissions
74
this will begin after a question mark symbol (?) within the Uniform Resource Locator (URL)
where does a **query string** begin within a **Uniform Resource Locator (URL)**
76
what does **subsection 2(4) of the Computer Misuse Act (CMA) 1990** state
states that you can still be charged under section 2 even if there was no way you could have been successful. Such cases might be where an attacker did not have the required skills, the system they tried to attack had preventative measures, etc.
79
what sentences does **Section 3za of the Computer Misuse Act (CMA) 1990** hold
This holds the highest penalties under the Computer Misuse Act (CMA) 1990, with the least serious offences carrying 14 years in jail and the most serious carrying life in jail
81
who developed Prestel and what was its lifetime
this was developed by the British Post Office in 1979 and eventually ceased service in 1991
82
customers' data was posted online and some customers were even receiving fraudulent calls, such as:
  1. Being tricked into making payments
  2. Giving away more banking information
  3. Being tricked into installing malware on to their own systems
in the aftermath of the October 2015 attack on TalkTalk what happened with the customer data that was stolen
84
this was introduced mainly so that the UK could implement Europe's General Data Protection Regulation (GDPR)
what did the **Data Protection Act (DPA) 2018** introduce
86
this section is concerned with **unauthorised modification of computer material.**
what is **section 3 of the Computer Misuse Act (CMA) 1990** concerned with
88
this can be described / summarised as: Personal data shall be obtained only for one or more specified, explicit and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. (Open University, 2022)
how can **Principle 2, Purpose limitation** of **article 5, General Data Protection Regulation (GDPR)** **Data Protection Principles** be described / summarised
89
this is enforced by:
  1. Each member country is required to have a central **supervisory authority (SA)** which will oversee data protection.
  2. Companies that have more than 250 employees must have at least one data protection officer (DPO), whose responsibility is to develop protection methods for the personal data they process as well as ensuring they are compliant with the GDPR. (under the Data Protection Act 1998 there was no requirement to hire a DPO)
  3. Companies are forced to report breaches to their supervisory authority (SA) within 72 hours of discovery (the Data Protection Act 1998 encouraged this type of activity but it was not a requirement)
in what 3 ways is the **General Data Protection Regulation (GDPR) enforced**
90
who was the first person to discover **SQL injection (SQLi)** and what actions did he take
this was first discovered by **security expert Jeff Forristal.** Upon discovery he **attempted to warn Microsoft about the issue**; however, Microsoft at the time saw it as no issue
91
what actions did journalists Robert Schifreen and Stephen Gold take on the Prestel network
these two journalists used a username and password combination which they had seen used at a demonstration to access the Prestel network without authorisation
93
this is a command written in a specialised language known as a query language and allows for entering, modifying or deleting data from a database
what is a **query**
94
what does **subsection 2(1) of the Computer Misuse Act (CMA) 1990** state
states that a crime has been committed under section 2 if a person committed an offence under section 1 and intends to commit further crimes listed in Subsection 2(2)
95
what is the maximum sentence under **Section 3 of the Computer Misuse Act (CMA) 1990**
This section holds a punishment with up to 10 years in prison
96
what rights of erasure does the General Data Protection Regulation (GDPR) allow for
this allows an individual's data to be removed from a computer if:
  1. it was acquired via unlawful methods
  2. the privacy of the individual is seen as more important than the interests of the organisation holding the data
100
what 4 actions does an **SQL injection (SQLi)** allow
this allows:
1. Unauthorised access to a database
2. Viewing restricted content of a database
3. Changing or deleting the contents of the database
4. Reconnoitring a site before performing a more serious attack
101
what are the 4 rules for data processing that are given under **Principle 1, Lawfulness, fairness and transparency** of the **General Data Protection Regulation (GDPR)** **Data Protection Principles**
this says that:
1. Organisations must have a lawful basis that allows them to process data
2. The data they hold must not be used to break other laws, such as copyright, contract or tax laws
3. The data they hold must be used fairly and must not have negative or unexpected effects on the data subject (this rule may be set aside if it is in the public interest, such as police using data as part of an investigation)
4. There must be up-front clarity about how data will be used
102
in October 2015 what type of attack was TalkTalk subject to
in October 2015 TalkTalk was the victim of an **SQL injection (SQLi) attack**
103
to prevent this the following can be implemented:
1. Ideally, error messages are turned off entirely for a public-facing database
2. Error messages are logged to a local file for a public-facing database
3. Error messages are only used during offline development of a database
to prevent an **error-based SQLi** what 3 actions can be taken
104
in October 2015 what **data was stolen from TalkTalk**
from this company attackers stole:
1. 157,000 customer accounts, including information such as names and addresses, dates of birth, email and telephone details, as well as account information
2. complete bank or credit card records belonging to 16,000 customers
3. partial banking details of a further 28,000 customers
105
this is the Supervisory Authority (SA) for the U.K which oversees and enforces the General Data Protection Regulation (GDPR). Unlike the Computer Misuse Act, data protection breaches are not automatically investigated by the police or prosecuted in a court of law; instead this is the role of the Supervisory Authority (SA)
what is the **Information Commissioner's Office (ICO)**
106
this type of attack was first discovered in 1998
in which year was **SQL injection (SQLi)** first known about
107
what were **Robert Schifreen and fellow journalist Stephen Gold** initially found guilty of
these two journalists were initially found guilty of forgery and counterfeiting
108
the punishment for breaking this law is:
1. on summary conviction, 1 year in prison and/or a fine of up to £5,000
2. on conviction on indictment, 2 years in prison
what punishments does **section 1 of the Computer Misuse Act (CMA) 1990** carry
109
some types of this include:
1. racial or ethnic origin
2. political opinions
3. religious or philosophical beliefs
4. membership of a trade union
5. health
6. sexuality and sexual history
7. genetics
8. biometric data where used for ID purposes
name some **types of sensitive data**
110
in the U.K this task is carried out by the **Information Commissioner's Office (ICO)**
in the UK who is the **supervisory authority (SA)** that enforces compliance with the **General Data Protection Regulation (GDPR)**
111
the **Data Protection Act (DPA) 2018** implements Europe's General Data Protection Regulation (GDPR), but what 3 other things did it incorporate into law
this also introduced into U.K law:
1. provisions relating to national security
2. the duties of the Information Commissioner's Office (ICO)
3. EU Data Protection Directive 2016/680 (the Law Enforcement Directive)
112
states that a crime has been committed under section 2 if the person committed an offence under section 1 and intended to commit further crimes listed in subsection 2(2)
what does **subsection 2(1) of the Computer Misuse Act (CMA) 1990** state
113
when **sanitising query strings by parsing the query string** what actions are carried out by the script responsible for the sanitisation
when this action is taken, the script responsible for turning query strings into queries first assesses the query string to see if it contains any characters that could correspond to an SQL query; if it does, the script can:
1. Translate the characters into safe characters
2. Ignore the string entirely
This ensures that any query string containing an SQL query never reaches the database
114
after the appeal ruling the courts proposed that legislators would have to decide whether new laws should be put in place to restrict unauthorised access to a computer
what was proposed after the appeal ruling of Robert Schifreen and Stephen Gold
115
what did the **Data Protection Act (DPA) 1984** introduce
this act meant that any public or private company holding personal data had to register with a data protection registrar, who also enforced the law; however, an individual's right to privacy was not covered by this piece of legislation
116
how can **Principle 7, Accountability** of **article 5, General Data Protection Regulation (GDPR)** **Data Protection Principles** be described / summarised
this can be described / summarised as: (this is not listed as a data protection principle in the DPA 2018 but is a principle in the GDPR) data processors and controllers must have technical and organisational measures in place to demonstrate compliance with the GDPR and DPA 2018 (Open University, 2022)
117
this section carries a punishment of up to 10 years in prison
what is the maximum sentence under **Section 3 of the Computer Misuse Act (CMA) 1990**
118
this requires that:
1. developers think about the privacy of users' data from the outset, not just when the system is finished
2. companies process as little data as possible
3. companies only collect what they need to complete the task
4. personal data is deleted when no longer needed
5. data is not passed to other organisations without permission
name 5 requirements that the **General Data Protection Regulation (GDPR)** places on developers / companies
119
this delivered to its subscribers:
1. news, train times, etc.
2. the first email service in the UK
3. the world's first online banking service, through the Bank of Scotland and the Nottingham Building Society
4. the world's first online theatre ticket purchase and grocery shopping
what content did Prestel deliver to its subscribers
120
when using this technique to prevent an SQL injection (SQLi) attack we can:
1. restrict what data a web page can see from a database
2. restrict what actions a web page can take on a database, such as deleting or modifying
Restrictions such as these ensure that even if a malicious query string is sent to a server it will never be executed by the database, because the required permissions are lacking
when **restricting permissions** to prevent an SQL injection (SQLi) attack what two actions can be put into place
121
how does an **SQL injection (SQLi) attack** work
this works by replacing a legitimate query string with a malicious one
122
this is an amendment that makes it a criminal act to develop or supply either software or data that may be used in a crime
what is **Section 3A of the Computer Misuse Act (CMA) 1990**
123
what is a **query**
this is a command written in a specialised language known as a query language; it allows data to be entered into, modified in or deleted from a database
124
what is a **summary conviction**
this type of conviction involves no jury in the sentencing; instead only a judge or magistrate handles the case
125
in 2015 which months was TalkTalk attacked
TalkTalk was attacked in July, September and October of 2015
126
this says that:
1. Organisations must have a lawful basis that allows them to process data
2. The data they hold must not be used to break other laws, such as copyright, contract or tax laws
3. The data they hold must be used fairly and must not have negative or unexpected effects on the data subject (this rule may be set aside if it is in the public interest, such as police using data as part of an investigation)
4. There must be up-front clarity about how data will be used
what are the 4 rules for data processing that are given under **Principle 1, Lawfulness, fairness and transparency** of the **General Data Protection Regulation (GDPR)** **Data Protection Principles**
127
what is **section 3 of the Computer Misuse Act (CMA) 1990** concerned with
this section is concerned with **unauthorised modification of computer material.**
128
this was first discovered by **security expert Jeff Forristal**. Upon discovery he **attempted to warn Microsoft about the issue**; however, Microsoft at the time did not see it as an issue
who was the first person to discover **SQL injection (SQLi)** and what action did he take
129
how does the General Data Protection Regulation (GDPR) treat **pseudonymised data**
the General Data Protection Regulation (GDPR) treats this as if it were any other personal data
130
does **turning off error messages** stop an SQL injection (SQLi) attack
NO, taking this action on a database does not stop an SQL injection (SQLi) attack
131
this is another amendment to the Computer Misuse Act (CMA) 1990. It covers the most serious computer crimes, where human life has been harmed, such as:
1. Disrupting food, water or energy supplies
2. Disrupting communication or transport networks
3. Damaging or disrupting healthcare
what is **Section 3ZA of the Computer Misuse Act (CMA) 1990**
132
what is an **error-based SQLi**
this is a type of attack in which the error messages produced by the database are used to understand the structure and potential weaknesses of that database; it is often the first stage of an attack
133
how can **Principle 4, Accuracy** of **article 5, General Data Protection Regulation (GDPR)** **Data Protection Principles** be described / summarised
this can be described / summarised as: Personal data shall be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate or misleading is erased or rectified without delay. (Open University, 2022)
134
in the UK who is the **supervisory authority (SA)** that enforces compliance with the **General Data Protection Regulation (GDPR)**
in the U.K this task is carried out by the **Information Commissioner's Office (ICO)**
135
this can be described / summarised as: Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. (Open University, 2022)
how can **Principle 3, Data minimisation** of **article 5, General Data Protection Regulation (GDPR)** **Data Protection Principles** be described / summarised
136
this can be described / summarised as: The sixth data protection principle is that personal data processed for any purposes must be so processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures (and, in this principle, “appropriate security” includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage). (Open University, 2022)
how can **Principle 6, Integrity and confidentiality (security)** of **article 5, General Data Protection Regulation (GDPR)** **Data Protection Principles** be described / summarised
137
how can **Principle 5, Storage limitation** of **article 5, General Data Protection Regulation (GDPR)** **Data Protection Principles** be described / summarised
this can be described / summarised as: Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. Appropriate time limits must be established for the periodic review of the need for the continued storage of personal data for any purposes. (Open University, 2022)
138
if an organisation in the U.K is in breach of the General Data Protection Regulation (GDPR), what is the maximum punishment that can be placed on it by the **Information Commissioner's Office (ICO)**
if an organisation in the U.K breaches the General Data Protection Regulation (GDPR), this body may impose a fine of up to €20 million or 4% of the organisation's total worldwide annual turnover of the preceding financial year, whichever is higher, for not complying with this law
139
this can be prevented by:
1. updating software
2. restricting permissions
3. turning off error messages
4. sanitising query strings
name 4 methods that can **prevent SQL injection (SQLi) attacks**
140
what is the **Information Commissioner's Office (ICO)**
this is the Supervisory Authority (SA) for the U.K which oversees and enforces the General Data Protection Regulation (GDPR). Unlike the Computer Misuse Act, data protection breaches are not automatically investigated by the police or prosecuted in a court of law; instead this is the role of the Supervisory Authority (SA)
141
under which 3 circumstances would Section 171(1) of the General Data Protection Regulation (GDPR) allow for the **de-anonymisation of anonymised data**
Section 171(1) of the General Data Protection Regulation (GDPR) may allow this if it is done:
1. with a view to testing the effectiveness of the de-identification of personal data,
2. without intending to cause, or threaten to cause, damage or distress to a person, and
3. in the reasonable belief that, in the particular circumstances, re-identifying the information was justified as being in the public interest.
142
this was a service that was capable of delivering thousands of pages each with different content to subscribing customers
what was **Prestel**
143
this section is concerned with unauthorised access to computer material
what is **section 1 of the Computer Misuse Act (CMA) 1990** concerned with
144
what are the six **lawful bases upon which the Data Protection Act (DPA) 2018 allows organisations to process data**
these are:
1. **Consent** - there must be a clear and specific, up-front statement of consent on the part of the individual, and specific consent for each use of the data
2. **Contract** - one of the options of choice for many large organisations looking to circumvent the consent rules
3. **Legal obligation** - e.g. the organisation may need to process the data to comply with national-security-related obligations under a law like the Investigatory Powers Act 2016
4. **Vital interests** - e.g. processing the data to protect someone's life
5. **Public task** - e.g. duties carried out by a public authority in the public interest
6. **Legitimate interests** - the Information Commissioner's Office (ICO) describes this as "the most flexible lawful basis for processing… where you use people's data in ways they would reasonably expect and which have a minimal privacy impact"
145
does the General Data Protection Regulation (GDPR) **prohibit the act of de-anonymising data that has been anonymised**, such as pseudonymised data
YES; Section 171(1) of the law states: "It is an offence for a person knowingly or recklessly to re-identify information that is de-identified personal data without the consent of the controller responsible for de-identifying the personal data"
146
the General Data Protection Regulation (GDPR) treats this as if it were any other personal data
how does the General Data Protection Regulation (GDPR) treat **pseudonymised data**
147
this can be described / summarised as: (this is not listed as a data protection principle in the DPA 2018 but is a principle in the GDPR) data processors and controllers must have technical and organisational measures in place to demonstrate compliance with the GDPR and DPA 2018 (Open University, 2022)
how can **Principle 7, Accountability** of **article 5, General Data Protection Regulation (GDPR)** **Data Protection Principles** be described / summarised
148
this is a specialised language that is used to communicate with databases; the most common is Structured Query Language (SQL)
what is a **query language**
149
this carries the highest penalties under the Computer Misuse Act (CMA) 1990, with the least serious offences carrying 14 years in jail and the most serious carrying life in jail
what sentences does **Section 3ZA of the Computer Misuse Act (CMA) 1990** carry
150
the General Data Protection Regulation (GDPR) ensures that each member state has a supervisory authority (SA) which oversees data protection; what is the name of the **UK's supervisory authority (SA)**
in the U.K this position is taken by the **Information Commissioner’s Office (ICO)**
151
states that you can still be charged under section 2 even if there was no way you could have succeeded, for example where the attacker did not have the required skills or the system they tried to attack had preventative measures in place
what does **subsection 2(4) of the Computer Misuse Act (CMA) 1990** state
152
states that further offences committed after gaining access to the computer (section 1) do not need to happen immediately for a charge to be brought; for example, if customer details were stolen and six months later those details were used to commit fraud against those users, you can still be charged
what does **subsection 2(3) of the Computer Misuse Act (CMA) 1990** state
153
1. states that a bug or accidental damage cannot be prosecuted
2. states that you do not actually need to cause harm; intent alone is enough
3. states that any modification that is done does not need to be permanent for you to be charged
under **Section 3 of the Computer Misuse Act (CMA) 1990** name 3 conditions that would/would not allow a conviction
154
what are the 3 penalties that can be enforced under the **General Data Protection Regulation (GDPR)**
under this the penalties are:
1. Written warnings for relatively minor breaches, first offences or unintentional non-compliance
2. More serious failings require organisations to undergo regular data protection audits to ensure that they are brought into compliance with the GDPR
3. The most serious incidents could result in fines of up to €20 million or 4% of an organisation's annual global turnover, whichever is greater (previously the UK DPA 1998 stipulated a maximum fine of just £500,000)
155
this:
1. Provides a set of rules concerning data that is enforced by every E.U member state, which makes doing business much easier in cases where data processing of a certain type would have been illegal in one country but not another
2. Protects the data of EU citizens by placing responsibility for protecting that data on companies
3. Protects EU citizens' data even when it is not being processed in the EU, since the law extends to any country processing EU citizens' data
what 3 purposes does the **General Data Protection Regulation (GDPR)** serve
156
a web page can usually be implemented as a template into which data is entered depending on the situation, such as who is logging in
how do **databases allow web pages to be dynamic in nature** while avoiding the creation of millions of different web pages, one for each user
157
in which year was **SQL injection (SQLi)** first known about
this type of attack was first discovered in 1998
158
this act is concerned with unauthorised access to or modification of a computer, as well as any crimes carried out with a computer and/or threats to life through use of a computer
what is the **Computer Misuse Act (CMA) 1990** concerned with
159
these are:
1. Lawfulness, fairness and transparency
2. Purpose limitation
3. Data minimisation
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality (security)
7. Accountability
what are the 7 **Data Protection Principles** included in article 5 of the General Data Protection Regulation (GDPR)
160
under this the penalties are:
1. Written warnings for relatively minor breaches, first offences or unintentional non-compliance
2. More serious failings require organisations to undergo regular data protection audits to ensure that they are brought into compliance with the GDPR
3. The most serious incidents could result in fines of up to €20 million or 4% of an organisation's annual global turnover, whichever is greater (previously the UK DPA 1998 stipulated a maximum fine of just £500,000)
what are the 3 penalties that can be enforced under the **General Data Protection Regulation (GDPR)**
161
what was **Prestel**
this was a service that was capable of delivering thousands of pages each with different content to subscribing customers
162
this allows an individual's data to be removed from a computer if:
1. it was acquired via unlawful methods
2. the privacy of the individual is seen as more important than the interests of the organisation holding the data
what right of erasure does the General Data Protection Regulation (GDPR) allow for
163
this is a type of attack in which the error messages produced by the database are used to understand the structure and potential weaknesses of that database; it is often the first stage of an attack
what is an **error-based SQLi**
164
in what 3 ways is the **General Data Protection Regulation (GDPR) enforced**
this is enforced by:
1. Each member country is required to have a central **supervisory authority (SA)** which oversees data protection
2. Companies that have more than 250 employees must have at least one data protection officer (DPO), whose responsibility is to develop protection methods for the personal data they process as well as ensuring they are compliant with the GDPR (under the Data Protection Act 1998 there was no requirement to hire a DPO)
3. Companies must report breaches to their supervisory authority (SA) within 72 hours of discovery (the Data Protection Act 1998 encouraged this but it was not a requirement)
165
what happened during the year **1981** concerning UK data protection
this was the year Britain's first data privacy laws were introduced, to come into line with the EU. The laws were introduced to protect personal data from being exported from a country with strong privacy rules to one without
166
which month of 2015 saw the hardest-hitting attack on TalkTalk
the worst attack that TalkTalk saw in 2015 was in October
167
what did the **Data Protection Act (DPA) 2018** introduce
this was introduced mainly so that the UK could implement Europe's General Data Protection Regulation (GDPR)
168
name 4 methods that can **prevent SQL injection (SQLi) attacks**
this can be prevented by:
1. updating software
2. restricting permissions
3. turning off error messages
4. sanitising query strings
169
when taking this action the script that turns query strings into queries will ensure that it only accepts:
1. queries with a fixed number of parameters
2. queries with parameters of certain types
_Example_: if the script only expects two parameters (name and date) and those parameters must be formatted a certain way or be of a certain type, then any other query string it encounters is discarded and not passed to the database
what happens when **restrictions are placed on query strings** to prevent an SQL injection (SQLi) attack
170
this can be described / summarised as: Personal data shall be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate or misleading is erased or rectified without delay. (Open University, 2022)
how can **Principle 4, Accuracy** of **article 5, General Data Protection Regulation (GDPR)** **Data Protection Principles** be described / summarised
171
under **Section 3 of the Computer Misuse Act (CMA) 1990** name 3 conditions that would/would not allow a conviction
1. states that a bug or accidental damage cannot be prosecuted
2. states that you do not actually need to cause harm; intent alone is enough
3. states that any modification that is done does not need to be permanent for you to be charged
172
in the aftermath of the October 2015 attack on TalkTalk, what happened to the customer data that was stolen
customers' data was posted online and some customers even received fraudulent calls, such as:
1. Being tricked into making payments
2. Giving away more banking information
3. Being tricked into installing malware on their own systems
173
how can **Principle 2, Purpose limitation** of **article 5, General Data Protection Regulation (GDPR)** **Data Protection Principles** be described / summarised
this can be described / summarised as: Personal data shall be obtained only for one or more specified, explicit and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. (Open University, 2022)
174
this lists the types of crimes covered by section 2, such as fraud, forgery, theft and criminal damage
what does **subsection 2(2) of the Computer Misuse Act (CMA) 1990** state
175
name some **types of sensitive data**
some types of this include:
1. racial or ethnic origin
2. political opinions
3. religious or philosophical beliefs
4. membership of a trade union
5. health
6. sexuality and sexual history
7. genetics
8. biometric data where used for ID purposes
176
these two journalists used a username and password combination they had seen used at a demonstration to access the Prestel network without authorisation
what actions did journalists Robert Schifreen and Stephen Gold take on the Prestel network
177
what is **section 2 of the Computer Misuse Act (CMA) 1990** concerned with
this section is concerned with **unauthorised access intending to commit or assist the commission of further offences**
178
this was developed by the British Post Office in 1979 and eventually ceased service in 1991
who developed Prestel and what was its lifetime
179
this was the year Britain's first data privacy laws were introduced, to come into line with the EU. The laws were introduced to protect personal data from being exported from a country with strong privacy rules to one without
what happened during the year **1981** concerning UK data protection
180
what punishments does **section 1 of the Computer Misuse Act (CMA) 1990** carry
the punishment for breaking this law is:
1. on summary conviction, 1 year in prison and/or a fine of up to £5,000
2. on conviction on indictment, 2 years in prison
181
when this action is taken, the script responsible for turning query strings into queries first assesses the query string to see if it contains any characters that could correspond to an SQL query; if it does, the script can:
1. Translate the characters into safe characters
2. Ignore the string entirely
This ensures that any query string containing an SQL query never reaches the database
when **sanitising query strings by parsing the query string** what actions are carried out by the script responsible for the sanitisation
182
NO, taking this action on a database does not stop an SQL injection (SQLi) attack
does **turning off error messages** stop an SQL injection (SQLi) attack
183
where does a **query string** **begin within a** **Uniform Resource Locator (URL)**
this will begin after a question mark symbol (?) within the Uniform Resource Locator (URL)
184
these are:
1. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection or appropriate safeguards for the rights and freedoms of data subjects in relation to the processing of personal data, or there are special circumstances meaning the transfer is necessary.
2. Personal data shall be processed in accordance with the rights of data subjects, i.e. there must be respect for fundamental rights. (Open University, 2022)
what are the two **overriding provisions** of the **General Data Protection Regulation (GDPR)**
185
what happens when a **server receives a query string**
when it receives this it will:
1. Extract the contents of the query string
2. Generate and send a query to the database
186
when it receives this it will:
1. Extract the contents of the query string
2. Generate and send a query to the database
what happens when a **server receives a query string**