4. What is Data Privacy?
The aspect of information technology (IT) that deals with the
ability an organization or individual has to determine what data
in a computer system can be shared with third parties.
The challenge of data privacy is to utilize data while protecting
individuals' privacy preferences and their personally
identifiable information.
The fields of computer security, data security and information
security design and utilize software, hardware and human
resources to address this issue.
5. As the laws and regulations related to Privacy and Data
Protection are constantly changing, it is important to keep
abreast of any changes in the law and continually reassess
compliance with data privacy and security regulations.
Privacy concerns exist wherever personally identifiable
information or other sensitive information is collected, stored,
used, and finally destroyed or deleted in digital form or
otherwise.
Improper or non-existent disclosure control can be the root
cause for privacy issues.
6. Data privacy issues can arise in response to information from a wide range of
sources, such as:
Healthcare records
Criminal justice investigations and proceedings
Financial institutions and transactions
Biological traits, such as genetic material
Residence and geographic records
Ethnicity
Privacy breach
Location-based service and geo-location
Web surfing behavior or user preferences using persistent cookies
7. Data Security Vs. Data Privacy
Data security is commonly referred to as the confidentiality,
availability, and integrity of data.
Data privacy is suitably defined as the appropriate use of data.
When companies and merchants use data or information that is
provided or entrusted to them, the data should be used
according to the agreed purposes.
Companies need to enact a data security policy for the sole
purpose of ensuring data privacy or the privacy of their
consumers' information.
8. Data Security Vs. Data Privacy
Companies must ensure data privacy because the information is
an asset to the company.
A data security policy is simply the means to the desired end,
which is data privacy.
No data security policy can overcome the willing sale or
solicitation of consumer data that was entrusted to an
organization.
9. Need Of Data Privacy
Every time we use a service, we have to hand over some of our
personal information.
Even without our knowledge, information is being generated and
captured by companies and agencies we are likely to have never
knowingly interacted with.
“The only way citizens and consumers can have confidence in both
government and business is through strong data protection practices,
with effective legislation to help minimize needless monitoring by
officialdom and regulate surveillance by companies.”
10. Need Of Data Privacy
Data protection rules need to be enforced by a regulator or authority,
often called a Privacy Commissioner.
The strength of the powers invested in these authorities varies from
country to country, as does their independence from Government.
These powers can include the ability to conduct investigations, act on
complaints and impose fines when they discover an organization has
broken the law.
11. Data Protection Laws
As of August 2014, over 100 countries around the world have
enacted comprehensive data protection legislation, and several other
countries are in the process of passing such laws.
The strongest and most comprehensive laws are in the countries of
the European Union and European Economic Area that have
implemented the 1995 Data Protection Directive.
Canada is another leading example with two separate pieces of
legislation applying at the national level to government and industry.
12. Data Protection Laws
Data protection law has become not only a vehicle for
protecting citizens and consumers; it has also become a gateway to
trade.
The OECD Guidelines on the Protection of Privacy, first
agreed in 1980 and revised in 2013, were the pioneer in
establishing the data protection principles, adopted by many
countries in their legislation.
The EU's 1995 Directive standardized laws to some extent
across European Union member states, partly to enable trade
within the European market.
13. Data Protection Act Principles
The Data Protection Act is the law that protects us against illegal and
inappropriate use of our personal information without our consent, and the
same applies to our use of the information of others.
Anyone who processes personal information must comply with eight
principles of the Data Protection Act, which make sure that personal
information is:
Fairly and lawfully processed
Processed for limited purposes
Adequate, relevant and not excessive
Accurate and up to date
Not kept for longer than is necessary
Processed in line with your rights
Secure
Not transferred to other countries without adequate protection
14. State of Data Privacy in 2015
According to a recent survey by Dimensional Research,
93% of businesses are challenged by data privacy.
It estimated that by 2018, more than 9 billion U.S. dollars
will be lost due to payment card fraud, 6.4 billion due to
CNP (card not present) transactions.
17. State of Data Privacy in 2015
Another increasing worry in the online medium is malicious
use of personal information intended to humiliate, harass or in
other ways damage someone’s reputation.
Especially among youth, internet bullying is one of the biggest
fears parents have when it comes to their children's online
safety.
19. Introduction
Advancements in information technology (IT) have raised concerns
about the risks to data associated with weak IT security.
Inadequate IT security may result in compromised confidentiality,
integrity, and availability of the data due to unauthorized access.
To ensure that individual privacy remains carefully protected, local
and state education agencies should implement state-of-the-art
information security practices.
Staying ahead of the ever-evolving threat of a data breach requires
diligence on the part of the education community in understanding
and anticipating the risks.
21. Non-existent Security Architecture
Some organizations do not have an established security
architecture in place, leaving their networks vulnerable to
exploitation and the loss of personally identifiable information
(PII).
Inadequate network protection results in increased vulnerability
of the data, hardware, and software, including susceptibility to
malicious software.
22. Non-existent Security Architecture
If the network contains sensitive information or PII, it is critical
that even in a very limited resource environment, minimal user,
network and perimeter security protection mechanisms (such as
anti-virus) are implemented.
Mitigation: If an organization does not have the appropriate
personnel to design a security architecture, it is recommended
that a third party be brought in to consult with the IT team.
23. Un-patched Client Side Software and Applications
Computers run a variety of software applications, including
older versions that may contain vulnerabilities
that can be exploited by malicious actors.
Mitigation: To reduce the ability of malicious actors to
compromise or destroy an organization’s security system,
implement a robust patch management program that identifies
vulnerable software applications and regularly updates the
software security to ensure ongoing protection from known
threats.
24. Phishing and Targeted Attacks
(“Spear Phishing”)
One way malicious individuals or criminals (e.g., hackers)
target individuals and organizations to gain access to personal
information is through emails containing malicious code; this is
referred to as phishing. Once infected emails are opened, the
user's machine can be compromised.
Mitigation:
To reduce vulnerability to phishing and other e-mail security
scams, organizations should install professional enterprise-
level e-mail security software.
26. Phishing and Targeted Attacks
(“Spear Phishing”)
It is recommended that this software check both incoming and
outgoing messages to ensure that spam messages are not being
transmitted if a system becomes compromised.
In addition, organizations should provide regular internet
security training to staff to ensure user-awareness about e-mail
scams.
27. Internet Websites
Malicious code can be transferred to a computer through
browsing webpages that have not undergone security updates.
Simply browsing the internet and visiting compromised or
unsecured websites could result in malicious software being
downloaded to an organization’s computers and network.
Mitigation: To prevent threats from compromised websites,
employ firewalls and antivirus software to help identify and
block potentially risky web pages.
28. Poor Configuration Management
Any computer connected to the network, whether at work or at
home, that does not follow configuration management policy,
is vulnerable to an attack.
Weak data security protection measures that do not restrict
which machines can connect to the organization’s network
make it vulnerable to this type of threat.
29. Poor Configuration Management
Mitigation:
Establish a configuration management policy for connecting
any hardware to the network.
The policy should specify security mechanisms and procedures
for various types of hardware, including computers, printers,
and networking devices.
It is also recommended to implement a Network Access
Control solution to enforce configuration policy requirements.
30. Mobile Devices
Use of mobile devices, such as laptops or handheld devices,
including smartphones, is exploding; however, the ability to secure
them is lagging behind.
Data breaches can occur in a number of ways: devices can be lost,
stolen, or their security can be compromised by malicious code
invading the operating system and applications.
31. Mobile Devices
Mitigation:
To promote data security in case a device is lost or stolen,
encrypt data on all mobile devices storing sensitive
information.
Until more data encryption, user authentication, and anti-
malware solutions become available for mobile devices, the
best protection strategy is to implement a strict mobile device
usage policy and monitor the network for malicious activity.
32. Cloud Computing
In cloud computing large amounts of customer data are stored in
shared resources, which raises a variety of data encryption and
availability issues.
Further, the cloud provider faces the same data security
responsibilities and challenges as the organization that owns the data,
including patching and managing their applications against malicious
code.
Mitigation:
Conduct an assessment to compare benefits from adopting cloud
computing, including cost savings and increased efficiency, against
associated security risks.
33. Cloud Computing
It is critical to ensure that solutions offered by the cloud
provider effectively comply with the organization’s information
system security requirements, including operational and risk
management policies.
34. Removable media
The use of removable media on an organization’s network
poses a significant security threat.
Without proper protection, these types of media provide a
pathway for malware to move between networks or hosts.
Following proper security measures when using removable
media devices is necessary to decrease the risk of infecting an
organization's machines or the entire network.
35. Removable media
Mitigation:
To minimize the security risks, apply simple preventative steps.
These include disabling the “auto run” feature of the operating
system on the organization’s machines and training users to
scan removable media for viruses before opening the files.
36. Botnets
Botnets are networks of compromised computers used by
hackers for malicious purposes, usually criminal in nature.
Clean up efforts resulting from botnet infestation may be costly
and damaging to an organization’s reputation.
Mitigation:
Since there are many ways computers can become
compromised, having a strong security architecture is critical to
defending against a malicious botnet attack.
38. Botnets
Strategies for botnet detection involve analyzing patterns of
data sent over the network, and monitoring computer resources
usage and external connections.
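The slide names "patterns of data sent over the network" and "external connections" as the basis for botnet detection. The following added example (not from the original deck or any of its sources) shows one such pattern check: it parses a constructed outbound-connection log and flags host/destination pairs that connect at near-constant intervals with near-constant payload sizes, the periodic "check-in" behaviour of a compromised machine polling its controller. The log format, hosts, addresses and thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of outbound connection log lines (not real traffic).
# Format assumed for this example: "<epoch seconds> <src> -> <dst>:<port> <bytes>"
SAMPLE_LOG = """\
1000 10.0.0.5 -> 198.51.100.7:443 512
1300 10.0.0.5 -> 198.51.100.7:443 510
1600 10.0.0.5 -> 198.51.100.7:443 515
1900 10.0.0.5 -> 198.51.100.7:443 511
2200 10.0.0.5 -> 198.51.100.7:443 513
1020 10.0.0.8 -> 203.0.113.9:443 4096
1045 10.0.0.8 -> 203.0.113.22:80 120
1900 10.0.0.8 -> 203.0.113.9:443 9000
2500 10.0.0.8 -> 203.0.113.9:443 300
"""

LINE_RE = re.compile(r"^(\d+) (\S+) -> (\S+):(\d+) (\d+)$")


def parse_log(text):
    """Return a list of (timestamp, src, dst, port, nbytes) tuples,
    silently skipping lines that do not match the assumed format."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, port, nbytes = m.groups()
            records.append((int(ts), src, dst, int(port), int(nbytes)))
    return records


def find_beacons(records, min_events=4, max_jitter=0.2, max_size_spread=0.1):
    """Flag (src, dst) pairs whose connections are regularly spaced and
    similarly sized. Regularity is measured as the coefficient of
    variation (stdev / mean) of the gaps between events and of the byte
    counts; the thresholds are illustrative, not tuned values."""
    by_pair = defaultdict(list)
    for ts, src, dst, _port, nbytes in records:
        by_pair[(src, dst)].append((ts, nbytes))

    hits = []
    for (src, dst), events in by_pair.items():
        if len(events) < min_events:
            continue  # too few connections to call anything periodic
        events.sort()
        gaps = [later[0] - earlier[0] for earlier, later in zip(events, events[1:])]
        sizes = [nbytes for _, nbytes in events]
        gap_cv = pstdev(gaps) / mean(gaps) if mean(gaps) else 0.0
        size_cv = pstdev(sizes) / mean(sizes) if mean(sizes) else 0.0
        if gap_cv <= max_jitter and size_cv <= max_size_spread:
            hits.append({"src": src, "dst": dst,
                         "events": len(events), "interval": mean(gaps)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{hit['src']} -> {hit['dst']}: {hit['events']} connections "
              f"every {hit['interval']} s (possible beaconing)")
```

In the constructed log only 10.0.0.5 is flagged: its five connections to 198.51.100.7 are exactly 300 seconds apart with almost identical sizes, while 10.0.0.8's irregular, differently sized transfers are not.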
39. Zero-day Attacks
A zero-day attack is a threat aimed at exploiting a software
application vulnerability before the application vendor
becomes aware of it and before the vulnerability becomes
widely known to the internet security community.
These attacks are among the hardest to mitigate and leave
computers and networks extremely vulnerable.
42. Zero-day Attacks
Mitigation:
Unless an organization has access to IT analysts who are highly
experienced in technical vulnerability assessment, a frequently
recommended approach to mitigation is to wait for the vendor
to release a patch that fixes the vulnerability.
The organization should keep abreast of the latest software
patches and deploy the fix as soon as it is distributed by the
developer.
44. Insider Threats
An insider is defined as someone with legitimate access to the
network.
Because information accessed by insiders can be easily stolen,
copied, deleted, misfiled, or changed, insider threats can be
some of the most damaging, regardless of whether they occur
due to user carelessness or malicious attempts.
45. Insider Threats
Mitigation:
To mitigate this type of threat, establish and enforce a well-
defined privilege rights management system.
Audit programs are useful in enforcing access controls and
monitoring suspicious activity.
46. Poor Passwords
Implementing a policy on strong user passwords is critical to
data protection.
Modern password-cracking programs can easily break weak
passwords, such as those containing common words or word
groups found in a dictionary.
For this reason, user-selected passwords are generally
considered to be weaker than randomly-generated passwords.
47. Poor Passwords
Mitigation:
Use a professional password-generating program as an
enterprise-level solution.
In addition to implementing procedures for generating strong
passwords, train users on how to maintain the security of their
passwords.
For enhanced security, consider implementing more advanced
authentication capabilities, such as multi-factor authentication.
48. Physical Security
Physical security is essential to preventing unauthorized
access to sensitive data as well as protecting an
organization’s personnel and resources.
Physical safety measures include securing access to
dedicated computers, server rooms, routers, printers, and
any areas that process or store sensitive data.
49. Physical Security
Mitigation:
Establish and enforce a physical security system.
Strong physical security includes access control policies
and procedures; physical barriers; surveillance and alarm
systems; and security breach notification, response, and
system recovery procedures.
50. Insufficient Backup and Recovery
Lack of a robust data backup and recovery solution puts
an organization’s data at risk and undermines the
effectiveness of its IT operations.
Data and system recovery capabilities allow an
organization to reduce the risk of damage associated with
a data breach.
51. Insufficient Backup and Recovery
Mitigation:
Establish an organizational policy and specify procedures
for data backup, storage, and retrieval.
Many advanced data and system backup and recovery
tools are available on the market.
52. Improper Destruction
Discarded electronic devices, such as computers or
portable drives, that have been used in processing and
storing sensitive data, remain vulnerable unless the data
are erased properly.
A data breach can occur if recovery tools are used to
extract improperly erased or overwritten data.
53. Improper Destruction
Mitigation:
Establish a policy for protecting or destroying no longer needed
IT assets and media that may contain sensitive data.
Several standards organizations offer guidelines that outline
best practices for ensuring data are discarded properly,
including recommendations published by the National Institute
of Standards and Technology (NIST) titled NIST SP 800-88,
“Guidelines for Media Sanitization.”
54. Social Media
Using an organization's devices and network resources to access
social media websites poses a high data security threat.
Social networking sites are often targeted by malware, receive
a high degree of spam, and are frequently used to gain
information for identity theft.
Mitigation:
Introduce and reinforce a policy forbidding access to some
social media websites while using an organization’s resources
and equipment.
55. Social Media
Train users about the security threats generated by visiting
these sites.
Organizations that allow access to social media websites
should deploy a strong anti-virus and spam filtering solution.
56. Conclusion
Understanding the vast array of threats is the first step in ensuring
adequate protection of sensitive data.
All networks are vulnerable to cyber security threats.
A comprehensive data security program is essential for mitigating
these threats and preventing a data breach.
A holistic approach to data security begins with understanding the
network, its architecture, user population, and mission requirements.
Consistent implementation of the security plan will reduce
susceptibility to cyber threats and increase the overall security of an
organization’s data.
58. Introduction
“Access control” is where security engineering meets
computer science.
Its function is to control which (active) subject has access
to which (passive) object with some specific access
operation.
Figure I. Access Control Model: subject -> access operation -> object
59. Introduction
Access Controls: The security features that control how users
and systems communicate and interact with one another.
Access: The flow of information between subject and object
Subject: An active entity that requests access to an object or
the data in an object
Object: A passive entity that contains information
60. Security Principles
The three main security principles also pertain to access
control:
Availability
Integrity
Confidentiality
61. Identification, Authentication, and Authorization
Identification, Authentication, and Authorization are
distinct functions.
Identification
Authentication
Authorization
Identity Management: A broad term to include the use
of different products to identify, authenticate, and
authorize users through automated means
62. Identification
Method of establishing the subject’s identity
User, Program, Process
Use of username or other public information
Identification component requirements
Each value should be unique
Follow a standard naming scheme
Non-descriptive of the user’s position or tasks
Must not be shared between users
63. Authentication
Method of proving the identity
Something you know (Passwords, OTP, Passphrase)
Something you have (Smart Card, Token, Document)
Something you are (Fingerprints, Retina Scan)
Use of passwords, tokens, biometrics, or other private
information
What is two-factor authentication?
Strong authentication
65. Types of Access Controls
Administrative controls
Define roles, responsibilities, policies, and administrative
functions to manage the control environment.
Technical controls
Use hardware and software technology to implement access
control.
Physical controls
Ensure safety and security of the physical environment.
66. Administrative controls
Policies and procedures
Security awareness training
Asset classification and control
Employment policies and practices (background checks, job
rotations, and separation of duties)
Account administration
Account, log monitoring
Review of audit trails
68. Physical controls
HVAC
Fences, locked doors, and restricted areas
Guards and dogs
Motion detectors
Video cameras
Fire detectors
Smoke detectors
69. Categories of Access Controls
Control Type   Description
Preventive     Avoid incident
Deterrent      Discourage incident
Detective      Identify incident
Corrective     Remedy circumstance/mitigate damage and restore controls
Recovery       Restore conditions to normal
Compensating   Alternative control
70. Access Control Threats
Insiders
Countermeasures include good policies and procedures, separation of
duties, job rotation
Dictionary Attacks
Countermeasures include strong password policies, strong
authentication, intrusion detection and prevention
Brute Force Attacks
Countermeasures include penetration testing, minimum necessary
information provided, monitoring, intrusion detection, clipping levels
Spoofing at Logon
Countermeasures include a guaranteed trusted path, security awareness
to be aware of phishing scams, SSL connection
71. Access Control Monitoring
Intrusion Detection Systems
Network Based (NIDS)
Host Based (HIDS)
HIDS and NIDS can be:
Signature Based
Statistical Anomaly Based
Protocol Anomaly Based
Traffic Anomaly Based
Rule Based
72. Access Control Monitoring
Intrusion Prevention Systems
A preventative and proactive technology, whereas IDS is a detective technology.
Network Based (NIPS)
Host Based (HIPS)
Honeypots
An attractive offering that hopes to lure attackers away from critical
systems
Network sniffers
A general term for programs or devices that are able to examine traffic on
a LAN segment.
73. Access Control Models
Organizations use access control mechanisms to mitigate the
risks of unauthorized access to their data, resources, and
systems. Several access control models exist.
In some cases, the more complicated models expand upon and
enhance earlier models, while in other cases they represent a
rethinking of the fundamental manner in which access control
should be done.
In many cases, the newer, more complicated models arose not
from deficiencies in the security that earlier models provide,
but from the need for new models to address changes in
organizational structures, technologies, organizational needs,
technical capabilities, and/or organizational relationships.
74. Access Control Models
Figure: the models ACL, RBAC, ABAC, PBAC and RAdAC arranged along two axes,
with an increasing policy basis for the access control decision and an
increasingly finer granularity of access control.
75. Access Control Lists (ACL)
The concept of an ACL is very simple: each resource on a
system to which access should be controlled, referred to as
an object, has its own associated list of mappings between
the set of entities requesting access to the resource and the
set of actions that each entity can take on the resource.
Some applications also maintain access control lists to
determine which users are able to view certain data
elements.
76. Access Control List (ACL)
Matrix is stored by column.
Each object is associated with a list that indicates, for each
subject, the actions that the subject can exercise on the object.
77. Access Control Lists: Limitations
The ACL for a particular file, process, or other resource must
be checked every time the resource is accessed, and this can be
an inefficient means of providing access control.
ACLs control not only user access to system resources; they
also control application and system access as well.
ACLs can also be difficult to manage in an enterprise setting
where many people need to have different levels of access to
many different resources.
Selectively adding, deleting and changing ACLs on individual
files, or even groups of files, can be time-consuming and error-
prone.
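To make "the matrix is stored by column" concrete, here is an added example (not code from the deck or its sources) that turns a constructed subject/object access matrix into one ACL per object, answers "who may do what to this object" directly from that list, re-checks the ACL on every access, and shows that removing one subject means editing every object's list. Subjects, objects and operations are constructed sample values.

```python
# Constructed access matrix: rows are subjects, columns are objects, and each
# cell holds the operations that subject may perform on that object.
ACCESS_MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "report.pdf": {"read"}},
    "bob":   {"report.pdf": {"read", "write"}},
    "carol": {"payroll.db": {"read"}, "report.pdf": {"read"}},
}


def matrix_to_acls(matrix):
    """Store the matrix by column: one ACL per object, mapping each subject
    to the set of operations it can exercise on that object."""
    acls = {}
    for subject, row in matrix.items():
        for obj, ops in row.items():
            acls.setdefault(obj, {})[subject] = set(ops)
    return acls


class AclGuard:
    """Reference monitor that consults the object's ACL on every access."""

    def __init__(self, acls):
        self.acls = acls
        self.checks = 0  # counts lookups: every access costs one ACL check

    def is_allowed(self, subject, obj, op):
        self.checks += 1
        return op in self.acls.get(obj, {}).get(subject, set())

    def subjects_with(self, obj, op):
        """Because the list hangs off the object, 'who can read payroll.db?'
        is answered by scanning one list rather than the whole matrix."""
        return {s for s, ops in self.acls.get(obj, {}).items() if op in ops}

    def grant(self, subject, obj, op):
        self.acls.setdefault(obj, {}).setdefault(subject, set()).add(op)

    def revoke_subject(self, subject):
        """Removing a person means visiting every object's list, which is the
        per-resource maintenance burden the slide describes. Returns the
        number of ACLs that had to be edited."""
        touched = 0
        for entry in self.acls.values():
            if entry.pop(subject, None) is not None:
                touched += 1
        return touched


if __name__ == "__main__":
    guard = AclGuard(matrix_to_acls(ACCESS_MATRIX))
    print("alice write payroll.db:", guard.is_allowed("alice", "payroll.db", "write"))
    print("readers of payroll.db:", sorted(guard.subjects_with("payroll.db", "read")))
    print("ACLs edited to remove carol:", guard.revoke_subject("carol"))
```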
78. Role-based Access Control (RBAC)
RBAC determines access based on roles.
More than one person can have the same role.
RBAC allows for the grouping of individuals into categories of
people who fulfill a particular role.
One set of access control permissions on a particular resource then
applies to everyone in the role: the source code tree for a new piece
of software can be set once for all members of the software
engineering department.
80. Role-based Access Control: Limitations
One of the most significant limitations is that dividing people into
categories based on roles makes it more difficult to define
granular access controls for each person.
It is often necessary to create more specific versions of roles or
devise other mechanisms to exclude specific individuals who
fall into a particular role, but do not necessarily need to have
the full rights accorded to other members of a group.
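An added example (not from the deck or its sources) of the RBAC behaviour and limitation described above: permissions are attached to roles, so adding a new engineer touches no resource, while excluding a single person from part of a role's rights has to be done by deriving a narrower role for that person. Roles, users and resources are constructed sample values.

```python
class Rbac:
    """Minimal role-based access control: users -> roles -> permissions,
    where a permission is an (object, operation) pair."""

    def __init__(self, role_permissions, user_roles):
        self.role_permissions = {r: set(p) for r, p in role_permissions.items()}
        self.user_roles = {u: set(r) for u, r in user_roles.items()}

    def permissions_of(self, user):
        """A user's effective permissions are the union over all their roles."""
        perms = set()
        for role in self.user_roles.get(user, set()):
            perms |= self.role_permissions.get(role, set())
        return perms

    def is_allowed(self, user, obj, op):
        return (obj, op) in self.permissions_of(user)

    def assign(self, user, role):
        """Adding someone to a role is one membership change; no resource's
        permissions need to be edited."""
        if role not in self.role_permissions:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def restrict(self, user, withheld):
        """Exclude one person from part of their role's rights. RBAC has no
        per-user exception, so the workaround is to create a more specific
        role carrying everything except the withheld permissions and move
        the user onto it. Returns the new role's name."""
        narrower = self.permissions_of(user) - set(withheld)
        role = f"{user}-restricted"
        self.role_permissions[role] = narrower
        self.user_roles[user] = {role}
        return role


# Constructed sample: one permission set on the source tree for all engineers.
ROLE_PERMISSIONS = {
    "engineer": {("src-tree", "read"), ("src-tree", "write"), ("wiki", "read")},
    "engineering-intern": {("src-tree", "read"), ("wiki", "read")},
    "manager": {("wiki", "read"), ("wiki", "write")},
}
USER_ROLES = {
    "alice": {"engineer"},
    "bob": {"engineer", "manager"},
    "dave": {"engineering-intern"},
}


if __name__ == "__main__":
    rbac = Rbac(ROLE_PERMISSIONS, USER_ROLES)
    rbac.assign("erin", "engineer")  # new hire: no per-resource change
    print("erin writes src-tree:", rbac.is_allowed("erin", "src-tree", "write"))
    print("new role for alice:", rbac.restrict("alice", {("src-tree", "write")}))
    print("alice writes src-tree:", rbac.is_allowed("alice", "src-tree", "write"))
    print("roles now:", sorted(rbac.role_permissions))
```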
81. Attribute Based Access Control (ABAC)
Access control decisions are made based on a set of characteristics,
or attributes.
Associated with the requester, the environment, and/or the resource
itself.
Each attribute is a discrete, distinct field that a policy decision point
can compare against a set of values to determine whether or not to
allow or deny access.
Attributes do not necessarily need to be related to each other.
Attributes that go into making a decision can come from disparate,
unrelated sources.
82. Attribute Based Access Control: Limitations
One limitation of the ABAC model is that in a large
environment with many resources, individuals, and
applications, there can be disparate attributes and access
control mechanisms among the organizational units.
It is often necessary to harmonize access control across
the enterprise in order to meet enterprise governance
requirements.
83. Policy-based Access Control (PBAC)
Emerging model that seeks to help enterprises address the need to
implement concrete access controls based on abstract policy and
governance requirements.
PBAC can be said to be a harmonization and standardization of the
ABAC model at an enterprise level in support of specific governance
objectives.
PBAC combines attributes from the resource, the environment, and
the requester with information on the particular set of circumstances
under which the access request is made.
It uses rule sets that specify whether the access is allowed under
organizational policy for those attributes under those circumstances.
84. Policy-based Access Control: Limitations
In contrast to the other access control models, PBAC
requires not only complicated application-level logic to
determine access based on attributes, but also a
mechanism to specify policy rules in unambiguous terms.
85. Risk-Adaptive Access Control (RAdAC)
Devised to bring real-time, adaptable, risk-aware access
control to the enterprise.
RAdAC represents a fundamental shift in the way access
control is managed.
It extends upon other earlier access control models by
introducing environmental conditions and risk levels into
the access control decision process.
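The ABAC, PBAC and RAdAC slides above describe one progression: attributes of the requester, resource and environment; a rule set stating when policy allows access under those attributes; and a risk level derived from the circumstances that can override an otherwise permitted request. The following added example (not from the deck or its sources) implements a small policy decision point that does all three. The attribute names, rules, risk weights and tolerance values are constructed for the example and not taken from any real product.

```python
from dataclasses import dataclass


@dataclass
class Request:
    """One access request as three attribute groups (ABAC), each of which
    may come from a different source: identity store, data catalogue,
    and the session/network context."""
    subject: dict
    resource: dict
    environment: dict


# Hypothetical PBAC rule set: every rule must hold for access to be allowed
# under policy. Each rule is (policy requirement, predicate over attributes).
POLICY_RULES = [
    ("clearance covers classification",
     lambda r: r.subject["clearance"] >= r.resource["classification"]),
    ("requester in owning department",
     lambda r: r.subject["department"] == r.resource["owner_dept"]),
    ("device is managed",
     lambda r: r.environment["device_managed"]),
]


def risk_score(r):
    """RAdAC: turn the circumstances of the request into a risk level.
    The weights are illustrative; a deployment would calibrate them."""
    score = 0
    if not 8 <= r.environment["hour"] < 18:
        score += 2                           # off-hours access
    if r.environment["network"] != "corporate":
        score += 3                           # request from outside the corporate network
    score += r.resource["classification"]    # more sensitive data, more at stake
    if r.subject.get("mfa"):
        score -= 2                           # strong authentication lowers residual risk
    return max(score, 0)


def decide(r, rules=POLICY_RULES):
    """Return ("permit" | "deny", reasons). Policy rules are evaluated first;
    a request that passes them is still denied when its risk exceeds the
    tolerance recorded on the resource."""
    failed = [name for name, predicate in rules if not predicate(r)]
    if failed:
        return "deny", failed
    risk = risk_score(r)
    tolerance = r.resource["risk_tolerance"]
    if risk > tolerance:
        return "deny", [f"risk {risk} exceeds tolerance {tolerance}"]
    return "permit", [f"risk {risk}"]


if __name__ == "__main__":
    # Constructed attribute values for one resource and one requester.
    payroll = {"classification": 3, "owner_dept": "finance", "risk_tolerance": 4}
    analyst = {"clearance": 3, "department": "finance", "mfa": True}
    office = {"hour": 10, "network": "corporate", "device_managed": True}
    late_home = {"hour": 23, "network": "home", "device_managed": True}
    print("office hours, corporate network:", decide(Request(analyst, payroll, office)))
    print("late night from home:", decide(Request(analyst, payroll, late_home)))
```

The same requester with the same clearance is permitted from the corporate network during office hours but denied late at night from home, even though every policy rule still holds, which is exactly the environmental, risk-aware dimension RAdAC adds.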
86. Risk-Adaptive Access Control: Limitations
RAdAC faces a variety of non-technical challenges, including
those of policy and law:
Does deploying RAdAC in certain environments violate the law?
Who is accountable if a security breach were to occur?
Are the system owners, the RAdAC implementers and
administrators, and/or the RAdAC system designers ultimately
responsible if a breach were to occur?
87. Conclusion
The business-to-business (B2B) relationships that enable
organizations to successfully execute their missions, for example,
sometimes require users or systems from one business to access
resources from business partners.
Simpler access control models often cannot adequately meet the
complex access control requirements that such relationships require,
and so more granular, powerful, dynamic models and mechanisms
are needed to address these new realities.
In short, increasingly complex data access and sharing requirements
drive the need for increasingly complex access control models and
mechanisms.