Data Privacy and Cryptography Quiz
45 Questions

Questions and Answers

What type of technology primarily leads to the exfiltration of data from users?

  • Computers
  • Smartphones (correct)
  • Tablets
  • Household appliances

Which feature of smartphones allows third parties to track user interactions?

  • Battery optimization
  • Notification settings
  • Voice commands
  • Location services (correct)

What is a common method used by advertisers to target users based on their data trails?

  • Print advertisements
  • Telemarketing calls
  • Contracting with third-party ad networks (correct)
  • Direct email campaigns

How do filtering apps used before uploading photos to social media impact data security?

  • They can access all photos and their associated data.

What allows smartphones to provide less control over user privacy compared to standard computers?

  • Inherent app capabilities to access data

Where might the data trail from a user stopping at a store primarily be derived from?

  • Location services and credit card usage

What type of identifiers are primarily linked to data exfiltration in smartphones?

  • Mobile advertising identifiers

What statement about smartphones and privacy is true?

  • They significantly compromise user privacy.

Which benefit of cryptography ensures that only authorized parties can view the information?

  • Confidentiality

What does the integrity benefit of cryptography specifically ensure?

  • Information is correct and unaltered

Which cryptographic benefit provides proof that a user performed a specific action?

  • Non-repudiation

What begins almost always with the theft of personal data?

  • Identity theft

What type of cryptography uses a single key for both encryption and decryption?

  • Symmetric cryptography

Which aspect of cryptography makes information difficult to understand or unclear?

  • Obfuscation

How can statistical inferences about individuals be made from social media interactions?

  • By analyzing likes on Facebook

What is the primary purpose of authentication in cryptography?

  • To confirm the identity of users

What is a potential issue created by the sharing or interchange of data?

  • Unintended cross-pollination

Which of the following is NOT a risk associated with private data gathering?

  • Improved advertising placement

Which cryptographic benefit ensures that data cannot be altered by unauthorized users?

  • Integrity

In the context of cryptography, what does non-repudiation prevent individuals from doing?

  • Claiming they did not perform an action

What problem arises from the inability of users to verify the accuracy of their data?

  • Erroneous decisions made about individuals

What is a consequence of being placed in a social group online?

  • Misleading applications of group characteristics

How do surveillance-based advertisers primarily gather personal data?

  • Through tracked online behavior

Which software tool is specifically designed for file encryption?

  • Folder Lock

Which of the following best describes the challenge users face with their private data?

  • Lack of formal rights to know about their gathered data

What type of encryption protects all data on a storage unit?

  • Full Disk Encryption

Which of the following is a hardware-based cryptographic device?

  • Trusted Platform Module

Which encryption method is effective for data moving over a network?

  • End-to-end encryption

Which software is part of Microsoft's encryption offerings?

  • Microsoft’s BitLocker

What cryptographic service does a Hardware Security Module provide?

  • Removable external cryptographic functions

Which of the following is a characteristic of hardware encryption?

  • Embedded in hardware for increased security

Which feature best describes Apple's FileVault?

  • It protects groups of files on macOS.

What is the role of a key in cryptography?

  • A key is a value entered into the algorithm to produce ciphertext.

Which statement accurately describes symmetric cryptography?

  • It uses one key for both encryption and decryption.

What should be limited to employees who have a specific job function?

  • Administrative access

What limitation does TLS have regarding message protection?

  • TLS secures messages only while they are in transit.

What is a recommended practice for encrypting sensitive customer information?

  • Use industry-tested and accepted algorithms

Which of the following is a characteristic of symmetric cryptography?

  • It can use the same key for different encryption processes.

What is the best action to take when disposing of sensitive data?

  • Dispose of them securely

Which of the following statements about keys in cryptographic algorithms is true?

  • Keys must remain secret to ensure data confidentiality.

What can occur if administrative access is not limited effectively within an organization?

  • Increased risk of unauthorized system changes

Which of the following methods is not a valid way to securely dispose of personal information?

  • Selling equipment with data intact

What common mistake might organizations make regarding data encryption?

  • Implementing nonstandard encryption methods

Which is a consequence of not properly disposing of sensitive personal information?

  • Risk of data breaches

Which practice helps ensure sensitive information is protected when it is no longer needed?

  • Disposing of it securely

    Study Notes

    Security Awareness, Module 6: Privacy

    • Module Objectives:
      • Explain how data is being stolen from users.
      • Identify "data thieves."
      • Describe the risks associated with data theft.
      • Define cryptography and explain how it provides protection.
      • Explain how to strengthen privacy by limiting cookies, disabling MAIDs, and following best practices.

    Introduction

    • Technology has eroded personal privacy.
    • Unauthorized individuals access and use data without permission.
    • These individuals do not break laws.
    • Data theft results in hundreds of billions of dollars annually.

    Data Theft

    • Data theft involves:
      • Knowing what data is being stolen.
      • Knowing how the data is being stolen.
      • Identifying the data thieves.
      • Understanding the risks to users.
      • Understanding usage of stolen data.

    What Is Being Stolen and How? (1 of 2)

    • Data types stolen in a typical day:
      • Smartphone information for weather forecasts and traffic conditions.
      • Tracking features allow third parties to collect data about the user's interaction with the app.
      • Companies contract with third-party ad networks for ad space to target tracked individuals.
      • Using apps to filter selfies before uploading to social media: the app accesses any data about the photos uploaded.

    What Is Being Stolen and How? (2 of 2)

    • Data trail from everyday interactions with technology:
      • Data collected from stopping at a yogurt store using a credit card.
      • Examples: household appliances, televisions, automobiles, personal assistants (Alexa, Siri), and web forms.

    How Data Is Exfiltrated (1 of 2)

    • Majority of stolen data is from smartphones using trackers.
    • Smartphones are not designed to protect user privacy.
    • Smartphones offer less user control over the device compared to standard computers.
    • Data exfiltration is primarily based on location services and mobile advertising identifiers.

    How Data Is Exfiltrated (2 of 2)

    • Location services (geolocation, GPS, Wi-Fi):
      • Apps on the smartphone request and transmit location data back to the hosting company.
    • Mobile Advertising Identifier (MAID):
      • Unique number identifies a specific device.
      • Links location data and app interaction.

    Who Are the Data Thieves? (1 of 5)

    • Three primary entities that steal user data:
      • Surveillance-based advertisers.
      • Governments.
      • Schools.

    Who Are the Data Thieves? (2 of 5)

    • Surveillance-based advertisers (ad tech):
      • Target individuals pre-identified through smartphone tracking data.
      • Advertising targeting individual characteristics
      • Tracking consumer activities over multiple devices (smartphones, laptops, tablets)

    Who Are the Data Thieves? (3 of 5)

    • Governments:
      • Can monitor citizen activities without their knowledge or permission.
      • Enabled via the Communications Assistance for Law Enforcement Act (CALEA) of 1994.
      • Allows targeted surveillance on phones, the internet, and VoIP traffic.

    Who Are the Data Thieves? (4 of 5)

    • Schools:
      • Increasingly gather information about their students to:
        • Locate missing students.
        • Determine if a student attended a class.
        • Identify potential threats to other students.

    Who Are the Data Thieves? (5 of 5)

    • Table 6-1: Data types collected by schools:
      • Location data (ex: Wi-Fi connections, contactless chips).
      • Audiovisual data (facial recognition).
      • Web browsing data (visited websites).
      • Device usage (social media postings).

    What Are the Risks? (1 of 3)

    • Associations with groups: Group characteristics may not accurately reflect individual characteristics.
    • Statistical inferences: Likes and activity on certain platforms can reveal sensitive traits (sexual orientation, drug use, political beliefs)
    • Unintended cross-pollination: Data sharing can have unintended negative consequences.

    What Are the Risks? (2 of 3)

    • Identity theft: Theft of personal data as a precursor. Often carried out by surveillance-based advertisers, businesses, governments, or schools.
    • Individual inconveniences: Targeted ad marketing can be viewed as annoying or unwanted.

    What Are the Risks? (3 of 3)

    • Table 6-2: Issues regarding how private data is gathered and kept secret:
      • Data is frequently gathered and remains secret.
      • Data accuracy cannot be verified.
      • Identity theft can affect and negatively impact data accuracy.
      • Unknown factors can affect overall data ratings.
      • Informed consent for privacy is frequently missing and misunderstood.
      • Data is used for important life decisions (jobs, consumer credit, life insurance, and ID verification).
      • Can perpetuate or reinforce harmful stereotypes based on the user's private data (e.g., men more likely to be shown job ads in science, tech, engineering, and math fields compared to women).

    Privacy Protections

    • Implementations to reduce risks associated with private data:
      • Cryptography.
      • Limiting cookies.
      • Disabling and monitoring MAIDs.
      • Following best practices.
      • Organizations that collect private data have responsibilities

    Use Cryptography (1 of 22)

    • Cryptography (hidden writing): The practice of transforming information to prevent unauthorized understanding.
    • Encryption: Transforming data into a scrambled message.
    • Decryption: Transforming the scrambled message back into the original data.
    • Cipher: A cryptographic algorithm using a mathematical value (key) for encryption.
    • Key: A mathematical value to encrypt and decrypt data.

    Use Cryptography (2 of 22)

    • Cleartext data: Data in its unencrypted form (plaintext).
    • Plaintext data: Cleartext data to be encrypted.
    • Ciphertext data: Scrambled and unreadable output of encryption. Based on mathematical formulas for encryption and decryption.

    Use Cryptography (3 of 23)

    • Figure 6-1: Graphic illustrating the cryptographic process (encryption & decryption). Includes labels for plaintext, ciphertext, encryption algorithm, decryption algorithm, key, and transmission.

    Use Cryptography (4 of 23)

    • Benefits of Cryptography:
      • Confidentiality
      • Integrity
      • Authentication
      • Non-repudiation
      • Obfuscation

    Use Cryptography (5 of 22)

    • Table 6-3: Information protections via cryptography
      • Confidentiality: Ensures authorized access only.
      • Integrity: Ensures data is correct and unaltered.
      • Authentication: Verifies the sender's legitimacy.
      • Non-repudiation: Proves the user performed an action.
      • Obfuscation: Makes information obscure.

    Use Cryptography (6 of 22)

    • Types of Cryptography:
      • Symmetric cryptography: Uses the same key for encryption and decryption. (Identical keys). Distribution poses a significant challenge.
      • Asymmetric cryptography: Uses two keys (public and private), related mathematically. Distribution of the public key is easier.

    Use Cryptography (7 of 22)

    • Symmetric Cryptography:
      • Original cryptography for encrypting and decrypting data.
      • Same key used for encryption and decryption.
      • Also known as private key cryptography.
      • Identical keys for encryption and decryption.

    Use Cryptography (8 of 22)

    • Figure 6-2: A graphic illustrating symmetric (private key) cryptography. Includes labels for plaintext, ciphertext, encryption algorithm, decryption algorithm, key, and transmission pathways.

    Use Cryptography (9 of 22)

    • Asymmetric Cryptography:
      • Also known as public key cryptography.
      • Uses two mathematical keys (public and private).
      • Public key is widely distributed.
      • Private key is kept confidential and known only to the individual to whom it belongs.

    Use Cryptography (10 of 22)

    • Figure 6-3: A graphic illustrating asymmetric (public key) cryptography. Includes labels of plaintext, ciphertext, encryption algorithm, decryption algorithm, public key, private key, and transmission pathways.

    Use Cryptography (11 of 22)

    • Asymmetric Cryptography Principles:
      • Key pairs: Requires a pair of keys (public and private), for different purposes (encryption, decryption).
      • Public Key: Does not need protection in comparison to the private key.
      • Private key: Should be kept confidential.
      • Direction: Keys can be used in both directions (encrypt and decrypt).

    Use Cryptography (12 of 22)

    • Table 6-4: Asymmetric cryptography practices. Displays actions, keys used for encryption and decryption, and explanations for specific scenarios.

    Use Cryptography (13 of 22)

    • Protections Through Cryptography: Data at rest, data in transit.
      • Data at rest: Stored on electronic media (mobile, laptop, external storage). Encryption can be implemented by using software running on the device.

    Use Cryptography (14 of 22)

    • Encryption through Software:
      • Third-party software tools (GNU Privacy Guard (GnuPG), AxCrypt, Folder Lock, VeraCrypt).

    Use Cryptography (15 of 22)

    • Figure 6-4: A graphic illustrating the VeraCrypt volume creation wizard. Includes labels and elements related to the file system, speeds, and times.

    Use Cryptography (16 of 22)

    • Encryption through Software:
      • Operating system support: Protecting groups of files takes advantage of OS's file encryption support. Examples include Microsoft's Encrypting File System (EFS) for Windows and Apple's FileVault.
      • Full disk encryption (FDE): Protects all data on a storage unit (e.g., Microsoft's BitLocker).

    Use Cryptography (17 of 22)

    • Hardware Encryption:
      • Hardware vs. software: Cannot be exploited like software encryption; provides higher security level.
      • Self-encrypting drives (SEDs): Secure all data on the drive.
      • Hardware Security Module (HSM): Removable external cryptographic hardware device.
      • Trusted Platform Module (TPM): Cryptographic chip on the computer motherboard.

    Use Cryptography (18 of 22)

    • Data in Transit:
      • Data transferred over a network.
      • Protection through cryptography (using digital certificates, end-to-end encryption, and Transport Layer Security (TLS)).

    Use Cryptography (19 of 22)

    • Digital Certificates:
      • Associate user identity to a public key using third-party verification of owner and public key.
      • Enable authenticity of web servers and cryptographic connections to the web server.
      • Certificates issued from a web server to a device (e.g., client computer)

    Use Cryptography (20 of 22)

    • Types of Digital Certificates:
      • Code signing certificates: Verify software publishers to prevent unauthorized alterations to software.
      • Email security certificates: Enable users to digitally sign and encrypt mail messages.

    Use Cryptography (21 of 22)

    • Figure 6-6: A graphic illustrating a verified publisher message in a user account control pop-up. Includes labels associated with the software origin and authentication from a third-party vendor.

    Use Cryptography (22 of 22)

    • End-to-End Encryption (E2EE):
      • Protect from sender to receiver.
    • Transport Layer Security (TLS):
      • Secure transmissions between the user and their app's servers, and from the app's servers to the recipient's device. Hypertext Transport Protocol Secure (HTTPS) is an example. Virtual Private Network (VPN) is another example.

    Limit Cookies (1 of 2)

    • HTTP (stateless): Does not record user interaction.
    • Stateful protocol: Keeps track of everything.
    • Cookies: Files on user's local computer for remembering.

    Limit Cookies (2 of 2)

    • First-party cookie: Created by the website
    • Third-party cookie: Used for advertising by other websites.
    • Session cookie: Stored in RAM; temporary.

    Disable and Monitor MAIDs

    • Disable MAIDs on mobile devices to prevent tracking.
    • Navigate to Settings > Privacy on mobile devices to disable.

    Follow Privacy Best Practices (1 of 3)

    • Use encryption for protecting sensitive documents.
    • Use strong passwords.
    • Shred documents containing personal information.
    • Avoid carrying sensitive info (SSN, etc.) in wallets.
    • Avoid sharing private information over the phone.
    • Store personal info in a secure location.
    • Exercise caution regarding social media postings.

    Follow Privacy Best Practices (2 of 3)

    • Keep recent financial statements for limited time.
    • Install anti-spyware/virus software.
    • Use a popup blocker.
    • Manage browser cookies (control cookies, use private browsing option, review privacy options).
    • Turn on privacy features (e.g., in the browser)

    Follow Privacy Best Practices (3 of 3)

    • Enable Wi-Fi Protected Access 2 (WPA2) Personal.
    • Be cautious about permission requests from websites and apps to collect data.
    • Confirm HTTPS protocol when providing sensitive information, such as credit cards.
    • Avoid sharing personal information for coupons/contests.
    • Use common sense.

    Responsibilities of Organizations (1 of 4)

    • Misuse example: During online registration, collecting sensitive credentials and storing them in cleartext.
    • Responsible action: Collect only necessary information.
    • Explanation: Do not collect unnecessary personal information. Only collect if necessary. Limit information collection.

    Responsibilities of Organizations (2 of 4)

    • Misuse example: Storing customer credit card information for an extended period (30 days) after the sale.
    • Responsible action: Keep personal information only as long as necessary.
    • Explanation: Dispose of sensitive information securely after it is no longer needed.

    Responsibilities of Organizations (3 of 4)

    • Misuse example: Using real personal information for employee training sessions with no subsequent cleanup. Large-scale failure to restrict employee access to sensitive information.
    • Responsible action: Limit/restrict administrative access.
    • Explanation: Avoid using real data whenever feasible in training situations. Restrict employee access to minimize potential data breaches.

    Responsibilities of Organizations (4 of 4)

    • Misuse example: Sensitive personal information discarded unsafely (e.g., in dumpsters).
    • Responsible action: Properly dispose of sensitive data.
    • Explanation: Shred or otherwise destroy sensitive information before disposal to ensure data security and avoid breaches.

    Knowledge Check Activity 6-2

    • Which two statements are correct (regarding cryptography):
      • A key is a mathematical value entered into the algorithm to produce the ciphertext.
      • TLS protects messages only as they travel from the user's device to the app's servers, and then from the app's servers to the recipient's device.

    Description

    Test your knowledge on data privacy, smartphone tracking, and cryptographic principles. This quiz covers how modern technology impacts user privacy and methods to secure personal information. Explore the intersection of data exfiltration and cryptography in today's digital landscape.
