IT and Society Lecture 7: Security Issues
36 Questions

Created by
@HardWorkingAestheticism

Questions and Answers

What is the primary basis for selecting and implementing controls in ISMS?

  • Expert opinions
  • Historical data analysis
  • Industry standards and regulations
  • Risk assessment (correct)

What aspect of security management is currently lacking according to the recap on security in organizations?

  • State-sponsored security initiatives
  • Comprehensive security certifications
  • Public awareness programs
  • Data-driven collaboration with industry (correct)

What characteristic of the 27K series of standards makes them broadly applicable?

  • Their limited flexibility
  • Their focus on technology-specific measures
  • Their generic and adoptable nature (correct)
  • Their strict regulatory framework

What is implied by the term 'pipe dream' in the context of balancing security and privacy?

    • An unrealistic or illusory hope

    What is suggested as a necessary aspect of security management in the recap?

    • Scientifically validated prioritization

    What should continuous improvement in security management align with?

    • Changing risk environment

    What is the primary implication of Dilma Rousseff's quote regarding privacy and democracy?

    • Privacy enhances freedom of expression.

    What is the relationship between the NSA and the Five Eyes countries?

    • They work in cooperation for intelligence gathering.

    When did the NSA's activities become more publicly known?

    • 2001

    What does the Prism program allow in terms of wiretapping?

    • It requires a warrant based on probable cause for U.S. citizens.

    What significant concern arises from the NSA's wiretapping practices?

    • The scale and scope of wiretapping foreigners.

    What role does the Foreign Intelligence Surveillance Court (FISC) play?

    • It supervises the issuance of warrants for wiretaps.

    How can intelligence analysts access content from foreign wiretaps?

    • By simply clicking a designated tab indicating the subject's status.

    What is a critical limitation of the information obtained through FISA regarding citizens?

    • Wiretapping requests can occur without supervision.

    What is a key characteristic of data flow between service firms such as Yahoo and Google?

    • Data often flows in the clear between companies' data centers.

    Why do modern websites often not encrypt backhaul traffic?

    • Cost is associated with backhaul encryption.

    What does Tempest monitoring involve?

    • Monitoring electromagnetic emissions from devices.

    What is one of the objectives of the Longhaul and Quantum programs?

    • To focus on encrypted communications.

    What tactic is used in supply-chain tampering?

    • Manipulating purchased products to compromise them.

    What has been noted about many Internet communications regarding encryption?

    • They appear encrypted but may not be truly secure.

    What is one example of the collection strategy used by Special Collection Service?

    • Planting collection equipment in foreign providers.

    What is a consequence of the trend toward end-to-end encryption?

    • Improved security for internet communications.

    What is the implication of higher scores being considered better in the 2020 rating by Freedom House?

    • The scoring system became more favorable for countries with improved internet freedom.

    Which types of content are most commonly targeted by internet filtering in various countries?

    • Human rights organizations and independent media.

    What concern arises from the involvement of private entities in regulating speech online?

    • The transparency of their actions is often questionable.

    What phenomenon is referred to as 'mission creep' concerning internet filtering?

    • An expansion in the scope of internet filtering beyond original intentions.

    What is the potential 'collateral impact' of internet filtering mentioned?

    • Blocking access to content that was not meant to be restricted.

    What is a common target for censorship in countries implementing strict internet regulations?

    • Religious conversion and spiritual grouping sites.

    How does the transition from filtering to overt political censorship typically occur?

    • Governments gradually tighten control encompassing diverse content views.

    What are the characteristics of the reports published by Freedom House since 1973?

    • They offer a blend of detailed analysis and scoring.

    What is the primary justification for government surveillance according to the strong form of the argument?

    • To prevent and investigate terrorist attacks

    What does the 'nothing-to-hide' argument imply?

    • Only those engaging in unlawful activities need to worry about privacy

    How should privacy be viewed according to the opposing view presented?

    • As an essential right that requires protection

    What is a key concern in balancing privacy against security?

    • Avoiding the infringement of individual freedoms

    What does the strong form of the argument suggest about privacy interests?

    • They are secondary to security interests

    Who are some of the proponents of the viewpoint that surveillance is justified?

    • A broad spectrum of society including individuals

    Study Notes

    Recap – Information Security Management Systems (ISMS)

    • ISMS emphasizes risk-driven management, selecting and implementing security controls based on risk assessments.
    • Continuous improvement adapts to changes in the risk environment.
    • ISMS is documentation-centered and integrates performance evaluation for processes and controls.
    • The 27K series of standards is generic, adaptable, and flexible, covering varying security needs outside ICT.
    • Certification schemes associated with these standards are increasingly utilized in practice.

    Security in Organizations

    • A gap exists between high-quality IT security research and collaboration with industry and policy makers.
    • A comprehensive, scientifically validated method for prioritizing security measures is currently lacking.

    Balancing National Security and Privacy

    • National security interests intensified after September 11, 2001, raising questions about the feasibility of balancing national security with privacy.
    • Dilma Rousseff emphasized that without the right to privacy, freedom of expression and democracy cannot thrive.

    United States and Five Eyes Alliance

    • The NSA and Five Eyes (U.S., Canada, U.K., Australia, New Zealand) have made extensive efforts to exert control over Internet security and surveillance.
    • Whistleblowers like Edward Snowden have revealed details about the operational methods and capabilities of Western intelligence.

    NSA History

    • The NSA remained relatively unknown until 1982, when James Bamford's historical overview, aided by FOIA requests, uncovered its activities.

    Programs: Prism

    • Prism allows the FBI to conduct wiretaps on U.S. citizens legally with a warrant based on probable cause.
    • Foreign individuals can be wiretapped without restrictions, raising concerns about privacy and surveillance overreach.

    Programs: Muscular (U.K./U.S.)

    • Involves data collection among major service firms, with claims that many encrypted communications may not be secure.
    • SSL encryption may only protect data between the user's device and the CDN, but not during internal transfers.

    Programs: Special Collection Service

    • Employs strategies like implanting collection equipment within foreign telecoms and government facilities.
    • Tempest monitoring collects data from electromagnetic emissions, prompting standards for shielding electronic devices.

    Research Examples

    • Focus areas include encrypted communications, examining the vulnerability of encryption methods used in VPNs and TLS connections.

    Government Surveillance and Privacy

    • A prevailing argument posits that security needs justify government surveillance, suggesting minimal privacy concerns for law-abiding citizens.
    • A counterargument promotes privacy as a fundamental right that should be protected and not perceived as something to hide.

    Freedom House Ratings

    • Lower scores indicate better Internet freedom; rating shifts over time reflect changing circumstances in various countries.
    • Reports analyze the state of Internet freedom comprehensively, detailing the implications of censorship and freedom restrictions.

    From Filtering to Censorship

    • Internet filtering often targets local content critical to governments, evolving into overt censorship of dissenting views.
    • Websites related to human rights, independent media, and political opposition are common targets for blocking.

    Collateral Impact of Internet Filtering

    • Filtering can inadvertently restrict access to a broader range of content, extending beyond intended targets and stifling free expression.

    Involvement of Private Entities

    • Commercial entities may impose restrictions on freedom of speech in opaque ways, complicating public accountability.
    • The infrastructure set up for filtering may lead to mission creep, expanding the reasons for censorship beyond the original intent.

    Description

    Explore the societal issues related to information security in this lecture from Prof. Jens Grossklags. This quiz covers key concepts such as risk-driven information security management and the importance of continuous improvement to adapt to a changing risk environment.
