Security Awareness, 6e Module 6: Privacy PDF

Summary

This presentation, part of the Security Awareness 6th edition, details security elements around privacy. The document explains how data is stolen, identifies data thieves, and discusses the risks of data theft. Cybersecurity concepts and best practices for preventing data breaches are explored.

Full Transcript

Slide 1: Security Awareness, 6e Module 6: Privacy
Mark Ciampa, Security Awareness, 6th Edition. © 2024 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.

Slide 2: Module Objectives
- 6.1: Explain how data is being stolen from users
- 6.2: Identify "data thieves"
- 6.3: Describe the risks associated with data theft
- 6.4: Define cryptography and explain how it can provide protection
- 6.5: Explain how to strengthen privacy through limiting cookies, disabling MAIDs, and following privacy best practices

Slide 3: Introduction
- The introduction of technology has caused an erosion of our personal privacy
- There are unauthorized individuals who are accessing and using our data without our knowledge and permission
- These individuals are not classified as attackers and they do not break any laws
- They earn hundreds of billions of dollars annually using our data

Slide 4: Data Theft
Data theft involves:
- Knowing what is being stolen
- How it is being stolen
- Identifying the data thieves
- Understanding the risks to users
- Usage of the data

Slide 5: What Is Being Stolen and How? (1 of 2)
- Types of data that can be stolen during a typical day
  – Smartphone used to check the weather forecast and traffic conditions
    · Tracking features allow third parties to collect data from the user's interaction with the app
  – An ad appears for a scooter
    · The scooter company contracts with a third-party ad network to bid for ad space to target those being tracked
  – A filtering app is used before uploading a selfie to social media
    · The filtering app can access any of the photos, along with data about the photos

Slide 6: What Is Being Stolen and How? (2 of 2)
- Stopped at a yogurt store
  – The trackers know where you stopped, and using a credit card provides more information
- Every time a user interacts with technology, they leave behind a "data trail," which is a digital record of their activity
  – Household appliances
  – Televisions
  – Automobiles
  – Personal assistants (Alexa, Siri)
  – Web forms

Slide 7: How Data Is Exfiltrated (1 of 2)
- The majority of data stolen (exfiltrated) through trackers is from users' smartphones
- Smartphones were not designed to protect users' privacy
- Smartphones give users much less control over the device than a standard computer
- Exfiltration is primarily based on location services and mobile advertising identifiers

Slide 8: How Data Is Exfiltrated (2 of 2)
- Location services
  – Most smartphones use geolocation, GPS, or Wi-Fi access points (APs) to identify the geographical location of the device
  – Apps on the smartphone request the current location data and can also transmit the location back to the company behind the app (called the "mother ship")
- Mobile Advertising Identifier (MAID)
  – A unique number that identifies a specific device
  – Links together location services data and app interaction data

Slide 9: Who Are the Data Thieves? (1 of 5)
- The three primary entities that steal data from users
  – Surveillance-based advertisers
  – Governments
  – Schools

Slide 10: Who Are the Data Thieves? (2 of 5)
- Surveillance-based advertisers (also known as ad tech)
  – Internet-based digital advertising that is targeted at individuals who have been pre-identified through smartphone tracking data
  – Internet advertising has overcome the limitations of traditional advertising
  – The ad is targeted at an individual based on the characteristics of the individual
  – A surveillance-based ad will typically follow the consumer continually for several days by appearing on their smartphone, laptop, and tablet whenever the user opens a web browser

Slide 11: Who Are the Data Thieves? (3 of 5)
- Governments
  – Data collected by surveillance-based advertisers can essentially be purchased by any entity, including governments
  – Governments can monitor the actions of citizens without the citizen's knowledge or permission
  – The Communications Assistance for Law Enforcement Act (CALEA) is a wiretapping law passed in 1994
    · Ensures access to targeted surveillance in phones, the Internet, and voice over IP (VoIP) Internet traffic

Slide 12: Who Are the Data Thieves? (4 of 5)
- Schools
  – Educational institutions have increasingly been active in gathering information about their students
  – The data can be used to
    · Locate a missing student
    · Determine if a student attended a class
    · Determine if a student may pose a threat to other students

Slide 13: Who Are the Data Thieves? (5 of 5)
Table 6-1 Data types collected by schools
- Data type: Location data
  Example: Wi-Fi connections, contactless chips in bus passes, and ID cards
  Description: Schools have used this data for automated attendance tracking, class tardiness, and identifying who is riding a school bus.
- Data type: Audiovisual data
  Example: Facial recognition of recorded images and sounds
  Description: Locating a student on a large campus can be easily done through monitoring cameras and microphones.
- Data type: Web browsing data
  Example: Visited websites
  Description: Schools can monitor which websites a student visits and then intervene if necessary.
- Data type: Device usage
  Example: Social media postings
  Description: Offenders who post harmful or threatening messages can be tracked by monitoring their device usage.

Slide 14: What Are the Risks? (1 of 3)
- Associations with groups
  – Once a person is placed in a group, the characteristics of that group are applied, which may not always be accurate
- Statistical inferences
  – Can go beyond groupings
  – Likes on Facebook can statistically reveal sexual orientation, drug use, and political beliefs
- Unintended cross-pollination
  – Sharing or interchange of data that is often intended to create a higher benefit may cast a negative light on a person

Slide 15: What Are the Risks? (2 of 3)
- Identity theft
  – Almost always, identity theft begins with the theft of personal data that has been collected on a user by surveillance-based advertisers, businesses, governments, or schools
- Individual inconveniences
  – Ad marketing campaigns are often considered annoying and unwanted

Slide 16: What Are the Risks? (3 of 3)
Table 6-2 Issues regarding how private data is gathered and used
- Issue: The data is gathered and kept secret.
  Explanation: Users have no formal rights to find out what private information is being gathered, who gathers it, or how it is being used.
- Issue: The accuracy of the data cannot be verified.
  Explanation: Because users do not have the right to correct or control what personal information is gathered, its accuracy may be suspect. In some cases, inaccurate or incomplete data may lead to erroneous decisions made about individuals without any verification.
- Issue: Identity theft can impact the accuracy of data.
  Explanation: Victims of identity theft will often have information added to their profile that was the result of actions by the identity thieves, and even this vulnerable group has no right to see or correct the information.
- Issue: Unknown factors can impact overall ratings.
  Explanation: Ratings are often created by combining thousands of individual factors or data streams, including race, religion, age, gender, household income, zip code, presence of medical conditions, transactional purchase information from retailers, and hundreds more data points about individual consumers. How these different factors impact a person's overall rating is unknown.
- Issue: Informed consent is usually missing or misunderstood.
  Explanation: A statement in a privacy policy such as "We may share your information for marketing purposes with third parties" is not clearly informed consent to freely allow the use of personal data. Often users are not even asked for permission to gather their information.
- Issue: Data is being used for increasingly important decisions.
  Explanation: Private data is being used on an ever-increasing basis to determine eligibility for significant life opportunities, such as jobs, consumer credit, insurance, and identity verification.
- Issue: Targeted ads based on private data can lead to discrimination.
  Explanation: Targeted advertising can perpetuate and reinforce harmful stereotypes. For example, research has shown that online employment ads for science, technology, engineering, and mathematics are disproportionately shown to men and hidden from women.

Slide 17: Knowledge Check Activity 6-1
Which two statements are correct?
1. Only about 10 percent of smartphone apps have tracking features.
2. As smartphones determine their current location, this information is then packaged into a feature on smartphones known as location services.
3. Surveillance-based advertising is targeted at an individual based on the characteristics of the individual.

Slide 18: Knowledge Check Activity 6-1: Answer
Which two statements are correct?
- As smartphones determine their current location, this information is then packaged into a feature on smartphones known as location services.
- Surveillance-based advertising is targeted at an individual based on the characteristics of the individual.

Slide 19: Privacy Protections
- Protections may be implemented to reduce the risks associated with private data
  – Cryptography
  – Limiting cookies
  – Disabling and monitoring MAIDs
  – Following best practices
  – Organizations that collect private data have responsibilities

Slide 20: Use Cryptography (1 of 22)
- What Is Cryptography? ("hidden writing")
  – The practice of transforming information so that it cannot be understood by unauthorized parties and thus is secure
  – Encryption is the process of changing the original text into a scrambled message
  – Decryption is the process of changing the secret message back to its original form
  – A cipher is a cryptographic algorithm that uses a mathematical value (a key) to encrypt the plaintext data
  – A key is a mathematical value entered into the algorithm to produce the ciphertext

Slide 21: Use Cryptography (2 of 22)
- Cleartext data
  – Data in an unencrypted form
- Plaintext data
  – Cleartext data that is to be encrypted
  – Also the result of decryption
- Ciphertext data
  – Scrambled and unreadable output of encryption
- Algorithm
  – Consists of procedures based on a mathematical formula used to encrypt and decrypt data

Slide 22: Use Cryptography (3 of 22)
(Image slide; no text.)

Slide 23: Use Cryptography (4 of 22)
- Benefits of Cryptography
  – Confidentiality
  – Integrity
  – Authentication
  – Non-repudiation
  – Obfuscation

Slide 24: Use Cryptography (5 of 22)
Table 6-3 Information protections by cryptography
- Characteristic: Confidentiality
  Description: Ensures that only authorized parties can view the information
  Protection: Encrypted information can only be viewed by those who have been provided the key.
- Characteristic: Integrity
  Description: Ensures that the information is correct and no unauthorized person or malicious software has altered that data
  Protection: Encrypted information cannot be changed except by authorized users who have the key.
- Characteristic: Authentication
  Description: Provides proof of the genuineness of the user
  Protection: Proof that the sender was legitimate and not an imposter can be obtained.
- Characteristic: Non-repudiation
  Description: Proves that a user performed an action
  Protection: Individuals are prevented from fraudulently denying that they were involved in a transaction.
- Characteristic: Obfuscation
  Description: Makes something obscure or unclear
  Protection: By making it obscure, the original information cannot be determined.

Slide 25: Use Cryptography (6 of 22)
- Types of Cryptography
  – Symmetric cryptography
  – Asymmetric cryptography

Slide 26: Use Cryptography (7 of 22)
- Symmetric Cryptography
  – The original cryptography for encrypting and decrypting data
  – Uses the same single key to encrypt and decrypt
  – Also called private key cryptography (uses a private key)
  – Identical keys are used to encrypt and decrypt
  – Distributing and maintaining a secure single key among multiple users, who are often scattered geographically, poses significant challenges

Slide 27: Use Cryptography (8 of 22)
(Image slide; no text.)

Slide 28: Use Cryptography (9 of 22)
- Asymmetric Cryptography
  – Also known as public key cryptography
  – Uses two keys instead of one
    · One is known as the public key and one is known as the private key
  – Keys are mathematically related
    · The public key is known to everyone and can be freely distributed
    · The private key is known only to the individual to whom it belongs

Slide 29: Use Cryptography (10 of 22)
(Image slide; no text.)

Slide 30: Use Cryptography (11 of 22)
- Important principles regarding asymmetric cryptography:
  – Key pairs
    · Requires a pair of keys
  – Public key
    · Does not need to be protected
  – Private key
    · Should be kept confidential
  – Both directions
    · Keys can work in both directions (encryption and decryption)

Slide 31: Use Cryptography (12 of 22)
Table 6-4 Asymmetric cryptography practices
- Action: Bob wants to send Alice an encrypted message.
  Whose key to use: Alice's key
  Which key to use: Public key
  Explanation: When an encrypted message is to be sent, the recipient's key, and not the sender's key, is used.
- Action: Alice wants to read an encrypted message sent by Bob.
  Whose key to use: Alice's key
  Which key to use: Private key
  Explanation: An encrypted message can be read only by using the recipient's private key.
- Action: Bob wants to send a copy to himself of the encrypted message that he sent to Alice.
  Whose key to use: Bob's key
  Which key to use: Public key to encrypt; private key to decrypt
  Explanation: An encrypted message can be read only by the recipient's private key. Bob would need to encrypt it with his public key and then use his private key to decrypt it.
- Action: Bob receives an encrypted reply message from Alice.
  Whose key to use: Bob's key
  Which key to use: Private key
  Explanation: The recipient's private key is used to decrypt received messages.
- Action: Bob wants Susan to read Alice's reply message that he received.
  Whose key to use: Susan's key
  Which key to use: Public key
  Explanation: The message should be encrypted with Susan's key for her to decrypt and read with her private key.
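The following is an added walkthrough of Table 6-4 and the "both directions" principle from slide 30; it is not code from the textbook. It uses deliberately tiny textbook RSA (constructed toy primes, one byte per block, no padding) so that the key arithmetic is visible; real systems use 2048-bit keys with OAEP/PSS padding from a vetted library, never hand-rolled RSA.

```python
"""Toy RSA walkthrough of Table 6-4 (who encrypts with whose key). Added example."""
from __future__ import annotations
from dataclasses import dataclass
from math import gcd
import hashlib


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int


@dataclass(frozen=True)
class PrivateKey:
    n: int
    d: int


def make_keypair(p: int, q: int, e: int = 17) -> tuple[PublicKey, PrivateKey]:
    """Derive a mathematically related public/private pair from two toy-sized primes:
    d is the inverse of e modulo (p-1)(q-1), so (m^e)^d == m (mod n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return PublicKey(n, e), PrivateKey(n, d)


def encrypt(pub: PublicKey, message: bytes) -> list[int]:
    """Encrypt one byte per block with the RECIPIENT's public key (each byte < n)."""
    return [pow(b, pub.e, pub.n) for b in message]


def decrypt(priv: PrivateKey, ciphertext: list[int]) -> bytes:
    """Decrypt with a private key. Only the matching private key recovers the bytes;
    any other key yields garbage (reduced mod 256 here just to form a bytes object)."""
    return bytes(pow(c, priv.d, priv.n) % 256 for c in ciphertext)


def sign(priv: PrivateKey, message: bytes) -> int:
    """'Both directions': the private key transforms a digest so that anyone holding
    the public key can check it (authentication / non-repudiation)."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % priv.n
    return pow(digest, priv.d, priv.n)


def verify(pub: PublicKey, message: bytes, signature: int) -> bool:
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % pub.n
    return pow(signature, pub.e, pub.n) == digest


def table_6_4_walkthrough() -> dict[str, bool]:
    """Each entry is one claim from Table 6-4 (or slide 30), evaluated on toy keys."""
    # Constructed toy key pairs for the three people named in the table.
    alice_pub, alice_priv = make_keypair(61, 53)
    bob_pub, bob_priv = make_keypair(101, 113)
    susan_pub, susan_priv = make_keypair(127, 131)
    msg, reply = b"Lunch at noon?", b"Yes, see you there."
    r: dict[str, bool] = {}

    # Rows 1-2: Bob -> Alice uses ALICE's public key; only Alice's private key reads it.
    ct = encrypt(alice_pub, msg)
    r["alice_reads_with_her_private_key"] = decrypt(alice_priv, ct) == msg
    r["bob_cannot_read_with_his_private_key"] = decrypt(bob_priv, ct) != msg

    # Row 3: Bob's copy for himself: his public key to encrypt, his private key to decrypt.
    r["bob_reads_own_copy"] = decrypt(bob_priv, encrypt(bob_pub, msg)) == msg

    # Row 4: Alice's reply is encrypted under Bob's public key; Bob decrypts with his private key.
    reply_ct = encrypt(bob_pub, reply)
    r["bob_reads_reply"] = decrypt(bob_priv, reply_ct) == reply

    # Row 5: to let Susan read it, Bob must re-encrypt the reply under SUSAN's public key;
    # handing her the ciphertext addressed to Bob does not work.
    forwarded = encrypt(susan_pub, decrypt(bob_priv, reply_ct))
    r["susan_reads_forwarded_reply"] = decrypt(susan_priv, forwarded) == reply
    r["susan_cannot_read_bobs_ciphertext"] = decrypt(susan_priv, reply_ct) != reply

    # Slide 30, "both directions": Alice signs with her private key; her public key verifies,
    # Bob's public key does not.
    sig = sign(alice_priv, reply)
    r["signature_verifies_with_alice_public_key"] = verify(alice_pub, reply, sig)
    r["signature_fails_with_bob_public_key"] = not verify(bob_pub, reply, sig)
    return r


if __name__ == "__main__":
    for claim, holds in table_6_4_walkthrough().items():
        print(f"{claim:45s} {'OK' if holds else 'FAILED'}")
```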
Slide 32: Use Cryptography (13 of 22)
- Protections Through Cryptography
  – Categorized as they pertain to protecting data at rest and data in transit
  – Data at rest
    · Data that is stored on electronic media on a mobile device, laptop, or external storage unit
    · Cryptography can be implemented through software running on a device

Slide 33: Use Cryptography (14 of 22)
- Encryption through Software
  – There are third-party software tools available
    · GNU Privacy Guard (GnuPG)
    · AxCrypt
    · Folder Lock
    · VeraCrypt

Slide 34: Use Cryptography (15 of 22)
(Image slide; no text.)

Slide 35: Use Cryptography (16 of 22)
- Encryption through Software
  – Protecting groups of files can take advantage of the operating system's (OS's) file encryption support
    · Microsoft's Encrypting File System (EFS) for Windows
    · Apple's FileVault
  – Full disk encryption (FDE) protects all data on a storage unit
    · Microsoft's BitLocker

Slide 36: Use Cryptography (17 of 22)
- Hardware Encryption
  – Cannot be exploited like software encryption
  – Cryptography can be embedded in hardware to provide a higher degree of security
  – Self-encrypting drives (SEDs) can protect all files stored on them
  – A Hardware Security Module (HSM) is a removable external cryptographic hardware device
  – A Trusted Platform Module (TPM) is a chip on the motherboard of the computer that provides cryptographic services

Slide 37: Use Cryptography (18 of 22)
- Data in Transit
  – Data moving over a network from one location to another
  – Data in transit can be protected through cryptography by using
    · Digital certificates
    · End-to-end encryption
    · Transport layer security

Slide 38: Use Cryptography (19 of 22)
- Digital Certificates
  – Technology used to associate a user's identity to a public key
  – Has been "digitally signed" by a trusted third party
  – The third party verifies the owner and public key
  – Server digital certificates are often issued from a web server to a user's client computer
    · Can ensure the authenticity of the web server
    · Can ensure the authenticity of the cryptographic connection to the web server

Slide 39: Use Cryptography (20 of 22)
- Two of the more common types of digital certificates are
  – Code signing digital certificate
    · Used by software developers to digitally sign a program to prove that the software comes from the entity that signed it and no unauthorized third party has altered or compromised it
    · When the installation is launched, a pop-up window appears that says "Verified publisher"
  – Email digital certificate
    · Allows a user to digitally sign and encrypt mail messages

Slide 40: Use Cryptography (21 of 22)
(Image slide; no text.)

Slide 41: Use Cryptography (22 of 22)
- End-to-End Encryption (E2EE)
  – Protects messages all the way from the sender to the receiver
  – No one can "listen in" and eavesdrop on the communication
- Transport Layer Security (TLS)
  – Protects messages only as they travel from the user's device to the app's servers, and then from the app's servers to the recipient's device
  – The service provider can view unencrypted copies of the message
  – Hypertext Transport Protocol Secure (HTTPS) is an example
  – A virtual private network (VPN) is another example

Slide 42: Limit Cookies (1 of 2)
- HTTP is a stateless protocol, which does not make a record of the user's interaction with the client
  – A stateful protocol "remembers" everything that occurs between the browser client and the server
- A site using HTTP can "remember" by using a cookie, which is a file on the user's local computer

Slide 43: Limit Cookies (2 of 2)
- First-party cookie
  – Created by the website that the user is currently viewing
- Third-party cookie
  – A different website attempts to place additional cookies on the local hard drive, usually for advertising
- Session cookie
  – Stored in random access memory (RAM) and lasts only for the duration of the visit to the website
- Clearing the browser's memory (cache) of cookies can help ensure more privacy

Slide 44: Disable and Monitor MAIDs
- For mobile devices, MAIDs can be disabled to prevent tracking
- Navigate to Settings > Privacy to disable tracking

Slide 45: Follow Privacy Best Practices (1 of 3)
- Use encryption to protect sensitive documents that contain personal information
- Use strong passwords
- Shred financial documents that contain personal information
- Do not carry a Social Security number in a wallet
- Do not provide personal information over the phone
- Keep personal information in a secure location
- Be cautious about what information is posted on social networking sites
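The cookie categories from the Limit Cookies slides (first-party vs third-party, session vs persistent), as an added example that is not part of the textbook: it classifies Set-Cookie headers relative to the page being viewed and shows which cookies would still exist after a restart under the browser settings the slides recommend. The sample page URL and headers are constructed, and the "site" comparison is simplified to the last two DNS labels (real browsers use the Public Suffix List).

```python
"""Classify Set-Cookie headers as first/third-party and session/persistent. Added example."""
from __future__ import annotations
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Constructed sample: the page the user is viewing and the responses received while
# loading it, as (host that answered, Set-Cookie header value).
PAGE = "https://shop.example/checkout"
SAMPLE_RESPONSES = [
    ("shop.example", "cart=abc123; Path=/; Secure; HttpOnly"),
    ("shop.example", "remember_me=tok; Max-Age=2592000; Path=/; Secure"),
    ("cdn.shop.example", "pref=dark; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/"),
    ("ads.tracker-net.example", "uid=9f8e7d; Max-Age=31536000; Domain=.tracker-net.example; Secure"),
    ("pixel.tracker-net.example", "sess=tmp; Path=/"),
]


def site_of(host: str) -> str:
    """Simplification (assumption): treat the last two labels as the 'site', so
    cdn.shop.example belongs to shop.example. Browsers use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(page_url: str, responder_host: str, set_cookie: str) -> list[dict]:
    """One record per cookie in the header: who set it relative to the page (slide 43's
    first-party vs third-party) and whether it outlives the session."""
    page_site = site_of(urlparse(page_url).hostname or "")
    jar = SimpleCookie()
    jar.load(set_cookie)
    records = []
    for name, morsel in jar.items():
        # RFC 6265: Max-Age takes precedence over Expires; with neither attribute the
        # cookie is a session cookie, held in memory and discarded when the browser closes.
        persistent = bool(morsel["max-age"]) or bool(morsel["expires"])
        records.append({
            "name": name,
            "set_by": responder_host,
            "party": "first" if site_of(responder_host) == page_site else "third",
            "lifetime": "persistent" if persistent else "session",
            "secure": bool(morsel["secure"]),
        })
    return records


def names_surviving_restart(records: list[dict], block_third_party: bool = True,
                            clear_on_exit: bool = False) -> list[str]:
    """Cookies still present after the browser is closed and reopened, given two of the
    controls the slides describe: blocking third-party cookies, and clearing the cookie
    store on exit (which makes even persistent cookies behave like session cookies)."""
    keep = []
    for rec in records:
        if rec["lifetime"] != "persistent":
            continue
        if block_third_party and rec["party"] == "third":
            continue
        if clear_on_exit:
            continue
        keep.append(rec["name"])
    return keep


def walkthrough() -> list[dict]:
    records: list[dict] = []
    for host, header in SAMPLE_RESPONSES:
        records.extend(classify(PAGE, host, header))
    return records


if __name__ == "__main__":
    recs = walkthrough()
    for rec in recs:
        print(f"{rec['name']:12s} {rec['party']}-party {rec['lifetime']:10s} set by {rec['set_by']}")
    print("survive restart, third-party blocked:", names_surviving_restart(recs))
    print("survive restart, clear on exit:      ", names_surviving_restart(recs, clear_on_exit=True))
```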
Slide 46: Follow Privacy Best Practices (2 of 3)
- Keep only the last three months of the most recent financial statements
- Install antispyware software
- Use a popup blocker
- Control cookies through the web browser
- Use the private browsing option in your browser
- Review the privacy options of the web browser
  – Turn on features that will provide the highest level of privacy without negatively impacting the browser

Slide 47: Follow Privacy Best Practices (3 of 3)
- Turn on Wi-Fi Protected Access 2 (WPA2) Personal on Wi-Fi networks
- Be cautious about granting a website's or app's request for permission to collect data
- Be sure that https appears at the beginning of a web address that asks for credit card numbers or other personal information
- Be cautious about surrendering personal information in exchange for a coupon or to enter a contest
- Use common sense
- Encourage vendors to change their practices on data collection

Slide 48: Responsibilities of Organizations (1 of 4)
- Example of misuse: During the online registration process, the organization required new users to provide both their email address and the password to that email account and then stored the information in cleartext.
  Responsible action: Collect only necessary personal information.
  Explanation: Organizations should not collect any personal information unless it is necessary, and the information that is collected should be limited.
- Example of misuse: An organization collected customers' credit and debit card information to process transactions in its retail stores but then stored that information for 30 days, long after the sale was complete.
  Responsible action: Keep personal information only as long as necessary.
  Explanation: Unless there is a legitimate business need, personal information should be securely disposed of as soon as any transactions are completed.

Slide 49: Responsibilities of Organizations (2 of 4)
- Example of misuse: An organization used actual personal information in employee training sessions and then failed to remove the information from employees' computers after the training was completed.
  Responsible action: Do not use personal information when it is not necessary.
  Explanation: Fictitious information should be used for any training or development purposes.
- Example of misuse: Over 7,000 files containing users' personal information were inadvertently sent to a third party by an organization that had failed to restrict employee access to sensitive personal information.
  Responsible action: Restrict access to sensitive information.
  Explanation: If employees do not need to use customers' personal information as part of their job function, access to such information should be denied.

Slide 50: Responsibilities of Organizations (3 of 4)
- Example of misuse: An organization gave all of its employees administrative control over the system, including the ability to reset user account passwords and view users' comments.
  Responsible action: Limit administrative access.
  Explanation: Administrative access, which allows a user to make system-wide changes, should be limited to employees who have that job function.
- Example of misuse: An organization stored sensitive customer information that was encrypted with a nonstandard and proprietary form of encryption, which contained several vulnerabilities.
  Responsible action: Use industry-tested and accepted methods.
  Explanation: Organizations should take advantage of the "collected wisdom" of encryption algorithms that have been tested by experts over many years.

Slide 51: Responsibilities of Organizations (4 of 4)
- Example of misuse: Sensitive personal information was thrown away in dumpsters, and hard drives that contained personal information were sold as surplus.
  Responsible action: Dispose of sensitive data securely.
  Explanation: When paperwork or equipment containing personal information is no longer needed, it should be destroyed by shredding, burning, or pulverizing to make the data unreadable.

Slide 52: Knowledge Check Activity 6-2
Which two statements are correct?
1. A key is a mathematical value entered into the algorithm to produce the ciphertext.
2. Symmetric cryptography uses one key to encrypt data and a different key to decrypt data.
3. TLS protects messages only as they travel from the user's device to the app's servers, and then from the app's servers to the recipient's device.

Slide 53: Knowledge Check Activity 6-2: Answer
Which two statements are correct?
- A key is a mathematical value entered into the algorithm to produce the ciphertext.
- TLS protects messages only as they travel from the user's device to the app's servers, and then from the app's servers to the recipient's device.

Slide 54: Summary
Click the link to review the objectives for this presentation.
Link to Objectives
