Digital security, ethics and privacy

• Digital security risks
• Cybercrimes and criminals
• Internet and network attacks
• Wireless security
• Establish policy to ensure safety
• Ethics
• Privacy:
• Protect yourself and your data
• Information privacy

Module 5

Digital Security, Ethics, and Privacy: Avoiding and Recognizing Threats

Risks Associated with Technology Use�(1 of 5)

• A risk is any possibility that something might occur resulting in an injury or a loss.
• A digital security risk is any event or action that could cause a loss of or damage to computer or mobile device hardware, software, data, information, or processing capability.
• Types of digital security risks include threats to our information, physical health, mental health, and the environment.

​

​

Figure 5-1 You can protect yourself from digital security risks.

Cybercrimes and Criminals (2 of 5)

• State-sponsored attackers are employed by the government to launch computer attacks against their enemies through nation-state actors.
• The term, cyberwarfare, describes an attack whose goal ranges from disabling a government’s computer network to crippling a country.
• These attackers try to steal and then use your credit card numbers, online financial account information, or Social Security numbers using data mining.
• Data mining is the process of sifting through Big Data to find the important questions that will yield fruitful results.
• A cyber extortionist is an individual who threatens to expose confidential information, exploit a security flaw, or launch an attack that will compromise the organization’s network.
• Social engineering is a category of attack that attempts to trick the victim into giving valuable information to the attacker.
• Examples include hoaxes and phishing

​

Risks Associated with Technology Use�(3 of 5)

• Any illegal act involving the use of a computer or related devices is generally referred to as a computer crime and the term cybercrime refers to online or Internet-based illegal acts, such as distributing malicious software or committing identity theft.
• Software used by cybercriminals is called crimeware. Cybersecurity is the practice of protection against digital threats, including unauthorized or illegal access to data.
• Digital forensics, or cyber forensics is the discovery, collection, and analysis of evidence found on computers and networks.
• A digital forensics examiner must have knowledge of the law, technical experience with many types of hardware and software products, superior communication skills, familiarity with corporate structures and policies, a willingness to learn and update skills, and a knack for problem-solving.

Risks Associated with Technology Use�(4 of 5)

• A digital detox is a period of time during which an individual refrains from using technology.
• Threat actor is a more general and common term used to describe individuals who launch attacks against other users and their computers.
• The dark web is a part of the web that is accessed using specialized software, where users and website operators can remain anonymous while performing illegal actions.
• Script kiddies are individuals who want to attack computers.
• A hacker is a person who intends to access a computer system without permission.
• A cracker is someone who accesses a computer or network illegally but has the intent of destroying data, stealing information, or other malicious action.
• Hacktivists are attackers who are strongly motivated by principles or beliefs.
• Cyberterrorists attack a nation’s computer networks, like the electrical power grid, to cause disruption and panic among citizens.

​

​

Cybercrimes and Criminals (5 of 5)

Table 5-1 Social engineering principles.

Ethics and Society (1 of 4)

• The standards that determine whether an action is good or bad are known as ethics.
• Technology ethics are the moral guidelines that govern the use of computers, mobile devices, information systems, and related technologies.
• Frequently discussed areas of computer ethics include information accuracy, intellectual property rights, and green computing.

Ethics and Society (2 of 4)

Information Accuracy

• Information accuracy is a concern today because many users access information maintained by other people or companies, such as on the Internet.
• With graphics equipment and software, users can easily digitize photos and then add, change, or remove images.

Figure 5-3 A digitally edited photo that shows a fruit that looks like an apple on the outside and an orange on the inside.

Ethics and Society (3 of 4)

Intellectual Property Rights

• Intellectual property rights are the rights to which creators are entitled to their work.
• Creative Commons is another source for finding content that may or may not be used, along with any restrictions or payment needed to use it.
• A common infringement of copyright is piracy, where people illegally copy software, movies, and music.
• These issues with copyright law led to the development of the digital rights management strategy.

Ethics and Society (4 of 4)

Green Computing

• Green computing involves reducing electricity and environmental waste while using computers, mobile devices, and related technologies.
• Organizations can implement a variety of measures to reduce electrical waste.

Figure 5-5 A list of suggestions to make computing healthy for the environment.

Internet and Network Attacks (1 of 6)

• Information transmitted over networks has higher degree of a security risk than information kept on an organization’s premises.
• These types of attacks can affect your privacy, personal information, finances, and more.
• Malware is short for malicious software which consists of programs that act without a user’s knowledge and deliberately alter the operations of computers and mobile devices.
• Malware can deliver its payload, or destructive event or prank, on a computer or mobile device in a variety of ways.
• A common way that computers and mobile devices become infected with viruses and other malware is through users opening infected email attachments.

​

Internet and Network Attacks (2 of 6)

Table 5-2 Common types of malware.

Internet and Network Attacks (3 of 6)

Botnets

• A compromised computer or device, known as a zombie, is one whose owner is unaware that the computer or device is being controlled remotely by an outsider.
• A botnet, or zombie army, is a group of compromised computers or mobile devices connected to a network that are used to attack other networks, usually for nefarious purposes.
• A bot is a program that performs a repetitive task on a network.
• Cybercriminals install malicious bots on unprotected computers and devices to create botnets.

Internet and Network Attacks (4 of 6)

Denial of Service Attacks

• A DoS attack is a type of attack, usually on a server, that is meant to overload the server with network traffic so that it cannot provide necessary services, such as the web or email.
• A more devastating type of DoS attack is the distributed DoS (DDoS) attack in which multiple computers, such as a zombie army, are used to attack a server or other network resource.
• The damage caused by a DoS or DDoS attack usually is extensive.

Back Doors

• A back door is a program or set of instructions in a program that allows users to bypass security controls when accessing a program, computer, or network.
• A rootkit can be a back door.
• Some worms leave back doors, which have been used to spread other worms or to distribute spam from the unsuspecting victim’s computers.
• Programmers often build back doors into programs during system development to save development time.

​

Internet and Network Attacks (5 of 6)

• Spoofing is a technique intruders use to make their network or Internet transmission appear legitimate to a victim’s computer or network.
• Two common types of spoofing schemes are IP and address spoofing.
• IP spoofing occurs when an intruder computer tricks a network into believing its IP address is associated with a trusted source.
• Address spoofing occurs when the sender’s email address or other components of an email header are altered.

Figure 5-5 Spoofers alter the components and header of an email message so that it appears the message originated from a different sender.

Internet and Network Attacks (6 of 6)

Practices for Protection from Viruses and Other Malware

• Use virus protection software
• Use a firewall
• Be suspicious of all unsolicited email and text messages
• Disconnect your computer from the Internet
• Download software with caution
• Close spyware windows
• Before using any removable media, scan it for malware
• Keep current and back up regularly

Secure IT: Protect Yourself and Your�Data (1 of 7)

• Your digital footprint is the record of everything you do online.
• A digital footprint can be nearly impossible to completely erase.
• Firewalls and access controls protect data and information on computers and other devices For most computer users, the greatest risk comes from attackers who want to steal their information for their own financial gain.
• The risks you face online when using the Internet or email include:
• Online Banking
• E-commerce Shopping
• Fake Websites
• Social Media Sites

Secure IT: Protect Yourself and Your�Data (2 of 7)

Table 5-3 Uses of personal information.

Secure IT: Protect Yourself and Your�Data (3 of 7)

• Mobile users today often access their company networks through a virtual private network (VPN).
• A VPN is a private, secure path across a public network that allows authorized users to secure access to a company or other network.
• A VPN provides the mobile user with a secure connection to the company’s network server as if the user has a private line.
• VPNs help ensure that data is safe from being intercepted by unauthorized people by encrypting data as it transmits from a laptop, smartphone, or other mobile devices.

Secure IT: Protect Yourself and Your�Data (4 of 7)

• Firewalls protect network resources from outsiders and to restrict employees’ access to sensitive data, such as payroll or personnel records.
• A proxy server is a server outside the organization’s network that controls which communications pass in and out of the organization’s network.
• Both Windows and Mac operating systems include firewall capabilities, including monitoring Internet traffic to and from installed applications.

Figure 5-8 How a firewall works.

Secure IT: Protect Yourself and Your�Data (5 of 7)

• Unauthorized access is the use of a computer or network without permission. It is possibly an illegal activity.
• Organizations take several measures to help prevent unauthorized access and use.
• An organization’s acceptable use policy (AUP) should specify the acceptable use of technology by employees for personal reasons.
• An organization should document and explain AUP to employees.
• The AUP also should specify the personal activities, if any, that are allowed on company time.

Secure IT: Protect Yourself and Your�Data (6 of 7)

• Many organizations use access controls to minimize the chance that a perpetrator, intentionally or an employee accidentally may access confidential information on a computer, mobile device, or network.
• The computer, device, or network should maintain an audit trail that records access attempts, both successful and unsuccessful.
• To protect against data loss caused by hardware, software, or information theft or system failure, backup is required.
• Online backup services use special software on the computer to monitor what files have changed or have been created. Cloud backup services can save you the cost of maintaining hardware.

Secure IT: Protect Yourself and Your�Data (7 of 7)

Table 5-4 Various backup methods.

Wireless Security (1 of 5)

Protect Mobile Devices

• Along with the protection of devices from theft, it is also necessary to protect the privacy of your information.
• Some risks from attacks on Wi-Fi networks include the following:
• Reading wireless transmissions or viewing or stealing computer data
• Injecting malware or downloading harmful content

Precautions

• When using public Wi-Fi, be sure you are connecting to the approved wireless network.
• Limit the type of activity you do on public networks to simple web surfing or watching online videos.
• Accessing online banking sites or sending confidential information that could be intercepted is not a good idea.
• Configuring your Wi-Fi wireless router to provide the highest level of security is an important step.

​

Wireless Security (2 of 5)

Table 5-5 Configuration settings for wireless routers.

Wireless Security (3 of 5)

Table 5-5 Configuration settings for wireless routers (continued).

Wireless Security (4 of 5)

Secure Your Wireless Network

• The following list provides suggestions for securing your wireless network.
• Immediately upon connecting your wireless access point and/or router, change the password required to access administrative features
• Change the SSID, or network name, from the default to something
• Do not broadcast the SSID
• Enable an encryption method, and specify a strong password
• Enable and configure the Media Access Control (MAC) address control feature; a MAC address is a unique hardware identifier for your computer or device
• Choose a secure location for your wireless router so that unauthorized people cannot access it

​

Wireless Security (5 of 5)

Cloud Data Privacy

• The cloud offers a tremendous amount of storage space at a relatively low cost; the security of data and the reliability of cloud companies trigger concerns.
• Two types of risks arising from cloud computing include:
• Personal risks: International laws and industry regulations protect sensitive and personal data.
• Business risks: Ownership and security of data should be included in any contract between a business and a cloud storage provider.

Information Privacy (1 of 11)

• Authentication is the process of ensuring that the person requesting access to a computer or other resources is authentic and not an imposter.
• Different methods of authentication are:
• Passwords
• Biometrics
• 2 FA
• CAPTCHA
• Encryption

​

Information Privacy (2 of 11)

Passwords

• A username—a user ID (identification), log-on name, or sign-in name—is a unique combination of characters, numbers, or alphabets that identifies one specific user.
• A password is a secret combination of letters, numbers, and/or characters that only the user should know.

​

Figure 5-9 User sign in requiring password.

Information Privacy (3 of 11)

Table 5-6 Ten most common passwords.

Table 5-7 Numbers of possible passwords.

Information Privacy (4 of 11)

• Use a password manager, which is a program that helps you create and store multiple strong passwords in a single user vault file that is protected by one strong master password.
• Password managers use two-step verification and advanced encryption techniques to ensure information is stored securely.
• Some organizations use passphrases to authenticate users.
• A PIN (personal identification number), sometimes called a pass code, is a numeric password. PINs provide an additional level of security.
• A possessed object is any item that you must possess, or carry with you, to gain access to a computer or computer facility. For example, badges, cards, smart cards, and keys.
• The card you use in an ATM (automated teller machine) is a possessed object that allows access to your bank account.

​

​

​

Information Privacy (5 of 11)

Biometrics

• Biometric security uses the unique characteristics of your face, hands, or eyes to authenticate you.
• Some of the different types of biometrics include:
• Retina
• Fingerprint
• Voice
• Face
• Iris
• Hand
• Signature

​

​

Figure 5-10 Facial recognition.

Information Privacy (6 of 11)

• Two-Factor Authentication is multiple types of authentication.
• The most common authentication elements that are combined are passwords and codes sent to a cell phone using a text message.
• Its short form is 2FA.
• It makes authentication stronger.

Figure 5-12 Two-factor authentication.

Information Privacy (7 of 11)

CAPTCHAs

• CAPTCHA stands for “Completely Automated Public Turing test to tell Computers and Humans Apart.”
• A CAPTCHA is a program developed at Carnegie Mellon University that displays an image containing a series of distorted characters to identify and enter to verify that user input is from humans.

Figure 5-13 CAPTCHAs verify human usage.

Information Privacy (8 of 11)

Encryption

• Encryption is the process of scrambling information in such a way that it cannot be read unless the user possesses the key to unlock it so that it is returned to a readable format (decryption).
• A digital signature is an electronic, encrypted, and secure stamp of authentication on a document issued by a CA organization.

Browser Security

• Although all browsers are different, each can be configured for stronger security through different settings.
• Some of the important security settings include:
• Cookies, scripting, plug-ins, pop-ups, and clear browsing data

​

​

Information Privacy (9 of 11)

Protect your Personal and Financial Information

• Your personal information includes not only your identity but your financial information.
• Attackers can impersonate you, either to cause distress or for their financial gain.
• You can, and should, take several steps to prevent your information from being stolen and falling into the hands of attackers.

Actions to Protect Your Personal and Financial Information

• The United States has laws in place to help users monitor and protect their financial information that is stored by a credit reporting agency.
• You can request one free credit report annually to review your credit history and determine if an attacker has secretly taken out a credit card or even a loan in your name.
• You can also have a credit freeze (as well as a thaw) put on your credit information so that it cannot be accessed without your explicit permission. These are also free.
• It is a good idea to monitor your credit information regularly.

​

​

Information Privacy (10 of 11)

Protecting Your Online Profile

• Several general defenses can be used for any social networking site.
• First and foremost, you should be cautious about what information you post.
• Second, you should be cautious regarding who can view your information.
• Finally, you should pay close attention to information about new or updated security settings.

Privacy Laws

• Information collected and stored about individuals should be limited.
• Once collected, provisions should be made to protect the data.
• Personal information should be released outside the organization collecting the data only when the person has agreed to its disclosure.
• The individual should know that the data is being collected and have the opportunity to determine the accuracy of the data.

​

Information Privacy (11 of 11)

Table 5-8 Some U.S. privacy laws.

How To: Establish Policies to Ensure�Safety (1 of 7)

• Companies establish guidelines for use, occasionally limit access, and possibly oversee employees’ activities for unacceptable actions.
• A code of conduct is a written guideline that helps determine whether a specification is ethical, unethical or allowed or not allowed.
• An IT code of conduct focuses on the acceptable use of technology.

​

Figure 5-14 Sample IT code of conduct.

How To: Establish Policies to Ensure�Safety (2 of 7)

• Content filtering is the process of restricting access to certain materials. Many businesses use content filtering to limit employees’ web access.
• Web filtering software are programs that restrict access to specified websites. Some also filter websites that use specific words.

How To: Establish Policies to Ensure�Safety (3 of 7)

Employee Monitoring

• Employee monitoring involves the use of computers, mobile devices, or cameras to observe, record, and review an employee’s use of technology, including communications such as email messages, keyboard activity (used to measure productivity), and websites visited.
• Many programs exist that easily allow employers to monitor employees.
• If a company does not have a formal email policy, it can read email messages without employee notification.

How To: Establish Policies to Ensure�Safety (4 of 7)

1. Disaster Recovery
• A disaster recovery plan is a written plan that describes the steps an organization would take to restore its computer operations in the event of a disaster.
• Each company and each department within an organization usually has its own.
• It typically contains four components: Emergency plan, Back up plan, Recovery plan, and Test plan
2. Emergency Plan
• An emergency plan specifies the steps and is organized by type of disaster and includes:
• Names and phone numbers of people and organizations to notify
• Computer equipment procedures and employee evacuation procedures
• Return procedures (who can enter the facility and what actions they are to perform)

​

​

​

How To: Establish Policies to Ensure�Safety (5 of 7)

Backup Plan

The backup plan specifies how to use backup files and equipment to resume computer operations, and includes:

• The location of backup data, supplies, and equipment
• Who is responsible for gathering backup resources and transporting them to an alternate computer facility
• The methods by which data will be restored from cloud storage
• A schedule indicating the order and approximate time each application should be up and running

How To: Establish Policies to Ensure�Safety (6 of 7)

Recovery Plan:

The recovery plan specifies the actions to restore full computer operations such as replacing hardware or software.

Test Plan:

The test plan includes simulating various levels of disasters and recording the ability to recover.

How To: Establish Policies to Ensure�Safety (7 of 7)

Table 5-9 Considerations for disaster recovery.

Ethics and Issues: Inclusivity and

Digital Access (1 of 2)

Digital Inclusion

• Digital inclusion is the movement to ensure that all users, regardless of economic or geographic constraints, have access to the devices, data, and infrastructure required to receive high-speed, accurate, reliable information.
• The goal of digital inclusion is to ensure that everyone has access to all the online resources, including education, participation in the local and national government, employment listings and interviews, and health care access.

Ethics and Issues: Inclusivity and

Digital Access (2 of 2)

Some barriers to digital inclusion include:

• Geographic areas that lack the infrastructure necessary to provide reliable Internet access
• Government restrictions or censorship
• Affordable devices or connections
• Lack of education
• Lack of understanding of the value of technology