Ch 15 - Emerging Issues Flashcards

You may prefer our related Brainscape-certified flashcards:
1
Q

IOT and Big Data Facts and Background

A

Big Data is a term used to describe the nearly ubiquitous collection of data about individuals from multitudinous sources, coupled with the low costs to store such data and the new data mining techniques used to draw connections and make predictions based on this collected information.

IOT: The data analyzed by analytics programs, algorithms, machine learning, and other data mining techniques—the underpinnings of the term Big Data—are often gathered by devices collectively known as IoT. The next evolution of interaction with computer devices combines sensors almost anywhere with connection to the Internet.

The number of sensors connected to the Internet is now counted in the tens of billions.

By 2025, it is estimated that amount of data will double every 12 hours.

Big Data is characterized by the “three Vs”: velocity (how fast the data is coming in), volume (the amount of data coming in), and variety (what different forms of data are being analyzed).

Microsoft’s CEO Satya Nadella proposed a list of AI design principles, including several that focus on privacy issues: “AI must be designed to help humanity, AI must be designed for intelligent privacy, AI must be transparent, and AI needs algorithmic accountability so humans can undo unintended harm.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Friends and Family Test

A

would the managers feel comfortable if data on themselves and their family and friends were in the database, subject to possible breach?

For instance, would managers at the bank feel comfortable with their own family’s data going into the ACF database?

If not, that is a reason to take greater precautions from cybersecurity perspective.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Means of preventing Big Data Breach

A
Data minimization
Segmentation
De-identification
Collection, purpose and use limitations (FIPPS)
Access controls
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Direct and indirect identifiers

A

Direct identifiers = data that identify an individual with little or no additional effort.
Examples: address, phone number

Indirect identifiers = data such as age or gender that can increase the likelihood of identifying an individual.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

De-id terms: pseud, de-id, anon

A
  • Pseudonymous data: Information from which the direct identifiers have been eliminated. Indirect identifiers remain intact.
  • De-identified data: Direct and known indirect identifiers have been removed.
  • Anonymous data: Direct and indirect identifiers have been removed or technically manipulated to prevent re-identification.

These categories do not result from a single method or from reducing the identifiability of data. Instead, reduction of the risk of re-identification results from a collection of techniques that can be applied to different kinds of data with differing levels of effectiveness.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Blurring

A

This technique reduces the precision of disclosed data to reduce the certainty of individual identification.

For example, date of birth is highly identifying (because a small portion of people are born on a particular day of a particular year), but year of birth is less identifying.

Similarly, a broader set of years (such as 1971-1980, or 1981-1990) is less identifying than year of birth.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Masking

A

Masking. This technique masks the original values in a data set with the goal of data privacy protection. One way this may be accomplished is to use perturbation—make small changes to the data while maintaining overall averages—to make it more difficult to identify individuals.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Differential Privacy

A

This technique uses a mathematical approach to ensure that the risk to an individual’s privacy is not substantially increased as a result of being part of the database.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

FTC Characterization of a Data Broker in 2014

A

The FTC characterized the data broker industry as: collecting consumer data from numerous sources, usually without consumers’ knowledge or consent; storing billions of data elements on nearly every U.S. consumer; analyzing data about consumers to draw inferences about them; and combining online and offline data to market to consumers online.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

FTC broad categories of products offered by data brokers - 2014

A

(1) marketing (such as appending data to customer information that a marketing company already has),
(2) risk mitigation (such as information that may reduce the risk of fraud) and
(3) location of individuals (such as identifying an individual from partial information).

For each of these segments of the industry, the FTC suggested that data brokers engage in data minimization practices, review collection practices carefully as they relate to children and teens, and take reasonable precautions to ensure that downstream users did not use the data for discriminatory or criminal purposes.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

FTC Report on Big Data (2016)

A

The agency expressed its understanding that Big Data brought with it significant benefits coupled with significant risks. Examples of the benefits identified included providing healthcare tailored to individual patients, enhancing educational opportunities by tailoring the experience to the individual student, and increasing equal access to employment. Examples of the risks included: exposing sensitive information; reinforcing existing disparities; and creating new justifications for exclusion.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

IOT Background

A

In 2016, estimates for the number of IoT devices in use topped 15 billion worldwide,

with spending on these devices approaching $1 trillion globally.3

By 2020, the number of wearable device shipments is estimated to be more than 200 million.

much of IoT—such as temperature, traffic statistics, and sensors around industrial production—often does not implicate PII.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

IOT devices share 2 characteristics that are important for privacy and security discussions

A

(1) the devices interact with software running elsewhere (often in the cloud) and function autonomously and
(2) when coupled with data analysis, the devices may take proactive steps and make decisions about or suggest next steps for users.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Concerns regarding privacy and cybersecurity wrt IOT devices stem from

A

(1) limited user interfaces in the products;
(2) lack of industry experience with privacy and cybersecurity;
(3) lack of incentives in the industries to deploy updates after products are purchased; and
(4) limitations of the devices themselves, such as lack of effective hardware security measures.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Wearables - Issues

A

Most of this information is not protected by HIPAA, because HIPAA applies only to the activities of covered entities such as providers and health insurance plans

Challenges include:

  1. Right to forget - hard to remember to delete
  2. impact of location disclosure - stalking
  3. Screens read by tose nearby
  4. video/audio recording without knowledge - e.g. google glasses.
  5. lack of control of data - how will it be used?
  6. Automatic syncing with social media - without controls
  7. Facial recognition.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

FPF Best Practices for Wearables

A
  1. access, deletion, and correction rights;
  2. opt-in consent for sharing with third parties;
  3. sharing of data for scientific research purposes, with informed consent;
  4. compliance with leading app platform standards and global privacy frameworks;
  5. strong data security requirements; and strong requirements for de-identification.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Connected Cars

A
  • Examples:
    a vehicle that wirelessly alerts the dealership when tires need to be rotated.

app from a car insurance company that records braking habits.

  • Privacy experts raise concerns that these configurations place sensitive information at risk to unauthorized access or hacking. The complexity of these issues has led to a situation where numerous federal agencies are considering regulating connected cars: the National Highway Traffic Safety Administration (NHTSA), FTC, and the Federal Communications Commission (FCC).
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Smart Homes: Privacy Issues

A
  • Smart thermostats - ransomware

Smart TVs - not effectively secured. Overhear conversations?

Communication systems - hacking into home wifi networks

security systems - hackers use to break in?

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Smart Cities: Basics and examples

A

primarily refers to municipalities and other government entities using sensors to monitor functions and improve government services.

Examples:
wireless sensors in lighting
garbage collection
parking meters

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

Smart Cities: DHS Report

A

Highlighted 3 themes in cyber risks that arise when integrating with city infrastructure:

  • Changing seams - btw legacy and new system, and urban and rural systems - boundaries disappearing
  • Inconsistent adoption
  • Increased automation
    can lead to more threat vectors, cascading failures, and removal of manual overrides.

Surveillance and big brother aspect comes into play with smart cities, bc are governmental led.

Service-surveillance spectrum

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

Broadband Internet Technical Advisory Group reccs on IOT and privacy/security (2016)

A
  • IoT devices should follow security and encryption best practices
  • For devices that can be customized by the users, the company should test the IoT devices in different possible configurations
  • IoT devices should be designed to facilitate automated, secure software updates
  • IoT devices should be secured by default by the inclusion of a password
  • IoT devices should be shipped originally with reasonably up-to-date software
  • IoT devices should be shipped with a privacy policy that is understandable and easy to find
  • IoT devices should communicate with restrictive rather than permissive protocols
  • IoT devices should continue to function if Internet connectivity is disrupted or if cloud back-up fails

Note: Real risk from IOT is not individual device compromised, but that IOT will allow for network attack.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

FTC Report on IOT (2015) - Internet of Things: Privacy and Security in a Connected World

A
  • Volume and personal nature of data in IOT heightens the need for protection.

If no consumer interface, no choice available. So, consider choice at point of sale, video tutorials, choice during set up, dashboards and icons, email/text

Security risks identified:

  • lax security that could allow intruders access to personal information collected by the devices,
  • security vulnerabilities on a consumer’s device that could lead to attacks on networks connected to the device,
  • and security issues with the devices that could place physical safety at issue, such as changes to instructions for an insulin pump or to a lock on a front door to a house.

In response, FTC urged:

  • security by design
  • deploy seucrity
  • vendor management
  • security at several levels
  • access controls
  • monitor throughout lifecycle
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

Pseudonymous data:

A

Information from which the direct identifiers have been eliminated. Indirect identifiers remain intact.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

De-identified data:

A

Direct and known indirect identifiers have been removed.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Q

Anonymous data:

A

Direct and indirect identifiers have been removed or technically manipulated to prevent re-identification.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
26
Q

Differential privacy:

A

<p>an approach for analyzing database content without disclosing information about the user.</p>

<p>*Not sure if it works: there is criticism around this method.</p>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
27
Q

HTTP Strict Transport Security (HSTS):

A

mechanism to force the use of HTTPS instead of HTTP

28
Q

Machine learning policies:

A

<p>security assertion markup language (SAML) used for single sign on by many internet companies (Google etc).</p>

29
Q

Threats:

A

<ol><li>phishing,</li><li>SQL injection,</li><li>cross-site scripting,</li><li>spam</li></ol>

30
Q

Tracking technologies:

A

<ol><li>cookies,</li><li>beacons,</li><li>locally shared objects,</li><li>browser fingerprinting,</li><li>history sniffing,</li><li>super cookies</li></ol>

31
Q

<p>Right to be forgotten:</p>

A

(European data protection Article 17 / 19 working party)

32
Q

Sources of ads:

A

<ol><li>search,</li><li>display from the publisher (ads of the publisher of the page you are visiting) &</li><li>third party (from third parties other than the publisher).</li></ol>

33
Q

Types of internet ads:

A

<ol><li>inventory ads (not personalized),</li><li>premium (on prestigious websites),</li><li>contextual (based on the page content),</li><li>demographic (tuned based on age / gender),</li><li>psychographic (interest / intend based) &</li><li>behavioral (based on the what the web history).</li></ol>

34
Q

<p>Why should you beware of location tracking?</p>

A

<p>It's not possible to prevent tracking of GPS signal in some situations.</p>

35
Q

2 most Important principles for security & privacy:

A

<ol><li>least privilege access</li><li>segmentation of duties</li></ol>

36
Q

<p>Authentication factors:</p>

A

<p>something you know / you are / where you are / something you have.</p>

37
Q

Beware of all the non-nominal cases for data access:

A

remote work, backup systems, former employees, network transfers, personal devices (bring your own devices - BYOD policies) and their theft, printers, co-location in data-centers, mergers and acquisitions… All these cases introduce specific vulnerabilities that must be addressed.

38
Q

SSL negotiates:

A. a private link and transfers the data across it.
B. a secure link and blocks all traffic.
C. a secure link and transfers the data across it.
D. a public link and transfers the data across it.

A

C. a secure link and transfers the data across it.

SSL, or Secure Sockets Layer, was the original encryption protocol developed for HTTP. SSL was replaced by TLS, or Transport Layer Security, some time ago. SSL handshakes are now called TLS handshakes, although the “SSL” name is still in wide use.

The SSL or TLS handshake enables the SSL or TLS client and server to establish the secret keys with which they communicate. … SSL or TLS then uses the shared key for the symmetric encryption of messages, which is faster than asymmetric encryption.

What Is an SSL/TLS Handshake? An SSL/TLS handshake is a negotiation between two parties on a network – such as a browser and web server – to establish the details of their connection.
During the SSL connection negotiation process, the client and the load balancer present a list of ciphers and protocols that they each support, in order of preference. By default, the first cipher on the client’s list that matches any one of the load balancer’s ciphers is selected for the SSL connection.

The handshake itself uses asymmetric encryption – two separate keys are used, one public and one private. Since asymmetric encryption systems have much higher overhead, they are not usable to provide full-time, real-world security. Thus, the public key is used for encryption and the private key for decryption during the handshake only, which allows the two parties to confidentially set up and exchange a newly-created “shared key”. The session itself uses this single shared key to perform symmetric encryption, and this is what makes a secure connection feasible in actual practice (the overhead is vastly lower). So the full and correct answer to “Is SSL/TLS encryption asymmetric or symmetric?” is “First one, then the other.”

39
Q

SSL was originated by:

A. Netscape
B. Internet Explorer
C. Safari
D. Opera

A

A. Netscape

40
Q

Which of the following is not defined as part of SSL?

A. change cipher spec protocol
B. security protocol
C. alert protocol
D. handshake protocol

A

B. security protocol

41
Q

—- is a logical server/client link that offers a suitable type of service.

A. SSL interaction
B. SSL session
C. SSL connection
D. SSL record

A

C. SSL connection

42
Q

HTTP, IMAP, POP3 and SMTP use —- to establish secure connections.

A. SSL
B. TLS
C. TCP
D. TSL

A

B. TLS

43
Q

Which of the following is NOT a common web browser privacy tool?

A. privacy modes
B. object controls
C. cookie controls
D. malware detection

A

D. malware detection

44
Q

—- describe browser mechanisms which allow users to decide which other mechanisms should be blocked or allowed.

A. privacy modes
B. browser record
C. object controls
D. cookie controls

A

C. object controls

45
Q

—- in web browsers reduce local storage of personal information.

A. privacy modes
B. object controls
C. cookie controls
D. browser record

A

A. privacy modes

46
Q

Which of the following browser’s privacy mode blocks the referring URL from being sent?

A. Chrome’s Incognito
B. IE8 InPrivate Browsing
C. Firefox 3.5’s Private Browsing
D. Safari’s Private Browsing

A

B. IE8 InPrivate Browsing

47
Q

In which of the following browsers are new cookies NOT deleted at the end of the session?

A. IE 8
B. Firefox 3.5
C. Safari
D. Opera 10

A

D. Opera 10

48
Q

Which of the following web browsers block third-party cookie default settings?

A. Chrome
B. IE 8
C. Safari
D. Opera 10

A

C. Safari

49
Q

Which of the following web browsers automatically prevents deleted cookies from being reset?

A. Chrome
B. Firefox
C. Safari
D. IE 8

A

B. Firefox

50
Q

Which of the following statements is NOT true of object controls?

A. They allow users to manually block individual objects.
B. They do not support automatic blocking of objects.
C. They have restrictions on which objects can be blocked.
D. They can block basic text, images and other objects.

A

B. They do not support automatic blocking of objects.

51
Q

There are seven types of identity knowledge linked to degrees of identifiability. Which of the following is NOT one of those seven types of identity knowledge?

A. locatability
B. pseudo-anonymity
C. pattern knowledge
D. gender categorization

A

D. gender categorization

52
Q

Ethnicity, religion, age, region, sexual orientation and linguistic patterns are classified under which type of identity knowledge?

A. pseudo-anonymity
B. real anonymity
C. socal categorization
D. symbols of eligibility/non-eligibility

A

C. socal categorization

53
Q

—- refers to a property associated with an individual, such as height, weight, eye color or employer.

A. Identifier
B. Attribute
C. Charateristic
D. Authenticator

A

B. Attribute

54
Q

Both —- and —- can be authenticated.

A. identifiers; attributes
B. characteristics; authenticators
C. individuals; organizations
D. attributes; traits

A

A. identifiers; attributes

55
Q

Pseudonymizing technologies link transactions by the same agent to:

A. the same legal name.
B. the same public identity.
C. the same pseudonym identity.
D. none of the above.

A

C. the same pseudonym identity.

56
Q

—-_ ensures that a purchaser will not have his/her purchase history tracked.

A. Anonymizing
B. Pseudonymizing
C. Authenticating
D. Encrypting

A

A. Anonymizing

57
Q

The Tor network uses —- in a multilayered way.

A. anonymizing
B. pseudonymizing
C. routing
D. cryptography

A

D. cryptography

58
Q

Tor protects users against:

A. phishing
B. spyware and adware
C. traffic analysis
D. web bugs

A

C. traffic analysis

59
Q

Tor focuses on protecting data:

A. storage
B. collection
C. analysis
D. transport

A

D. transport

60
Q

The process of masking original data by scrambling source information is referred to as:

A. data randomization
B. data re-identification
C. data de-identification
D. data anonymization

A

C. data de-identification

61
Q

A multinational organization operating in fifteen countries is considering implementing an information security program. Which factor will MOST influence the design of the Information security program?

composition of the board

cultures of the different countries

A

cultures of the different countries

62
Q

The impact of an incident is an indication of:

A

Incident severity

The severity of an incident is directly tied to its effect on the organization, whether a single person, group, department, or entire organization

63
Q

An organization experiencing a malware-related incident is unable to isolate the malware. What should they do next?

get help from trained personnel with forensics analysis tools

wipe hard drives of affected systems and reinstall the OS

Obtain advanced anti-malware tools to identify malware

shut down affected systems and rebuild them on alternate hardware or VMs

A

get help from trained personnel with forensics analysis tools

64
Q

Data Brokers

A

Entities that collect, aggregate and sell individuals’ personal data, derivatives and inferences from disparate public or private sources. FTC report calls for transparency from brokers of where their data comes from.

65
Q

Internet of Things (IoT)

A

A term used to describe the many devices that are connected to the internet. Any device that is built with a network interface can be assigned an IP address to allow for automation and remote access. FTC report discusses the benefits and risks of IoT with privacy principles connected to technology.

66
Q

Artificial Intelligence (AI)

A

A process where machines learn from experience, adjusting to new inputs, and potentially performing tasks previously done by humans. It is a field of computer science dedicated to simulating intelligent behavior in computers.