Data Security and Privacy:
Introduction to Data Security: Importance, common security threats.
Data Privacy: Privacy concerns in the digital age, protecting personal information online.
2. CONTENTS: MODULE 4
• Data Security and Privacy:
• Introduction to Data Security:
• Importance, common security threats.
• Data Privacy:
• Privacy concerns in the digital age, protecting personal information
online.
5. Data:
• Data refers to raw and unorganized facts or
figures that have no meaning on their own.
• It can be in the form of numbers, text,
images, audio, or any other representation
of facts.
• Data is often represented in a binary
format (0s and 1s) in computer systems,
making it machine-readable.
• Example: The numbers 5, 12, and 8 are
data because they are just individual values
without any context or significance.
Information:
• Information is the meaningful and useful
interpretation of data.
• It is derived from data through analysis,
processing, and organizing to give it context
and relevance.
• Information provides answers to questions,
solves problems, or adds value to our
understanding of a particular subject.
• Example: If we take the numbers 5, 12, and 8
and interpret them as the ages of three
people, then we have information. For
instance, "5" could be the age of a child, "12"
could be the age of a teenager, and "8" could
be the age of another child.
7. It is defined as the protection from unknown, unwanted or external
access to data.
It refers to protection from a data breach, corruption, modification
and theft.
The strategies to set up data security include data encryption, data
confidentiality etc.
The protection requiring components of data security include
software, user and storage devices, hardware, organization’s policies
and procedures and access and administrative controls.
9. Data security is the practice of protecting digital information
from unauthorized access, corruption or theft throughout its
entire lifecycle.
When properly implemented, robust data security strategies
will not only protect an organization’s information assets
against cybercriminal activities, but they'll also guard against
insider threats and human error, which remain among the
leading causes of data breaches today.
Data security involves deploying tools and technologies that
enhance the organization’s visibility into where its critical data
resides and how it is used.
11. Data security has many overlaps with data privacy. The same
mechanisms used to ensure data privacy are also part of an
organization’s data security strategy.
The primary difference is that data privacy mainly focuses on
keeping data confidential, while data security mainly focuses on
protecting from malicious activity.
Example, encryption could be a sufficient measure to protect
privacy, but may not be sufficient as a data security measure.
Attackers could still cause damage by erasing the data or double-
encrypting it to prevent access by authorized parties.
12. COMMON SECURITY THREATS
1. Malware attack
2. Social engineering attacks
3. Distributed denial of service (DDoS)
4. Man-in-the-middle attack (MitM)
5. Password attacks
https://www.exabeam.com/information-
security/cyber-security-threat/
13. MALWARE ATTACK
• Attacks use many methods to get malware into a user’s
device, most often social engineering. Users may be
asked to take an action, such as clicking a link or opening
an attachment. In other cases, malware uses
vulnerabilities in browsers or operating systems to install
themselves without the user’s knowledge or consent.
• Once malware is installed, it can monitor user activities,
send confidential data to the attacker, assist the attacker
in penetrating other targets within the network, and even
cause the user’s device to participate in a botnet
leveraged by the attacker for malicious intent.
14. MALWARE ATTACK: MALWARE ATTACKS INCLUDE
• Trojan virus — tricks a user into thinking it is a harmless file. A Trojan can launch an attack on a system and can
establish a backdoor, which attackers can use.
• Ransomware — prevents access to the data of the victim and threatens to delete or publish it unless a ransom is paid.
Learn more in our guide to ransomware prevention.
• Wiper malware — intends to destroy data or systems, by overwriting targeted files or destroying an entire file
system. Wipers are usually intended to send a political message, or hide hacker activities after data exfiltration.
• Worms — this malware is designed to exploit backdoors and vulnerabilities to gain unauthorized access to operating
systems. After installation, the worm can perform various attacks, including Distributed Denial of Service (DDoS).
• Spyware — this malware enables malicious actors to gain unauthorized access to data, including sensitive information
like payment details and credentials. Spyware can affect mobile phones, desktop applications, and desktop browsers.
• Fileless malware — this type of malware does not require installing software on the operating system. It makes native
files such as PowerShell and WMI editable to enable malicious functions, making them recognized as legitimate and
difficult to detect.
• Application or website manipulation — OWASP outlines the top 10 application security risks, ranging from broken
access controls and security misconfiguration through injection attacks and cryptographic failures. Once the vector is
established through service account acquisition, more malware, credential, or APT attacks are launched.
15. SOCIAL ENGINEERING ATTACKS
• Social engineering attacks work by psychologically manipulating users into performing actions desirable to an attacker, or divulging
sensitive information.
• Social engineering attacks include:
• Phishing— attackers send fraudulent correspondence that seems to come from legitimate sources, usually via email. The email may
urge the user to perform an important action or click on a link to a malicious website, leading them to hand over sensitive information to
the attacker, or expose themselves to malicious downloads. Phishing emails may include an email attachment infected with malware.
• Spear phishing — a variant of phishing in which attackers specifically target individuals with security privileges or influence, such as
system administrators or senior executives.
• Malvertising— online advertising controlled by hackers, which contains malicious code that infects a user’s computer when they
click, or even just view the ad. Malvertising has been found on many leading online publications.
• Drive-by downloads — attackers can hack websites and insert malicious scripts into PHP or HTTP code on a page. When users visit
the page, malware is directly installed on their computer; or, the attacker’s script redirects users to a malicious site, which performs the
download. Drive-by downloads rely on vulnerabilities in browsers or operating systems. Learn more in the guide to drive-by downloads.
• Scareware security software — pretends to scan for malware and then regularly shows the user fake warnings and detections.
Attackers may ask the user to pay to remove the fake threats from their computer or to register the software. Users who comply transfer
their financial details to an attacker.
• Baiting — occurs when a threat actor tricks a target into using a malicious device, placing a malware-infected physical device, like a
USB, where the target can find it. Once the target inserts the device into their computer, they unintentionally install the malware.
Cont…
16. SOCIAL ENGINEERING ATTACKS
• Vishing — voice phishing (vishing) attacks use social engineering techniques to get targets to divulge financial or personal
information over the phone.
• Whaling — this phishing attack targets high-profile employees (whales), such as the chief executive officer (CEO) or chief financial
officer (CFO). The threat actor attempts to trick the target into disclosing confidential information.
• Pretexting — occurs when a threat actor lies to the target to gain access to privileged data. A pretexting scam may involve a
threat actor pretending to confirm the target’s identity by asking for financial or personal data.
• Scareware — a threat actor tricks the victim into thinking they inadvertently downloaded illegal content or that their computer is
infected with malware. Next, the threat actor offers the victim a solution to fix the fake problem, tricking the victim into
downloading and installing malware.
• Diversion theft — threat actors use social engineers to trick a courier or delivery company into going to a wrong drop-off or
pickup location, intercepting the transaction.
• Honey trap — a social engineer assumes a fake identity as an attractive person to interact with a target online. The social
engineer fakes an online relationship and gathers sensitive information through this relationship.
• Tailgating or piggybacking — occurs when a threat actor enters a secured building by following authorized personnel. Typically,
the staff with legitimate access assumes the person behind is allowed entrance, holding the door open for them.
• Pharming — an online fraud scheme during which a cybercriminal installs malicious code on a server or computer. The code
automatically directs users to a fake website, where users are tricked into providing personal data.
17. DISTRIBUTED DENIAL OF SERVICE (DDOS)
• The objective of a denial of service (DoS) attack is to
overwhelm the resources of a target system and cause it to
stop functioning, denying access to its users. Distributed denial
of service (DDoS) is a variant of DoS in which attackers
compromise a large number of computers or other devices,
and use them in a coordinated attack against the target system.
• DDoS attacks are often used in combination with other
cyberthreats. These attacks may launch a denial of service to
capture the attention of security staff and create confusion,
while they carry out more subtle attacks aimed at stealing data
or causing other damage.
18. DISTRIBUTED DENIAL OF SERVICE (DDOS):
METHODS OF DDOS ATTACKS
• Botnets — systems under hacker control that have been infected with malware. Attackers use these bots to
carry out DDoS attacks. Large botnets can include millions of devices and can launch attacks at devastating
scale.
• Smurf attack — sends Internet Control Message Protocol (ICMP) echo requests to the victim’s IP address.
The ICMP requests are generated from ‘spoofed’ IP addresses. Attackers automate this process and perform it
at scale to overwhelm a target system.
• TCP SYN flood attack — attacks flood the target system with connection requests. When the target system
attempts to complete the connection, the attacker’s device does not respond, forcing the target system to
time out. This quickly fills the connection queue, preventing legitimate users from connecting.
19. MAN-IN-THE-MIDDLE ATTACK (MITM)
• When users or devices access a remote system
over the internet, they assume they are
communicating directly with the server of the
target system. In a MitM attack, attackers break
this assumption, placing themselves in between
the user and the target server.
• Once the attacker has intercepted
communications, they may be able to compromise
a user’s credentials, steal sensitive data, and
return different responses to the user.
20. MAN-IN-THE-MIDDLE ATTACK (MITM): MITM ATTACKS
• Session hijacking — an attacker hijacks a session between a network server and a client. The attacking computer
substitutes its IP address for the IP address of the client. The server believes it is corresponding with the client and
continues the session.
• Replay attack — a cybercriminal eavesdrops on network communication and replays messages at a later time,
pretending to be the user. Replay attacks have been largely mitigated by adding timestamps to network
communications.
• IP spoofing — an attacker convinces a system that it is corresponding with a trusted, known entity. The system thus
provides the attacker with access. The attacker forges its packet with the IP source address of a trusted host, rather
than its own IP address.
• Eavesdropping attack — attackers leverage insecure network communication to access information transmitted
between the client and server. These attacks are difficult to detect because network transmissions appear to act
normally.
• Bluetooth attacks — Because Bluetooth is often open in promiscuous mode, there are many attacks, particularly
against phones, that drop contact cards and other malware through open and receiving Bluetooth connections.
Usually this compromise of an endpoint is a means to an end, from harvesting credentials to personal information.
21. PASSWORD ATTACKS
• A hacker can gain access to the password information of an individual by ‘sniffing’ the connection to the network,
using social engineering, guessing, or gaining access to a password database. An attacker can ‘guess’ a password in
a random or systematic way
• Brute-force password guessing — an attacker uses software to try many different passwords, in hopes of
guessing the correct one. The software can use some logic to trying passwords related to the name of the
individual, their job, their family, etc.
• Dictionary attack — a dictionary of common passwords is used to gain access to the computer and network of
the victim. One method is to copy an encrypted file that has the passwords, apply the same encryption to a
dictionary of regularly used passwords, and contrast the findings.
• Pass-the-hash attack — an attacker exploits the authentication protocol in a session and captures a password
hash (as opposed to the password characters directly) and then passes it through for authentication and lateral
access to other networked systems. In these attack types, the threat actor doesn’t need to decrypt the hash to
obtain a plain text password.
• Golden ticket attack — a golden ticket attack starts in the same way as a pass-the-hash attack, where on a
Kerberos (Windows AD) system the attacker uses the stolen password hash to access the key distribution center to
forge a ticket-granting-ticket (TGT) hash. Mimikatz attacks frequently use this attack vector.
22. FAQS
• Question 1. What is data security?
• a) The process of encrypting data
• b) The process of protecting data from unauthorized access, use, disclosure, modification,
or destruction
• c) The process of storing data in a secure location
• d) The process of backing up data regularly
Answer: b) The process of protecting data from unauthorized access, use, disclosure,
modification, or destruction
23. FAQS
• Question 2. Why is data security important?
• a) To prevent data from being lost
• b) To ensure data is always available
• c) To protect sensitive information from unauthorized access
• d) To increase the speed of data transfer
Answer: c) To protect sensitive information from unauthorized access
24. FAQS
• Question 3. Which of the following is a common security threat?
• a) Firewall
• b) Antivirus software
• c) Malware
• d) Data encryption
Answer: c) Malware
25. FAQS
• Question 4. What is malware?
• a) A type of hardware used for data storage
• b) A type of software used for data analysis
• c) A malicious software designed to harm or exploit computer systems
• d) A network protocol used for data transmission
Answer: c) A malicious software designed to harm or exploit computer systems
26. FAQS
• Question 5. What is phishing?
• a) A fishing technique used by digital marketers
• b) An online game
• c) A cyber attack where attackers trick individuals into revealing sensitive information
• d) A social media platform for sharing photos
Answer: c) A cyber attack where attackers trick individuals into revealing sensitive
information
27. FAQS
• Question 6. What is ransomware?
• a) A type of secure encryption for data protection
• b) A software that provides free online storage
• c) Malicious software that blocks access to a computer system until a ransom is paid
• d) An online privacy advocacy group
Answer: c) Malicious software that blocks access to a computer system until a ransom is paid
28. FAQS
• Question 7. What is "social engineering" in the context of data privacy?
• a) The process of creating and maintaining social media profiles
• b) A strategy to protect personal data from hackers
• c) A method used by cybercriminals to manipulate individuals into revealing sensitive
information
• d) The use of social media platforms for advertising
Answer: c) A method used by cybercriminals to manipulate individuals into revealing
sensitive information
29. DATA PRIVACY
• Privacy concerns in the digital age
• Protecting personal information online
30. PRIVACY CONCERNS IN THE DIGITAL AGE
• Privacy is about choice, the choice to reveal or not to reveal, details about yourself and your life.
• Everyday, we find ourselves in situations where we disclose to individuals and organizations, various pieces of
information about who we are, what we do, and how we do it.
• When we enter our place of work, we may “clock in” showing what time we arrived. When we hand over our
bank card to the coffee shop at lunchtime to buy our lunch, the bank now knows that we were at that shop and
spent ₹100 at 12 noon on Tuesday. On our way home we make a call to our partner to let them know our arrival
time, the phone company then knows our location and which number was called.
• It was this digitization of processes and tasks that required us to reveal personal information, which brought
privacy into the spotlight.
31. PRIVACY CONCERNS IN THE DIGITAL AGE
Concepts of Privacy
In a digital age, the concept
of privacy itself hasn’t
changed. We, as individuals,
still want to retain control
over who has access to our
personal information.
In fact, as our online
presence has become
ubiquitous, and we’ve all
settled into our digital lives,
this need to retain privacy
and ownership of our data
has increased.
32. IDENTITY THEFT
• The fact that our lives have become more and more digital means we're more exposed than ever to
identity theft. For those who don't know, identify theft is exactly what it sounds like: someone assumes
your identity and then does what they please with it.
• Not only is this terrifying, but it can wreak havoc on your finances. If someone can act as you to
withdraw cash or open a credit line, it can often be challenging to have those things reversed, meaning
you have no choice but to accept the consequences.
• In theory, data privacy should help to reduce the threat of identity theft. With less of our data being
collected, those looking to do us harm would have fewer access points, as well as fewer ways of
learning about us so that they can scam us. Of course, there are other issues at play, but in this case,
data privacy is also a question of personal security.
33. OWNERSHIP OF INFORMATION AND CONSENT
• One big issue that comes up a lot when we talk about privacy in the digital age is the "ownership of information."
In other words, who owns the data collected about us?
• According to the law, we do. That's right. Every click, post, or photo, by rights, is ours, and no one else can have it.
So, why then is all this data being collected? It's simple: we agree to give it up.
• "What?!" You may be thinking. "I never agreed to give up my data." In reality, you did. Remember when you
downloaded that app, signed up for that service, or made an account on that social media platform? At some
point, you scrolled to the bottom of the screen and clicked a box that says you agree to that
company/organization/website's privacy terms and conditions.
• In this agreement, you effectively give away your rights of ownership as it relates to your data.
34. FREEDOM TO BE
• Another concern many people have around digital privacy is the concept of "being left alone." Before
the internet, privacy was respected by leaving people to their devices and giving people the choice of
when and how they want to let their privacy be invaded.
• However, in the digital world, no such luxury is possible. The way things are set up, you are surrendering
your privacy when you step foot into a digital space.In the digital space, we don't seem too concerned
about this.
• Now, the question becomes, is it possible for people to use the internet and "be left alone." Perhaps,
but some considerable changes would need to be made in how we do things.
• There are plenty of people out there who want to use digital technologies but who don't want to
surrender this information, and their concerns must at least be listened to if not addressed.
35. PERSONAL AUTONOMY
• One of the primary reasons all this data is collected about you is that marketers and advertisers can sell you more
stuff.
• Some people think this approach is better since it makes it more likely they'll see ads for products and services
relevant to them. However, this begs the question of autonomy. In other words, with so much targeted marketing,
how much freedom is left for us to decide for ourselves?
• Today's marketing's hyper-targeted nature means we may only be exposed to a few options before making a
purchase. This could be seen as bad for competition.
• Of course, the counter to this is that we are all free to do our own research and look into the products out there of
our own accord. If even our search results are conditioned by past web activity, how much freedom do we actually
have?
• Again, there is no clear-cut answer, but we must also consider freedom of choice as we consider privacy in the
digital age.
36. LOSS OF COMPETITION
• All of this data collection and lack of privacy can hurt competition in our markets. To be more specific,
not only does it hurt it by limiting the number of options people are exposed to, but it also hurts firms'
abilities to reach their customers.
• In essence, if you don't have access to the data out there, you're going to be left at a pretty severe
disadvantage. This means big corporations are going to be in a better position than smaller companies.
This has always been true to an extent, but the gap does seem to be widening. To crunch the data out
there, you need some pretty intense machinery and staff to handle it, not something every firm has.
• Therefore, while all this digitization and data collection has certainly helped businesses, we need to ask
if it's the best thing for the overall economy. So much data is out there and being traded so openly and
freely.
37. SURVEILLANCE AND BIG BROTHER
• Surveillance refers to the systematic monitoring of individuals, activities, or information for various
purposes, such as maintaining security, gathering intelligence, or ensuring compliance with laws and
regulations. Surveillance can take different forms, including physical observation, the use of cameras,
monitoring internet activities, and analyzing data from various sources.
• While surveillance can be employed for legitimate reasons, concerns about privacy and potential
abuses of power have arisen as technology advancements enable more extensive and intrusive
surveillance capabilities.
• The phrase "Big Brother is watching you" represents the idea of pervasive government surveillance and
the loss of individual privacy. Today, "Big Brother" is used metaphorically to describe any authority or
entity that monitors and controls people's actions and behaviors, often without their knowledge or
consent.
38. PROTECTING PERSONAL INFORMATION ONLINE
Strong Passwords: Use strong and unique passwords for your online accounts. Avoid using
common words or easily guessable information. Consider using a password manager to generate and
store complex passwords securely.
Two-Factor Authentication (2FA): Enable two-factor authentication whenever possible. This adds
an extra layer of security by requiring a second verification step, such as a code sent to your phone, in
addition to your password.
Update Software: Keep your operating system, apps, and antivirus software up to date. Software
updates often include security patches that protect against known vulnerabilities.
Limit Personal Information Sharing: Be cautious about sharing sensitive personal information
on social media or public platforms. Review your privacy settings and consider restricting access to
your profile.
Be Cautious with Emails: Avoid clicking on suspicious links or downloading attachments from
unknown senders. Phishing emails can lead to data breaches or install malware on your device.
Use Secure Wi-Fi Networks: Only connect to trusted and password-protected Wi-Fi networks.
Avoid using public Wi-Fi for sensitive activities like online banking or accessing personal accounts.
Cont…
39. PROTECTING PERSONAL INFORMATION ONLINE
Secure Your Devices: Set up a strong PIN, password, or biometric authentication (fingerprint/face
recognition) on your mobile devices to prevent unauthorized access.
Review App Permissions: Check the permissions requested by apps on your device and consider if
they are necessary. Be cautious about granting access to sensitive information or features.
Clear Cookies and Browser History: Regularly clear cookies and browsing history on your web
browser to minimize tracking of your online activities.
Read Privacy Policies: Before using any online service or website, read and understand their
privacy policies to know how they handle your data.
Encrypt Your Data: Use encryption tools to protect sensitive files and data on your devices. This
prevents unauthorized access even if your device is lost or stolen.
Be Mindful of Smart Devices: If you have smart devices (e.g., smart speakers, cameras, etc.),
review their privacy settings and consider disabling any features that might compromise your privacy.
40. FAQS
• Question 1. What is data privacy?
• a) Sharing personal information with everyone
• b) Protecting personal information from unauthorized access
• c) Using personal information for targeted advertising
• d) Selling personal information to third parties
Answer: b) Protecting personal information from unauthorized access
41. FAQS
• Question 2. Why is data privacy important in the digital age?
• a) To make targeted advertisements more effective
• b) To track users' online activities
• c) To protect personal information from data breaches and misuse
• d) To increase website traffic
Answer: c) To protect personal information from data breaches and misuse
42. FAQS
• Question 3. Which of the following is a privacy concern in the digital age?
• a) Using strong passwords
• b) Securely storing personal information
• c) Data breaches and identity theft
• d) Encrypting sensitive files
Answer: c) Data breaches and identity theft
43. FAQS
• Question 4. Why should individuals regularly review and update their privacy settings on
social media?
• a) To increase social media followers
• b) To customize the appearance of their social media profile
• c) To limit who can access and view their personal information
• d) To increase the visibility of their posts
Answer: c) To limit who can access and view their personal information
44. FAQS
• Question 5. What is the role of cookies in data privacy concerns?
• a) They are delicious treats that websites offer to visitors
• b) They track users' online activities and collect information about their browsing
behavior
• c) They protect personal information from hackers
• d) They encrypt sensitive data for security purposes
Answer: b) They track users' online activities and collect information about their browsing
behavior
45. FAQS
• Question 6. What is a data broker?
• a) A government agency that regulates data privacy
• b) A company that collects and sells personal information to third parties
• c) A software for data storage and management
• d) A type of data encryption method
Answer: b) A company that collects and sells personal information to third parties