Online privacy
refers to privacy concerns related to user interaction with Internet services through web servers and mobile apps.
Data collectors
collect information directly from their customers, audience, or other types of users of their services.
Data brokers
compile large amounts of personal data from several data collectors and other data brokers without having direct online contact with the individuals whose information is in the collected data.
Data brokers
repackage and sell the collected information to various data users, typically without the permission or input of the individuals involved.
Data users
category encompasses a broad range. One type of data user is a business that wants to target its advertisements and special offers.
Web server security and privacy
are concerned with the vulnerabilities and threats associated with the platform that hosts a website, including the operating system (OS), file and database systems, and network traffic.
Web application security and privacy
are concerned with web software, including any applications accessible via the Web.
Web browser security and privacy
are concerned with the browser used from a client system to access a web server.
Cellular and Wi-Fi infrastructure
Modern mobile devices are typically equipped with the capability to use cellular and Wi-Fi networks to access the Internet and to place telephone calls. Cellular network cores also rely upon authentication servers to use and store customer authentication information.
Public application stores (public app stores)
these are digital distribution services operated and developed by mobile OS vendors.
Google Play
For Android, the official app store is ______
App Store
For iOS, it is simply called the ________.
Device and OS vendor infrastructure
Mobile device and OS vendors host servers to provide updates and patches to the OS and apps. Other cloud-based services may be offered, such as storing user data and wiping a missing device.
Enterprise mobility management systems
is a general term that refers to everything involved in managing mobile devices and related components (e.g., wireless networks).
Enterprise mobility management systems
is much broader than just information security; it includes mobile application management, inventory management, and cost management.
Administrator
is a member of the organization who is responsible for deploying, maintaining, and securing the organization’s mobile devices as well as ensuring that deployed devices and their installed apps conform to the organization’s security requirements.
App testing facility
The administrator submits the app to an ________________ in the organization that employs automated and/or human analyzers to evaluate the security characteristics of an app, including searching for malware, identifying vulnerabilities, and assessing risks.
Threats from Application
The first step in developing privacy by design and privacy engineering solutions for online privacy is to define the threats to online privacy.
Web application privacy
The Open Web Application Security Project (OWASP) top 10 privacy risks project provides a list of the top privacy risks in web applications.
Web application vulnerabilities
Failing to suitably design and implement an application, detect a problem, or promptly apply a fix (patch), which is likely to result in a privacy breach.
User-side data leakage
Failing to prevent the leakage of any information containing or related to user data, or the data itself, to any unauthorized party resulting in loss of data confidentiality.
User-side data leakage
Leakage may be introduced due to either intentional malicious breach or mistake (e.g., caused by insufficient access management controls, insecure storage, duplication of data, or a lack of awareness).
Insufficient data breach response
Not informing the affected persons (data subjects) about a possible breach or data leak, resulting from either intentional or unintentional events; failure to remedy the situation by fixing the cause; not attempting to limit the leaks.
Insufficient deletion of personal data
Failing to delete personal data effectively and/or in a timely fashion after the termination of the specified purpose or upon request.
Non-transparent policies, terms, and conditions
Not providing sufficient information describing how data are processed, such as their collection, storage, and processing.
Non-transparent policies, terms, and conditions
Failure to make this information easily accessible and understandable for non-lawyers.
Collection of data not required for the primary purpose
Collecting descriptive, demographic, or any other user-related data that are not needed for the system.
Collection of data not required for the primary purpose
This applies also to data for which the user did not provide consent.
Sharing of data with a third party
Providing user data to a third party without obtaining the user’s consent.
Sharing of data with a third party
Sharing results either due to transfer or exchanging for monetary compensation or otherwise due to inappropriate use of third-party resources included in websites, such as widgets (e.g., maps, social networking buttons), analytics, or web bugs.
Outdated personal data
Using outdated, incorrect, or bogus user data and failing to update or correct the data.
Missing or insufficient session expiration
Failing to effectively enforce session termination. May result in the collection of additional user data without the user’s consent or awareness.
Insecure data transfer
Failing to provide data transfers over encrypted and secured channels that would exclude the possibility of data leakage.
Insecure data transfer
Failing to enforce mechanisms that limit the leaking surface (e.g., allowing user data to be inferred from the mechanics of web application operation).
Mobile app privacy
Legitimate mobile apps may be vulnerable to several privacy and security threats, typically due to poor coding practices used in app development or underlying vulnerabilities in the mobile device operating system.
Insecure network communications
Network traffic needs to be securely encrypted to prevent an adversary from eavesdropping.
Web browser vulnerabilities
Adversaries can exploit vulnerabilities in mobile device web browser applications as an entry point to gain access to a mobile device.
Vulnerabilities in third-party libraries
Third-party software libraries are reusable components that may be distributed freely or offered for a fee to other software vendors.
Vulnerabilities in third-party libraries
Software development by component or modules may be more efficient, and third-party libraries are routinely used across the industry.