BI T8 Data security and data protection

Last updated 7:23 AM on 4/16/26
30 Terms

1

What is IT Security Management, and what three components make up the ICT system?

IT Security Management addresses security-relevant aspects of business IT applications. It views the ICT system as a socio-technical system including:

  1. Technology (hardware/software)

  2. People (users)

  3. Tasks (processes)
    Example: A bank's online system needs secure servers (tech), trained staff (people), and safe transaction steps (tasks).

2

What are the key tasks of IT Security Management, and how is security achieved?


Key tasks: Achieve strategic IT goals + reduce risks and economic damage.

Process: Systematic engineering (development, setup, and ongoing maintenance).

Example: A hospital updates its patient database (development) and runs daily virus scans (maintenance) to avoid data breach fines.

3

What is the difference between IT Security and Information Security?

  • IT Security = Technical infrastructure (computers, networks must run without errors)

  • Information Security = Security of applications and processes (the information they handle)
    Example: IT Security = the server room door has a lock. Information Security = the patient file inside shows the right diagnosis to the right doctor.

ICT Security (whole system)

├── IT Security (tech: computers, networks)

├── Information Security (apps & processes)

└── User Security (people)

Data Security = ICT Security (since data → information)

Data Protection = security of personal data

Example for all: A company laptop (IT Security) runs encrypted payroll software (Information Security). An employee (User Security) uses a strong password. The employee's salary (Data Protection) stays private. That's ICT Security.

4

What are User Security and Data Protection?

  • User Security = Users are responsible for tasks and need protection/support from the IT system

  • Data Protection = Security of personal data (a sensitive subset of data security)
    Example (User): An employee gets phishing training so they don't click fake links.
    Example (Data Protection): A social media site encrypts your birthday so hackers can't steal it.


5

What is the objective of data security, and what two types of data exist?

Objective: Protect data from loss, falsification, and unauthorized access.
Two data types:

  • Problem data = actual stored data

  • Control data = programs (requests sent to computers)
    Example: A payroll file (problem data) and the software that calculates salaries (control data) both need security. A virus corrupting the program is a control data risk.

6

What are the two main risk factors to data security, with examples of each?

  1. Users (deliberate: theft/sabotage; accidental: incorrect handling)

  2. Programs (deliberate: malware/viruses; accidental: faulty calculation methods)
    Example: An employee stealing a USB drive (user, deliberate). A programmer making a wage calculation error (programs, accidental). A flood destroying servers (natural disaster – also a risk).

7

What are malware and social engineering/phishing?

  • Malware = malicious software (viruses, worms, Trojans) with hidden, undesirable functions.

  • Social Engineering = manipulating people (the biggest vulnerability). Phishing = fake emails/websites to steal passwords. Spear phishing = targeted attack on a specific person/department.
    Example: An email that looks like your bank asking you to click a link (phishing). A fake IT employee calling for your password (social engineering).

8

What are DDoS and brute force attacks?

  • DDoS (Distributed Denial of Service) = Overload a service using many hijacked computers (botnets/zombies) to make it inaccessible.

  • Brute Force = Test all possible password combinations using computer power.
    Example (DDoS): A million hacked home routers all request the same website at once, crashing it.
    Example (Brute Force): A program tries "123456", then "123457", etc., until it cracks your password.

9

What three types of measures reduce data security risk?

  1. Organizational (fences, locks, access controls)

  2. Hardware measures (secure devices)

  3. Software measures (virus scanners, firewalls)
    Example: A badge to enter server room (organizational). An antivirus program (software). An encrypted hard drive (hardware).

10

What are the three phases of IT risk management, and what activities belong to each?

Phase / Activities:

  1. Risk Analysis: Identification + Assessment

  2. Risk Planning: Active planning + Passive planning (cause-based & effect-based measures)

  3. Risk Control: Monitoring + Reporting + Documentation

Example: A company finds that employees use weak passwords (analysis). They decide to enforce strong passwords and add two-factor authentication (planning). They regularly check compliance (control).

Risks to Data Security

├── Attacks/Risk by Users

│   ├── Deliberate damage (theft, sabotage)

│   └── Accidental damage (incorrect use)

├── Attacks/Damage by Programs

│   ├── Deliberate (malware, viruses, worms, Trojans)

│   └── Accidental (faulty programs, bad calculations)

└── Natural disasters (flood, fire, storm)

Example: A virus (program, deliberate) deletes files. A user accidentally saves over the wrong file (user, accidental). A fire burns the server room (natural disaster).

11

What are the two primary strategic motivators for IT security?

  1. Business success – long-term increase of revenues and efficiency

  2. Compliance – following legal, regulatory, normative, and contractual obligations
    Example: A bank protects customer data to avoid fines (compliance) and keep customer trust (business success).

12

What is availability, and how quickly is its violation detected?

Availability = The IT system and its technical resources are usable by authorized users only, with the required quality and within the required time.
Detection speed: Very fast/immediately – you notice when you cannot access a resource.
Example: A website crashes during Black Friday sales. Users know instantly because they can't log in.

13

What is integrity, and what are its two subtypes?

Integrity = No unauthorized deletion/alteration of data or impediment of functions.

  • Data integrity = Stored/transferred data unchanged since last authorized change

  • Functional integrity = Programmed functions not tampered with (no incorrect/incomplete processes)
    Detection speed: Soon (not immediate, but when system malfunctions)
    Example: A hacker changes your bank balance (data integrity violated). A virus alters a payroll program to miscalculate salaries (functional integrity violated).

14

What is confidentiality?

Prevent unauthorized access to sensitive data and unauthorized information collection. Data is only accessible to authorized entities (users or programs).
Includes: Message content + communication circumstances (who sent/received, when)
Example: Your medical records are only visible to your doctor. A hacker intercepting your email would violate confidentiality.

15

What is authenticity, and why is it increasingly important?

Authenticity = Reliable proof that computer-supported communication happened with the authorized party. Includes proof of authorship so subsequent denial is impossible (non-repudiation).
Why relevant: Rise of online communication and electronic document exchange via open networks (internet).
Detection speed: Often only noticed during a dispute (e.g., one party denies sending an order).
Example: You order a product online. The seller ships it. You later deny ordering it. A digital signature (authenticity) proves you did.

16

Match each security objective to how quickly its violation is detected.

Security Objective / Detection Speed / Example:

  • Availability: Very fast / immediately (e.g., can't log in → know right away)

  • Integrity: Soon, when a malfunction occurs (e.g., wrong calculation appears days later)

  • Authenticity: Very late, during a dispute (e.g., deny signing a contract months later)

  • Data Protection/Confidentiality: Very late / not at all (e.g., data was viewed but not changed → no trace)

Key insight: Confidentiality breaches are hardest to detect because the data remains unchanged.

17

What is data protection, and what laws apply in Germany?

Data protection = prevents processing of personal data to protect citizens' legitimate interests.
German legal framework (see diagram):

  • GDPR (EU-wide, directly binding)

  • BDSG (German Federal Data Protection Act – supplements GDPR)

  • State Data Protection Laws (for state authorities)

  • Other laws (Telemedia Act TMG, Telecommunications Act TKG)

  • Area-specific regulations (research, schools, associations)
    Example: A hospital storing patient names must follow GDPR + BDSG + possibly state laws.

18

What is the central object of data protection, and what is personal data?

  • Central object = Right to informational self-determination – the power to decide the disclosure and use of your personal data (German Constitutional Court).

  • Personal data = Information about personal or material circumstances of an identifiable natural person (wage, financial, health data). Applies to electronic + paper files.

  • Example: You have the right to say no when a store asks for your phone number. Your salary slip (paper or digital) is personal data.

19

How do GDPR and BDSG relate to each other?

  • GDPR = EU regulation, directly binding since May 25, 2018. Provides uniform framework. Takes precedence in case of contradiction.

  • BDSG (2017) = German national supplement/concretization. Adds specifics like:

    • §26: Data processing in employment relationships

    • §38: Mandatory data protection officer for non-public bodies with ≥20 people processing personal data automatically
      Example: A company with 30 employees must appoint a data protection officer (BDSG §38) while following GDPR's core rules.

Full hierarchy of data protection laws in Germany

GDPR (EU-wide, directly binding, supremacy)

↓ supplements & concretizes

BDSG (Federal – e.g., employment §26, officer §38)

↓ alongside

State Data Protection Laws (for state authorities)

↓ plus

Other laws (TMG, TKG)

↓ plus

Area-specific regulations (research, schools, associations)

GDPR Art. 5 Principles: Lawfulness, Purpose limitation, Data minimisation, Accuracy, Storage limitation, Integrity/confidentiality + Accountability

Key concepts: Informational self-determination, Prohibition with reservation of permission,

Privacy by Design, Privacy by Default, Rights to information & erasure

20

What does the Telemedia Act (TMG) regulate?

All electronic information and communication services not covered by Telecommunications Act (TKG). Mostly internet offers:

  • Websites, web shops, social media, streaming services
    Key rules:

  • §5: Imprint required + operator responsibility for illegal content

  • §6: Prohibits hiding sender/content of emails (anti-spam)
    Example: An online shop must have an imprint with owner's name and address (TMG §5).

21

What are the six data protection principles in Art. 5 GDPR?

  1. Lawfulness, fairness & transparency

  2. Purpose limitation (specified, clear, legitimate purposes only)

  3. Data minimisation (adequate, relevant, limited to what's necessary)

  4. Accuracy (incorrect data must be deleted/corrected)

  5. Storage limitation (delete when purpose no longer applies)

  6. Integrity & confidentiality (security) – protect against unauthorized/unlawful processing, loss, destruction, damage
    + Accountability = controller must prove compliance
    Example: A newsletter signup asks only for email (minimisation), states "for weekly deals" (purpose limitation), deletes it after unsubscription (storage limitation).

22

What is the difference between Privacy by Design and Privacy by Default?

Term / Meaning / Timing:

  • Privacy by Design: Data protection built into the system during development (e.g., encrypted storage). Timing: early design phase.

  • Privacy by Default: Default settings are data protection-friendly (e.g., highest privacy as factory setting). Timing: during operation.

Example (Design): A messaging app encrypts messages by design.
Example (Default): A social media app defaults to "only friends can see your email" not "public".

23

What is the "prohibition with reservation of permission"?

Processing personal data is prohibited in principle unless:

  • The data subject consents, OR

  • One of the listed exceptions applies (e.g., legal obligation, contract performance, vital interests, public task, legitimate interests)
    Example: A doctor cannot share your health data unless you consent or a law requires it (e.g., reporting an infectious disease).

24

What rights do individuals have under GDPR Chapter 3?

  • Right to information (Art. 15): Know what data, purpose, storage period, recipients

  • Right to erasure / "right to be forgotten" (Art. 17): Delete data if:

    • Unlawful processing

    • Consent revoked

    • Purpose no longer applies
      Example: You leave a social network. You can ask them to delete all your data (right to be forgotten). You can also ask what data they stored about you (right to information).

25

What are the three factors for authenticating a user (remote or in-person)?

Factor / Meaning / In-person example / Remote example:

  • Knowledge: Something they know. In person: none. Remote: password, DOB.

  • Possession: Something they have. In person: ID card. Remote: security token, phone.

  • Biometric: Something they are. In person: appearance, fingerprint. Remote: fingerprint scan, face ID.

In-person authentication (bank example): Possession (ID card) + Biometric (appearance) = strong.
Remote problem: Bank cannot see Alice's face or ID. Password solves this but introduces risks (overhearing, interception).

Example: Logging into a bank app – you know your password (knowledge) and have your phone (possession via SMS code) = two-factor authentication (2FA).


26

Why is integer factorization useful for remote authentication?

Because multiplying two large primes is fast and easy, but factoring the result back into those primes is very slow (thousands of years with current technology).

Example:

  • Easy: 53 × 59 = 3127 (multiplication)

  • Hard: Given 3127, find its prime factors 53 and 59 (factorization)

Analogy (safebox):

  • Anyone can lock the box by saying a large number (public key)

  • Only the bank can open it by knowing the prime divisors (private key)

This is the foundation of asymmetric encryption.

27

Why use hybrid encryption instead of just asymmetric or symmetric alone?

Method / Problem / Solution:

  • Asymmetric only: Slow (high computational complexity). Solution: use it only for small data.

  • Symmetric only: Key distribution problem (how to share the secret key securely?). Solution: use asymmetric encryption to send the symmetric key.

Hybrid process (Alice & Bank story):

  1. Alice uses asymmetric (bank's public key) to send a session key (temporary symmetric key) securely inside the "safebox"

  2. Both now share the same session key

  3. Remainder of communication uses symmetric encryption (fast)

  4. Session key expires after 1 hour or location change

Example: HTTPS (SSL/TLS) works exactly this way – asymmetric to exchange keys, symmetric for the actual web session.

28

What is TOR, and how does it provide anonymity?

TOR anonymizes internet traffic by routing it through multiple encrypted layers (like an onion).


Tor client → Entry guard → Middle relay → Exit relay → Destination

  • Encrypted by Tor: All traffic inside the network (green in diagram)

  • Not encrypted by Tor: Traffic from exit relay to destination (red in diagram – vulnerable at exit node)

Key point: No single node knows both the source and destination. Each relay only knows the previous and next hop.

Example: A journalist in a repressive country uses TOR to visit a news site. The government sees encrypted traffic to an entry guard, not the final destination.

29

For each attack type, what are the main defenses?

Attack / Defenses:

  • Brute force (passwords): Block many attempts (firewall), logs, IDS, strong password rules

  • Malware infection: Antivirus, regular updates, monitoring, logs

  • Phishing: Email filters, IDS, user training, company rules

  • Exploitation of vulnerabilities: IDS, logs, regular checks, updates/patches

  • DDoS (Distributed Denial of Service): Firewall (rate limiting), network separation, monitoring, emergency plans

  • Spoofing (fake identity): Firewall, IDS, logs

  • Man-in-the-Middle (MitM): Firewall, IDS, logs

Example: A company uses antivirus (malware defense) + email spam filters (phishing defense) + rate-limiting firewalls (brute force defense) + regular Windows updates (vulnerability defense).

30

What is an IDS, and what attacks can it detect?

Intrusion Detection System = monitors network/system for suspicious activity.
Detects:

  • Unusual login behavior (brute force)

  • Unusual communication patterns (phishing, MitM, spoofing)

  • Unusual system activity (vulnerability exploitation, malware)

Example: An IDS notices that a user normally logs in from Berlin at 9 AM, but suddenly there are 100 login attempts from Russia at 3 AM. It raises an alert.