MIDTERM DP

Last updated 10:19 PM on 9/30/25
54 Terms

1

Security objectives

These are goals and constraints that affect the confidentiality, integrity, and availability of your data and application.

2

Confidentiality

This property means that information is not made available or disclosed to unauthorized individuals, entities, or processes.

3

Data integrity

It ensures that data and programs are changed only in a specified and authorized manner.

4

System integrity

It ensures that a system performs its intended function in an unimpaired manner.

5

Availability

It ensures that systems work promptly and the service is not denied to authorized users.

6

Authenticity

The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or a message originator.

7

Accountability

The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.

8

Security attacks

This is any action that compromises the security of information owned by an organization.

9

Security mechanisms

These are technical tools and techniques that are used to implement security services.

10

Security service

It is a processing or communication service that enhances the security of the data processing systems and the information transfers of an organization.

11

Passive attacks

It is like eavesdropping or monitoring transmissions. The goal of the attacker is to obtain information that is being transmitted.

12

Release of message contents

An attacker will monitor an unprotected communication medium like unencrypted email or telephone call and intercept it for sensitive information.

13

Traffic analysis

An attacker monitors communication channels to collect a range of information, including human and machine identities, locations of these identities, and types of encryption.

14

Active attacks

It involves some modification of stored or transmitted data or the creation of false data.

15

Masquerade

It takes place when one entity pretends to be a different entity.

16

Replay

It involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.

17

Data modification

It simply means that some portion of a legitimate message is altered or that messages are delayed or reordered to produce an unauthorized effect.

18

Denial-of-service attack

It prevents or inhibits the normal use or management of communication facilities.

19

Authentication

It assures the recipient that the message is from the source that it claims to be from.

20

Access control

It is the ability to limit and control access to host systems and applications via communications links.

21

Data confidentiality

It is the protection of transmitted data from passive attacks.

22

Data integrity

It ensures that messages are received as sent, with no duplication, insertion, modification, reordering, or replays.

23

Nonrepudiation

It prevents either a sender or a receiver from denying a transmitted message.

24

Availability service

It means that a system or a system resource is accessible and usable upon demand by an authorized system entity.

25

Online privacy

It refers to privacy concerns related to user interaction with Internet services through web servers and mobile apps.

26

Data collectors

collect information directly from their customers, audience, or other types of users of their services.

27

Data brokers

compile large amounts of personal data from several data collectors and other data brokers without having direct online contact with the individuals whose information is in the collected data.

28

Data users

This category encompasses a broad range. One type of _____ is a business that wants to target its advertisements and special offers. Other uses are fraud prevention and credit risk assessment.

29

WWW

It is fundamentally a client/server application running over the Internet.

30

Web server security and privacy

It is concerned with the vulnerabilities and threats associated with the platform that hosts a website, including the operating system (OS), file and database systems, and network traffic.

31

Web application security and privacy

It is concerned with web software, including any applications accessible via the Web.

32

Web browser security and privacy

It is concerned with the browser used from a client system to access a web server.

33

Cellular and Wi-Fi infrastructure

Modern mobile devices are typically equipped with the capability to use cellular and Wi-Fi networks to access the Internet and to place telephone calls. Cellular network cores also rely upon authentication servers to use and store customer authentication information.

34

Public application stores (public app stores)

These stores invest considerable effort in detecting and thwarting malware and ensuring that the apps do not cause unwanted behavior on mobile devices.

35

Device and OS vendor infrastructure

Mobile device and OS vendors host servers to provide updates and patches to the OS and apps. Other cloud-based services may be offered, such as storing user data and wiping a missing device.

36

Enterprise mobility management (EMM)

It is a general term that refers to everything involved in managing mobile devices and related components (e.g., wireless networks).

37

App vetting

The process of evaluation and approval or rejection of apps within an organization.

38

Administrator

It is a member of the organization who is responsible for deploying, maintaining, and securing the organization’s mobile devices.

39

Auditor

It inspects reports and risk assessments from one or more analyzers to ensure that an app meets the security requirements of the organization.

40

Web application privacy

The goal of the project is to identify the most important technical and organizational privacy risks for web applications from the perspectives of both the user (data subject) and the provider (data owner).

41

Web application vulnerabilities

Failing to suitably design and implement an application, detect a problem, or promptly apply a fix (patch), which is likely to result in a privacy breach.

42

User-side data leakage

Failing to prevent the leakage of any information containing or related to user data, or the data itself, to any unauthorized party resulting in loss of data confidentiality.

43

Insufficient data breach response

Not informing the affected persons (data subjects) about a possible breach or data leak, resulting either from intentional or unintentional events; failure to remedy the situation by fixing the cause; not attempting to limit the leaks.

44

Insufficient deletion of personal data

Failing to delete personal data effectively and/or in a timely fashion after the termination of the specified purpose or upon request.

45

Non-transparent policies, terms, and conditions

Not providing sufficient information describing how data are processed, such as their collection, storage, and processing.

46

Collection of data not required for the primary purpose

Collecting descriptive, demographic, or any other user-related data that are not needed for the system. Applies also to data for which the user did not provide consent.

47

Sharing of data with a third party

Providing user data to a third party without obtaining the user’s consent.

48

Outdated personal data

Using outdated, incorrect, or bogus user data and failing to update or correct the data.

49

Missing or insufficient session expiration

Failing to effectively enforce session termination. May result in the collection of additional user data without the user’s consent or awareness.

50

Insecure data transfer

Failing to provide data transfers over encrypted and secured channels, excluding the possibility of data leakage.

51

Mobile app privacy

Legitimate mobile apps may be vulnerable to several privacy and security threats, typically due to poor coding practices used in app development or underlying vulnerabilities in the mobile device operating system.

52

Insecure network communications

Network traffic needs to be securely encrypted to prevent an adversary from eavesdropping.

53

Web browser vulnerabilities

Adversaries can exploit vulnerabilities in mobile device web browser applications as an entry point to gain access to a mobile device.

54

Vulnerabilities in third-party libraries

Third-party software libraries are reusable components that may be distributed freely or offered for a fee to other software vendors.
