Cyber Security: Ethics and Law Notes

Ethical Hacking

  • Definition: Finding flaws in a company's hardware, software, and/or network with authorization.

  • Purpose: To remedy potential security vulnerabilities before malicious hackers exploit them.

  • Penetration Testing: Assessing the security of specific aspects of an information system within a defined scope.

  • Ethical Hacker Objectives:

    • Stop black hat hackers.

    • Identify threats and vulnerabilities.

    • Create firewalls and security protocols.

  • Certified Ethical Hacker (CEH): A certification to prove proficiency in ethical hacking.

  • White Hat vs. Black Hat Hackers:

    • White Hat: Authorized; works to strengthen cybersecurity and discloses vulnerabilities so they can be fixed.

    • Black Hat: Unauthorized; exploits vulnerabilities for personal gain.

  • White Hat Hacking Process:

    • Planning: Define scope and goals with the network owner.

    • Information Gathering: Scan for access points.

    • Vulnerability Assessment: Identify security flaws.

    • Penetration Testing: Exploit vulnerabilities to demonstrate potential damage.

    • Reporting and Fixing: Provide remediation advice and retest after fixes.

The Privacy Act 1988 (Australia)

  • Purpose: To protect people’s personal information.

  • Coverage: Businesses with turnover above $3 million and health services.

  • Exemptions: Small businesses, political parties, covert activity, witness protection, whistleblowers.

  • Personal Information: Information that identifies or could identify an individual (name, address, medical records, etc.).

Australian Privacy Principles (APPs)

  • Cornerstone: Privacy protection framework in the Privacy Act 1988.

  • Governs: Standards, rights, and obligations around:

    • Collection, use, and disclosure of personal information.

    • Organization governance and accountability.

    • Integrity and correction of personal information.

    • Individual rights to access their information.

  • Key Concepts:

    • Consideration of personal information privacy (APPs 1 and 2).

    • Collection of personal information (APPs 3, 4 and 5).

    • Dealing with personal information (APPs 6, 7, 8 and 9).

    • Integrity of personal information (APPs 10 and 11).

    • Access to, and correction of, personal information (APPs 12 and 13).

Key Concepts of the Australian Privacy Principles

  • Consideration of Personal Information Privacy: Transparency and options for anonymity.

  • Collection of Personal Information: Gathering only relevant data with user notification.

  • Dealing with Personal Information: Using data only for its intended purpose with proper data handling protocols.

  • Integrity of Personal Information: Data should be accurate, secure (using encryption), and recoverable (through backups).

  • Access to and Correction of Personal Information: Individuals can access and update their information.

Australian Privacy Principles (APPs) - Summary

  • APP 1: Open and transparent management of personal information

  • APP 2: Anonymity and pseudonymity

  • APP 3: Collection of solicited personal information

  • APP 4: Dealing with unsolicited personal information

  • APP 5: Notification of the collection of personal information

  • APP 6: Use or disclosure of personal information

  • APP 7: Direct marketing

  • APP 8: Cross-border disclosure of personal information

  • APP 9: Adoption, use or disclosure of government related identifiers

  • APP 10: Quality of personal information

  • APP 11: Security of personal information

  • APP 12: Access to personal information

  • APP 13: Correction of personal information

Storage and Security (IPP 4)

  • Secure Storage: Prevent data loss or misuse through:

    • Securing computers, servers, and networks.

    • Using antivirus and antispyware software.

    • Appropriate access permissions.

    • Familiarity with legal obligations.

    • Staff familiarity with digital systems and policies.