Digital Security, Ethics & Privacy – Comprehensive Exam Notes

Digital Security: Core Ideas and Risk Landscape

  • Definitions & Scope
    • A risk is any possibility that something might occur resulting in injury or loss.
    • A digital security risk is any event or action that could cause loss of, or damage to, computer/mobile hardware, software, data, information, or processing capability.
    • Digital risks touch four main domains: information, physical health, mental health, and the environment.
  • Key Take-Away: Protection involves understanding threats, recognising attack vectors, and applying layered defences (policy + technology + personal behaviour).

Cybercrimes, Criminal Profiles & Threat Actors

  • Nation-State / State-Sponsored Attackers
    • Government-employed threat actors ("nation-state actors") conduct cyber-warfare to disable or cripple enemy infrastructure (power grids, gov’t networks, etc.).
  • Financially Motivated Actors
    • Steal credit-card numbers, online-bank credentials, Social Security numbers via data-mining (sifting through Big Data for actionable info).
    • Cyber-extortionists threaten to expose data or disrupt networks unless paid.
  • Social Engineering
    • Psychological manipulation to trick victims into revealing info.
    • Classic tactics: hoaxes, phishing, pretexting.
    • Table of principles:
    • Authority – “I’m the CEO.”
    • Intimidation – threats (“Call your supervisor”).
    • Consensus – peer pressure (“Your colleague reset it”).
    • Scarcity – artificial shortage.
    • Urgency – time pressure.
    • Familiarity – false rapport.
    • Trust – leverage relationship.
  • Other Threat-Actor Labels
    • Threat actor – generic term for any attacker.
    • Script kiddies – inexperienced users running pre-made exploit code.
    • Hacker – seeks unauthorised access (sometimes ethical, often not).
    • Cracker – hacker with malicious intent (destroy/steal).
    • Hacktivist – politically / ethically motivated hacker.
    • Cyber-terrorist – targets critical national infrastructure to instil panic.
    • Dark Web – anonymity-focused portion of the web used for illicit trade.
    • Digital detox – intentional break from technology to preserve mental/physical health.

Crimeware, Cybersecurity & Digital Forensics

  • Crimeware – software designed for committing cybercrime (keyloggers, RATs, exploit kits).
  • Cybersecurity – practice of guarding systems & data against digital threats (both unauthorised and illegal access).
  • Digital / Cyber Forensics
    • Process: discovery → collection → analysis of digital evidence.
    • Examiner skillset: legal knowledge, multi-platform technical expertise, communication, policy awareness, continuous learning, problem-solving.

Ethics and Society

  • Ethics – standards that decide right vs. wrong behaviour.
  • Technology Ethics – moral guidelines for using computing tech.
  • Frequent debate topics: information accuracy, intellectual property, green computing.
Information Accuracy
  • Anyone can publish; errors & misinformation abound.
  • Digital editing (e.g., photo manipulation) complicates authenticity.
    • Example given: apple exterior + orange interior composite image.
Intellectual Property Rights (IPR)
  • Protect creators’ ownership.
  • Creative Commons – licensing framework with clear usage rules.
  • Piracy – illegal copying (software, movies, music).
  • Digital Rights Management (DRM) – technical controls to curb infringement.
Green Computing
  • Goal: reduce electricity use & e-waste.
  • Organisational measures: energy-efficient hardware, power-management, recycling programmes, cloud optimisation.

Internet & Network Attacks

  • Higher Risk over Networks – data in transit vulnerable.
  • Malware ("malicious software")
    • Delivers a payload (destructive activity/prank).
    • Infection channels: mainly infected email attachments, drive-by downloads, compromised USBs.
  • Common Malware Types (Table Highlights)
    • Adware – displays ads.
    • Ransomware – locks device/files; demands payment.
    • Rootkit – hides deep, grants remote admin rights.
    • Spyware – secretly collects & transmits user data.
    • Trojan Horse – disguised as legit software; non-replicating.
    • Virus – self-replicating code altering host behaviour.
    • Worm – network-propagating self-copy, consumes resources.
Botnets & Zombies
  • Zombie – compromised device under remote control.
  • Botnet – networked army of zombies executing commands (DDoS, spam, crypto-mining).
  • Bot – automated script performing repetitive tasks.
DoS / DDoS Attacks
  • Denial of Service – flood target server; deny normal service.
  • Distributed DoS – multiple devices (often botnet) launch attack → broader impact.
Back Doors
  • Hidden entry points bypassing authentication.
  • Sometimes inserted intentionally by developers for troubleshooting; abused by malware (rootkits, worms) to spread.
Spoofing
  • Masquerading to appear trusted.
    • IP spoofing – falsify IP address.
    • Email/address spoofing – alter header, sender info.
Best-Practice Defence Checklist
  • Antivirus/anti-malware suites.
  • Personal or network firewall.
  • Vigilance: treat unsolicited messages as suspicious.
  • Safe software downloads.
  • Scan external media.
  • Regular backups & patching.

Secure IT: Protect Yourself & Your Data

  • Digital Footprint – permanent log of online actions; hard to erase.
  • Primary Attack Goals – financial gain via stolen information.
  • High-Risk Activities
    • Online banking, e-commerce, visiting fake websites, oversharing on social media.
Responsible Data Sharing (Table 5-3 Examples)
  • Legitimate vs. illegitimate uses of personal info by schools, hospitals, employers.
Virtual Private Network (VPN)
  • Provides encrypted "tunnel" across public internet; emulates private line.
  • Essential for mobile/remote employees.
Firewalls & Proxy Servers
  • Firewalls – barrier filtering inbound/outbound traffic; OS-level, hardware, or software.
  • Proxy server – intermediary controlling & logging communications, often adding content-filtering.
Acceptable Use Policies (AUP)
  • Define permissible personal use of corporate tech.
  • Must be documented & communicated; include audit/trail requirements.
Access Controls & Audit Trails
  • Principle of least privilege; record unsuccessful & successful access attempts.
Backups (Table 5-4 Summary)
  • Full: everything – quickest restore; longest backup time.
  • Differential: changed since last full – middle ground.
  • Incremental: changed since last backup – fastest backup; slowest restore.
  • Selective: user-chosen files – flexible, harder management.
  • Continuous Data Protection: real-time; costly, storage-heavy.

Wireless Security

Risks on Wi-Fi
  • Eavesdropping, data theft, malware injection.
Safe Practices
  • Verify network SSID; limit sensitive transactions on public Wi-Fi (no banking).
  • Configure home router securely (see Table 5-5):
    • Strong admin password.
    • Disable remote mgmt.
    • Change SSID to non-identifying string.
    • Enable WPA2 with strong pre-shared key.
    • Disable WPS (vulnerable).
    • Use guest network only when necessary.
  • Additional Recommendations
    • Consider leaving SSID broadcast ON (hiding gives minimal security, can attract adversaries).
    • Enable MAC address filtering; place router in secure physical location.
Cloud Data Privacy Concerns
  • Personal risks – diverse international privacy laws.
  • Business risks – contractually state data ownership, security, compliance.

Information Privacy & Authentication Mechanisms

  • Authentication verifies user legitimacy.
  • Methods
    • Something you know – password/passphrase, PIN.
    • Something you have – possessed object (smart card, badge, ATM card).
    • Something you are – biometrics (fingerprint, face, iris, voice, hand geometry, signature, retina).
    • Combination – Two-Factor Authentication (2FA) or Multi-Factor.
    • CAPTCHA – ensures human vs. bot.
    • Encryption & digital signatures – protect data in motion/rest; prove integrity & origin.
Password Fundamentals
  • Username (user ID) uniquely identifies account; password authenticates.
  • Table 5-6 – top 10 weak passwords (e.g., "123456", "password").
  • Password space grows exponentially with length (Table 5-7); e.g., length=6735,091,890,625\text{length}=6 \Rightarrow 735,091,890,625 possibilities.
  • Use password managers to generate & vault strong, unique creds; protect with master password + 2FA.
  • Passphrases – longer, easier-to-remember strings.
Two-Factor Authentication (2FA)
  • Common combo: password + SMS-sent code.
  • Drastically reduces account compromise risk.
CAPTCHA Details
  • "Completely Automated Public Turing test to tell Computers and Humans Apart" – distorted text recognition; blocks automated attacks.
Encryption & Digital Signatures
  • Encryption → ciphertext; decryption with key.
  • Digital signature – encrypted hash verifying sender identity & content integrity, issued via Certificate Authority (CA).
  • Browser hardening: manage cookies, scripts, plug-ins, pop-ups; regularly clear data.
Personal & Financial Data Protection
  • Monitor credit (annual free report); option for free credit freeze/thaw.
  • Watch for identity misuse (loans/credit cards opened fraudulently).
Social Networking Hygiene
  • Limit publicly posted info.
  • Restrict who can view posts; review new security settings immediately.
Privacy Principles & U.S. Laws (Table 5-8 excerpt)
  • Data collection should be minimal, protected, and disclosed only with consent.
  • Key statutes:
    • Children’s Internet Protection Act – shields minors.
    • COPPA – safeguards <13 data.
    • DMCA – anti-circumvention of DRM.
    • FOIA – public gov’t access.
    • HIPAA – health data privacy.
    • PATRIOT Act – expanded surveillance for terrorism cases.
    • Privacy Act – restricts federal use beyond original purpose.
    • FACTA – rules for lenders/credit agencies to curb ID theft.

Establishing Policies to Ensure Safety

Codes & Filtering
  • Code of conduct – written ethical guidelines.
  • IT code of conduct – tech-specific behaviour rules.
  • Content filtering / Web filtering software – blocks problematic sites/keywords.
Employee Monitoring
  • Tools to log email, keystrokes, sites; legality depends on explicit policy.
Disaster Recovery Planning
  1. Emergency Plan – contact lists, evacuation, shutdown, re-entry.
  2. Backup Plan – where backups reside, responsible staff, cloud restore, prioritised app timeline.
  3. Recovery Plan – steps to replace hardware/software & fully resume ops.
  4. Test Plan – simulations, drills, gap analysis.
  • Table 5-9 outlines natural vs. man-made disasters: first actions, potential impacts, plan inclusions (generators, satellite phones, equipment lists).

Ethics & Issues: Digital Inclusion

  • Digital Inclusion – movement ensuring equitable access to networks, devices, data & info.
  • Goals: universal participation in education, government, jobs, healthcare.
  • Barriers
    • Inadequate infrastructure (rural/remote regions).
    • Government censorship/restrictions.
    • Cost of devices/connectivity.
    • Education deficits & lack of awareness of technology’s value.

Quick Formulas / Key Numbers Recap

  • Password search space grows as N=95LN = 95^L where LL = length (assuming 95 printable ASCII chars).
  • Average brute-force attempts ≈ N2\dfrac{N}{2} (Table 5-7 illustrates).