8.lect 16 and 17 CS

Uploaded by

vishusep03

Cyber Science and Ethical Hacking

CS-150

Privacy Issues-Fundamental Concepts of Privacy, Data Privacy Attacks, Privacy Policies and their Specifications, Privacy in different domains-Medical, Financial

Lecture 16 and 17

Prepared by Gamma Cluster


Department of Computer Science and Engineering,
Chitkara University, Punjab
Index

1. Privacy Issues-Fundamental Concepts of Privacy


2. Data Privacy Attacks
3. Privacy Policies and their Specifications
4. Privacy in different domains-Medical, Financial
Privacy Issues-Fundamental Concepts of Privacy

Data privacy is a type of “information security that deals with the proper handling of data concerning consent, notice, sensitivity and regulatory concerns.”
Or
Data privacy refers to the appropriate use of data provided to corporations for agreed purposes.

On its most basic level, data privacy is a consumer’s understanding of their rights as to how their personal information is collected, used, stored and shared. The use of personal information must be explained to consumers in a simple and transparent manner and, in most cases, consumers must give their consent before their personal information is provided.

Data privacy fundamentals entail the proper use and handling of data with sensitive information. This typically includes personal, health, or financial data about an individual or organization.
It should not be confused with data security, which is the process of protecting data from being viewed, altered, or stolen by unauthorized users.
Data Privacy Attacks

A data privacy attack is a sequence of stages an attacker must complete to successfully infiltrate a network and exfiltrate data from it. Each stage has a specific goal along the attacker’s path.
1. Reconnaissance
Reconnaissance attacks
A reconnaissance attack, as the name implies, is a threat actor's effort to gain as much information about the network as possible before launching other, more serious types of attacks. Quite often, the reconnaissance attack is carried out using readily available information.
Its objective
In reconnaissance, the attacker will focus on the “who” or on the network. “Who” will likely focus on privileged individuals (either for system access or for access to confidential data). “Network” will focus on architecture and layout; tools, devices and protocols; and critical infrastructure. It is like a robber understanding the behaviour of the victim and breaking into the victim’s house.
Types of reconnaissance attack:

• Passive reconnaissance
A hacker looks for information not related to the victim domain. He knows only the registered domain of the target system, so he can use commands (e.g. telephone directory) to fish for information about the target.
• Active reconnaissance
A hacker uses system information to gain unauthorized access to protected digital or electronic materials, and may go around routers or even firewalls to get it.
2. Weaponization
Cyber attack: hackers weaponised everyday devices with malware
“Hackers used hundreds of thousands of internet-connected devices that had previously been infected with a malicious code – known as a “botnet” or, jokingly, a “zombie army” – to force an especially potent distributed denial of service (DDoS) attack.” The Guardian reports. https://www.theguardian.com/technology/2016/oct/22/cyber-attack-hackers-weaponised-everyday-devices-with-malware-to-mount-assault
What are the more well-known cyber weapons?
• Botnet: A network of computers forced to work together on the command of an unauthorized remote user. This network of robot computers is used to attack other systems.
• DDoS: A Distributed Denial of Service attack is where a computer system or network is flooded with so much data traffic that the system can’t handle the volume of requests and the system or network shuts down.
• Malware: Malicious software injected into a system or network to do things the owner would not want done. Examples include logic bombs, worms, viruses, and packet sniffers (eavesdropping on a network).
3. Delivery
The attacker sends a malicious payload to the victim by means such as email, which is only one of the numerous intrusion methods the attacker can use. There are over 100 delivery methods possible.
Its main objective:
Attackers launch their intrusion (using the weapons developed in the previous step).
Two basic methods:
• Adversary-controlled delivery, which involves direct
hacking into an open port
• Adversary-released delivery, which conveys the malware to
the target through phishing
4. Exploitation
Once attackers have identified a vulnerability in your system, they
exploit the weakness and carry out their attack. During the
exploitation phase of the attack, the host machine is compromised
by the attacker and the delivery mechanism typically will take one
of two actions:
• Install malware (a dropper) allowing attacker command execution.
• Install malware (a downloader) and download additional malware
from the Internet, allowing attacker command execution.
Once a foothold is established inside the network, the attacker will typically download additional tools, attempt privilege escalation, extract password hashes, etc.
5. Installation
“A vulnerability in Valve's Source SDK, a library used by game
vendors to support custom mods and other features, allows a
malicious actor to execute code on a user's computer, and optionally
install malware, such as ransomware, cryptocurrency miners,
banking trojans, and others.”

What other malware is possible?

Possible malware includes ransomware, remote-access Trojans and other unwanted applications. Installation of either a web shell on a compromised web server or a backdoor implant on a compromised computer system enables adversaries to bypass security controls and maintain access in the victim’s environment.
6. Command and Control

Ransomware uses command and control connections to download encryption keys before hijacking your files.

For example, remote-access Trojans open a command and control connection to allow remote access to your system. This allows persistent connectivity for continued access to the environment as well as a detective measure for defender activity.
How is it done?
Command and control of a compromised resource is usually accomplished via a beacon over an allowed path out of the network. Beacons take many forms, but in most cases they tend to be:
• HTTP or HTTPS-based
• Made to look like benign traffic via falsified HTTP headers
In cases that use encrypted communication, beacons tend to use self-signed certificates or use custom encryption over an allowed path.
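A defender can look for the beacon traits described above in proxy logs. The following Python sketch is an added example, not part of the original lecture: the log format, host names and thresholds are assumptions, and the log lines are constructed. It flags client-to-host flows that check in at near-constant intervals or that present a certificate whose issuer equals its subject.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log (assumed format):
# timestamp  client-ip  destination-host  cert-subject  cert-issuer
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 cdn-sync.example.test CN=cdn-sync.example.test CN=cdn-sync.example.test
2024-05-01T10:00:10 10.0.0.7 www.example.org CN=www.example.org CN=Example-CA
2024-05-01T10:00:40 10.0.0.7 www.example.org CN=www.example.org CN=Example-CA
2024-05-01T10:05:01 10.0.0.5 cdn-sync.example.test CN=cdn-sync.example.test CN=cdn-sync.example.test
2024-05-01T10:07:15 10.0.0.7 www.example.org CN=www.example.org CN=Example-CA
2024-05-01T10:10:00 10.0.0.5 cdn-sync.example.test CN=cdn-sync.example.test CN=cdn-sync.example.test
2024-05-01T10:12:30 10.0.0.9 intranet.example.test CN=intranet.example.test CN=intranet.example.test
2024-05-01T10:14:59 10.0.0.5 cdn-sync.example.test CN=cdn-sync.example.test CN=cdn-sync.example.test
2024-05-01T10:20:00 10.0.0.5 cdn-sync.example.test CN=cdn-sync.example.test CN=cdn-sync.example.test
2024-05-01T10:31:00 10.0.0.7 www.example.org CN=www.example.org CN=Example-CA
2024-05-01T10:33:20 10.0.0.7 www.example.org CN=www.example.org CN=Example-CA
2024-05-01T10:41:05 10.0.0.9 intranet.example.test CN=intranet.example.test CN=intranet.example.test
"""


def parse(log_text):
    """Group log lines into flows keyed by (client, destination host)."""
    flows = defaultdict(lambda: {"times": [], "self_signed": False})
    for line in log_text.strip().splitlines():
        ts, client, host, subject, issuer = line.split()
        flow = flows[(client, host)]
        flow["times"].append(datetime.fromisoformat(ts))
        # Heuristic only: issuer == subject suggests a self-signed certificate.
        if subject == issuer:
            flow["self_signed"] = True
    return flows


def find_beacon_candidates(log_text, min_events=5, max_cv=0.1):
    """Return {(client, host): [reasons]} for flows worth an analyst's look.

    A flow is 'regular' when the coefficient of variation (stdev / mean)
    of the gaps between requests is at most max_cv, i.e. the client
    checks in like clockwork rather than like a person browsing.
    """
    findings = {}
    for key, flow in parse(log_text).items():
        reasons = []
        times = sorted(flow["times"])
        if len(times) >= min_events:
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            avg = mean(gaps)
            if avg > 0 and pstdev(gaps) / avg <= max_cv:
                reasons.append("regular-interval")
        if flow["self_signed"]:
            reasons.append("self-signed-certificate")
        if reasons:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for flow, reasons in find_beacon_candidates(SAMPLE_LOG).items():
        print(flow, reasons)
```

Either signal alone also matches legitimate software (update checkers, internal services with self-signed certificates), so the output is a triage list rather than a verdict.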
7. Actions
Action refers to how the attacker accomplishes his final goal. The attacker's final goal could be anything from extracting a ransom from you in exchange for decrypting your files to exfiltrating customer information out of the network.
In the latter example, data-loss prevention solutions can stop exfiltration before the data leaves your network. In other attacks, endpoint agent software can identify activity that deviates from established baselines and notify IT that something is amiss. This is an elaborate active attack process that can take months, and thousands of small steps, to achieve.
Will these cyber attack tactics work for an organization?

Building security and visibility for computers cannot be done overnight. Take smaller measures, completing stages as you are able. Do a check of your web presence to see what information it could give an attacker. Have each of your sites do an inventory of all computers so you can update them all. Implement layered security to decrease the possibility that threats will slip through unnoticed. Create a policy for dealing with malware events. Educate your staff about what to do with unexpected, suspicious emails.
Privacy policies and their specifications

A privacy policy is a document contained on a website that explains how a website or organization will collect, store, protect, and utilize personal information provided by its users.
In general, the personal information includes:
• Names
• Dates of birth
• Addresses (postal and email)
• Payment details (credit card numbers)
• Location (IP address, geolocation)
• Social Insurance Numbers
What is a privacy policy?

A privacy policy is a legal document that discloses the way a party gathers,
uses, discloses, and manages a customer or client’s data. It fulfils a legal
requirement to protect a customer or client’s privacy.

Such a privacy policy must provide the following:

1. clear and easily accessible statements of its practices and policies;
2. a clear statement of the type of personal and sensitive personal data or information collected by the business;
3. the purpose of collection and usage of such information;
4. disclosure of information, including sensitive personal data or information collected; and
5. reasonable security practices and procedures adopted by it.
Elements of a privacy policy

The main elements of a privacy policy are as follows:
1. Consent: The most crucial component of a privacy policy is ‘consent’. In this regard, the Supreme Court in K.S. Puttaswamy has made important observations.
2. Purpose of information collected.
3. Disclosure of information.
4. Security practices.
Need?

It’s Required by Law

Most countries require by law that you have a privacy policy in place if you collect personal information from your users.
• US
The California Online Privacy Protection Act (CalOPPA) dictates that if you collect any
personal information from any California-based users, such as email addresses, GPS
location, phone numbers, or mailing addresses, you are required to have a legal statement
available for users to review that discloses the privacy practices of your business.
Due to the wide-reaching nature of internet and technology, the CalOPPA Act in effect
means that if you collect any kind of personal information, even if it's only an email
address, you should have that legal statement as required by CalOPPA in place because
California residents are likely to be using your websites or apps.
Canada, Australia and Europe are no different in this regard.

It's required by third-party services you may use

Many third-party services that are designed to enhance your website or app, such as Google AdWords or Google Analytics, actively require you to have a Privacy Policy that contains certain information about your use of their services, plugins, SDKs, and so on.
Google Analytics requires a Privacy Policy because it stores cookies on a user's PC, which are then used to collect data about the user.

Users are interested in their privacy

People care a lot about their privacy, especially when it comes to the use of their personal information online. Most users want to feel secure before providing private information, such as their home address.

It helps to be transparent
Privacy Policy includes

1. Personal Information
2. Collection Process
3. Usage
4. Security
5. Storage and Sharing
6. Cookies
7. Opting out and data subject rights
8. Contact information
9. Other

• Personal information
Logically, your privacy policy should start by telling your users exactly what type of personal data you wish to collect, whether directly or indirectly/automatically. From names and location to phone numbers and email addresses, list it all out.
• Collection Process
You should be transparent and explain how you intend to collect personal data from your users. If you are collecting usage data, tracking geographical location, or using any third-party services (for advertising and retargeting purposes, for example), you should mention it, as your users may not realize that you are collecting data in the background.
• Usage
At this point, your users know that you will be collecting their personal information but
what will you be doing with it?
If you are operating an eCommerce website, for example, you should specify that personal
information will be used to process payments and ship products to customers. In that case,
there is a good chance that their personal information may be processed by a third party:
an online payment processing service provider or your shipping partner, for example. This
should all be disclosed to your customers.
• Security
You should let your users know how you intend to protect their personal information from
unauthorized access, which you could do by explaining your processes and where the
information is stored.
• Storage & Sharing
Your users should know where you will be storing their data, for how long it will be retained,
and if it will be transferred internationally (this could be the case if your servers are located
abroad, for example).
There are many other types of third parties (affiliate companies, social media networks, service providers); make sure that you consider all of them before writing your privacy policy.
• Cookies
If you are using cookies, you should disclose this in your privacy policy and include a link to the page on your website where your cookie policy is hosted.
• Opting Out & Data Subject Rights
You should explain that sharing personal information is not mandatory and that users can limit what they share, opt out, or revoke their consent at any time.
This section should detail all the rights that users hold over their data, which can be country- or region-specific. Under the GDPR, for example, users have the right to request a copy of all the data that has been collected about them.
• Contact Information
You should encourage your website visitors to contact you should they have any questions or
concerns in regard to your privacy policy. Include your email address, street address, and
phone number, along with the contact details of your data protection officer if your website is
subject to the GDPR.
• Other
Depending on the nature of your business, you may need to add some additional terms to
your privacy policy. You will want to study applicable laws as well as the terms and
conditions of all the third-party services that you use, as some require that you have specific
clauses in your policy.
Where to Display Your Privacy Policy?
Example
Examples
Airbnb
• Its privacy policy can be found in the Help Center and can be accessed through a hyperlink in its website footer.
• Holiday rental platform Airbnb operates all over the globe and has customers located in various jurisdictions.

Wayfair
• Online furniture retailer Wayfair operates one of the biggest eCommerce websites on the Internet, shipping furniture to customers across the United States and internationally.
• A reference to its privacy policy appears in its website footer, with a link to a separate, dedicated page.

OFX
• Your responsibility does not stop once you have a privacy policy in place. It will need to be updated from time to time to keep up with legislative and business changes.
• Australian online foreign exchange and payments company OFX recently sent an email notice to its customers, following changes to its privacy policy.
Privacy in Medical domain

• The number of cyberattacks against businesses is on the rise, with healthcare organizations targeted more frequently.
• Healthcare organizations store a lot of sensitive data within their networks, given the nature of their business. Patient records, for example, usually contain information ranging from security numbers and credit card numbers to information regarding insurance claims. These have become a big attraction for healthcare data theft and misappropriation.
A variety of technologies are available to maintain the security and privacy of volumes
of healthcare data. The following are the most extensively utilized technologies:
1. Authentication
The act of verifying or confirming that assertions made by or about the subject are
authentic is known as authentication. It performs critical responsibilities in any
company, such as securing access to corporate networks, safeguarding user identities,
and guaranteeing that the user is who he claims to be.
for example, are cryptographic protocols
2. Encryption
Healthcare providers must guarantee that the encryption method is effective, user-friendly for both patients and healthcare professionals, and expandable to accommodate new electronic health records.
3. Data Masking
Masking substitutes an unidentifiable value for sensitive data items. Since it isn’t a true
encryption method, the original value cannot be recovered from the disguised value. It
follows a de-identification method that involves masking or suppressing personal identifiers
like name and social security number as well as suppressing or generalizing quasi-identifiers
like date of birth and zip codes. As a result, data masking is one of the most widely used
methods for live data anonymization.
4. Access Control
Users can enter an information system after being authenticated, with limited access
determined by a control policy, often based on the privileges and rights of each practitioner
allowed by the patient or a trusted third party. As a result, it is a superior and adaptable
system for granting permissions to users.
5. Train employees on data security
Employees receive data security training to learn how to protect data from destruction, fraud,
and disclosure. Since data security can be jeopardized accidentally or on purpose,
information security training should address unintentional data mishandling and malevolent
attempts. Workplace data security training should be formal and follow a set of guidelines.
All employees should be aware that protecting company data is not just the responsibility of
the IT department. It is also their obligation. Since data breaches can happen offline, data
privacy training should also cover physical security with appropriate policies.
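The data masking item above (suppress direct identifiers, generalize quasi-identifiers such as date of birth and zip code) can be made concrete as follows. This Python sketch is an added example, not part of the original lecture: the patient records are constructed and the field names are assumptions. The group-size check goes one step beyond the slide to show when a generalization is still too fine to hide an individual.

```python
from collections import Counter

# Constructed sample records; every name and number here is made up.
PATIENTS = [
    {"name": "Patient A", "ssn": "000-00-0001", "dob": "1984-03-12", "zip": "14001", "diagnosis": "asthma"},
    {"name": "Patient B", "ssn": "000-00-0002", "dob": "1984-11-02", "zip": "14002", "diagnosis": "diabetes"},
    {"name": "Patient C", "ssn": "000-00-0003", "dob": "1986-07-30", "zip": "14010", "diagnosis": "asthma"},
    {"name": "Patient D", "ssn": "000-00-0004", "dob": "1991-01-15", "zip": "14055", "diagnosis": "migraine"},
    {"name": "Patient E", "ssn": "000-00-0005", "dob": "1991-09-09", "zip": "14060", "diagnosis": "diabetes"},
    {"name": "Patient F", "ssn": "000-00-0006", "dob": "1984-05-20", "zip": "14099", "diagnosis": "fracture"},
]

# Fields that are harmless alone but can identify a person in combination.
QUASI_IDENTIFIERS = ("birth", "zip")


def mask_record(record, dob_level="year"):
    """Return a de-identified copy of one record.

    Direct identifiers (name, SSN) are replaced by constants, so the
    original value cannot be recovered from the masked one.
    Quasi-identifiers are generalized: date of birth to a year or a
    decade, zip code to its first three digits.
    """
    year = int(record["dob"][:4])
    if dob_level == "year":
        birth = str(year)
    elif dob_level == "decade":
        birth = f"{year // 10 * 10}s"
    else:
        raise ValueError(f"unknown dob_level: {dob_level}")
    return {
        "name": "REDACTED",
        "ssn": "XXX-XX-XXXX",
        "birth": birth,
        "zip": record["zip"][:3] + "XX",
        "diagnosis": record["diagnosis"],
    }


def smallest_group(masked_records):
    """Size of the smallest set of records sharing the same quasi-identifiers.

    A result of 1 means at least one person is still unique in the data.
    """
    groups = Counter(tuple(r[q] for q in QUASI_IDENTIFIERS) for r in masked_records)
    return min(groups.values())


def mask_dataset(records, k=2):
    """Generalize progressively until every group has at least k members."""
    for level in ("year", "decade"):
        masked = [mask_record(r, level) for r in records]
        if smallest_group(masked) >= k:
            return level, masked
    raise ValueError("cannot reach the requested group size; suppress more fields")


if __name__ == "__main__":
    level, masked = mask_dataset(PATIENTS, k=2)
    print(level, masked[0])
```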
Privacy in financial domain
POTENTIAL BANKING SYSTEMS INTRUSIONS
Distributed Denial-of-Service Attack
Denial of Service (DoS) is ranked as the FBI’s third-highest threat after terrorism and espionage. Financial institutions facing a DoS attack could lose a great deal of money through the loss of clients and customers. Repairing the damage done by the attack is also costly.
Distributed Denial of Service (DDoS) is the most common attack that could happen in the banking system. A DDoS attack involves hundreds or more ‘zombie’ computers launching the attack against the targeted system.
Data Breach
Financial institutions have to be aware of threats that would affect system security in their organization. A data breach is one such threat: it allows information and data to leave the system, making it viewable to others.
A data breach happens when there are loopholes in the banking system that enable unauthorized individuals to get access to the system itself. It is due to a lack of security assessment, and also results from a poor security system.

For example, one security data breach case involved five Connecticut banks and resulted from a breach at a New Jersey company that processes credit card payments, according to newspaper and internet reports. The data breach caused a great number of losses for the financial institutions, whose credit card companies, such as Visa and MasterCard, contacted them about the breach, according to the internet site BankInfoSecurity.com. The banks affected by the breach are Litchfield Bancorp, Apple Valley Bank of Cheshire, Dime Bank of Norwich, Liberty Bank of Middletown, Chelsea Groton Bank and 230 other financial institutions.

Malware
Malware is a software program designed to alter and modify a computer’s system without the authority of the user or owner, and it moves from computer to computer and network to network. Malware can include viruses, Trojan horses, worms, script attacks and rogue internet code.
A malware attack can affect the confidentiality, integrity and availability of the banking system.
An example of a malware attack is the ATM breaches in Russia and Ukraine. Trustwave, a Chicago-based provider of information security and card industry, uncovered malware while investigating ATMs in Russia and Ukraine for over a few months. During the attack, about 20 ATMs were infected by the malware, allowing the attackers to steal data, PINs and also money. In this case, they were certain that the attack was an inside job, because the attackers need physical access to the ATM in order to install the malware and execute it. It would also seem that the attacker could be someone who gets a copy of the key to the ATM, opens the machine and loads the malware into the system.

TCP/IP Spoofing
TCP/IP spoofing is one of the common forms of on-line camouflage. In IP spoofing, an attacker gains unauthorized access to a computer or a network by making it appear that a malicious message has come from a trusted machine, by “spoofing” the IP address of that machine.
Another possible threat from spoofing is that it can lead to a breach of confidential data. One possible example is Rocky Mountain Bank, which sent confidential and sensitive information to the wrong Gmail account [13]. The biggest loss in this example is the customers’ trust in the bank’s service. The confidentiality and the integrity of the information have been violated, which also violates the customers’ trust in the bank.

The banking and financial services industry has cyber security departments. These departments deploy some common security measures in order to secure systems. These security measures include:
• Secure Sockets Layer (SSL, for secure connections),
• vulnerability and assessment testing of systems,
• database encryption,
• Firewalls (to control flow of traffic),
• Intrusion detection systems (IDS),
• Network intrusion prevention systems (NIPS), quarantining unknown systems,
• Domain Name System (DNS),
• password protection mechanisms and
• SMS alerts to customers.
All of these devices and security systems are there to secure the cloud architecture infrastructure in banking and financial services. However, there are still threats and vulnerabilities due to external agents or accidental errors by internal staff, and so data privacy and systems security remain a key concern.
Questions

1. What is meant by data privacy? Discuss the fundamental concept of privacy.
2. Explain the difference between data security and data privacy.
3. List and elaborate on the various privacy attacks. Explain one example.
4. Discuss in detail privacy in the medical domain.
5. What is meant by privacy in the financial sector? Explain various intrusion systems in the financial sector with an example.
6. Explain the common security measures used in the financial or banking field.
THANK YOU
