TJ3 Glossary - Shadowsarespooky/TechJournal GitHub Wiki

Data Security and Principles

Apple or Android Phone?

  • Android is more customizable
  • Apple is better used as a public phone with a public number
  • Android is better used as a personal phone for a private number

How your data is used

  • Your phone’s location data is collected and sold to companies
  • Companies use this data to send ads, or choose where to set up new stores
  • You can put your phone on airplane mode to hide your location at night, so that they can’t see where you sleep
  • Applications you download can collect data and force target ads

OSINT - Open Source Intelligence

Personal data is stored in public databases, social media, and all over the internet. You can search yourself on the internet and find out what information has been shared on the internet or is readily available to be seen. Data-Abstractions

  • Bit-level data: storage, transfer, and bit level operations (input/output, processing).
  • System-level data: roles and authorized resources to be used for reading, writing, executing data on files or in the system.
  • Personal level data: SSN, usernames/passwords, address, credit card information/history, medical billing/history, personal files.
  • Policy-level data: Rules and procedures of how to protect data on all levels

Data-McCumber Cube

  • McCumber Cube: represents design guide for securing data in every level of abstraction
  • Security Goals
  • Information States
  • Countermeasures

Security Goals

Data Hacks

  • Game Consoles, Computers, Mobile devices, your information on the internet you access on these devices are stored on databases that hackers can steal usernames, passwords, email addresses, etc. This breach breaks confidentiality.
  • An infected computer used for automating and monitoring was sent damage-inducing instructions to make the computer damage the production while sending false feedback to the main controller. False feedback is a break of integrity.
  • A ransomware crypto worm that targeted Microsoft Windows computers by encrypting data and demanding ransom payments in Bitcoin cryptocurrency to provide the decryption key. Encrypting the data compromises availability.

Confidentiality per Data Abstraction Level

  • Disclosure of bit-level data: system encryption keys, physical layer network traffic
  • Unauthorized access to system-level data: access rights, data/network/transport/application layer network traffic, web certificates
  • Personal-level data: names, addresses, emails, birth dates, usernames, passwords

Integrity per Data Abstraction Level

  • Bit-level data deception: hash collisions
  • System-level data deception: privilege escalation, traffic impersonation, domain hijacking
  • Personal-level data deception: user spoofing, email spoofing

Availability per Data Abstraction Level

  • Disruption/Destruction of bit-level data: corrupted drives, corrupted physical layer traffic
  • Disruption/Destruction of system-level data: denial of access, denial of system resources (ransomware), traffic denial of service
  • Personal-level data: file destruction and usurpation, deletion of accounts

Takeaway

  • Attackers can target individual and different points and times, while a defender must ensure protection at all points and times.

Information States

  • Data in Rest, In Transit, Processing
  • Data Hacks
  • Abstraction Levels

Controls

Rules for Data Protection

  • Rules/Laws are introduced and enforced at local, state, and federal levels
  • Policies used by people and organizations are implemented as laws to protect the CIA of personal information
  • Enforcing these policies at all levels, local, state, and national serves as deterrents to cybercriminals, adversaries, and hackers.

Federal Cybersecurity Laws Examples:

    • HIPPA
    • CFAA
  • Other Cyber security Laws
    • GDPR - In the EU
    • CCPA - State of California
  • Cybersecurity Policies - Acceptable Use Policy
  • Policy Implementation: Controls