Information security-

unit 1(Information and security)

Before these I have given handwritten notes.

Internet is a global network that connects billions of computers across the world
with each other and to the World Wide Web. It uses standard internet protocol suite
(TCP/IP) to connect billions of computer users worldwide. It is set up by using
cables such as optical fibers and other wireless and networking technologies. At
present, internet is the fastest mean of sending or exchanging information and data
between computers across the world.

Uses of internet

o Using social media and content sharing.

o Instant messaging, video conferencing, Internet Relay Chat (IRC), Internet
telephony, and email are all examples of electronic communication. These
all are used through the Internet.
o Access to online degree programs, courses, and workshops for education
and self-improvement.
o Searching for jobs: To advertise available positions, submit job applications,
and hire candidates identified on social networking sites like LinkedIn, both
employers and applicants use the Internet.

Web service

A Web service is a method of communication between two electronic devices

over a network. It is a software function provided at a network address over the
Web with the service always-on as in the concept of utility computing. Many
organizations use multiple software systems for management.

A web service is a set of open protocols and standards that allow data to be
exchanged between different applications or systems. Web services can be used
by software programs written in a variety of programming languages and running
on a variety of platforms to exchange data via computer networks such as the
Internet in a similar way to inter-process communication on a single computer.
Any software, application, or cloud technology that uses standardized web
protocols (HTTP or HTTPS) to connect, interoperate, and exchange data
messages – commonly XML (Extensible Markup Language) – across the internet
is considered a web service.
Components of Web Service
XML and HTTP is the most fundamental web services platform. The following
components are used by all typical web services:
SOAP (Simple Object Access Protocol)
SOAP stands for “Simple Object Access Protocol.” It is a transport-independent
messaging protocol. SOAP is built on sending XML data in the form of SOAP
Messages. A document known as an XML document is attached to each
message. Only the structure of the XML document, not the content, follows a
pattern. The best thing about Web services and SOAP is that everything is sent
through HTTP, the standard web protocol.
A root element known as the element is required in every SOAP document. In an
XML document, the root element is the first element. The “envelope” is
separated into two halves. The header comes first, followed by the body. The
routing data, or information that directs the XML document to which client it
should be sent to, is contained in the header. The real message will be in the
body.
UDDI (Universal Description, Discovery, and Integration)
UDDI is a standard for specifying, publishing and discovering a service
provider’s online services. It provides a specification that aids in the hosting of
data via web services. UDDI provides a repository where WSDL files can be
hosted so that a client application can discover a WSDL file to learn about the
various actions that a web service offers. As a result, the client application will
have full access to the UDDI, which serves as a database for all WSDL files.
The UDDI registry will hold the required information for the online service, just
like a telephone directory has the name, address, and phone number of a
certain individual. So that a client application may figure out where it is.
WSDL (Web Services Description Language)
If a web service can’t be found, it can’t be used. The client invoking the web
service should be aware of the location of the web service. Second, the client
application must understand what the web service does in order to invoke the
correct web service. The WSDL, or Web services description language, is used
to accomplish this. The WSDL file is another XML-based file that explains what
the web service does to the client application. The client application will be able
to understand where the web service is located and how to use it by using the
WSDL document.
How Does Web Service Work?
The diagram depicts a very simplified version of how a web service would
function. The client would use requests to send a sequence of web service calls
to a server that would host the actual web service.

Remote procedure calls are what are used to make these requests. Calls to
methods hosted by the relevant web service are known as Remote Procedure
Calls (RPC). Example: Flipkart offers a web service that displays prices for items
offered on Flipkart.com. The front end or presentation layer can be written in .Net
or Java, but the web service can be communicated using either programming
language.
The data that is exchanged between the client and the server, which is XML, is the
most important part of a web service design. XML (Extensible markup language)
is a simple intermediate language that is understood by various programming
languages. It is a counterpart to HTML. As a result, when programs communicate
with one another, they do so using XML. This creates a common platform for
applications written in different programming languages to communicate with
one another.
For transmitting XML data between applications, web services employ SOAP
(Simple Object Access Protocol). The data is sent using standard HTTP. A SOAP
message is data that is sent from the web service to the application. An XML
document is all that is contained in a SOAP message. The client application that
calls the web service can be created in any programming language because the
content is written in XML.
Features/Characteristics Of Web Service
Web services have the following features:
(a) XML Based: The information representation and record transportation layers
of a web service employ XML. There is no need for networking, operating system,
or platform binding when using XML. At the middle level, web offering-based
applications are highly interoperable.
(b) Loosely Coupled: A customer of an internet service provider isn’t necessarily
directly linked to that service provider. The user interface for a web service
provider can change over time without impacting the user’s ability to interact with
the service provider. A strongly coupled system means that the patron’s and
server’s decisions are inextricably linked, indicating that if one interface changes,
the other should be updated as well.
A loosely connected architecture makes software systems more manageable and
allows for easier integration between different structures.
(c) Capability to be Synchronous or Asynchronous: Synchronicity refers to the
client’s connection to the function’s execution. The client is blocked and the
client has to wait for the service to complete its operation, before continuing in
synchronous invocations. Asynchronous operations allow a client to invoke a
task and then continue with other tasks.
Asynchronous clients get their results later, but synchronous clients get their
effect immediately when the service is completed. The ability to enable loosely
linked systems requires asynchronous capabilities.
(d) Coarse-Grained: Object-oriented systems, such as Java, make their services
available through individual methods. At the corporate level, a character
technique is far too fine an operation to be useful. Building a Java application from
the ground, necessitates the development of several fine-grained strategies,
which are then combined into a rough-grained provider that is consumed by
either a buyer or a service.
Corporations should be coarse-grained, as should the interfaces they expose.
Web services generation is an easy approach to define coarse-grained services
that have access to enough commercial enterprise logic.
(e) Supports Remote Procedural Call: Consumers can use an XML-based
protocol to call procedures, functions, and methods on remote objects utilizing
web services. A web service must support the input and output framework
exposed by remote systems.
Enterprise-wide component development Over the last few years, JavaBeans
(EJBs) and.NET Components have become more prevalent in architectural and
enterprise deployments. A number of RPC techniques are used to allocate and
access both technologies.
A web function can support RPC by offering its own services, similar to those of a
traditional role, or by translating incoming invocations into an EJB or.NET
component invocation.
(f) Supports Document Exchanges: One of XML’s most appealing features is its
simple approach to communicating with data and complex entities. These
records can be as simple as talking to a current address or as complex as talking
to an entire book or a Request for Quotation. Web administrations facilitate the
simple exchange of archives, which aids incorporate reconciliation.
The web benefit design can be seen in two ways: (i) The first step is to examine
each web benefit on-screen character in detail. (ii) The second is to take a look at
the rapidly growing web benefit convention stack.

Advantages Of Web Service

Using web services has the following advantages:
(a) Business Functions can be exposed over the Internet: A web service is a
controlled code component that delivers functionality to client applications or
end-users. This capability can be accessed over the HTTP protocol, which means
it can be accessed from anywhere on the internet. Because all apps are now
accessible via the internet, Web services have become increasingly valuable.
Because all apps are now accessible via the internet, Web services have become
increasingly valuable. That is to say, the web service can be located anywhere on
the internet and provide the required functionality.
(b) Interoperability: Web administrations allow diverse apps to communicate
with one another and exchange information and services. Different apps can also
make use of web services. A .NET application, for example, can communicate
with Java web administrations and vice versa. To make the application stage and
innovation self-contained, web administrations are used.
(c) Communication with Low Cost: Because web services employ the SOAP over
HTTP protocol, you can use your existing low-cost internet connection to
implement them. Web services can be developed using additional dependable
transport protocols, such as FTP, in addition to SOAP over HTTP.
(d) A Standard Protocol that Everyone Understands: Web services
communicate via a defined industry protocol. In the web services protocol stack,
all four layers (Service Transport, XML Messaging, Service Description, and
Service Discovery) use well-defined protocols.
(e) Reusability: A single web service can be used simultaneously by several client
applications.
A Threat is a possible security risk that might exploit the vulnerability of a system
or asset. The origin of the threat may be accidental or environmental, human
negligence, or human failure. There are various types of security threats such as
Interruption, Interception, Fabrication, and Modification.

A threat is something that can gain access to, harm, or eliminate an asset by
exploiting a vulnerability, whether purposefully or unintentionally. Threats can be
divided into three categories −

• Floods, storms, and tornadoes are examples of natural disasters.

• Unintentional threats, such as an employee accessing incorrect
information.
• Spyware, virus, adware companies, or the activities of a rogue employee are
all examples of intentional dangers.

Bugs and malware are classified as dangers because they can hurt your firm if you
are exposed to a computerized attack rather than one carried out by humans.

Many firms do cyber threat assessments to determine where they should focus
their monitoring, protection, and remediation efforts. So, if an asset is something
you're attempting to protect, a threat is something you're trying to avoid.

What is an Attack?

An Attack is an intentional unauthorized action on a system. Attacks can be

grouped into two categories −

• Active Attacks − An active attack is an attempt to change system resources

or influence their operation.
• Passive Attacks − A passive attack is an attempt to understand or retrieve
sensitive data from a system without influencing the system resources.

An attack always has a motivation to misuse system and generally wait for an
opportunity to occur.

Types of threats
1. Insider threats
An insider threat occurs when individuals close to an organization who have
authorized access to its network intentionally or unintentionally misuse that
access to negatively affect the organization's critical data or systems.

Careless employees who don't comply with their organizations' business rules
and policies cause insider threats. For example, they may inadvertently email
customer data to external parties, click on phishing links in emails or share their
login information with others. Contractors, business partners and third-party
vendors are the source of other insider threats.

Some insiders intentionally bypass security measures out of convenience or ill-

considered attempts to become more productive. Malicious insiders intentionally
elude cybersecurity protocols to delete data, steal data to sell or exploit later,
disrupt operations or otherwise harm the business.

How to prevent insider threats

The list of things organizations can do to minimize the risks associated with
insider threats include the following:

• Limit employees' access to only the specific resources they need to do

their jobs;
• Train new employees and contractors on security awareness before
allowing them to access the network. Incorporate information about
unintentional and malicious insider threat awareness into regular
security training;
• Set up contractors and other freelancers with temporary accounts that
expire on specific dates, such as the dates their contracts end;
• Implement two-factor authentication, which requires each user to
provide a second piece of identifying information in addition to a
password; and
 • Install employee monitoring software to help reduce the risk of data
breaches and the theft of intellectual property by identifying careless,
disgruntled or malicious insiders.

2. Viruses and worms

Viruses and worms are malicious software programs (malware) aimed at
destroying an organization's systems, data and network. A computer virus is a
malicious code that replicates by copying itself to another program, system or
host file. It remains dormant until someone knowingly or inadvertently activates
it, spreading the infection without the knowledge or permission of a user or
system administration.

A computer worm is a self-replicating program that doesn't have to copy itself to a

host program or require human interaction to spread. Its main function is to infect
other computers while remaining active on the infected system. Worms often
spread using parts of an operating system that are automatic and invisible to the
user. Once a worm enters a system, it immediately starts replicating itself,
infecting computers and networks that aren't adequately protected.

How to preventing viruses and worms

To reduce the risk of these types of information security threats caused by viruses
or worms, companies should install antivirus and antimalware software on all
their systems and networked devices and keep that software up to date. In
addition, organizations must train users not to download attachments or click on
links in emails from unknown senders and to avoid downloading free software
from untrusted websites. Users should also be very cautious when they use P2P
file sharing services and they shouldn't click on ads, particularly ads from
unfamiliar brands and websites.

3. Botnets
A botnet is a collection of Internet-connected devices, including PCs, mobile
devices, servers and IoT devices that are infected and remotely controlled by a
common type of malware. Typically, the botnet malware searches for vulnerable
devices across the internet. The goal of the threat actor creating a botnet is to
infect as many connected devices as possible, using the computing power and
resources of those devices for automated tasks that generally remain hidden to
the users of the devices. The threat actors -- often cybercriminals -- that control
these botnets use them to send email spam, engage in click fraud campaigns and
generate malicious traffic for distributed denial-of-service attacks.

How to prevent botnets

Organizations have several ways to prevent botnet infections:

• Monitor network performance and activity to detect any irregular

network behavior;
• Keep the operating system up to date;
• Keep all software up-to-date and install any necessary security patches;
• Educate users not to engage in any activity that puts them at risk of bot
infections or other malware, including opening emails or messages,
downloading attachments or clicking links from unfamiliar sources; and
 • Implement antibotnet tools that find and block bot viruses. In addition,
most firewalls and antivirus software include basic tools to detect,
prevent and remove botnets.
4. Drive-by download attacks
In a drive-by download attack, malicious code is downloaded from a website via a
browser, application or integrated operating system without a user's permission
or knowledge. A user doesn't have to click on anything to activate the download.
Just accessing or browsing a website can start a download. Cybercriminals can
use drive-by downloads to inject banking Trojans, steal and collect personal
information as well as introduce exploit kits or other malware to endpoints.

How to prevent drive-by download attacks

One of the best ways a company can prevent drive-by download attacks is to
regularly update and patch systems with the latest versions of software,
applications, browsers, and operating systems. Users should also be warned to
stay away from insecure websites. Installing security software that actively scans
websites can help protect endpoints from drive-by downloads.

5. Phishing attacks
Phishing attacks are a type of information security threat that employs social
engineering to trick users into breaking normal security practices and giving up
confidential information, including names, addresses, login credentials, Social
Security numbers, credit card information and other financial information. In
most cases, hackers send out fake emails that look as if they're coming from
legitimate sources, such as financial institutions, eBay, PayPal -- and even friends
and colleagues.

In phishing attacks, hackers attempt to get users to take some recommended

action, such as clicking on links in emails that take them to fraudulent websites
that ask for personal information or install malware on their devices. Opening
attachments in emails can also install malware on users' devices that are
designed to harvest sensitive information, send out emails to their contacts or
provide remote access to their devices.
How to prevent phishing attacks
Enterprises should train users not to download attachments or click on links in
emails from unknown senders and avoid downloading free software from
untrusted websites.

6. Distributed denial-of-service (DDoS) attacks

In a distributed denial-of-service (DDoS) attack, multiple compromised machines
attack a target, such as a server, website or other network resource, making the
target totally inoperable. The flood of connection requests, incoming messages or
malformed packets forces the target system to slow down or to crash and shut
down, denying service to legitimate users or systems.

How to prevent DDoS attacks

To help prevent DDoS attacks, companies should take these steps:

• Implement technology and tools to monitor networks visually and know

how much bandwidth a site uses on average. DDoS attacks offer visual
clues so administrators who understand the normal behaviors of their
networks will be better able to catch these attacks.
• Ensure servers have the capacity to handle heavy traffic spikes and the
necessary mitigation tools necessary to address security problems.
• Update and patch firewalls and network security programs.
• Set up protocols outlining the steps to take in the event of a DDoS
attack occurring.
7. Ransomware
In a ransomware attack, the victim's computer is locked, typically by encryption,
which keeps the victim from using the device or data that's stored on it. To regain
access to the device or data, the victim has to pay the hacker a ransom, typically
in a virtual currency such as Bitcoin. Ransomware can be spread via malicious
email attachments, infected software apps, infected external storage devices and
compromised websites.
 You've been hacked
How to prevent ransomware
To protect against ransomware attacks, users should regularly back up their
computing devices and update all software, including antivirus software. Users
should avoid clicking on links in emails or opening email attachments from
unknown sources. Victims should do everything possible to avoid paying ransom.
Organizations should also couple a traditional firewall that blocks unauthorized
access to computers or networks with a program that filters web content and
focuses on sites that may introduce malware. In addition, limit the data a
cybercriminal can access by segregating the network into distinct zones, each of
which requires different credentials.

8. Exploit kits
An exploit kit is a programming tool that enables a person without any experience
writing software code to create, customize and distribute malware. Exploit kits
are known by a variety of names, including infection kit, crimeware kit, DIY attack
kit and malware toolkit. Cybercriminals use these toolkits to attack system
vulnerabilities to distribute malware or engage in other malicious activities, such
as stealing corporate data, launching denial of service attacks or building
botnets.

How to prevent exploit kits

To guard against exploit kits, an organization should deploy antimalware software
as well as a security program that continually evaluates if its security controls are
effective and provide protection against attacks. Enterprises should also install
antiphishing tools because many exploit kits use phishing or compromised
websites to penetrate the network.

9. Advanced persistent threat attacks

An advanced persistent threat (APT) is a targeted cyberattack in which an
unauthorized intruder penetrates a network and remains undetected for an
extended period of time. Rather than causing damage to a system or network, the
goal of an APT attack is to monitor network activity and steal information to gain
access, including exploit kits and malware. Cybercriminals typically use APT
attacks to target high-value targets, such as large enterprises and nation-states,
stealing data over a long period.

How to prevent APT attacks

Detecting anomalies in outbound data may be the best way for system
administrators to determine if their networks have been targeted.

Indicators of APTs include the following:

• unusual activity on user accounts;

• extensive use of backdoor Trojan horse malware, a method that enables
APTs to maintain access;
• odd database activity, such as a sudden increase in database
operations involving massive amounts of data; and
• the presence of unusual data files, possibly indicating that data that has
been bundled into files to assist in the exfiltration process.

To combat this type of information security threat, an organization should also

deploy a software, hardware or cloud firewall to guard against APT attacks.
Organizations can also use a Web application firewall to detect and prevent
attacks coming from web applications by inspecting HTTP traffic.
10. Malvertising
Malvertising is a technique cybercriminals use to inject malicious code into
legitimate online advertising networks and web pages. This code typically
redirects users to malicious websites or installs malware on their computers or
mobile devices. Users' machines may get infected even if they don't click on
anything to start the download. Cybercriminals may use malvertising to deploy a
variety of moneymaking malware, including cryptomining scripts, ransomware
and banking Trojans.

Some of the websites of well-known companies, including Spotify, The New York
Times and the London Stock Exchange, have inadvertently displayed malicious
ads, putting users at risk.

How to prevent malvertising

To prevent malvertising, ad networks should add validation; this reduces the
chances a user could be compromised. Validation could include: Vetting
prospective customers by requiring legal business paperwork; two-factor
authentication; scanning potential ads for malicious content before publishing an
ad; or possibly converting Flash ads to animated gifs or other types of content.

To mitigate malvertising attacks, web hosts should periodically check their

websites from an unpatched system and monitor that system to detect any
malicious activity. The web hosts should disable any malicious ads.

To reduce the risk of malvertising attacks, enterprise security teams should be

sure to keep software and patches up to date as well as install network
antimalware tools.

Top Mobile Security Threats

Mobile phone security threats generally include application based, web-based,

network-based and physical threats.
1. Application based threat:
The most of application are downloadable and purposed the most common risk
for mobile users; most devices don’t do much on their own, and it is the
applications that make them so awesome and we all download apps. If it comes
to apps the risks run from bugs and basic security risks on the low end of the
scale all the way through malicious apps with no other purpose to commit cyber
crime.
• Malware
• Spyware
• Privacy
• Zero Day Vulnerabilities
2. Web based threat:
According to the nature of mobile use, the fact that we have our devices with us
everywhere we go and are connecting to the Internet while doing so, they face
the number of unique web-based threats as well as the run-of-the-mill threats of
general Internet use.
• Phishing Scams
• Social Engineering
• Drive By Downloads
• Operating System Flaws
3. Network-based threat:
Any mobile devices which typically support a minimum of three network
capabilities making them three-times vulnerable to network-based attack. And a
network often found on a mobile include cellular, WiFi and Bluetooth.
• Network exploits
• WiFi sniffing
• Cross-Platform Attacks
• BOYD
4. Physical Threats:
It is happened any time, unlikely a desktop sitting at your workstation, or even a
laptop in your bag, a mobile device is subject to a number of everyday physical
threats.
• Loss/Theft:
Loss or theft is the most unwanted physical threat to the security of
your mobile device. Any devices itself has value and can be sold on the
secondary market after all your information is stolen and sold.
•

•
• Information security (sometimes referred to as InfoSec) covers the tools
and processes that organizations use to protect information. This includes
policy settings that prevent unauthorized people from accessing business
or personal information. InfoSec is a growing and evolving field that covers
a wide range of fields, from network and infrastructure security to testing
and auditing.

• Information security protects sensitive information from unauthorized

activities, including inspection, modification, recording, and any disruption
or destruction. The goal is to ensure the safety and privacy of critical data
such as customer account details, financial data or intellectual property.

• The consequences of security incidents include theft of private

information, data tampering, and data deletion. Attacks can disrupt work
processes and damage a company’s reputation, and also have a tangible
cost.

• Organizations must allocate funds for security and ensure that they are
ready to detect, respond to, and proactively prevent, attacks such
as phishing, malware, viruses, malicious insiders, and ransomware.

• What are the 3 Principles of Information Security?

• The basic tenets of information security are confidentiality, integrity and

availability. Every element of the information security program must be
designed to implement one or more of these principles. Together they are
called the CIA Triad.

• Confidentiality

• Confidentiality measures are designed to prevent unauthorized disclosure

of information. The purpose of the confidentiality principle is to keep
personal information private and to ensure that it is visible and accessible
only to those individuals who own it or need it to perform their
organizational functions.
 • Integrity

• Consistency includes protection against unauthorized changes (additions,

deletions, alterations, etc.) to data. The principle of integrity ensures that
data is accurate and reliable and is not modified incorrectly, whether
accidentally or maliciously.

• Availability

• Availability is the protection of a system’s ability to make software systems

and data fully available when a user needs it (or at a specified time). The
purpose of availability is to make the technology infrastructure, the
applications and the data available when they are needed for an
organizational process or for an organization’s customers.

Information classification is a process used in information security to categorize

data based on its level of sensitivity and importance. The purpose of
classification is to protect sensitive information by implementing appropriate
security controls based on the level of risk associated with that information.
There are several different classification schemes that organizations can use,
but they generally include a few common levels of classification, such as:
• Public: Information that is not sensitive and can be shared freely with
anyone.
• Internal: Information that is sensitive but not critical, and should only
be shared within the organization.
• Confidential: Information that is sensitive and requires protection, and
should only be shared with authorized individuals or groups.
• Secret: Information that is extremely sensitive and requires the highest
level of protection, and should only be shared with a select group of
authorized individuals.
• Top Secret: Information that if disclosed would cause exceptionally
grave damage to the national security and access to this information is
restricted to a very small number of authorized individuals with a
need-to-know.
 • Information classification also includes a process of labeling the
information with the appropriate classification level and implementing
access controls to ensure that only authorized individuals can access
the information. This is done through the use of security technologies
such as firewalls, intrusion detection systems, and encryption.

What is data privacy?

Data privacy generally means the ability of a person to determine for themselves
when, how, and to what extent personal information about them is shared with or
communicated to others. This personal information can be one's name, location,
contact information, or online or real-world behavior. Just as someone may wish
to exclude people from a private conversation, many online users want to control
or prevent certain types of personal data collection.

As Internet usage has increased over the years, so has the importance of data
privacy. Websites, applications, and social media platforms often need to collect
and store personal data about users in order to provide services. However, some
applications and platforms may exceed users' expectations for data collection
and usage, leaving users with less privacy than they realized. Other apps and
platforms may not place adequate safeguards around the data they collect,
which can result in a data breach that compromises user privacy.

Why is data privacy important?

In many jurisdictions, privacy is considered a fundamental human right, and data

protection laws exist to guard that right. Data privacy is also important because in
order for individuals to be willing to engage online, they have to trust that their
personal data will be handled with care. Organizations use data protection
practices to demonstrate to their customers and users that they can be trusted
with their personal data.

Personal data can be misused in a number of ways if it is not kept private or if

people don’t have the ability to control how their information is used:
 • Criminals can use personal data to defraud or harass users.

• Entities may sell personal data to advertisers or other outside parties

without user consent, which can result in users receiving unwanted
marketing or advertising.

• When a person's activities are tracked and monitored, this may restrict
their ability to express themselves freely, especially under repressive
governments.

For individuals, any of these outcomes can be harmful. For a business, these
outcomes can irreparably harm their reputation, as well as resulting in fines,
sanctions, and other legal consequences.

In addition to the real-world implications of privacy infringements, many people

and countries hold that privacy has intrinsic value: that privacy is a human right
fundamental to a free society, like the right to free speech.

What are the laws that govern data privacy?

As technological advances have improved data collection and surveillance

capabilities, governments around the world have started passing laws regulating
what kind of data can be collected about users, how that data can be used, and
how data should be stored and protected. Some of the most important regulatory
privacy frameworks to know include:

• General Data Protection Regulation (GDPR): Regulates how the

personal data of European Union (EU) data subjects, meaning
individuals, can be collected, stored, and processed, and gives data
subjects rights to control their personal data (including a right to be
forgotten).

• National data protection laws: Many countries, such as Canada, Japan,

Australia, Singapore, and others, have comprehensive data protection
laws in some form. Some, like Brazil's General Law for the Protection of
Personal Data and the UK's Data Protection Act, are quite similar to the
GDPR.
 • California Consumer Privacy Act (CCPA): Requires that consumers be
made aware of what personal data is collected and gives consumers
control over their personal data, including a right to tell organizations
not to sell their personal data.

There are also industry-specific privacy guidelines in some countries: for

instance, in the United States, the Health Insurance Portability and Accountability
Act (HIPAA) governs how personal healthcare data should be handled.

However, many privacy advocates argue that individuals still do not have
sufficient control over what happens to their personal data. Governments around
the world may pass additional data privacy laws in the future.

What are Fair Information Practices?

Many of the existing data protection laws are based on foundational privacy
principles and practices, such as those laid out in the Fair Information Practices.
The Fair Information Practices are a set of guidelines for data collection and
usage. These guidelines were first proposed by an advisory committee to the U.S.
Department of Health, Education, and Welfare in 1973. They were later adopted
by the international Organization for Economic Cooperation and Development
(OECD) in its Guidelines on the Protection of Privacy and Transborder Flows of
Personal Data.

The Fair Information Practices are:

• Collection limitation: There should be limits to how much personal data

can be collected

• Data quality: Personal data, when collected, should be accurate and

related to the purpose it is being used for

• Purpose specification: The use for personal data should be specified

• Use limitation: Data should not be used for purposes other than what
was specified
 • Security safeguards: Data should be kept secure

• Openness: Personal data collection and usage should not be kept

secret from individuals

• Individual participation: Individuals have a number of rights, including

the right to know who has their personal data, to have their data
communicated to them, to know why a request for their data is denied,
and to have their personal data corrected or erased

• Accountability: Anyone who collects data should be held accountable

for implementing these principles

What are some of the challenges users face when protecting their online privacy?

Online tracking: User behavior is regularly tracked online. Cookies often record a
user's activities, and while most countries require websites to alert users of
cookie usage, users may not be aware of to what degree cookies are recording
their activities.

Losing control of data: With so many online services in common use, individuals
may not be aware of how their data is being shared beyond the websites with
which they interact online, and they may not have a say over what happens to
their data.

Lack of transparency: To use web applications, users often have to provide

personal data like their name, email, phone number, or location; meanwhile, the
privacy policies associated with those applications may be dense and difficult to
understand.

Social media: It is easier than ever to find someone online using social media
platforms, and social media posts may reveal more personal information than
users realize. In addition, social media platforms often collect more data than
users are aware of.

Cyber crime: Many attackers try to steal user data in order to commit fraud,
compromise secure systems, or sell it on underground markets to parties who
will use the data for malicious purposes. Some attackers use phishing attacks to
try to trick users into revealing personal information; others attempt to
compromise companies' internal systems that contain personal data.

What are some of the challenges businesses face when protecting user privacy?

Communication: Organizations sometimes struggle to communicate clearly to

their users what personal data they are collecting and how they use it.

Cyber crime: Attackers target both individual users and organizations that collect
and store data about those users. In addition, as more aspects of a business
become Internet-connected, the attack surface increases.

Data breaches: A data breach can lead to a massive violation of user privacy if
personal details are leaked, and attackers continue to refine the techniques they
use to cause these breaches.

Insider threats: Internal employees or contractors might inappropriately access

data if it is not adequately protected.

What are some of the most important technologies for data privacy?

• Encryption is a way to conceal information by scrambling it so that it

appears to be random data. Only parties with the encryption key can
unscramble the information.

• Access control ensures that only authorized parties access systems and
data. Access control can be combined with data loss prevention
(DLP) to stop sensitive data from leaving the network.

• Two-factor authentication is one of the most important technologies for

regular users, as it makes it far harder for attackers to gain unauthorized
access to personal accounts.
These are just some of the technologies available today that can protect user
privacy and keep data more secure. However, technology alone is not sufficient
to protect data privacy.