5.4 Risks of digital tech

Cards (20)

  • Security breaches are a big risk; the impact of unauthorised access is often very large
  • Security breaches occur when someone gains unauthorised access to sensitive systems
  • Security breaches can occur due to all kinds of vulnerabilities, including logical and physical
  • Security breach social engineering example:
    A fake employee may use social engineering to bypass access levels, then shoulder surf to spy on a company, deleting emails and installing backdoors
  • Security breach man-in-the-middle attack example:
    A threat actor could initiate a fake WAP attack by offering a wireless access point that allows them to intercept and access traffic, letting them breach a company portal
  • Security breach malicious employee example:
    A malicious employee could steal sensitive business operations information (which could be seen as unethical) in order to whistleblow
  • 6 main impacts of a security breach are:
    Financial loss - Improvements to security
    Legal cost - Fines and lawyers must be paid
    Data loss - Sensitive data may have been taken
    Reputation loss - Failing to protect data damages reputation
    Downtime - Less revenue, system outages
    Loss of productivity - time and resources have to be allocated to recovery
  • Privacy breaches occur due to similar vulnerabilities as security breaches; however, they target sensitive data rather than access to a system
  • Privacy breaches have 3 main consequences:
    Loss of image and reputation, due to distrust of the company
    Legal cost of large fines and lawyers
    Financial loss from having to improve security, loss of customers
  • Privacy breach - Vulnerability 1 Insecure API:
    A common vulnerability that leads to privacy breaches is an insecure API. This is because a company's API is how different parts of a backend interact. Therefore, if an API can be exploited, it may be possible to access the backend
  • Privacy breach - Attack 1 Insecure API:
    A threat actor can exploit an insecure API using SQL injection, XSS or another injection attack, gaining some level of unauthorised access to data.
  • Privacy breach - Protection 1 Insecure API:
    To mitigate an insecure API vulnerability, your own and any partners' APIs must be secured, primarily through input validation. Then provide separate levels of API and backend access to reduce the impact of a compromise.
  • Privacy breach - Vulnerability 2 Excessive access level:
    Another common vulnerability that may lead to privacy breaches is giving employees excessive access to data. Employees may have access to sensitive data that isn't necessary to their jobs.
  • Privacy breach - Attack 2 Excessive access level:
    A threat actor could engage in social engineering or exploit their position in a company to gain access to sensitive data.
  • Privacy breach - Protection 2 Excessive access level:
    Strict access controls that use the principle of least privilege as a model are effective. They may significantly reduce the opportunities for attack, and regular checks can be conducted with greater ease on fewer individuals. These access controls must be checked often to ensure they still follow the principle of least privilege
  • Privacy breach - Vulnerability 3 Untrustworthy data broker:
    Another common vulnerability is careless selling of data. If a business indiscriminately shares and sells sensitive data, such as customer details, to third parties then the use of the data isn't controlled.
  • Privacy breach - Attack 3 Untrustworthy data broker:
    If the data broker is merely reckless, then they may be vulnerable to threat actors who may steal sensitive data. However, if they are malicious, then it is all but guaranteed that privacy will be breached
  • Privacy breach - Protection 3 Untrustworthy data broker:
    To mitigate this vulnerability, an organisation can establish strict guidelines and protocols for selling customer data, including vetting third parties and ensuring they meet data protection standards. Contracts should be made that outline the purpose and limitations of the data that is sold, with regular compliance checks
  • Organisations must follow the rules and regulations specific to their industry, country and location. If they fail to follow these restrictions, then they are subject to severe consequences.
    Therefore, a risk of digital environments is not following the laws that apply to them
  • System failure is a risk of digital technologies because if a system has an outage or breaks, a data recovery policy must be invoked and company services cannot continue