PHIL 355E – Privacy Module Reflection

Through your work in this module, you should have gained a robust and multifaceted understanding of privacy concerns, and gained experience using ethical principles to think through privacy issues in a cybersecurity context. Next, we’ll be turning to data ethics to think about moral issues in the acquisition and use of user data.

Before going on to the next module, take a minute and write down:

  • Something about privacy that makes sense to you now that didn’t before, or
  • Something about privacy that you thought made sense before that you realize now does not, or
  • Something that you’re still trying to figure out about privacy.

An aspect of privacy that makes more sense to me is the privacy paradox and how people still care about maintaining privacy despite deciding to post on social media. Grimmelmann’s Introduction to the Myths of Privacy of Facebook opened me to a new perspective on social media and why people feel inclined to share their lives, while also acknowledging privacy as essential for them and wanting to stay somewhat private. Due to how culture has embraced peering into the lives of celebrities and popular figures, and social media was another vehicle for that same thing, people felt inclined to share about their own lives for some sense of fame. Social media can also be a way for people’s lives to have structure by information being delegated to one singular place. Finally, a majority of users will use and perceive the platform not as a place that has millions of people, but as a place for smaller communities, or connecting with people that they know, wanting privacy as compared to large exposure. These reasons are why people make posts but still want a sense of privacy. Regarding the concept, I always had the idea that social media users had little care when it came to their privacy due to the amount of information that they were willing to expose to millions of people, but now I have a clearer understanding of the concept and privacy overall.

PHIL 355E – Privacy Case Study

Now it’s time to start on the module itself. All seven modules begin with a Case Study discussion to start you thinking about the topic for the module so that you can approach the module readings with some questions, and an initial position on some related ethical questions. This module is about privacy, and so is the Case Study!

First, read this article: Williams, Mary Elizabeth.  “Even cheating dirtbags deserve privacy.” 

Your question to answer is: Why do people deserve privacy—what is it good for? Do people who use privacy to act immorally (but not illegally) still deserve their privacy? Why or why not?

People deserve to have privacy due to it being a fundamental aspect of society. From what we do on our own to the information about us, many things about life are given privacy because not everything needs to be seen by everyone.

Privacy allows people to express themselves without the knowledge of being seen. If people were only allowed to exist by being seen by others, then it would restrict people from being able to do things on their own or have private experiences with personal figures that don’t need to be made public. Privacy is also necessary for protecting personal information like an address or social security number that could have a large negative impact on someone’s life if it were to get out.

In the case of the Ashley Madison hack, while there is complexity in what is considered immoral, privacy is still something that should be a given regardless. People are entitled to do what they want to on the Internet, even if it’s a frowned-upon subject. While I don’t like the idea of a site like Ashley Madison, and The Impact Team that hacked the site didn’t either, it isn’t grounds for people’s information to be out in the open for everyone to see. Privacy isn’t allowed for some and not for others; it’s given to everyone.

CYSE 300 – Information Systems Security Education and Training Approaches

Cybersecurity education and training are provided in a variety of ways. These include online/face-to-face courses, online self-study (e.g., Skillsoft Skillport), reading textbooks/periodicals, and video presentations. Of the various approaches, which do you feel is the most effective? Are there any recommendations you could provide to help improve the ways that cybersecurity knowledge is conveyed?

Of the options given, face-to-face courses and video presentations are the most beneficial in teaching cybersecurity knowledge, in my opinion. This is because of the interaction between the professor and students and the guidance that’s provided in its structure. A face-to-face course forces students to be engaged by having it be the primary source of information, and a video presentation can do the same for people who have that preference. While other methods like online courses, self-study, and textbooks can be helpful as well, there are restrictions. For example, doing online courses and self-study can give the students direct control over the rate at which they learn, but there is little to no interaction, and there can be a sense of aimlessness when there is a pile of assignments that need to be done but there is no structure for it. For textbooks, while they can be dense with useful information, at the same time, that density can be overwhelming to the brain; if it is primarily text, the information will then start to blend and not be retained as easily.

Regarding recommendations to improve teaching cybersecurity knowledge, a primary method is emphasizing hands-on activities or labs. This form of teaching can be effective by directly applying the concepts being taught, which can help with retaining the information. This also helps students to better grasp concepts and use them in real-world situations.

CYSE 300 – Cybersecurity Professional Credentials

What avenues should an aspiring information security professional use in acquiring professional credentials?  Cite resources and references that back up your recommendations.  You can watch the following videos to help answer this topic:

For starting information security professionals, several paths can be taken to acquire professional credentials. For example, one path is certifications such as the CompTIA Security+ or Certified Information Systems Security Professional, which cover a broad amount of information security. They lay a foundation in knowledge, and these foundational certifications are industry standards that will make potential employees stand out. Furthermore, there are certifications for specific areas such as the Certified Ethical Hacker that delve much deeper into ethical hacking for those interested in information security. This shows particular knowledge that can further separate professionals and provide opportunities for specific positions.

Another pathway is via programs in post-secondary education. While there is a large investment in both resources and time, a degree can be a useful credential for entry-level positions and is a reputable source of certification in many fields of information security. While there are many other methods for gaining professional credentials, paths such as certifications and degrees in post-secondary education are effective starting points that provide a wealth of foundational experience.

https://www.forbes.com/advisor/education/certifications/cybersecurity-certification-for-beginners/

https://www.forbes.com/advisor/education/certifications/degree-certificate-bootcamp/

CYSE 300 – Health Insurance Portability and Accountability Act (HIPAA) Security Rules

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule establishes a national set of minimum security standards for protecting all electronic private health information (ePHI) that a Covered Entity (CE) and Business Associate (BA) create, receive, maintain, or transmit. The Security Rule contains the administrative, physical, and technical safeguards that CEs and BAs must put in place to secure ePHI. With that in mind, what types of information system components need to be heavily scrutinized to help protect the confidentiality and integrity of ePHI?  What types of controls would you recommend implementing to safeguard ePHI?  Cite resources and references that back up your assertions.

I believe the most critical information system components of HIPAA’s Security Rule that need to be criticized are workforce security, workstation and device security, and encryption. Suppose there are no restrictions on employee accessibility or little training in cybersecurity policy. In that case, that leaves electronic Private Health Information (ePHI) susceptible to being changed or leaked, which compromises both confidentiality and integrity. Ensuring a proper foundational understanding of cybersecurity for staff, as well as higher awareness of the value of ePHI to cybercriminals will improve the ability to maintain the information’s security. Next, devices with poor security or access protocols allow for little protection and unauthorized access to ePHI, which is why secure protocols and role-based access control can limit how many people can access information, improving security. Furthermore, effective encryption techniques are also beneficial in protecting devices that store ePHI by scrambling information to unauthorized users, but without it, information is left in understandable text to anyone who can get to it.

https://fortifiedhealthsecurity.com/blog/do-you-meet-hipaas-3-areas-of-security/

https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html

CYSE 300 – NIST Cybersecurity Framework (CSF)

The NIST CSF (URL: https://www.nist.gov/cyberframework) was developed to provide “a common language to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses.” Do businesses and government agencies need to utilize such a framework to maintain a proper cybersecurity posture? Can an organization mitigate cybersecurity risks without incorporating such a framework? Cite resources and references that back up your assertions.

While organizations outside of federal ones don’t need to comply with the NIST CSF, it is still an effective framework for having a solid cybersecurity foundation. As technologies vary with organization and risks, the NIST CSF mitigates the issue by having general standards overlapping several industries and business levels. Frameworks like the NIST CSF provide plans to improve an organization’s cybersecurity foundation and make them more aware of vulnerabilities, cyber-attacks, and how to reduce cyber-related challenges.

However, organizations can mitigate risks without the framework, though doing so will present more challenges. It forces the organization to make its own cybersecurity structure and adds extra costs to maintain it in the form of up-to-date technology and experienced staff. This leads to a difficult foundation to build in an organization, unlike a structured cybersecurity framework that provides a broad but very beneficial foundation for different kinds of organizations.

https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf

https://www.datalinknetworks.net/dln_blog/why-does-my-business-need-to-be-nist-compliant

CYSE 300 – Mitigation Methods

Describe some actions or techniques that can be used to mitigate or stop the impacts of malicious applications. Are some of these methods more effective than others? Provide an example of a cyber attack that resulted from the execution of malicious code. There are plenty of examples that can be queried from the Internet.

There are multiple ways to help prevent or mitigate malware attacks. For example, having anti-virus software, encryption, and firewalls creates strong barriers for malware to go through. Intrusion detection systems, intrusion prevention systems, and ensuring that a system is patched and updated are more methods for keeping a system secure before an attack can happen. Outside of software, having an effective security policy and having employees understand a basic foundation of cybersecurity through training also mitigate the potential for attacks. Enabling two-factor authentication and a strong password policy can also mitigate the potential for further damage if an attack happens. While all of these methods and techniques range in their effectiveness depending on the situation, a structured layering of them creates a very strong barrier of security for malicious attacks to break.

However, even with layers of security, some attacks still manage to get through in different ways. An example of this was the 2020 SolarWinds supply chain attack. The hackers managed to get in not by targeting SolarWinds’ network directly but through a third-party supplier’s network, which then allowed them to inject malicious code into their update, and when that update was sent out, it led to thousands of users being compromised, and the potential for further spread. The attack was an example of how all sectors and ties to a business need efficient layers of security to prevent large cyber-attacks.

https://www.fortinet.com/resources/cyberglossary/solarwinds-cyber-attack

CYSE 300 – Internet Protocol Version 6 (IPv6)

Internet Protocol Version 6 (IPv6) was designed to address the limitations of Version 4 (IPv4).  What cybersecurity-related enhancements have been incorporated into IPv6? The adoption of IPv6 has been pretty slow across both the public and private sectors. What reasons can you attribute to this? Cite resources and references that support your assertions.

There have been several cybersecurity enhancements in IPv6, due to being a necessary improvement on IPv4. The first is IPsec, which provides confidentiality, integrity, authentication, and encryption for packets and packet traffic. Another feature is its much larger, 128-bit address space, which can protect against address scanning and exhaustion. Quality of life features like improved Network Address Translation, Stateless Address Autoconfiguration, and Secure Neighbor Discovery also streamline connectivity, improve network security significantly, and protect against spoofing and impersonation. These and many other features are at the forefront of IPv6’s foundation.

However, while IPv6 is a beneficial tool for business and maintaining security, implementation has been difficult in the public and private sectors. A primary concern is implementation and the difficulties that come with it. The first difficulty would be cost, as organizations may not feel the amount of time and resources to implement it would be worthwhile. The next difficulty would be implementing it onto legacy hardware and software, which has the potential to cause system and additional security issues. If the implementation is not handled with care, there will be even further challenges, which is why IPv6 hasn’t been as integrated into the public and private sectors.

https://cybersecurity-magazine.com/ipv6-security-part-2/

https://www.tutorialspoint.com/the-slow-adoption-of-ipv6-and-dnssec

CYSE 300 – Public-Key Infrastructure (PKI)

PKI is used extensively in the U.S. federal government. However, it has not caught on in the business and commercial sectors.  Why is this the case?  In your opinion, what is the future of PKI?  Do alternate methods such as those proposed by the FIDO Alliance (URL: https://fidoalliance.org) offer a viable alternative to PKI?

While Public Key Infrastructure is a critical tool for maintaining encryption, it isn’t seen as a viable option for businesses or the commercial sectors for multiple reasons. The primary reasons are cost and the difficulty of implementation. Despite the utility of encryption and PKI, companies perceive the overall cost, time, and implementation of new resources to not be worth the hassle, hence why PKI as a tool isn’t considered and other alternatives are.

However, there is potential for PKI to be utilized in business and public spaces through two means. Either strong encryption policies are forced into those spheres over time, and PKI is eventually acknowledged as the critical tool that it is, or PKI remains a strong form of encryption but is made more convenient for businesses to understand and utilize.

Due to these reasons, I believe that alternatives like FIDO Alliance are a good start for implementing encryption into businesses and public sectors by being cost-effective and having an emphasis on convenience. Moreover, over time, PKI can then be implemented more and more until it becomes a standard that isn’t seen as a potential financial risk as technology improves and people gain more understanding of cybersecurity.

CYSE 300 – Asset and Vulnerability Likelihood Value

What is the best value that should be assessed when evaluating the worth of an information asset to the organization – replacement cost or lost income while repairing or replacing?  What is the likelihood value of a vulnerability that no longer requires consideration? Cite resources and references that can support your assertions.

The best value that should be assessed when evaluating the worth of an information asset to an organization is replacement cost. While the risk of loss of data and the income of an organization is important, when a breach occurs, there will be an immediate effect that needs to be mitigated. Depending on the breach, it could cost millions of dollars to repair and further halts the possibility of generating income to mediate it. However, both replacement cost and lost revenue should still be accounted for within a framework, even if they will fluctuate depending on the organization and how finances are focused.

The likelihood value of a vulnerability that no longer requires consideration will be low but never zero. Any assets that exist within an organization have the potential to be exploited in some way. This means that while there may be little reason to consider it, the risk of it being exploited will always exist, and that possibility is something to look over. Acceptable risk is a part of any organization but needs to still be accounted for.

https://facilio.com/blog/replacement-asset-value/

https://www.pratum.com/blog/443-risk-assessment-likelihood-impact