Literature Review by 886960

Mitigating personal information exposure on the web.

Tackling the issue of personal information exposure on the web can be broken down into two categories: companies taking responsibility for ensuring data protection of their customers; and what individual users can do to reduce their own exposure on the web.

Brute force and dictionary attacks rose by 400% in 2017 (eSentire, 2017), which shows that user passwords are still deemed high-value targets by attackers. Sergey Ignatchenko (2015, p.12-16) focuses on mitigating these types of attack. He suggests that enforcing longer passwords reduces exposure to brute force attacks: his figures show that a password of 8 characters takes a single GPU (graphics processing unit) roughly 2.5 days ($40) to exhaust, whereas a 12-character password takes roughly 100,000 years (£580M) on the same hardware. Ignatchenko also points out that organisations can use intentionally slow hashing algorithms (PBKDF2, bcrypt and scrypt), which cost an attacker considerably more time per guess when trying to break a stolen hash. Older, fast general-purpose hash functions such as MD5 or an unsalted SHA-1 no longer provide the same level of protection, because a GPU can compute billions of such hashes per second.

Downloading digital content to a device carries an inherent risk of malware infection of various kinds (ransomware, keyloggers, worms). Smith (2016, p.139-140, p.223-234) explains how one-way hash functions can be used to verify the integrity of content downloaded from the internet. Smith describes how attackers can substitute subverted versions of downloadable files for the legitimate ones. Careful users can therefore compute the hash of the file they received and compare it with the hash the publisher provides, to verify that the file is intact and unmodified.
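The verification procedure Smith describes, as an added example that is not code from the book: it hashes a downloaded file in chunks with SHA-256, parses a `sha256sum`-style checksum line of the kind publishers post, compares the two in constant time, and shows that a single flipped bit in the file fails the check. The file contents and the checksum line are constructed for the example.

```python
import hashlib
import hmac
import os
import tempfile

# Added example, not code from Smith's book: verify a downloaded file against
# the SHA-256 value a publisher lists in a checksum file. The sample payload
# and checksum line are constructed for illustration.

CHUNK = 1 << 20   # read 1 MiB at a time so large downloads need not fit in memory


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def parse_checksum_line(line):
    """Parse one line of a sha256sum-style file: '<hex>  <filename>' (two spaces,
    or ' *' for binary mode). Returns (lowercase_hex_digest, filename)."""
    digest, _, name = line.strip().partition(" ")
    name = name.lstrip(" *")
    if len(digest) != 64 or not all(c in "0123456789abcdefABCDEF" for c in digest) or not name:
        raise ValueError(f"malformed checksum line: {line!r}")
    return digest.lower(), name


def verify_download(path, expected_hex):
    """True only if the file's SHA-256 equals the published value.
    compare_digest avoids leaking the position of a mismatch through timing."""
    actual = sha256_file(path)
    return hmac.compare_digest(actual, expected_hex.lower())


def demo():
    """Write a constructed 'download', verify it, then flip one bit and verify
    again. Returns (clean_ok, tampered_ok)."""
    payload = b"installer v1.0 -- constructed sample content\n" * 1000
    checksum_line = sha256_bytes(payload) + "  installer-1.0.bin"   # what the publisher would post
    expected, name = parse_checksum_line(checksum_line)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, name)
        with open(path, "wb") as f:
            f.write(payload)
        clean_ok = verify_download(path, expected)

        tampered = bytearray(payload)
        tampered[10] ^= 0x01          # a subverted file differs in at least one bit
        with open(path, "wb") as f:
            f.write(tampered)
        tampered_ok = verify_download(path, expected)
    return clean_ok, tampered_ok


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The check is only as trustworthy as the channel that delivered the expected hash: a checksum posted next to the file on the same compromised server proves nothing, which is why publishers additionally sign releases (for example with GPG) so the hash itself can be authenticated.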

Smith (2016, p.139-140, p.223-234) also points out that individual users can inhibit certain types of malware simply by being logged into a computer as a standard user rather than as an administrator. If a user visits a malicious page or mistakenly downloads malware while using an administrator account, the malware inherits those administrator privileges and can entrench itself in the host device. Routinely working from a standard user account, and elevating only when an administrative task requires it, limits how deeply malware such as keystroke loggers or worms can embed itself.

Mather, Kumaraswamy and Latif (2009, p.72-75, p.130) argue that encrypting data at rest is the primary means of preventing information exposure. They also point out that businesses should follow guidance such as ISO/IEC 27002 to implement suitable security controls, even though it is a code of practice rather than a standard against which an organisation can be certified. The authors identify further recommended practices for securing client information on cloud-based services (ISO/IEC 27001, ITIL). Malware remains a major threat to cloud services. Kim and Solomon (2018, p.39, p.75, p.103-107) describe a straightforward mitigation for breaches of personal information systems: segregate private data from other data and encrypt sensitive data at rest.
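The "segregate and encrypt at rest" recommendation, as an added example that is not code from either cited book: only the fields classified as sensitive are encrypted (so the rest of the record stays searchable), each field gets its own AES-GCM nonce, and the record id is bound in as associated data so a ciphertext copied from one customer's row into another's fails to decrypt. It uses the `cryptography` package; the customer records, the choice of which fields are sensitive, and the assumption that the key is held outside the data store (for instance in a KMS) are all illustrative.

```python
import base64
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Added example, not code from Kim and Solomon or Mather et al.: field-level
# encryption at rest with AES-256-GCM. The data key is assumed to live outside
# the database (e.g. a KMS/HSM); the records below are constructed samples.

SENSITIVE_FIELDS = ("national_id", "card_number")   # assumption: the fields classed as sensitive
NONCE_LEN = 12                                        # 96-bit nonce, the GCM recommendation

SAMPLE_CUSTOMERS = [   # constructed sample data, not real customers
    {"id": 1001, "name": "A. Customer", "national_id": "AB123456C", "card_number": "4111111111111111"},
    {"id": 1002, "name": "B. Customer", "national_id": "CD654321E", "card_number": "5555555555554444"},
]


def new_data_key():
    """256-bit AES key; in production this would come from the key service, not the DB."""
    return AESGCM.generate_key(bit_length=256)


def encrypt_record(key, record, sensitive_fields=SENSITIVE_FIELDS):
    """Return a copy of `record` with each sensitive field replaced by
    base64(nonce || ciphertext || tag). The record id is the associated data,
    so the ciphertext is tied to this row and cannot be transplanted."""
    aead = AESGCM(key)
    aad = str(record["id"]).encode("utf-8")
    out = dict(record)
    for field in sensitive_fields:
        if out.get(field) is not None:
            nonce = os.urandom(NONCE_LEN)            # fresh nonce per field per write
            ct = aead.encrypt(nonce, str(out[field]).encode("utf-8"), aad)
            out[field] = base64.b64encode(nonce + ct).decode("ascii")
    return out


def decrypt_record(key, record, sensitive_fields=SENSITIVE_FIELDS):
    """Inverse of encrypt_record. A wrong key, a modified ciphertext or a
    ciphertext moved to another record id all fail authentication."""
    aead = AESGCM(key)
    aad = str(record["id"]).encode("utf-8")
    out = dict(record)
    for field in sensitive_fields:
        if out.get(field) is not None:
            blob = base64.b64decode(out[field])
            nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
            try:
                out[field] = aead.decrypt(nonce, ct, aad).decode("utf-8")
            except InvalidTag:
                raise ValueError(f"authentication failed for {field!r} of record {record['id']}")
    return out


if __name__ == "__main__":
    key = new_data_key()
    stored = [encrypt_record(key, r) for r in SAMPLE_CUSTOMERS]
    print(stored[0])                              # name in clear, sensitive fields opaque
    print(decrypt_record(key, stored[0]))         # original record
    moved = dict(stored[1])
    moved["card_number"] = stored[0]["card_number"]
    try:
        decrypt_record(key, moved)
    except ValueError as e:
        print("rejected:", e)                     # ciphertext bound to id 1001, not 1002
```

Keeping the key separate from the data store is what makes a stolen database backup useless on its own; the associated-data binding is the cheap extra check that stops an attacker with write access from reassigning one customer's encrypted values to another.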

Malcolm W. Harkins (former Intel Vice President and Chief Security and Privacy Officer) explains how Intel gave additional data security and privacy training to employees in specific roles, with the aim of changing how staff approach the handling of sensitive information (Harkins, 2016, p.69-74). Harkins also details how large multinational corporations (MNCs) are raising awareness of phishing, identity theft and exploitation attacks. The notion that additional training minimises personal information exposure is also supported by Mather, Kumaraswamy and Latif (2009, p.72-75, p.130). Harkins further includes data collected by the CEB (Corporate Executive Board) in 2011 from over 300,000 employee responses, which found that most corporations do not provide enough information security training. This research emphasises that organisations need to apply an understanding of psychology to tailor their awareness efforts. Kim and Solomon (2018, p.39, p.75, p.103-107) likewise find that malware infection can be prevented by appropriate education of staff and end users.

To increase cybersecurity awareness amongst company employees (and end users), the NCSA (National Cyber Security Alliance) published a set of steps for spotting and avoiding phishing scams (NCSA, 2018). The guide contains information tailored to different corporate positions. This ties in with the work of the former Intel executive Harkins (2016, p.69-74).

A study by Cheng, Lam and Yeung (2006, p.20-21) into customer adoption of internet banking in Hong Kong found that the perceived level of security available to protect personal information is a determining factor in whether customers adopt internet banking. In particular, the study recommends that banks introduce higher security and authentication standards into online banking to reassure users that their data is safe from attacks such as brute force.

A paper published through the IEEE (Tassabehji, Kamala, 2009) investigated how biometric user authentication can be introduced into online banking. Data from their survey of 375 undergraduates and postgraduates (101 usable responses) supported the authors' view that biometric user authentication is a desirable method of preventing unauthorised access to sensitive personal information. The argument is that biometrics are inherently unique to the individual: a password or username can be misplaced, whereas a biometric signature cannot. A practical caveat is that a biometric is not secret and cannot be changed if it is compromised, so it is best deployed as one factor alongside another rather than as a sole credential. Findings from Financial Fraud Action UK (FFA UK, 2017, p.24-37) show a decrease in online banking fraud from the previous year, one reason being the investment banks have made in user authentication and security. Advances in technology have also made biometric scanners cheaper and more widely available, so device manufacturers are contributing to the wider adoption of stronger authentication.

Personal information exposure can be prevented or minimised through stronger authentication techniques that use the latest available technology, such as biometrics (Tassabehji, Kamala, 2009). Storing passwords with a slow, salted one-way hash also provides strong protection against the brute force and dictionary attacks that remain popular (Ignatchenko, 2015; eSentire, 2017). Corporations such as Intel are also taking big steps to educate their workforce to prevent internal information exposure (Harkins, 2016, p.69-74).