A cyber attack can be defined as a malicious, deliberate attempt to target one or multiple computer systems. Individuals behind the offensive action use different ways to steal and destroy data from users’ digital devices.  

As technology advances, the risks of cyber attacks also rise. A report by Cisco suggests that today, attackers can launch a cyber attack without human intervention.

Although there are different types of cyber attacks, some of them are more common than others. 

  1. Denial-of-Service Attack and Distributed Denial-of-Service Attack

A denial-of-service attack, also known as DoS, is a type of cyber attack that attacks a system and overwhelms its resources to prohibit it from responding to service requests. This type of attack is launched from a host system infected by malicious software by an attacker.

Although DoS doesn’t provide direct benefits to attackers, it can be a ferocious weapon for business competitors. Apart from that, some hackers use DoS as the first step in session hijacking.

DoS and Distributed Denial-of-Service Attack (DDoS) have different cyber security attacks, including:

  • TCP SYN flood attack: In this, an attacker uses the buffer space during a session of Transmission Control Protocol (TCP). Here, the attacker uses his device to attack a target device and affect its small in-process queue using connection requests. This leads to the device crash.
  • Teardrop Attack: This type of attack targets Internet Protocol (IP) packets and causes these packets to overlap. The attacked system tries to reconstruct packets but fails and eventually crashes. 
  • Smurf Attack: It involves IP spoofing that saturates a network with unusual traffic. Here, ICMP is used to target an IP address.

2. Man-in-the-middle Attack

Popularly known as MitM attack, it is a type of attack where a hacker attempts to prohibit a line of communication between two connections. Different types of MitM attacks include session hijacking, replay, and IP spoofing.

In session hijacking, the hijacker attacks the line between a client and a network server. Here, the system used in the attack uses the attacked device’s IP address to connect with the server.

IP spoofing is a type of attack where the attacker makes the attacked system feel that it has been communicating with a known system. Here, the hacker sends a packet and the IP address of a known system.

The replay attack occurs when a hacker saves the victim’s messages to send them later.

Although there isn’t fool-proof technology to prevent the MitM attack, encryption and digital certificates are effective tools to protect against the attack.

3. Phishing and Spear Phishing Attacks

It is a type of attack where a hacker sends emails to a victim that seem to be sent from trusted sources. Here, the motive is to convince a hacker to influence the victim to do something.

The phishing and spear phishing attack combines technology and engineering. In addition, there could be a file with an email that can harm a system with malware.

To protect a system against a phishing attack, various methods are used. Not accepting the email, not clicking the provided link, and sandboxing are some of the ways to prevent a phishing attack.

4. Password Attack

As the name suggests, it is one of the cyber security threats where attackers try to obtain the passwords of victims. Using social engineering is one of the common ways to get someone’s password.

Brute-force guessing is a type of password attack where a random approach is followed by trying different passwords and hoping that they might work.

In order to stay protected against the brute-force guessing attack, you can make use of the account lockout policy, which locks an account after a few failed attempts to log in.

5. Cross-site Scripting Attacks

Also known as XSS, the type of attack uses third-party Internet resources to run scripts on a victim’s web browser or an application. In this, the hacker injects the malicious JavaScript into the database of a webpage. When the victim asks for a web page, the page comes with the attacker’s script.

To protect against the threat, you can protect data input by users.

6. Drive-by Attack

These are common computer security threats that attack to spread malware. In this, attackers use a malicious script and add it to the HTTP page of a website. This script adds malware to the system of a user who opens the website. 

An effective way to protect against the threat, you must keep your Internet browser up to date and websites that may contain suspicious code.

7. SQL Injection Attack

It is among the most common cyber attacks these days that attack data-driven sites. In the SQL injection attack, a hacker uses a SQL query to enter a victim’s database. The query is used as a data-plane input. The attack helps a hacker to get access to a victim’s database.

If you want to protect your system against the SQL injection attack, avoid suspicious input and rely on stored procedures.

8. Birthday Attack

The type of attack is one of those common cyber attacks that affect the integrity of software or a message. In this attack, two messages with the same message digest (MD) are identified. After that, the attacker replaces the original message with his message.

9. Eavesdropping Attack

It is one of those network security attacks where the Internet traffic is used to attack a victim’s important information like passwords, credit card numbers, and others.

Eavesdropping attack is of two types: Active eavesdropping and passive eavesdropping; in the former type, an attacker poses as a friendly unit to attack a victim. On the other hand, passive eavesdropping helps steal information by listening to a message on a network.

Detecting the attack is one of the most effective cyber security techniques to protect against the eavesdropping attack.

10. Malware Attack

This type of attack is probably the most common type of cyber attack right now. Here, unwanted software is added to the victim’s software. File infectors, macro viruses, ransomware, worms, Trojans, and boot-record infectors are some of the types of malware attacks.

Conclusion

Some cyber attacks can be prevented using advanced cyber threats and security solutions, while for others, you need to stay cautious. Keep your system protected against potential threats using privacy risk assessment solutions. All the best!

Read More
September 15, 2021 0 Comments

In the United States, 45% of respondents to a user data survey from leading encryption label RSA openly admitted that they had been victims of a data breach. With the increasing frequency of data breaches, consumers are more aware of their data- where it lives or who accesses it. With that said- businesses are looking for new ways to collect, analyze and leverage user data with business intent.

Under 15 U.S. Code 41 et seq, the Federal Trade Commission Act broadly authorizes the U.S. (FTC) Federal Trade Commission to enforce actions to protect users against unfair or deceptive applications. Failure to comply with Data Protection Law may lead to fines, lawsuits or legal liabilities. Following Washington and Nevada, even Virginia passed its Consumer Data Protection Act on March 2, 2021.

Data Protection Law

In 2020 alone, data breaches resulting from inadequate data protection measures exposed the sensitive data of over 150 million U.S. residents. In addition, Amazon’s Alexa listening to conversations and Google accessing healthcare information of millions without knowledge has alarmed the public.

In the absence of a comprehensive blanket solution like GDPR, states are now taking these issues into account. In addition, the framework of federal data privacy law is shaping the nation’s future privacy landscape. While there are no comprehensive regulations that govern data privacy in the United States, there’s a complex patchwork of data security and privacy that address financial, healthcare and telecommunication information. 

How does the FTC adjust to the shifting regulatory landscape? 

The Federal Trade Commission (FTC) is an independent agency of the US government whose primary mission is to enforce civil US antitrust law and promote consumer protection.   While the FTC has no explicit policies to regulate website privacy laws , it uses data privacy compliance and enforcement action to protect consumers. The FTC takes action against organizations breaching the Data privacy policies if: 

  • A user/ organization fails to execute a reasonable data security course of actions
  • A user/organization falls short of adhering  to the self-regulatory principles of an organization’s industry. 
  • A user/organization transfers personal data or security representations to consumers in privacy policies. 
  • A user/organization falls short of providing sufficient security for personal data or company data privacy policy. 
  • A user/organization gives away personal information in a manner not disclosed on the privacy policies.  
  • A user/organization breaches consumer data protection and privacy rights by monitoring, storing or sharing information. 
  • A user/organization engages in malpractices.

Many companies earlier relied on sharing raw consumer information or allowing others to quarry the unprocessed data files. However, the new regulations make it hard to approve, consent or provide disclosure when needed. 

Here is a list of Federal laws that administer the collection of information online: 

  • The Children’s Online Privacy Protection Act (COPPA) administers the collection of information about Minors.
  • The Fair Credit Reporting Act (FCRA) regulates the collection and use of credit information. 
  • The Health Insurance Portability and Accountability Act (HIPAA) examines health information. 
  • The Gramm Leach Bliley Act (GLBA) examines personal data collected by banks and financial institutions. 

Here’s a list of the important privacy legislation in the U.S.: 

Laws that are similar to CCPA include-

  • New York Privacy Act (S5642) 
  • Massachusetts Consumer Privacy Bills (S.120) 

Other privacy laws include: 

  • Vermont Act 171 Data Broker regulation 
  • Virginia’s Consumer Data Protection Act 

The United States has numerous sectoral online privacy laws in different states. In addition, U.S. state attorneys general oversee data privacy laws monitoring the storage of personal data of their residents and Social Security numbers. Some apply to governmental entities, and others apply only to private entities and some to both. 

Over the next decade, Europe’s May 2018 launch of GDPR would create a global ripple effect, creating coherent data privacy regulations. 

The California Consumer Privacy Act (CCPA) & The California Privacy Rights Act (CPRA)

CCPA is the most prominent piece of the U.S. legislative act affecting digital privacy rights. Motivated by GDPR, the act allows residents of California unprecedented transparency and accessibility to data accumulated by businesses. In addition, the law focuses on information that is released or sold to third parties, which distinguishes it from GDPR.

In 2020, this was revived by a new stricter legislative act- The California Privacy Rights Act (CPRA). This act will revise many concepts from CCPA and introduce harsher penalties for data compliance regulations. In the case of a suit filed by consumers from $100-$750 per resident in case of data privacy protection breaches or user information theft if not properly protected. In the case of a suit by the State Attorney General- $2500 per violation and $7,500 per intentional violation of privacy. 

Massachusetts Consumer Privacy Bill (S.120)

This state is stranger to data security and privacy breaches, with almost 2,000,000 residents reporting security infringements. The Massachusetts bill is akin to California’s predecessor; they share the same scope, business demands and other power in the hands of the people. Furthermore, this law prevents an array of online accidents and better protects user privacy. 

Under the Massachusetts Consumer Privacy Bill (S.120), users can take legal action against a company if they violate the safety of their personal information. 

New York Privacy Act (S5642)

The New York Privacy Act shares various similarities with the CCPA, but features make it significantly stricter. For example, this law allows private action against companies that breach the online privacy law. Furthermore, forbidding the sharing of personal information to third parties without a documented consent. 

According to the New York Privacy Act, the victim can seek civil penalties up to $15,000 per Data Protection Law infringement. In addition, any user whose rights have been violated can recover damages or seek compensation of $1000.00. 

Virginia’s Consumer Data Protection Act (CDPA)

Virginia’s Consumer Data Protection Act offers Virginia residents more control over how companies use or sell their information. The CDPA is also referred to as “opt-out law”, which means the under-act consumers take action to object to their data collection. The law allows companies to control the data of at least 100,000 consumers during the calendar year. In addition, it processes the personal data of at least 25,000 consumers from the sale of personal data. 

However, large corporations won’t be subject to this data privacy law if they don’t fall within these categories.

Vermont Act 171 Data broker Regulation

The Vermont Act 171 Data broker regulation rules that gather and consumer data to third parties. The regulation considers data as brokered personal information (BPI) if it’s digitally created and organized to be distributed business. 

This privacy protection act holds businesses that plan to sell Vermont-sourced information to the standard of security. 

There is no question that these data privacy regulations are drastically transitioning the way data-driven businesses operate. However, the barriers are not so tall that you can leap over them. So instead, we recommend that you understand how to tap into tools that support your business goals and consumer demand. 

Read More
September 14, 2021 0 Comments

What is GDPR Compliance? 

Not everyone is aware of GDPR, especially when your organization resides outside the EU. However, GDPR is an essential term as it has ramifications for your agency’s security.  

The EU understood a need to change its previous data protection directive and then came up with the GDPR stands for General Data Protection Regulation. GDPR considers the major data privacy regulation in 20 years. 

With its new regulations, it hopes to give consumers control over their personal information. Consumers are in charge of their data. So they have control over who gathers and uses their data. They may easily block access to the person in charge if they don’t like how their data is utilized.

Breach of personal information is an offence and must be dealt with in the same way. Sorry is no longer a way out. Now people face harsh punishments and penalties for data privacy violations.

Transparency might feel overwhelming, but it is the right road for a better user/customer experience. 

How Will GDPR Ensure a Better Customer Experience?

Even though there have been mixed reviews about GDPR, it is still a boon for every organization. Research shows that US organizations are least trusted when it comes to ensuring their customers’ data privacy. GDPR compliance is an asset to eliminate such a contradictory outlook. 

The Following Points Will Explain the Positive Points of GDPR (Including Non-Compliance Pitfalls and Overall GDPR Requirements).

  1. The GDPR applies to every country’s organization, even those not covered under the EU. 

The GDPR replaced the data protection initiative 1995 in 2016 but was enforced by the EU parliament by May 25, 2016. Therefore, the GDPR applies to organizations in other countries, even if not from the EU. 

Any organization that provides products or services to EU data subjects are liable to GDPR. 

   2. The GDPR compliance governs all the personal information of a customer.

All your data that is collected through any conceivable online platform is governed through GDP. It covers everything from your biometric data to your email address.

The following are the list of personal data that comes under GDP:

  • Identity information is collected by every website, such as address, email address, name etc.
  • Data like IP address, RFID tags, and cookie data.
  • Health data
  • ethnic data
  • Governmental thinking
  • Sexual inclination

GDPR also governs all your social media posts, pictures, tweets

  3. The GDPR provides a total of 8 basic rights to every user 

Every customer has some basic rights towards their data, and every organization is obligated to respect those rights. 

  • The right to access:

Every consumer must have access to their personal information. In addition, they have the right to know how the organization is using their data. Therefore, always provide them with a copy of their data.

  • The right to be informed:

Customer’s consent is a must before gathering and processing their data.

  • The right to data portability:

A commonly used and machine-readable format is used while the users transfer their data from one service provider to another.

  • The right to be forgotten:

All the customers have the right to withdraw their personal information whenever they want.

  • The right to object:

Consumers can object to the processing of their data. And as soon as they raise that red flag, all the procedures must stop.

  • The right to restrict processing:

It is wholly up to the customers if they want to carry forward the processing of their data. And if they want it to stop, it must stop.

  • The right to be notified:

After a breach of any user’s data, they are notified about the same within 72 hours of you being aware of the breach. 

  • The right to rectification:

Customers can update, complete and correct their data anytime they want.

4. A representative in the EU is a must if your organization is outside European Union to process EU residents personal data

The GDPR law suggests that to avoid non-compliance, every organization that does not fall under the European Union must designate a representative in the EU. Therefore, GDPR compliance is essential for easily processing customers’ data and bringing more traffic to your website from the European Union. In this way, your organization will be a part of the EU’s data protection companies.

5. There are major consequences of disregarding the GDPR law.

The GDPR requirement includes transparency for ensuring better customer service, and the data compliance regulation will ensure the same. However, some US organizations find it difficult to match the GDPR requirements. But GDPR law will spare no organization. They will be charged with serious compensation in case of non-compliance with the GDPR. Penalties can be as extreme as 4 percent of comprehensive turnover or 24.4 million dollars, whatever is greater.

6. The organizations are required to switch from “OPT-OUT” to “OPT-IN” mode to collect personal data.

GDPR regulation specifies the importance of asking users’ permission before collecting their personal data instead of assuming users’ consent. And it applies to every small detail of the customer. All the organizations are required to protect all the eight rights of the users. Transparency means asking for consent to collect the user’s data and scratch it as per their request.

7.GDPR compliance requires every organization to define and give access to their data protection policies clearly

The GDPR compliance requirements ensure that no organization tries to be smart by covering their data protection policies with legal terms that are untraceable. All the agencies are obligated to provide access and every detail about their data processing of personal data. You are accountable for your vendor’s privacy policies too. So it would be best if you were informed accordingly.

8.A minimum time limit is set to notify a customer about the breach of their personal data according to GDPR.

One of the most important GDPR key facts is that you must notify the user about the breach of their personal data within 72 hours of being informed about the same. It is one of the major steps taken by GDPR compliance companies. The more organizations are ignorant about GDPR compliance, the higher they will face the consequences. 

9.According to GDPR compliance, you are always answerable to the user about their personal data.

It is the right of every consumer to raise a few questions about their personal data. Organizations are committed to providing the user’s information, such as where the data is collected? How is it used? etc., as per their request. The users have the right to rectify their information whenever they want. Organizations are obligated to completely erase their data if the user has invoked their “right to forget”. This process of erasing the user’s data by the company as per their request is called erasure. 

Several data protection act facts will force every company to be at the top.

  • It formulates an improved data management.
  • It provides an increased marketing ROI.
  • It enhances cybersecurity.
  • It builds a better trust relationship between the company and the user.

    10. A Data Protection Officer is required to govern GDPR compliance  

A Data Protection Officer is responsible for regulating all the GDPR requirements. The major task is to oversee a company’s data protection strategy and monitor data storage and data transfer operations. In addition, it is responsible for educating and training employees on regulatory compliance, implementing policies to ensure GDPR compliance, responding to data subject access requests, and serving as the organization’s point of contact with GDPR Supervisory Authorities.

When is a company obligated to hire a Data Protection Officer?

  • Your company has the responsibility to regulate public property and infrastructure.
  • Your company is conducting a large-scale, systematic user data monitoring project.
  • Your company handles a lot of personal user information.

   11. Your Cloud-Based Storage must obey the General Data Protection Regulation

Many organizations have a misconception that their cloud-based storage is not covered under GDPR compliance.  But it is not true. Like other data storage providers like Microsoft Azure, Google Cloud, or Amazon Web Services, Cloud-Based Storage are compelled to abide by GDPR requirements. A Data Protection Officer is beneficial for this task.

  12. Human Rights is the topmost priority of GDPR compliance

The GDPR requirements are designed to safeguard the personal data of the consumers. They prioritize human rights over user experience. GDPR is a big, broad piece of legislation aimed at protecting consumer’s privacy and giving them control over their data. It is accountable for posing various obstacles to all organizations, particularly those whose systems rely entirely on data processing.

Final Words:

GDPR law states that every consumer has the right to know who collects their personal data. When is it collected? How their data is processed. Transparency is the key to a better user experience. GDPR compliance is required of any organization that deals with residents of the European Union, whether it is a member of the EU or not. The users have the right to rectify and erase their information whenever they want. For GDPR, human rights are always the first priority over user experience. 

Read More
September 14, 2021 0 Comments
Hands waving flags of India

India Data Privacy law.

Read More
December 14, 2020 0 Comments