LEGAL AND SECURITY ISSUES IN ICT

TABLE OF CONTENTS

UNIT 1
SECURITY FUNDAMENTALS
  Information Security Principles
  Security Concepts
UNIT 2
ACCESS CONTROL FUNDAMENTALS
  Subject and Object Definition
  Accountability Process
  Multifactor Authentication
  Authentication Mechanisms
UNIT 3
TYPES OF INFORMATION SECURITY CONTROLS
  Logical Controls
  Physical Controls
  Administrative Controls
UNIT 4
LEGAL ISSUES
  Cyberspace Privacy Laws and Issues
  Child Protection Laws
  Data Protection Laws (Data Protection Act 843)
  Electronic Communications Laws (Electronic Communications Act 775)
  Law of Contract (Act 25, 1960)
  Anti-Spam Laws
  Analyse Privacy Policies

COMPILED BY WWTL STUDENTS (PKCE, ACCE, AMCE) 2023


UNIT 1
SECURITY FUNDAMENTALS

Information security, or InfoSec, is the set of measures an organisation takes to protect its
information from cyberattacks and security violations. It is achieved through policies and
controls that prevent unauthorised access to business information, and it keeps evolving
because it must protect the organisation against malware, ransomware, phishing and other
attacks as they change.
An information security program aims to prevent unauthorized users from accessing,
modifying, manipulating, or destroying enterprise information, thus maintaining the “CIA
triad”: Confidentiality, Integrity, and Availability.
Infosec aims to protect all kinds of enterprise data, including:
• Intellectual property
• Business secrets
• Customer data
o Personal data
o Healthcare information
o Credit cards
• Financial data
• Other types of private information
Information security is often confused with cybersecurity, although the two concepts differ.
Cybersecurity includes network security, application security, cloud security, and so forth. It
protects enterprise assets from threats originating from or via the Internet.
Information security management is broader and includes physical security in addition to
digital security. A cybersecurity program is a subset of your information security strategy.
THREATS TO INFORMATION SECURITY
1. Malware attack
Attackers use many methods to get malware onto a user’s device, most often social engineering.
Users may be asked to take an action, such as clicking a link or opening an attachment. In other
cases, malware uses vulnerabilities in browsers or operating systems to install themselves
without the user’s knowledge or consent.
Once malware is installed, it can monitor user activities, send confidential data to the attacker,
assist the attacker in penetrating other targets within the network, and even cause the user’s
device to participate in a botnet leveraged by the attacker for malicious intent.
Malware attacks include:

• Trojan — malware disguised as a harmless file or program. Once run, a Trojan can
attack the system and establish a backdoor that attackers use for later access.
• Ransomware — prevents access to the victim's data and threatens to delete or
publish it unless a ransom is paid.
• Wiper malware — intends to destroy data or systems by overwriting targeted files or
destroying an entire file system. Wipers are usually intended to send a political message
or to hide attacker activity after data exfiltration.
• Worms — self-replicating malware that spreads from system to system over the network
by exploiting vulnerabilities or existing backdoors, without any user action. Once
installed, a worm can carry out further attacks, including Distributed Denial of Service
(DDoS).
• Spyware — this malware enables malicious actors to gain unauthorized access to data,
including sensitive information like payment details and credentials. Spyware can
affect mobile phones, desktop applications, and desktop browsers.
• Fileless malware — this type of malware does not install an executable on the
operating system. It runs in memory and abuses legitimate built-in tools such as
PowerShell and WMI to carry out its malicious functions, so its activity looks like
ordinary administrative use and is difficult to detect.
• Application or website manipulation — OWASP's Top 10 lists the most common
application security risks, ranging from broken access control and security
misconfiguration through injection attacks and cryptographic failures. Once an attacker
has exploited one of these to gain a foothold, for example by acquiring a service
account, further malware, credential theft, or APT activity follows.
2. Social engineering attacks
Social engineering attacks work by psychologically manipulating users into performing actions
desirable to an attacker or divulging sensitive information.
Social engineering attacks include:
• Phishing — attackers send fraudulent correspondence that seems to come from
legitimate sources, usually via email. The email may urge the user to perform an
important action or click on a link to a malicious website, leading them to hand over
sensitive information to the attacker, or expose themselves to malicious downloads.
Phishing emails may include an email attachment infected with malware.
• Spear phishing — a variant of phishing in which attackers specifically target
individuals with security privileges or influence, such as system administrators or
senior executives.
• Malvertising — online advertising controlled by hackers, which contains malicious
code that infects a user’s computer when they click, or even just view the ad.
Malvertising has been found on many leading online publications.

• Drive-by downloads — attackers compromise websites and insert malicious scripts into
a page's HTML or server-side code. When users visit the page, malware is installed directly
on their computer, or the attacker's script redirects them to a malicious site that performs
the download. Drive-by downloads rely on vulnerabilities in browsers, browser plug-ins or
operating systems.
• Rogue security software (scareware) — pretends to scan for malware and then regularly shows
the user fake warnings and detections. Attackers may ask the user to pay to remove the
fake threats from their computer or to register the software. Users who comply transfer
their financial details to an attacker.
• Baiting — occurs when a threat actor tricks a target into using a malicious device,
placing a malware-infected physical device, like a USB, where the target can find it.
Once the target inserts the device into their computer, they unintentionally install the
malware.
• Vishing — voice phishing (vishing) attacks use social engineering techniques to get
targets to divulge financial or personal information over the phone.
• Whaling — this phishing attack targets high-profile employees (whales), such as the
chief executive officer (CEO) or chief financial officer (CFO). The threat actor attempts
to trick the target into disclosing confidential information.
• Pretexting — occurs when a threat actor lies to the target to gain access to privileged
data. A pretexting scam may involve a threat actor pretending to confirm the target’s
identity by asking for financial or personal data.
• Scareware — a threat actor tricks the victim into thinking they inadvertently
downloaded illegal content or that their computer is infected with malware. Next, the
threat actor offers the victim a solution to fix the fake problem, tricking the victim into
downloading and installing malware.
• Diversion theft — threat actors use social engineering to trick a courier or delivery
company into going to the wrong drop-off or pickup location, intercepting the transaction.
• Honey trap — a social engineer assumes a fake identity as an attractive person to
interact with a target online. The social engineer fakes an online relationship and
gathers sensitive information through this relationship.
• Tailgating or piggybacking — occurs when a threat actor enters a secured building by
following authorized personnel. Typically, the staff with legitimate access assumes the
person behind is allowed entrance, holding the door open for them.
• Pharming — an online fraud scheme in which a cybercriminal installs malicious code or
alters name resolution (DNS records on a server, or the hosts file on a victim's computer) so
that users are silently sent to a fake website even when they type the correct address, where
they are tricked into providing personal data.
3. Software supply chain attacks

A software supply chain attack is a cyber-attack against an organization that targets weak links
in its trusted software update and supply chain. A supply chain is the network of all individuals,
organizations, resources, activities, and technologies involved in the creation and sale of a
product. A software supply chain attack exploits the trust that organizations have in their third-
party vendors, particularly in updates and patching.
This is especially true for network monitoring tools, industrial control systems, “smart”
machines, and other network-enabled systems with service accounts. An attack can be made in
many places against the vendor's continuous integration and continuous delivery (CI/CD)
software lifecycle, or even against third-party libraries and components, as seen with widely
used Apache and Spring components.
Types of software supply chain attacks:
• Compromise of software build tools or dev/test infrastructure.
• Compromise of devices or accounts owned by privileged third-party vendors.
• Malicious apps signed with stolen code signing certificates or developer IDs.
• Malicious code deployed on hardware or firmware components.
• Malware pre-installed on devices such as cameras, USBs, and mobile phones
4. Advanced persistent threats (APT)
When an individual or group gains unauthorized access to a network and remains undiscovered
for an extended period, attackers may exfiltrate sensitive data, deliberately avoiding detection
by the organization’s security staff. APTs require sophisticated attackers and involve major
efforts, so they are typically launched against nation states, large corporations, or other highly
valuable targets.
Common indicators of an APT presence include:
• New account creation — the P in Persistent reflects how attackers stay in: they often
create a new identity or credential on the network with elevated privileges.
• Abnormal activity — legitimate user accounts typically behave in patterns. Abnormal
activity on these accounts can indicate an APT in progress, for example a stale account
that was created and then left unused suddenly becoming active.
• Backdoor/trojan horse malware — extensive use of this method enables APTs to
maintain long-term access.
• Odd database activity — for example, a sudden increase in database operations with
massive amounts of data.
• Unusual data files — the presence of these files can indicate data has been bundled into
files to assist in an exfiltration process.
5. Distributed denial of service (DDoS)

The objective of a denial of service (DoS) attack is to overwhelm the resources of a target
system and cause it to stop functioning, denying access to its users. Distributed denial of service
(DDoS) is a variant of DoS in which attackers compromise a large number of computers or
other devices and use them in a coordinated attack against the target system.
DDoS attacks are often used in combination with other cyberthreats. Attackers may launch
a denial of service to capture the attention of security staff and create confusion while they
carry out more subtle attacks aimed at stealing data or causing other damage.
Methods of DDoS attacks include:
• Botnets — systems infected with malware and under the attacker's control. Attackers use
these bots to carry out DDoS attacks. Large botnets can include millions of devices and can
launch attacks at devastating scale.
• Smurf attack — sends Internet Control Message Protocol (ICMP) echo requests to a
network's broadcast address with the source address ‘spoofed’ to the victim's IP address.
Every host on that network replies to the victim, so each request is amplified many times.
Attackers automate this process and perform it at scale to overwhelm a target system.
• TCP SYN flood attack — floods the target system with TCP connection requests (SYN
packets), often from spoofed addresses. The target answers each with a SYN-ACK and waits
for the final ACK, which never arrives, so half-open connections accumulate until the
connection backlog is full and legitimate users cannot connect.
6. Man-in-the-middle attack (MitM)
When users or devices access a remote system over the internet, they assume they are
communicating directly with the server of the target system. In a MitM attack, attackers break
this assumption, placing themselves in between the user and the target server.
Once the attacker has intercepted communications, they may be able to compromise a user’s
credentials, steal sensitive data, and return different responses to the user.
MitM attacks include:
• Session hijacking — an attacker takes over an established session between a client and a
server, for example by stealing the client's session token or by spoofing the client's IP
address and injecting into the connection. The server believes it is still corresponding with
the client and continues the session.
• Replay attack — a cybercriminal eavesdrops on network communication and resends
captured messages later, pretending to be the user. Replay attacks are mitigated by binding
each message to a timestamp, nonce or sequence number that the receiver checks, protected
by a message authentication code so the attacker cannot adjust those fields.
• IP spoofing — an attacker convinces a system that it is corresponding with a trusted,
known entity. The system thus provides the attacker with access. The attacker forges
its packet with the IP source address of a trusted host, rather than its own IP address.
• Eavesdropping attack — attackers leverage insecure network communication to access
information transmitted between the client and server. These attacks are difficult to
detect because network transmissions appear to act normally.

• Bluetooth attacks — because Bluetooth devices are often left discoverable and accept
incoming connections, there are many attacks, particularly against phones, that push
contact cards, files or malware through open Bluetooth connections. Usually this
compromise of an endpoint is a means to an end, from harvesting credentials to personal information.
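The replay attack and its mitigation described above, as an added example that is not part of the original notes: each message carries a timestamp and a fresh nonce, an HMAC covers all three fields so the attacker cannot edit them, and the receiver rejects anything outside its freshness window or whose nonce it has already seen. The shared key, the window size and the captured message are constructed for the demonstration.

```python
"""Added example (not from the original notes): a message format carrying a
timestamp, a nonce and an HMAC, plus a receiver that rejects replays.  The
shared key, window size and the captured message are constructed for the
demonstration."""
import hashlib
import hmac
import os
import time

SHARED_KEY = b"constructed-shared-secret"  # assumption: both ends already hold this key
WINDOW_SECONDS = 30                        # clock skew / delivery delay tolerated


def _tag(key: bytes, ts: int, nonce: str, body: str) -> str:
    """HMAC over timestamp, nonce and body, so none of them can be edited."""
    return hmac.new(key, f"{ts}|{nonce}|{body}".encode(), hashlib.sha256).hexdigest()


def make_message(body: str, key: bytes = SHARED_KEY, now=None) -> dict:
    """Sender side: stamp the body with the current time and a fresh nonce."""
    ts = int(time.time() if now is None else now)
    nonce = os.urandom(8).hex()
    return {"ts": ts, "nonce": nonce, "body": body, "tag": _tag(key, ts, nonce, body)}


class Receiver:
    """Receiver side: verify the tag, then enforce freshness and uniqueness."""

    def __init__(self, key: bytes = SHARED_KEY, window: int = WINDOW_SECONDS):
        self.key = key
        self.window = window
        self.seen = {}  # nonce -> ts; only nonces inside the window need remembering

    def accept(self, msg: dict, now=None) -> tuple[bool, str]:
        now = int(time.time() if now is None else now)
        expected = _tag(self.key, msg["ts"], msg["nonce"], msg["body"])
        if not hmac.compare_digest(expected, msg["tag"]):
            return False, "bad tag"      # body, timestamp or nonce altered, or wrong key
        if abs(now - msg["ts"]) > self.window:
            return False, "stale"        # captured long ago; the timestamp alone stops this
        # Forget nonces that have aged out of the window; they can no longer pass above.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if msg["nonce"] in self.seen:
            return False, "replay"       # same message resent inside the window
        self.seen[msg["nonce"]] = msg["ts"]
        return True, "ok"


if __name__ == "__main__":
    r = Receiver()
    captured = make_message("transfer 100 to account 42", now=1_000)
    print(r.accept(captured, now=1_001))   # (True, 'ok')
    print(r.accept(captured, now=1_002))   # (False, 'replay')
    forged = dict(captured, body="transfer 9000 to account 42")
    print(r.accept(forged, now=1_002))     # (False, 'bad tag')
    print(r.accept(make_message("ping", now=1_000), now=1_000 + 3_600))  # (False, 'stale')
```

The timestamp on its own only bounds how long a captured message stays usable; the nonce closes the remaining window, and because nonces outside the window can no longer pass the freshness check the receiver only has to remember a bounded number of them.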
7. Password attacks
A hacker can obtain an individual's password by ‘sniffing’ the network connection, using social
engineering, guessing, or gaining access to a password database. An attacker can ‘guess’ a
password randomly or systematically.
Password attacks include:
• Brute-force password guessing — an attacker uses software to try many different
passwords in the hope of hitting the correct one. The software can use some logic, trying
passwords related to the individual's name, job, family, and so on.
• Dictionary attack — a list of common passwords is tried against the victim's accounts.
One offline method is to copy the file of stored password hashes, hash every word in the
dictionary with the same algorithm, and compare the results; any match reveals the
password. Salting each stored hash and using a deliberately slow hash function make this
far more expensive.
• Pass-the-hash attack — an attacker abuses an authentication protocol (NTLM on Windows)
to capture a password hash rather than the password characters, then presents that hash to
authenticate and move laterally to other networked systems. The threat actor never needs
to crack the hash to recover the plaintext password.
• Golden ticket attack — on a Kerberos (Windows Active Directory) system, an attacker who
has stolen the key of the key distribution center's krbtgt account can forge ticket-granting
tickets (TGTs) for any user and so authenticate to any service in the domain for as long as
that key is unchanged. Mimikatz is the tool most commonly used to carry it out.
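The offline dictionary attack described under password attacks, as an added example that is not part of the original notes: the same constructed user database is stored twice, once as unsalted SHA-256 hashes and once as salted, iterated PBKDF2-HMAC-SHA256 records, and the same word list is run against both. Usernames, passwords, salts and the word list are all constructed sample data; the iteration count is an assumption chosen to keep the demonstration quick.

```python
"""Added example (not from the original notes): an offline dictionary attack
run against two copies of the same constructed user database, one storing
unsalted SHA-256 hashes and one storing salted PBKDF2-HMAC-SHA256 hashes.
Usernames, passwords and the word list are all constructed sample data."""
import hashlib
import hmac
import os

# Constructed stand-in for "a dictionary of regularly used passwords".
WORDLIST = ["123456", "password", "letmein", "qwerty", "welcome1", "summer2023"]

# Constructed users; bob's password is not in the word list.
SAMPLE_USERS = {"alice": "summer2023", "bob": "Tr0ub4dor&3", "carol": "123456"}

ITERATIONS = 100_000  # assumption for the demo; real deployments tune this upward


def weak_hash(password: str) -> str:
    """Unsalted single SHA-256: every user with the same password gets the
    same hash, and one pass over the word list cracks the whole database."""
    return hashlib.sha256(password.encode()).hexdigest()


def strong_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256, stored as salt$iterations$digest
    so the verifier can recompute it later."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Constant-time check of a password against a stored strong_hash record."""
    salt_hex, iterations, _ = stored.split("$")
    candidate = strong_hash(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, stored)


def build_stores(users: dict) -> tuple[dict, dict]:
    """Return (unsalted_store, salted_store) for the same users."""
    unsalted = {u: weak_hash(p) for u, p in users.items()}
    salted = {u: strong_hash(p, os.urandom(16)) for u, p in users.items()}
    return unsalted, salted


def crack_unsalted(stolen: dict) -> tuple[dict, int]:
    """Hash the word list once, then look every stolen hash up in the table.
    Returns (cracked users, number of hash computations spent)."""
    table = {weak_hash(w): w for w in WORDLIST}
    cracked = {u: table[h] for u, h in stolen.items() if h in table}
    return cracked, len(WORDLIST)


def crack_salted(stolen: dict) -> tuple[dict, int]:
    """Same word list against salted PBKDF2 records.  The per-user salt
    defeats the precomputed table, so the attacker pays one slow PBKDF2 run
    per (user, word) pair.  Returns (cracked users, PBKDF2 runs spent)."""
    cracked, work = {}, 0
    for user, stored in stolen.items():
        salt_hex, iterations, _ = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        for word in WORDLIST:
            work += 1
            if hmac.compare_digest(strong_hash(word, salt, int(iterations)), stored):
                cracked[user] = word
                break
    return cracked, work


if __name__ == "__main__":
    unsalted, salted = build_stores(SAMPLE_USERS)
    print("unsalted:", crack_unsalted(unsalted))  # both weak passwords, 6 fast hashes
    print("salted:  ", crack_salted(salted))      # same two users, 13 slow PBKDF2 runs
```

Salting does not rescue a password that is in the word list; it removes the attacker's ability to precompute and to crack every user for the price of one, and the iteration count multiplies the cost of each remaining guess.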
Cyberthreat actors
When you identify a cyberthreat, it’s important to understand who the threat actor is, as well
as their tactics, techniques, and procedures (TTP). Common sources of cyberthreats include:
• State-sponsored — cyberattacks by countries can disrupt communications, military
activities, or other services that citizens use daily.
• Terrorists — terrorists may attack government or military targets, but at times may also
target civilian websites to disrupt and cause lasting damage.
• Industrial spies — organized crime and international corporate spies carry out industrial
espionage and monetary theft. Their primary motive is financial.
• Organized crime groups — criminal groups infiltrate systems for monetary gain.
Organized crime groups use phishing, spam, and malware to carry out identity theft and
online fraud. There are organized crime groups who exist to sell hacking services to

others as well, maintaining even support and services for profiteers and industrial spies
alike.
• Hackers — there is a large global population of hackers, ranging from beginner “script
kiddies” who rely on ready-made threat toolkits to sophisticated operators who can
develop new types of threats and evade organizational defences.
• Hacktivists — hacktivists are hackers who penetrate or disrupt systems for political or
ideological reasons rather than financial gain.
• Malicious insider — insiders represent a very serious threat, as they have existing
access to corporate systems and knowledge of target systems and sensitive data. Insider
threats can be devastating and very difficult to detect.
• Cyber espionage — a form of cyberattack that steals classified or sensitive intellectual
property to gain an advantage over a competing company or government.
High-Level Definitions of the Network Security Concepts
1. Firewall – A network device that controls network traffic based on predetermined
rules. Firewalls can also be software-based or hardware-based, depending on your
network requirements.
2. Intrusion Detection System (IDS) – A network security system designed to detect
malicious activity within a network. IDS systems can be either network-based or host-
based and are often used in conjunction with other network security mechanisms such
as firewalls.
3. Intrusion Prevention System (IPS) – A network security system designed to prevent
malicious activity within a network by monitoring network traffic for suspicious
patterns and blocking any activities that appear dangerous or potentially malicious.
4. Access Control List (ACL) – An ordered list of rules used to control access to resources
on a network by matching attributes such as source and destination IP address, user,
protocol, and port. Each rule permits or denies what it matches, and the first matching
rule decides.
5. Network Access Control (NAC) – A network security solution that allows
administrators to restrict access to a network based on the user’s identity, device type,
and other criteria.
6. Virtual Private Networks (VPN) – An encrypted network connection used to securely
connect two or more private networks over a public network such as the Internet.
7. Cryptography – The study of how data is protected through encryption algorithms and
cryptographic protocols.
8. SSL/TLS – Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS)
are protocols used to encrypt and authenticate network traffic. All SSL versions are
obsolete; current deployments use TLS 1.2 or 1.3.
9. PKI – Public Key Infrastructure (PKI) is a network security solution that uses public-
key cryptography to authenticate network users and their devices.

10. NAT – Network Address Translation (NAT) is a network security technique that allows
private networks to use one or more public IP addresses for outgoing traffic.
11. DDoS – Distributed Denial of Service attacks are malicious attempts to overwhelm
network resources with large amounts of network traffic from multiple sources or
locations.
12. IPSec – Internet Protocol Security (IPSec) is an internet standard protocol suite for
establishing secure, encrypted connections between network devices.
13. TACACS+ – Terminal Access Controller Access-Control System Plus (TACACS+) is a
network protocol, used mainly for administrative access to network devices, that
authenticates users and separately handles their authorization and accounting.
14. RADIUS – Remote Authentication Dial-In User Service (RADIUS) is a network
authentication protocol used to securely connect network users with network services
such as VPNs, network access control (NAC), and wireless networks.
15. WPA/WPA2 – Wi-Fi Protected Access (WPA/WPA2) is the most commonly used
wireless network security protocol for encrypting traffic between Wi-Fi access points
and clients; WPA3 is its successor.
16. SASL – Simple Authentication and Security Layer (SASL) is a framework, rather than
a single protocol, that lets connection-oriented protocols such as LDAP, SMTP and IMAP
plug in an authentication mechanism to securely authenticate users.
17. IDPS – An Intrusion Detection and Prevention System (IDPS) is a network security
solution that combines network intrusion detection with network intrusion prevention
capabilities.
18. SIEM – Security Information and Event Management (SIEM) is a network security
solution that consolidates log data from multiple sources into one centralized repository
for monitoring, analysis, and reporting.
19. Endpoint Security – Endpoint security is a network security solution designed to protect
endpoint devices from malicious activity and threats, including malware and unsecured
network connections.
20. UTM – Unified Threat Management (UTM) is a network security solution that combines
multiple network security solutions, such as firewalls, intrusion detection/prevention systems,
antivirus software, and more into one unified platform.
Information Security Principles
Keep the three principles of information security in mind as you put together an information
security program and evaluate platforms to store your company's data. Any platform you use
should deliver on each of the three principles in some way.
1. Confidentiality
Confidentiality is equivalent to privacy and avoids the unauthorized disclosure of information.
It involves the protection of data, providing access for those who are allowed to see it while
disallowing others from learning anything about its content. It prevents essential information

from reaching the wrong people while making sure that the right people can get it.
Encryption is the classic way to ensure confidentiality.
TOOLS FOR CONFIDENTIALITY
Encryption
Encryption is a method of transforming information with an algorithm so that it is unreadable
to unauthorized users. The transformation uses a secret key (the encryption key), and the result
can only be read back by whoever holds the matching decryption key: the same key in
symmetric-key encryption, or the private key of a key pair in asymmetric (public-key)
encryption. It protects sensitive data such as credit card numbers by turning it into
unreadable ciphertext that can only be read after decryption. Asymmetric-key and
symmetric-key encryption are the two primary types.
Access control
Access control defines rules and policies for limiting access to a system or to physical or virtual
resources. It is the process by which users are granted access and certain privileges to systems,
resources, or information. In access control systems, users must present credentials, such as a
username and password, a token, or a device identifier, before they can be granted access. In
physical systems these credentials may come in many forms, but credentials that cannot be
transferred to someone else provide the most security.
Authentication
Authentication is the process that confirms the identity, or the role, that a user claims to
have. It can be done in several ways, but it is usually based on a combination of:
• Something the person has (like a smart card or a key fob that stores a secret key),
• Something the person knows (like a password),
• Something the person is (like a fingerprint).
Authentication is a necessity for every organization because it keeps networks secure by
permitting only authenticated users to access protected resources. These resources may include
computer systems, networks, databases, websites and other network-based applications or
services.
Authorization
Authorization is the security mechanism that grants permission to do or have something. It
determines whether a person or system is allowed to access a resource, including computer
programs, files, services, data and application features, based on an access control policy.
It is normally preceded by authentication, which verifies the user's identity. System
administrators are typically assigned permission levels covering all system and user resources.
During authorization, a system checks the authenticated user's access rules and either grants or
refuses access to the resource.
Physical Security

Physical security describes measures designed to deny unauthorized physical access to IT assets
such as facilities, equipment, personnel, resources and other property, and to protect them from
damage. It guards these assets against physical threats including theft, vandalism, fire, and
natural disasters.
2. Integrity
Integrity refers to the methods for ensuring that data is real, accurate and safeguarded from
unauthorized modification. It is the property that information has not been altered in an
unauthorized way and that the source of the information is genuine.
TOOLS FOR INTEGRITY
Backups
Backup is the periodic archiving of data. It is a process of making copies of data or data files
to use in the event when the original data or data files are lost or destroyed. It is also used to
make copies for historical purposes, such as for longitudinal studies, statistics or for historical
records or to meet the requirements of a data retention policy. Many applications especially in
a Windows environment, produce backup files using the .BAK file extension.
Checksums
A checksum is a numerical value used to verify the integrity of a file or a data transfer. In other
words, it is the output of a function that maps the entire contents of a file to a number.
Checksums are typically used to compare two copies of data to make sure they are the same.
Because the function depends on every byte of the input, even a small change (such as flipping
a single bit) almost certainly produces a different output value. A plain checksum such as
CRC-32 catches accidental corruption only: anyone who can alter the data can also recompute
the value, so detecting deliberate tampering needs a cryptographic hash obtained from a
trusted source, or a keyed message authentication code or digital signature.
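The checksum behaviour described above, as an added example that is not part of the original notes and that goes one step beyond the text: CRC-32 and SHA-256 both notice a single flipped bit, but a CRC-32 can be forced to any chosen value by appending four computed bytes (because, for a fixed prefix, CRC-32 is an affine map over GF(2) from the appended bits to the checksum), and either value can simply be recomputed by whoever altered the file. Only the keyed HMAC at the end survives deliberate tampering. The file contents and the key are constructed for the demonstration.

```python
"""Added example (not from the original notes): CRC-32 and SHA-256 both
notice a single flipped bit, but a CRC-32 can be forced to any value by
appending four chosen bytes, and either value can simply be recomputed by
whoever altered the file.  A keyed HMAC is what survives deliberate
tampering.  The file contents and key are constructed for the demonstration."""
import binascii
import hashlib
import hmac


def crc32_checksum(data: bytes) -> int:
    return binascii.crc32(data) & 0xFFFFFFFF


def sha256_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate accidental corruption: invert one bit of the file."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def force_crc32(data: bytes, target: int) -> bytes:
    """Append four bytes so that crc32_checksum(result) == target.

    For a fixed prefix, CRC-32 is an affine map over GF(2) from the 32 bits
    of the suffix to the 32-bit checksum.  Measure the map's 32 columns with
    unit suffixes, then solve for the suffix bits by XOR elimination."""
    base = crc32_checksum(data + b"\0\0\0\0")
    basis = {}  # leading bit -> (column value, mask of suffix bits producing it)
    for j in range(32):
        value = crc32_checksum(data + (1 << j).to_bytes(4, "little")) ^ base
        mask = 1 << j
        while value:
            lead = value.bit_length() - 1
            if lead in basis:
                bv, bm = basis[lead]
                value ^= bv
                mask ^= bm
            else:
                basis[lead] = (value, mask)
                break
    value, mask = target ^ base, 0
    while value:  # express the wanted difference as a combination of columns
        bv, bm = basis[value.bit_length() - 1]
        value ^= bv
        mask ^= bm
    return data + mask.to_bytes(4, "little")


def keyed_tag(data: bytes, key: bytes) -> str:
    """HMAC-SHA256: cannot be recomputed by someone who lacks the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def keyed_verify(data: bytes, key: bytes, tag: str) -> bool:
    return hmac.compare_digest(keyed_tag(data, key), tag)


if __name__ == "__main__":
    original = b"PAY 100.00 TO ACCOUNT 1234\n"   # constructed file contents
    crc, digest = crc32_checksum(original), sha256_digest(original)
    damaged = flip_bit(original, 37)
    print(crc32_checksum(damaged) == crc, sha256_digest(damaged) == digest)  # False False
    forged = force_crc32(b"PAY 9000.00 TO ACCOUNT 6666\n", crc)
    print(crc32_checksum(forged) == crc)   # True: CRC matches, content does not
    key = b"constructed-integrity-key"     # constructed; in practice provisioned per recipient
    tag = keyed_tag(original, key)
    print(keyed_verify(forged, key, tag))  # False: without the key there is no valid tag
```

A SHA-256 digest cannot be forced the way the CRC can, but it offers no more protection than the CRC when the digest is published next to the file on the same server the attacker controls; the hash has to come from somewhere the attacker cannot write to, or be replaced by a MAC or signature.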
Error-Correcting Codes
Error-correcting codes store data with enough redundancy that small changes can be detected
and automatically corrected.
3. Availability
Availability is the property in which information is accessible and modifiable in a timely
fashion by those authorized to do so. It is the guarantee of reliable and constant access to our
sensitive data by authorized people.
TOOLS FOR AVAILABILITY
• Physical Protections
• Computational Redundancies
Physical Protections
Physical safeguard means to keep information available even in the event of physical
challenges. It ensures sensitive information and critical information technology are housed in
secure areas.

Computational redundancies
Redundancy provides fault tolerance against accidental faults: duplicate computers and storage
devices serve as fallbacks when a component fails.
FACTORS THAT AFFECT AVAILABILITY
Where content can be accessed
The availability of content can vary based on a user's geographic location. A user might need
to be in a certain country to access a particular spreadsheet, or they might need to be physically
located in an office building owned by your company to get access. Additionally, a person
might be able to access a particular piece of content when using a certain device but not another.
How content can be accessed
The way someone accesses content can be determined by their user credentials or information
they provide. You might, for example, require a username and password and enable two-factor
authentication.
When content can be accessed
It might be necessary to set time limits for content. A temporary employee might only have
access to a document during the period of their contract. A vendor might only get to access a
video while working on a project with your company.
Maintaining your company's software and hardware is a crucial part of ensuring availability. If
the software crashes frequently or needs a lot of downtime, it can affect when and how people
access the content. The condition of hardware also influences availability. If someone needs to
print a document or has to use a special computer to access a particular content type, their
overall access to the content is limited.
With Box, employees can access content through the web application, mobile device, or the
desktop application, Box Drive. Both availability and security are crucial. That’s why Box has
a 99.9% SLA, has SSAE 16 Type 2 data centers, and offers zero-trust content access with any
device. With Device Trust, admins can validate device ownership, domain membership, and
other device software and security settings.
BALANCING THE TRIAD
The principles of information security work together to protect your content, whether it's stored
in the cloud or on-premises. The three objectives of the triad are:
1. Protect content.
2. Ensure content accuracy.
3. Keep content accessible.
Upholding the three principles of information security is a bit of a balancing act. It's not likely
that your company can prevent a breach of confidentiality, protect the integrity of your
content, and guarantee that it will always be available 100% of the time. It's important to focus

COMPILED BY WWTL STUDENTS (PKCE, ACCE, AMCE) 2023


on what you can do to keep the triad in balance so content is as protected, accurate, and
accessible as it can be.
One way to balance the triad is to focus on the risks that are present and how they affect each
principle. Ransomware often affects the availability of your content. It's a type of malware that
encrypts your files, making them unreadable. A hacker who succeeds in installing ransomware
on a device renders the device unusable to the owner if the malware remains on it. Recognizing
the ways that ransomware can affect the availability of your content allows you to develop
security plans for combatting it.
You can stop a ransomware attack from limiting access to your content by using a cloud backup
program. The malware might block access to a particular device, but if the content is also stored
in the cloud, your employees can still access it without having to pay the ransom and hope that
the hacker sends a decryption key.
Box Shield can also help. With automated malware detection, content is scanned upon upload.
If malware is detected, the file is classified as malicious, and security controls are put in place
to prevent downloading and local editing, stopping the spread. Users can still view and even
edit the content online, so productivity is not lost. Admins are notified and alerts can be
published to SIEM and CASB tools.
Some risks and threats only affect one principle, but there are cases when a threat can affect
two principles. Confidentiality and integrity often go hand in hand. Someone could get access
to information they shouldn't and alter that information, either to cause harm or to benefit
themselves. A hacker could get vendor payment information and change it so they receive the
payments that were meant for vendors.
Security Concepts
Network security is necessary to protect personal network hardware and clients from unwanted
access, theft, damage, and other problems. The internet is the number one source of security
threats. Control your network to protect it from these threats. The primary goal of network
security is to protect Internet-connected machines from viruses and hackers. Firewalls, routers,
and other devices give you control over your network’s security. Allowing unauthorized access to
unidentified individuals undermines your own network security.
Key Security Concepts:
• Asset: Anything of value to a company is considered an asset. If you know which assets you
are trying to protect, their value, their location, and their vulnerabilities, you can make better
decisions about how much time, effort, and money to invest in protecting those assets.
• Vulnerability: A security flaw in the hardware, software, or configuration of a device
or process is called a “vulnerability.” Parties responsible for remediating such
vulnerabilities should conduct vulnerability testing on a regular basis.
• Risk: The likelihood of being targeted by a particular attack, the likelihood of a
successful attack, and overall exposure to a particular threat are all referred to as ‘risk’.
Risk exists where there is both a vulnerability and a threat that can exploit it.
• Threat: A particular type of attack source and means is called a “threat”. A threat
analysis is performed to determine how best to protect your system against a particular
threat or class of threats.
• Exploit: An exploit is a method or tool used by an attacker to exploit a vulnerability
and damage a target system.
• Countermeasures: Countermeasures are protections that reduce possible risks.
Countermeasures reduce the likelihood that an attacker can exploit a vulnerability by reducing
or eliminating that vulnerability.
Classification by Data:
Some form of data classification is required to protect assets and allocate resources as
efficiently as possible. By determining which data is of value, administrators can focus on
protecting the most valuable data. Without classification, data stewards struggle to effectively
protect data, and IT administrators struggle to allocate resources efficiently.
Where classification of information is a regulatory obligation (required by law), there may be
liability concerns related to maintaining correct data. By properly classifying data and applying
appropriate confidentiality, integrity, and availability controls, data stewards can effectively
protect data based on legal, liability, and ethical standards. If companies take classification
seriously, you’ll find that everyone takes information security seriously too. While there are
global differences in the techniques and terminology used to describe data, some trends are
emerging. Many government agencies, especially the military, often use the following
classification system for their data:
• Unclassified: Information that requires little or no protection with respect to
confidentiality, integrity, or availability.
• Restricted: Information whose disclosure could harm your organization. Although not
used by all countries, this classification is typical of NATO (North Atlantic Treaty
Organization) member states.
• Confidential: Information that must meet confidentiality standards. This is the lowest
level of classified data.
• Secret: Information that you go to great lengths to keep secret because disclosure could
have dire consequences. Usually, far fewer people are authorized to access this data.
• Top Secret: Information that takes a great deal of time and often costs a great deal of
money to keep secret because its disclosure can be so damaging. Usually only a few
people with a need to know have access to this information.
• SBU: Sensitive but unclassified: A general classification used by governments that,
while embarrassing if disclosed, would not constitute a serious security breach. SBU is
a comprehensive classification that also includes the words “For Official Use Only”.
For a classification system to work, it must define several roles. The most common roles are:
• Owner: The owner (typically the senior manager who manages the business entity) is
responsible for the information. Owners classify data, choose administrators, and
oversee their actions. Owners are responsible for their materials, so it is important that
they regularly review all confidential information.
• Custodian: The custodian is typically a member of the IT team who is responsible for
day-to-day data maintenance. Data owners select the security controls, which does not
require technical knowledge; custodians mark the data and ensure those controls are applied.
The custodian regularly backs up data and secures the backup media to
maintain data availability. As part of their retention obligations, custodians are also
required to frequently review their data security settings.
• User: Users are not responsible for classifying data or organizing classified materials.
Users are responsible for using data in accordance with established operating
procedures to maintain the security of data under their control.
Vulnerability Classification:
It is also essential to understand the shortcomings of operational and security measures. This
understanding makes security design more effective. To better understand the sources of
system vulnerabilities, it may be helpful to categorize them during analysis. The following
general categories can be used to categorize key systems and asset vulnerabilities:
• Faults in policy
• Design flaws
• Protocol shortcomings
• Software weaknesses
• Misconfiguration
• Hostile code
• Human element
This list only includes some vulnerability categories. Multiple vulnerabilities can be identified
for each of these categories. There are several industry initiatives focused on classifying
hazards to the public. The following well-known and freely accessible catalogues can be used
as models for vulnerability analysis.
• Common Vulnerabilities and Exposures (CVE): A publicly available list of known
information security vulnerabilities and exposures. Visit http://cve.mitre.org to find out.
This database enables data exchange between security solutions and provides standard
identifiers that serve as benchmark index points for evaluating the coverage of tools
and services.
• The US government’s National Vulnerability Database (NVD) is a standard-
compliant repository of vulnerability management data. This data enables automation
of compliance, security measurement and vulnerability management. NVD maintains a
database of product names, impact measurements, security-related software bugs,
configuration errors, and security checklists.
• The standard used to rate and classify security vulnerabilities in the computer and
networking industry is the Common Vulnerability Scoring System (CVSS). The
standard focuses on evaluating one vulnerability against another to help administrators
prioritize tasks. Major industry players such as McAfee, Qualys, Tenable and Cisco
have adopted this standard. See http://www.first.org/cvss for more information,
databases, and calculators.
Classification of countermeasures:
Threats are the most important element to understand, after assets (data) and vulnerabilities.
Organizations use a variety of controls as part of their security architecture to implement
comprehensive protection after considering threat vectors. These security controls can be
categorized in various ways, one of which is by the type of control. Three categories describe
these controls:
• Administrative: rules and procedures such as security awareness training, security
standards and practices, security tests and audits, background checks on employees and
contractors, proper recruiting procedures, and change and configuration controls.
• Technical: hardware, software, electronics, and other controls such as firewalls,
RFID cards, Network Admission Control systems, RADIUS and TACACS+ servers,
biometric authentication equipment, intrusion prevention systems (IPS), ACL-equipped
routers, virtual private network (VPN) concentrators and clients, and one-time password
(OTP) solutions.
• Physical: mechanical controls such as uninterruptible power supplies (UPS), intruder
detection, fire suppression systems, positive air-flow systems, security personnel, locks,
safes, and racks.
UNIT 2
ACCESS CONTROL FUNDAMENTALS

Access control is a process of selectively restricting access to a system. It is a concept in security
to minimize the risk of unauthorized access to the business or organization. In this, users are
granted access permission and certain privileges to a system and resources. Here, users must
provide credentials to be granted access to a system. These credentials come in many forms,
such as a password, a key card, a biometric reading, etc. Access control combines security
technology and access control policies to protect confidential information like customer data.
Access control can be categorized into two types:
• Physical access control
• Logical access control
Physical Access Control- This type of access control limits access to buildings, rooms,
campuses, and physical IT assets.
Logical access control- This type of access control limits connection to computer networks,
system files, and data.
The more secure method for access control involves two-factor authentication. The first factor
is that a user who desires access to a system must show a credential, and the second factor could
be an access code, password, or a biometric reading.
Access control consists of two main components: authentication and authorization.
Authentication is the process that verifies that someone is who they claim to be, whereas
authorization determines whether an authenticated user should be allowed to gain access to a
system or denied it.
Access Control Policies
Discretionary Access Control (DAC)
Discretionary Access Control (DAC) allows the owner of a system or device to manage access
control at his or her own discretion: the owner sets access authorizations as he or she sees fit.
With Mandatory Access Control (MAC) and Role-Based Access Control (RBAC), by contrast,
access to information follows an established set of rules. DAC is the common set-up for access
control and includes setting permissions on files, folders, and shared information.
Access control is implemented in every mode or forum in which information is found in your
organization. This consists of electronic data as well as hard-copy files, photographs, displays,
and communication packets. With DAC, an access control list (ACL) is the file that lists the
users who have authorized access to resources and the type of access they are permitted.
In the case of discretionary access control, an ACL can become extensive if individual users
are added, which may complicate system management. There are several risks associated with
DAC:
• Software might be used or updated by unauthorized personnel.
• Classified information could be exposed accidentally or deliberately by users who don’t
have authorized access.
• Auditing of files might be problematic.
Mandatory Access Control (MAC)
Mandatory Access Control (MAC) is typically included in the operating system being used.
MAC controls are present across most Windows, Unix, Linux, and other popular operating systems.
Mandatory access control technically performs as multilevel security. Users are placed into
categories and tagged with security labels to show what level of clearance they’re operating
with. It permits licensed or cleared persons a certain level of access. Mandatory controls are
usually fixed codes, individually assigned to each object or resource.
MAC techniques reduce the need for ongoing maintenance of ACLs because authorization
decisions are built into the hierarchy. Under a MAC policy, users are not
authorized to change permissions or rights associated with objects.
Role-Based Access Control (RBAC)
Role-Based Access Control (RBAC) integrates mandatory and discretionary formats with
advanced applications. Access to information is based on the specific role a user is assigned
within the organization. For instance, employees who work in product development would be
permitted access to confidential information while someone in another department would be
denied access.
RBAC is a level up from DAC and MAC allowing administrators to enforce security policies
that reflect the structure of an organization. RBAC classifies users by common functions and
access needs. When structuring a system of user groups, you can program the access levels for
various resources within the system.
Access to different resources and user group permissions are assigned as roles. When a role is
correlated to a resource, the resource checks the requesting user's role and then determines whether
access is granted. A role-based system provides a more comprehensive form of systematic controls.
It requires more development and is a higher investment but has wider flexibility in comparison
to MAC.
NEED OF SECURITY POLICIES
1) It increases efficiency.
The best thing about having a policy is being able to increase the level of consistency, which
saves time, money, and resources. The policy should inform employees about their
individual duties and tell them what they can and cannot do with the
organization's sensitive information.
2) It upholds discipline and accountability
When a human mistake occurs and system security is compromised, the security
policy of the organization backs up any disciplinary action and also supports a case in a
court of law. The organization's policies act as a contract which proves that an organization has
taken steps to protect its intellectual property, as well as its customers and clients.
3) It can make or break a business deal
It is not necessary for companies to provide a copy of their information security policy to other
vendors during a business deal that involves the transfer of their sensitive information. This
is true in the case of bigger businesses, which ensure their own security interests are protected
when dealing with smaller businesses which have less high-end security systems in place.
4) It helps to educate employees on security literacy
A well-written security policy can also be seen as an educational document which informs the
readers about the importance of their responsibility in protecting the organization's sensitive data.
It ranges from choosing the right passwords to providing guidelines for file transfers and data
storage, which increases employees' overall awareness of security and how it can be
strengthened.
Subject and Object Definition
Subject: An entity capable of accessing objects.
• A subject typically represents a process (the process takes on the attributes, such as access
rights, of the user or application).
o Owner: creator of a resource
o Group: a group of users; membership in the group is sufficient for certain access rights
o World: users who are not included in the categories of owner and group may be able
to access the resources with limited permissions.
Object: A resource to which access is controlled.
• An entity that contains and/or receives information.
• E.g.: records, blocks, pages, segments, files, directories, messages, programs, etc.
Access right: describes the way in which a subject may access an object:
• Read (incl. copy or print); Write (incl. read access; add, modify, or delete); Execute;
Delete; Create; Search (list the files in a directory or search the directory)
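The three policies (DAC, MAC, RBAC) and the subject/object/access-right vocabulary above can be seen side by side in code. The following Python is an added example written for these notes, not code from the original text or from any product: subjects carry group memberships, a clearance level and roles; objects carry owner/group/world rights and a sensitivity label; the same request is then decided under each policy. The MAC rules follow the Bell-LaPadula model (no read up, no write down), which is one common multilevel-security model and is an assumption here, as are the constructed users, roles and objects.

```python
from dataclasses import dataclass, field

# Access rights used in the text.
READ, WRITE, EXECUTE = "read", "write", "execute"

@dataclass
class Subject:
    """An entity that accesses objects (the user, or the process acting for them)."""
    name: str
    groups: set = field(default_factory=set)   # DAC: group memberships
    clearance: int = 0                          # MAC: clearance level, higher = more trusted
    roles: set = field(default_factory=set)    # RBAC: roles held in the organization

@dataclass
class Object:
    """A resource to which access is controlled (file, record, message, ...)."""
    name: str
    owner: str
    group: str
    perms: dict = field(default_factory=dict)  # DAC: {"owner"|"group"|"world": {rights}}
    label: int = 0                              # MAC: sensitivity label of the data

# --- DAC: the owner decides, through an ACL attached to the object ----------
def dac_allows(subj: Subject, obj: Object, right: str) -> bool:
    """Owner / group / world lookup, as in the subject classes defined above."""
    if subj.name == obj.owner:
        category = "owner"
    elif obj.group in subj.groups:
        category = "group"
    else:
        category = "world"
    return right in obj.perms.get(category, set())

def dac_grant(actor: Subject, obj: Object, category: str, right: str) -> None:
    """Only the owner may change an object's ACL; that is what makes DAC discretionary."""
    if actor.name != obj.owner:
        raise PermissionError(f"{actor.name} does not own {obj.name}")
    obj.perms.setdefault(category, set()).add(right)

# --- MAC: fixed labels compared by the system, not by the owner -------------
def mac_allows(subj: Subject, obj: Object, right: str) -> bool:
    """Bell-LaPadula rules (assumed model): no read up, no write down."""
    if right == WRITE:
        return subj.clearance <= obj.label     # may only write at or above own level
    return subj.clearance >= obj.label         # read/execute only at or below own level

# --- RBAC: permissions attach to roles; users are assigned roles -------------
ROLE_PERMISSIONS = {   # constructed role -> {(object name, right)} table
    "product_dev": {("design_doc", READ), ("design_doc", WRITE)},
    "finance":     {("vendor_payments", READ), ("vendor_payments", WRITE)},
}

def rbac_allows(subj: Subject, obj: Object, right: str) -> bool:
    return any((obj.name, right) in ROLE_PERMISSIONS.get(role, set())
               for role in subj.roles)

def demo() -> dict:
    """Decide a set of constructed requests under each policy; returns name -> decision."""
    spec = Object("design_doc", owner="alice", group="engineering",
                  perms={"owner": {READ, WRITE}, "group": {READ}}, label=2)
    payments = Object("vendor_payments", owner="carol", group="finance",
                      perms={"owner": {READ, WRITE}}, label=3)
    alice = Subject("alice", groups={"engineering"}, clearance=2, roles={"product_dev"})
    bob = Subject("bob", groups={"engineering"}, clearance=1, roles={"product_dev"})
    mallory = Subject("mallory")                       # no groups, low clearance, no roles
    r = {
        "dac_bob_reads_spec": dac_allows(bob, spec, READ),            # group grants read
        "dac_bob_writes_spec": dac_allows(bob, spec, WRITE),          # group lacks write
        "dac_mallory_reads_spec": dac_allows(mallory, spec, READ),    # no world rights
        "mac_bob_reads_spec": mac_allows(bob, spec, READ),            # clearance 1 < label 2
        "mac_alice_reads_payments": mac_allows(alice, payments, READ),    # read up denied
        "mac_alice_writes_payments": mac_allows(alice, payments, WRITE),  # write up allowed
        "rbac_alice_writes_spec": rbac_allows(alice, spec, WRITE),
        "rbac_alice_writes_payments": rbac_allows(alice, payments, WRITE),  # wrong role
        "rbac_mallory_reads_spec": rbac_allows(mallory, spec, READ),
    }
    # The DAC risk named in the text: an owner can widen access at their own discretion...
    dac_grant(alice, spec, "world", READ)
    r["dac_mallory_reads_spec_after_grant"] = dac_allows(mallory, spec, READ)
    # ...but a non-owner cannot alter someone else's ACL.
    try:
        dac_grant(mallory, payments, "world", READ)
        r["mallory_changed_payments_acl"] = True
    except PermissionError:
        r["mallory_changed_payments_acl"] = False
    return r

if __name__ == "__main__":
    for request, decision in demo().items():
        print(f"{request:36} {'ALLOW' if decision else 'DENY'}")
```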
Accountability Process
Access control systems are a fundamental part of any organization’s identity proofing system.
Depending on the software or tool, the process is triggered when a person attempts to identify
themselves in the system. Then, your network will perform system checks and grant access if
a user is authorized.
Depending on the arranged limits, you can make changes to the information available and
perform other necessary actions.
To better understand access control, we can take a deeper look into the four basic elements—
identification, authentication, authorization, and accountability—and how they make the
framework of this fundamental security feature.
Identification
Identification is the starting point, where the users provide information about their identity.
Identification is what happens when a user claims an identity, and the process starts for
authentication, authorization, and accountability for that user. A user may identify in several
ways, including typing in a username, swiping a card, or scanning a thumb. When a system
issues identification values to users or subjects, it is important that each value is unique, and
usernames should never be shared between users, so that user accountability can be tracked
while in the system. A standard naming scheme should be followed, but care should be taken
that the naming scheme does not describe the user’s position or task (e.g., payroll user).
Authentication
Authentication is making sure the claimed identity is valid. Is the user really who they claim to
be? To do that, often the user claiming an identity must provide additional pieces of information
that correspond to the identity. For instance, a password or a personal identification number
(PIN) known only to the user is usually required. But sometimes other factors are considered,
including the physical location of the device the user is using for access. There are three
categories or factors of information used to authenticate:
• Something you know (e.g., password, pin, etc.)
• Something you have (e.g., token from cell phone, keys, etc.)
• Something you are (fingerprint, voice recognition, etc.)
Many systems now implement multi-factor authentication, where at least two different pieces
of information from at least two different factor groups above are used to authenticate users.
Employing a second factor in the authentication process represents an additional layer in case
a user’s identification and password have been compromised.
Multifactor Authentication
Multi-factor authentication (MFA) is a multi-step account login process that requires users to
enter more information than just a password. For example, along with the password, users
might be asked to enter a code sent to their email, answer a secret question, or scan a fingerprint.
A second form of authentication can help prevent unauthorized account access if a system
password has been compromised.
Digital security is critical in today's world because both businesses and users store sensitive
information online. Everyone interacts with applications, services, and data that are stored on
the internet using online accounts. A breach, or misuse, of this online information could have
serious real-world consequences, such as financial theft, business disruption, and loss of
privacy.
While passwords protect digital assets, they are simply not enough. Expert cybercriminals try
to actively find passwords. By discovering one password, access can potentially be gained to
multiple accounts for which you might have reused the password. Multi-factor authentication
acts as an additional layer of security to prevent unauthorized users from accessing these
accounts, even when the password has been stolen. Businesses use multi-factor authentication
to validate user identities and provide quick and convenient access to authorized users.
ADVANTAGES
1. High security level.
2. Unclonable credential.
3. Private key never exposed.
4. Credential can be recovered on wiped devices.
5. Maximum user-friendly UX.
6. Application flexibility.
7. Simple to integrate into 3rd-party systems.
MFA AUTHENTICATION METHODS
Authentication by Knowledge
Knowledge factors are the most used form of authentication. In this form, the user is required
to prove knowledge of a secret to authenticate.
A password is a secret word or string of characters that is used for user authentication. This is
the most used mechanism of authentication. Many multi-factor authentication techniques rely
on password as one factor of authentication. Variations include both longer ones formed from
multiple words (a passphrase) and the shorter, purely numeric, personal identification number
(PIN) commonly used for ATM access. Traditionally, passwords are expected to be
memorized.
Many secret questions such as "Where were you born?" are poor examples of a knowledge
factor because they may be known to a wide group of people or be able to be researched.
Authentication by Possession/Ownership
Possession factors ("something only the user has") have been used for authentication for
centuries, in the form of a key to a lock. The basic principle is that the key embodies a secret
which is shared between the lock and the key, and the same principle underlies possession
factor authentication in computer systems. A security token is an example of a possession
factor.
Disconnected tokens have no connections to the client computer. They typically use a built-in
screen to display the generated authentication data, which is manually typed in by the user.
This type of token mostly uses a "one-time password" that can only be used for that specific
session.
Connected tokens are devices that are physically connected to the computer to be used. Those
devices transmit data automatically. There are several different types, including card readers,
wireless tags, and USB tokens.
A software token (a.k.a. soft token) is a type of two-factor authentication security device that
may be used to authorize the use of computer services. Software tokens are stored on a general-
purpose electronic device such as a desktop computer, laptop, PDA, or mobile phone and can
be duplicated. (Contrast hardware tokens, where the credentials are stored on a dedicated
hardware device and therefore cannot be duplicated, absent physical invasion of the device.) A
soft token may not be a device the user interacts with. Typically, an X.509v3 certificate is
loaded onto the device and stored securely to serve this purpose.
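The two factors described above, a memorised password (knowledge) plus a one-time code from a disconnected or software token (possession), can be combined in a small login check. This Python is an added example, not code from the notes or from any vendor: the one-time code is computed with HOTP/TOTP (RFC 4226 / RFC 6238, HMAC-SHA1 over a counter derived from the time), the password is stored only as a salted PBKDF2 hash, and each code is accepted once, so a code captured in transit cannot be replayed. The user record, its password and the token secret are constructed for the demonstration (the secret is the RFC 4226 test-vector key, so the codes can be checked against the RFC tables).

```python
import hashlib
import hmac
import struct
import time

TIME_STEP = 30          # seconds per TOTP counter value (RFC 6238 default)
DRIFT_STEPS = 1         # accept codes from one step before/after to tolerate clock skew


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 of the 8-byte counter, dynamically truncated to N digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                  # low nibble picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, timestamp: int, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter taken from the current time step."""
    return hotp(secret, int(timestamp) // TIME_STEP, digits)


def password_hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the knowledge factor is never stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store for the demonstration. The token secret is the RFC 4226
# test-vector key ("12345678901234567890"), not a real credential.
_SALT = b"constructed-salt-value"
USERS = {
    "alice": {
        "salt": _SALT,
        "pw_hash": password_hash("correct horse battery staple", _SALT),
        "totp_secret": b"12345678901234567890",
        "last_counter": -1,          # highest time step whose code was already accepted
    },
}


def authenticate(username: str, password: str, code: str, now=None) -> tuple:
    """Two-factor check: something you know (password) AND something you have (token).

    Returns (ok, reason). The reason is meant for the audit log; a user-facing
    response should stay generic so that it does not reveal which factor failed.
    """
    now = int(time.time()) if now is None else int(now)
    user = USERS.get(username)
    if user is None:
        return False, "unknown user"

    # Factor 1: knowledge. Constant-time comparison of the derived hashes.
    if not hmac.compare_digest(password_hash(password, user["salt"]), user["pw_hash"]):
        return False, "bad password"

    # Factor 2: possession. Try the current step and its neighbours for clock drift.
    current = now // TIME_STEP
    for candidate in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
        if hmac.compare_digest(hotp(user["totp_secret"], candidate), code):
            if candidate <= user["last_counter"]:
                return False, "one-time code already used"   # replay of a captured code
            user["last_counter"] = candidate                 # the code is spent from now on
            return True, "ok"
    return False, "bad one-time code"


if __name__ == "__main__":
    secret = USERS["alice"]["totp_secret"]
    print("HOTP counter 0 :", hotp(secret, 0))                 # 755224 per RFC 4226
    print("TOTP at t=59   :", totp(secret, 59, digits=8))      # 94287082 per RFC 6238
    now = int(time.time())
    code = totp(secret, now)
    print("login          :", authenticate("alice", "correct horse battery staple", code, now))
    print("replay         :", authenticate("alice", "correct horse battery staple", code, now))
```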
Authentication by Inherent/Characteristic
Inherence factors authenticate access credentials based on factors that are unique to the user.
These include fingerprints, thumbprints, and palm or handprints. Voice and facial recognition
and retina or iris scans are also types of inherent authentication factors.
When systems can effectively identify users based on their biometric data, inherence can be
one of the most secure types of authentication factors. The drawback is that users may lose
flexibility with how they access their accounts. A system that requires a fingerprint scan to
access can necessarily only be accessed on devices with hardware that supports that specific
authentication factor. This restriction is useful for security but may negatively impact user
convenience.
Other MFA methods.
Location-based authentication. This is a more advanced type of MFA that looks at a user’s
IP address and geolocation. Suppose you typically access your account from an IP address in
location A and suddenly try to access your account from an IP address in location B. In that
case, the program will request another verification, such as a one-time PIN.
Apple usually implements this type of authentication.
Risk-based authentication. Also known as adaptive authentication, this type of multi-factor
authentication analyses context and behaviour when users are trying to access the account, such
as:
• From where is the user trying to access the information?
• When is the user trying to access information?
• What kind of device is used? Is it a device already associated with the account?
Authentication Mechanisms
Authentication Mechanism means any security mechanism including but not limited to a PIN,
password, user number, certificate and/or devices used to identify an Authorised Person or a
Mandated Person.
Authentication Mechanism means a mechanism used to verify the identity of a system user
including but not limited to user identifications and passwords, tokens, smart cards, or
biometrics.
Authentication Mechanism means confidential authentication information for individual and
for systems (including log-on identifications, addresses, passwords, and personal identification
numbers) and where appropriate includes personal authentication devices (including smart
cards and biometric devices), assigned to each Participant pursuant to Rule 3.1.2.
Digital authentication—i.e., authentication that involves electronic credentials and
processes—can be done in-person (e.g., at a physical bank branch or government office) or
remotely (e.g., via a mobile or web service). While remote digital authentication is “online”
(i.e., it requires an internet connection), in-person transactions can be digitally authenticated
using online or offline mechanisms.
Both online and offline authentication mechanisms have a common set of requirements to
protect the person asserting their identity and to offer sufficient assurance to the identity
consumer (a service, person, or relying party). In general, an authentication mechanism should:
• Respond only with a “yes” or “no” depending on the result of the authentication, rather
than sharing and/or exposing PII, except for special circumstances—such as complying
with anti-money laundering (AML) regulations for customer due diligence (CDD)—
subject to a person’s informed consent and comprehensive information security
measures.
• Have known and easily accessible exception handling and grievance redress protocols
in case the authentication mechanism fails (e.g., a false negative biometric result). A
person should never be denied a right, service, or entitlement (or their access made
more difficult) because of a fault of the ID system.
• Facilitate the auditability of transactions, including tamper-proof logs, certifying
authentication devices, and identifying relying parties as well as potentially the
individual operator within those organizations.
• Eliminate opportunities for the ID authority or other actors to use transaction metadata
to track or profile the ID holder (e.g., through encryption, hashing, anonymization of
data, decentralization of such data, etc.).
• When identity data is shared by the ID system and stored by the relying party as part of
the authentication mechanism, ensure that information is secured in order to prevent
loss or compromise.
• Implement security controls to reduce threats such as guessing, eavesdropping, replay
or manipulation of communication by an attacker that could subvert the authentication
mechanism.
• Be mandated by relevant laws and regulations, with the specific relationship between
the ID system and the relying party governed by a legal agreement (e.g., a
memorandum of understanding) setting out respective responsibilities.

This section describes some offline and online authentication mechanisms that are commonly
used in foundational ID systems. The choice of which mechanisms to adopt is closely tied to
the types of credentials issued by the ID system and should be appropriate to the intended use
cases for the system and country-specific constraints such as connectivity and digital literacy
(see Section II. Planning Roadmap).

Offline Authentication Page | 23

Offline authentication—used for in-person transactions when connectivity is unavailable or


unnecessary—must provide a means of verifying that the person asserting their identity is who
they claim to be without referring to other systems (e.g. remote identity databases, online
services, etc.) and, if possible, that the credentials they present are genuine. In general, there
are three primary options for offline authentication (summarized in Table 33):

• Manual (non-digital) comparison (i.e., taking an ID card at face value): Traditionally,
authentication processes have involved the manual inspection of credentials (commonly ID
cards) to determine that they are genuine (e.g., via embedded security features) and to assess
whether the person or their physical signature resembles the photo or signature included on
the credential. While this method is intuitive and requires less infrastructure (beyond
providing the credentials themselves), it provides a lower level of assurance and more
opportunities for corruption than digital authentication, due to the potential for human error
and/or discretion in applying the procedure. At the same time, it may be appropriate for
certain low-risk transactions and/or the only viable solution in areas with no connectivity or
electricity. If security features are to be a viable method of improving the reliability of
authentication, relying parties need to be aware of them and appropriately equipped—e.g., in
the case of level 2 (covert) security features, this might require a UV light.

• Digital authentication against data stored on a smartcard: Smartcards are capable of
authenticating a person offline with a higher level of assurance. In combination with a card
reader (or receiver, in the case of a contactless card) equipped with text input and/or a
biometric scanner (e.g., fingerprint or iris), a comparison can be made between the presented
authenticators (e.g., a PIN or fingerprint) and the data stored in the chip of the card. Matching
can be done by the card’s microprocessor itself or by the reader and associated software on
the connected computer or device (e.g., a tablet or smartphone). Despite these benefits,
however, smartcards can be expensive, and require purchasing, distributing, and training
operators on the use of card readers (e.g., POS devices). Some smartcards are being developed
with their own embedded fingerprint scanner and power source, but these are very expensive.
Smartcards used exclusively offline are also not necessarily much more secure than
non-smartcards, as they could have been invalidated but continue functioning in isolation from
the ID system. Furthermore, the security and integrity of data on a smartcard cannot be
guaranteed after it has been issued (e.g., in 2018 Estonia had to recall and reissue a significant
proportion of smartcards in circulation because of a security flaw related to the private key
stored on the chip). Indeed, many countries have issued smartcards without implementing this
infrastructure, in which case they offer little benefit over “non-smart” cards.
• Digital authentication via a 2D barcode: Cards, certificates, or mobile apps with 2D
barcodes (e.g., QR codes) also offer the possibility of digital, offline authentication when they
are combined with readers and software that can match authenticators (e.g., PIN, fingerprint,
photo) to those stored in the barcode itself or in a record in a local database that the QR code
points to. In India, for example, the printed Aadhaar registration letters (“cards”) now include
a secure barcode that contains biographic information and a low-resolution facial image of the
Aadhaar holder to facilitate a manual comparison. Although QR-code documents may be
cheaper than smartcards, they are less secure. For example, a photo can be taken of a QR code,
which would compromise it. Likewise, they cannot store as much data and are limited by how
much physical space they are allotted on the card. The higher the density of the barcode, the
more likely it is that scratches or other damage will affect the ability of the data to be read
without errors. Storing a fingerprint template on a QR code, for example, is likely to result in a
very dense QR code and exposes the template to being replicated (e.g., printed on other
cards). Another significant challenge with the use of barcodes for authentication factors in
offline environments is the management of decryption keys: if a decryption key is widely
available then an attacker can reverse engineer an applicable barcode to generate a fraudulent
credential.

Table 33. Offline authentication mechanisms for in-person transactions

Type | Mechanism | Compatible Credentials | System Requirements
Manual | Visual comparison of a person to a physical credential | Any physical credential (e.g., a card or receipt) that has some information (e.g., a photo or signature) that can be compared to its bearer | Requires no equipment except the credential itself
Digital | Comparison of authenticators to those stored on a 2D barcode | Physical or virtual cards (e.g., on a smartphone) or certificates with 2D barcodes + authenticators (e.g., PIN, biometric) | Input devices (i.e., card readers, text pads, fingerprint scanners, etc.) integrated in or connected to a local device capable of matching the authenticators
Digital | Comparison of authenticators to those stored on a smartcard chip | Smartcard + authenticators (e.g., PIN, biometric) | Input devices (i.e., card readers with text pads and/or fingerprint scanners)

Online Authentication
Where relying parties and users have access to internet and/or mobile network connections,
online authentication can be used for both in-person and remote transactions. The ability to
refer to other systems—such as remote servers, data stored in the cloud, web- and mobile-based
applications, etc.—increases the variety of potential online authentication mechanisms, as
shown in Table 34, and the ability to check the validity of a credential. Ultimately, online
authentication provides a higher level of assurance because it offers more potential
authentication factors and a “live” source. At the same time, it may also bring greater data
protection and cybersecurity risks.

The authentication level of assurance provided by online mechanisms varies according to the
specific credentials, authenticators, and protocols used. In addition to choosing authentication
methods with levels of assurance appropriate to the transaction, practitioners must consider
their accessibility and convenience, particularly for vulnerable persons (e.g., low literacy, the
elderly, and people with disabilities), and those with unreliable internet or mobile connections.
For example, card-based authentication for remote transactions (e.g., e-services) would require
the purchase and distribution of card and/or biometric readers to each person, which may be a
barrier to adoption.

Table 34. Examples of online authentication mechanisms for in-person and/or remote
transactions

Type | Mechanism | Compatible Credentials/Authenticators | System Requirements
Matching against a database (“ID on the cloud”) | Comparison of authentication factors to references stored in a central system | Numbers, usernames, etc. + authenticators (e.g., PIN, biometric, password) | Input devices (i.e., keypad/board and/or biometric scanners) and secure network connection of relying party to central system
Public key infrastructure (PKI)-based | Using public key encryption to authenticate against a server | Smartcard, card with 2D barcode, SIM card, or mobile device + authenticators (e.g., PIN, biometric) | Input devices (i.e., personal card reader/scanner, text pads and/or fingerprint scanners), PKI and secure network connection of relying party to central system
One-time passwords (OTP) | Password or PIN generated on demand for one-time use | Device that can receive the password (e.g., SMS on a mobile phone, a smartphone/computer to receive an email, or a smartphone app that generates an OTP) | OTP infrastructure and secure network connection of relying party to central system
FIDO authentication | On-device match (fingerprint, iris, face, PIN) unlocks a private key used to authenticate against a server | FIDO-certified smartphone (e.g., Android, Windows) or external authenticator such as a FIDO Security Key + authenticators (biometrics or PIN) | FIDO-certified smartphone (e.g., Android, Windows) or external authenticator such as a FIDO Security Key, plus network connection between that device and the relying party’s systems

Federation
Federation is the ability of one organization to accept another organization’s identity
credentials for authentication based on inter-organizational trust. The trusting organization
must be comfortable that the other identity provider has acceptable policies, and that those
policies are being followed. Federation protocols and assurance and trust frameworks facilitate
federation of digital identity between organizations. For federation to be effectively used
globally, agreement and mapping with the ISO defined assurance framework and the adoption
of standards are critical (Source: Catalog of Technical Standards).

Federation can occur at multiple levels:

• A trusting organization can capture and send the credential to the issuing organization
(i.e., an identity provider) for verification, to authenticate an identity. After verification
of the credential, the issuing organization sends a yes/no confirmation and may, when
warranted and consented, send a set of claims giving information about the person,
using federation protocols like SAML (security assertion mark-up language). For
example, service providers in the UK can accept the credentials of multiple identity
providers via the GOV.UK verify system (see Box 38).

• A trusting organization can accept credentials issued by another organization, but still
authenticate and authorize the individual locally. For example, a passport issued by one
country is accepted as a valid credential by a receiving country (and could be validated,
for example, through ICAO’s global Public Key Directory or PKD), but the receiving
country’s immigration office still authenticates the holder and requires a visa to
authorize travel.

• A trusting organization can accept specific attributes describing an individual from
another organization. For example, a bank can request a credit score from a credit
bureau, rather than maintaining its own registry of credit information.

• A trusting organization can accept an authorization decision from another organization
(i.e., mutual recognition). For example, a driver’s license authorizing a person to drive
in one location may be accepted by another location.

To establish a framework for federation, practitioners must:

• Establish a trust framework—i.e., a legally enforceable set of specifications, rules, and
agreements that govern a multi-party system—that defines legal rules and operational
rules (e.g., service-level agreements or SLAs).

• Determine federation protocols to be used (e.g., SAML or OpenID Connect).

• Determine which attributes—if any—will be shared by the identity provider with the
relying party/service provider upon successful authentication of the user. (For
example, the combination of OpenID Connect and OAuth protocols allows for sharing
different sets of attributes, based on user consent.)

• Establish a secure communication channel between the relying party (service
provider) and the identity provider to enable an authentication workflow between the
service provider and identity provider application. This is typically done using digital
certificates to secure communication and may also involve passwords (a shared secret)
to authenticate the application.

• Manage the digital identities including expiration, revocation, and renewal.

Authorization
Authorization refers to established rules that determine whether a user has privileges sufficient
to allow them to perform some action on a file, data, a report, etc. For instance, Bob may have
privileges to create, modify, read, and delete files in a certain directory, whereas Kathy may
only have read privileges in that same directory. Authorization can be more difficult to manage
at scale than identification and authentication, because each of those is binary: the user has a
valid ID, or he does not; the user provides the correct password, or she doesn’t. Authorization,
however, may mean that both Bob and Kathy have access to some of the same files, each with a
different mix of privileges governing what they are allowed to do. Maintaining authorization
rules can be complicated in a sophisticated system which may have numerous roles that must
be accounted for and managed.
Types of Authorization
• Discretionary Access Control (DAC) – DAC determines privileges depending on the
specific user and their access groups. A DAC model allows every object in a system to
be accessed by a particular group or identity. Those in charge of granting authorization
can provide admin permission to other users.
• Mandatory Access Control (MAC) – MAC determines authorization of entities at the
operating system level. MAC commonly governs permissions for threads and
processes, defining which files and memory objects they can access.

• Role-Based Access Control (RBAC) – RBAC is used to enforce access controls defined
in the DAC or MAC model. RBAC builds on predefined roles and privileges, assigns
users to roles, and configures a system so that only specific roles can access each object.
• Attribute-based Access Control (ABAC) – ABAC is used to enforce access controls in
a policy-based manner. It uses attributes, which can be attached to a user, a resource,
an object, or an entire environment. An entity is authorized if the authentication system
finds that all the attributes defined in the policy are true.
Permissions Commonly Used in Authorization
• Role-based permissions—grants permissions based on a group of users with a shared
business role. Role-based permissions specify which resources that group is allowed to
access. This permissions model supports the least privilege access principle, which
states that a system should grant each user the minimal resources they need to perform
their business role.
• Device permissions—grants permissions based on the device that is accessing the
resource. This permission model might grant different permissions for trusted devices
such as a corporate laptop, or non-trusted devices such as a personal mobile device.
Authorization systems should adjust device permissions based on an evaluation of each
device’s security posture.
• Location permissions—grants permissions based on the user or entity’s location.
Authorization systems use this type of permission to limit access to sensitive resources
for users connecting from home or other entities connecting remotely.
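As an added example (not from the handout), the following Python module implements a small policy engine that combines RBAC with the device and location attribute checks described above, using the Bob/Kathy directory example from the text; the directory path, roles and attribute names are constructed for illustration.

```python
"""Added example (not from the handout): a small RBAC + ABAC policy engine.

It models the Bob/Kathy example (Bob may create, modify, read and delete; Kathy
may only read) and then layers the device and location permissions described in
the text on top. Roles, paths and attribute names are constructed.
"""
from dataclasses import dataclass
from typing import Tuple

# RBAC: a role carries only the privileges its business role needs (least privilege).
ROLE_PRIVILEGES = {
    "editor": {"create", "modify", "read", "delete"},
    "viewer": {"read"},
}

# Role assignment per directory (constructed example data).
USER_ROLES = {
    ("bob", "/finance/reports"): "editor",
    ("kathy", "/finance/reports"): "viewer",
}


@dataclass
class Request:
    user: str
    action: str
    directory: str
    device_trusted: bool = False   # corporate laptop (True) vs personal device (False)
    location: str = "office"       # "office" or "remote"
    sensitive: bool = False        # attribute of the resource being accessed


def rbac_allows(req: Request) -> bool:
    """Role-based permission: is the action within the user's role for this directory?"""
    role = USER_ROLES.get((req.user, req.directory))
    if role is None:
        return False
    return req.action in ROLE_PRIVILEGES[role]


def abac_allows(req: Request) -> bool:
    """Attribute-based policy: every rule must hold, as the text says for ABAC."""
    rules = [
        # Device permission: anything beyond reading requires a trusted device.
        lambda r: r.device_trusted or r.action == "read",
        # Location permission: sensitive resources are not reachable remotely.
        lambda r: not (r.sensitive and r.location == "remote"),
    ]
    return all(rule(req) for rule in rules)


def authorize(req: Request) -> Tuple[bool, str]:
    """Combined decision: the role check first, then the attribute policy."""
    if not rbac_allows(req):
        return False, "role does not grant this action"
    if not abac_allows(req):
        return False, "attribute policy denies this context"
    return True, "permitted"
```

The decision reasons are returned rather than printed so that they can be written to an audit log alongside the request.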
Authentication vs Authorization: The Differences
Here’s a quick overview of the differences between authentication and authorization. While
both are important user management components, there are some key differences that must be
considered before implementing them in the right places.
Basic function
• Authentication identifies if users or other entities are who they say they are.
• Authorization determines if a user or entity is allowed to access a particular asset.
How it works
• Authentication requires credentials or other information from an entity that can prove
their identity.
• Authorization uses policies and rules to decide whether to grant access to an
authenticated user.
When it happens
• Authentication happens when the user first connects to a system.
• Authorization happens after successful authentication.

How it transfers information
• Authentication collects information from the user or entity in the form of text (e.g.,
passwords), unstructured data (e.g., image of the user’s face), or an access token.
• Authorization requires a token proving that the entity is authenticated and additional
information about the entity to apply access rules.

Common standards and methods
• Authentication is commonly performed using OpenID Connect (OIDC) or other
protocols (SAML, OAuth, etc.) and may involve methods like passwords, access tokens,
and biometric verification.
• Authorization is typically performed using OAuth 2.0 and may involve methods like
Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC).

Auditing
Auditing is monitoring a user’s activity while in the system programmatically and recording
that activity in an audit log. A system or application with good auditing built-in will allow a
user to either be held accountable, or exonerated, should they be accused of violating company
policies, procedures, or laws while using the system. A system with good auditing will provide
non-repudiation — this user did these actions at these times in the system, which is critical to
be able to prove responsibility legally. Further, a good auditing system is vital to detect whether
unauthorized or abnormal use of a system is occurring and can also serve to detect the health
and performance of a system. When a breach or system failure has occurred, the audit logs are
often the first thing to check to determine who did what and when, how they were able to do
it, how extensive the intrusion was and whether it is ongoing. The audit logs also hold the
clues for how to mitigate or fix the system to disallow breaches or undesired activity in the
future.
Accountability
Security cannot be enforced unless accountability is maintained. Users must be held
accountable for detrimental and unauthorized use of the system. To prove a person did
something with a system, you need a thorough audit log of activity. For instance, this user
logged in at this time and date from this device at this IP. Further, he performed these actions,
and here are the time and dates of each action. You also need to prove that someone wasn’t
impersonating an individual by employing good authentication. Usernames and passwords can
be compromised, but if your authentication includes multiple factors, then it is much harder for
a user to successfully claim that someone hacked their account and impersonated them.
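As an added example (not from the handout), the following Python module shows the three uses of an audit log described above: reconstructing what one user did and from where, finding who touched a given object, and detecting abnormal use (a burst of failed logins). The records are constructed; the user names, device names and addresses are illustrative only.

```python
"""Added example (not from the handout): reading an audit log for accountability.

Every record carries what the text says an audit trail needs: who, what, when,
from which device and from which IP address. The records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


def rec(ts: str, user: str, action: str, result: str, device: str, ip: str,
        obj: Optional[str] = None) -> dict:
    return {"ts": ts, "user": user, "action": action, "result": result,
            "device": device, "ip": ip, "object": obj}


REPORT = "/finance/reports/q1.xlsx"   # constructed object path

# Constructed audit log (timestamps in UTC, ISO 8601).
AUDIT_LOG = [
    rec("2023-05-01T08:59:10", "bob", "login", "ok", "LAPTOP-17", "10.0.0.12"),
    rec("2023-05-01T09:01:22", "bob", "read", "ok", "LAPTOP-17", "10.0.0.12", REPORT),
    rec("2023-05-01T09:03:05", "bob", "delete", "ok", "LAPTOP-17", "10.0.0.12", REPORT),
    rec("2023-05-01T14:20:00", "kathy", "login", "fail", "PC-04", "10.0.0.31"),
    rec("2023-05-01T22:10:01", "kathy", "login", "fail", "UNKNOWN", "203.0.113.9"),
    rec("2023-05-01T22:10:40", "kathy", "login", "fail", "UNKNOWN", "203.0.113.9"),
    rec("2023-05-01T22:11:15", "kathy", "login", "fail", "UNKNOWN", "203.0.113.9"),
    rec("2023-05-01T22:12:03", "kathy", "login", "ok", "UNKNOWN", "203.0.113.9"),
    rec("2023-05-01T22:12:30", "kathy", "read", "ok", "UNKNOWN", "203.0.113.9", REPORT),
]


def actions_by(user: str, log: List[dict] = AUDIT_LOG) -> List[str]:
    """Non-repudiation view: what this user did, in time order, with device and IP."""
    rows = sorted((r for r in log if r["user"] == user), key=lambda r: r["ts"])
    lines = []
    for r in rows:
        parts = [r["ts"], f'{r["action"]}:{r["result"]}']
        if r["object"]:
            parts.append(r["object"])
        parts.append(f'from {r["device"]}@{r["ip"]}')
        lines.append(" ".join(parts))
    return lines


def who_touched(obj: str, log: List[dict] = AUDIT_LOG) -> List[Tuple[str, str, str]]:
    """Breach triage: (when, who, what) for every action on a given object."""
    return [(r["ts"], r["user"], r["action"]) for r in log if r["object"] == obj]


def failed_login_bursts(log: List[dict] = AUDIT_LOG, threshold: int = 3,
                        window: timedelta = timedelta(minutes=5)) -> Dict[str, int]:
    """Abnormal-use detection: users with >= threshold failed logins inside one window."""
    fails: Dict[str, List[datetime]] = defaultdict(list)
    for r in log:
        if r["action"] == "login" and r["result"] == "fail":
            fails[r["user"]].append(datetime.fromisoformat(r["ts"]))
    flagged: Dict[str, int] = {}
    for user, times in fails.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged
```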

UNIT 3
TYPES OF INFORMATION SECURITY CONTROLS

Logical Controls
Logical controls are preventative controls that apply information technology software and
systems to prohibit unwanted access to information within a computer system. Nonphysical
access controls are also referred to as logical controls. These prevent information assets
from being accessed electronically.
Logical controls that can prevent unauthorized users from accessing an organization’s
information assets include:
1) User identification (e.g., username and passwords)
2) Password management: Passwords are generated to protect access from outside, unwanted
users of information. This is a method that is applied to only enabling access to those who are
authorized. Passwords have certain characteristics that will allow them to become more
preventative than others.
3) Network firewalls: Parts of computer systems or networks that are designed to block
unauthorized access while permitting outward communication.
4) Data encryption: A security method that applies information that is encoded and can only be
accessed or decrypted by a user with the correct encryption key. Encrypted data will also
sometimes appear scrambled or unreadable to a person or entity accessing it without
permission.
5) Access control lists: Tables that tell a computer operating system who has the right to access
it. Rights vary per user and allow them to perform a particular objective (e.g., accessing a file
directory or individual file).
6) Digital certificates: A digital certificate is an electronic “password” that allows a person or
organization to exchange data securely over the internet using the public key infrastructure
(PKI).
7) Data encryption: Data encryption is the process of encoding information so that only the
recipient with the ability to decipher the text can do so.
1. Traditional Firewalls
A traditional firewall is designed to police the flow of traffic that goes in and out of a network,
based on port, protocol, source address and destination address.
When we talk about ‘traditional’ firewall features, we’re talking about the functions that
preceded next-generation firewalls (NGFWs) – functions such as:
• Packet filtering, which ensures that incoming and outgoing packets are inspected
before they are allowed to pass through. Packets that match the filter’s set of rules are
forwarded; packets that do not are dropped.

• Stateless inspection or stateful inspection, which refers to the way in which packets
are inspected (more about that below).
• Virtual private network (VPN) support, to keep the private network secure when
users traverse public networks such as the internet.
2. Packet-Filtering Techniques

A packet filtering firewall is a network security feature that controls the flow of incoming and
outgoing network data. The firewall examines each packet, which comprises user data and
control information, and tests it against a set of pre-established rules. If the packet passes
the test, the firewall allows it to pass through to its destination; it rejects those that don’t.
Firewalls test packets by examining sets of rules, protocols, ports, and destination addresses.
In computer networking, packets are formatted units of data carried on packet-switched networks.
These networks can be fault tolerant because they disassemble messages into small pieces, or
packets, and send them separately across the network. When packets pass the firewall and
arrive at their destination, they’re reordered to reconstruct the information correctly. Done
correctly, packet switching optimizes networks’ channel capacity, minimizes transmission
latency, and increases the effectiveness of communications. Packets contain two important
components:
• Headers: Packet headers direct the data to its desired destination. They contain the
internet protocol (IP) addressing and any other data required to get the packets where
they’re meant to go.
• Payloads: The payload is the user data within the packet. This is the information that’s
trying to get to its destination.
TYPES OF PACKET FILTERING
1. Static packet filtering firewall
A static packet filtering firewall requires you to establish firewall rules manually. Similarly,
internal and external network connections remain either open or closed unless otherwise
adjusted by an administrator. These firewall types allow users to define rules and manage ports,
access control lists (ACLs) and IP addresses. They’re often simple and practical, making them
an apt choice for smaller applications or users without a lot of criteria.
2. Dynamic packet filtering firewall
Dynamic firewalls allow users to adjust rules dynamically to reflect certain conditions. You
can set ports to remain open for specified periods of time and to close automatically outside
those established time frames. Dynamic packet filtering firewalls offer more flexibility than
static firewalls because you can set adjustable parameters and automate certain processes.
3. Stateless packet filtering firewall

Stateless packet filtering firewalls are the oldest and most established firewall option. While
they’re less common today, they do still provide functionality for residential internet users or
service providers who distribute low-power customer-premises equipment (CPE). They protect
users against malware, non-application-specific traffic, and harmful applications. If users host
servers for multi-player video games, email, or live-streamed videos, for example, they often
must manually configure firewalls if they plan to deviate from default security policies. Manual
configurations allow different ports and applications through the packet filter.
4. Stateful packet filtering firewall
Unlike stateless packet filtering options, stateful firewalls use modern extensions to track active
connections, like transmission control protocol (TCP) and user datagram protocol (UDP)
streams. By recognizing the context of incoming traffic and data packets, stateful firewalls can
better identify the difference between legitimate and malicious traffic or packets. Typically, new
connections must introduce themselves to the firewall before they gain access to the approved
list of allowed connections.
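As an added example (not from the handout), the following Python module contrasts the stateless and stateful behaviour described above on constructed packets: rules match on interface, protocol, addresses and destination port; the stateful variant tracks outbound flows so that replies are admitted without an inbound rule, requires a TCP connection to introduce itself with a SYN, and also drops outside packets that claim an inside source address (the spoofing weakness discussed later in this section). All addresses, interface names and rules are constructed.

```python
"""Added example (not from the handout): a stateless and a stateful packet filter.

Rules match on interface, protocol, source/destination address and destination
port. The stateful variant records approved outbound flows and admits only the
replies that belong to one of them. All addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple

INTERNAL_NET = ip_network("192.168.1.0/24")   # constructed LAN


@dataclass(frozen=True)
class Packet:
    iface: str          # "inside" or "outside": interface the packet arrived on
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag: a new connection introducing itself


@dataclass(frozen=True)
class Rule:
    action: str         # "allow" or "drop"
    iface: str = "*"
    proto: str = "*"
    src: str = "*"      # CIDR or "*" for any
    dst: str = "*"
    dport: int = 0      # 0 = any port

    def matches(self, p: Packet) -> bool:
        return (self.iface in ("*", p.iface)
                and self.proto in ("*", p.proto)
                and (self.src == "*" or ip_address(p.src) in ip_network(self.src))
                and (self.dst == "*" or ip_address(p.dst) in ip_network(self.dst))
                and self.dport in (0, p.dport))


# Policy: hosts on the LAN may open HTTPS connections; everything else is dropped.
RULES: List[Rule] = [
    Rule("allow", iface="inside", proto="tcp", src="192.168.1.0/24", dport=443),
    Rule("drop"),   # default deny
]


def stateless_filter(p: Packet, rules: List[Rule] = RULES) -> str:
    """Each packet is judged on its own: the first matching rule decides."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "drop"


Flow = Tuple[str, str, int, str, int]   # proto, src, sport, dst, dport


class StatefulFilter:
    """Tracks flows so that replies are admitted without an inbound allow rule."""

    def __init__(self, rules: List[Rule] = RULES):
        self.rules = rules
        self.flows: Set[Flow] = set()

    def decide(self, p: Packet) -> str:
        # Anti-spoofing: a packet from outside must not carry an inside source address.
        if p.iface == "outside" and ip_address(p.src) in INTERNAL_NET:
            return "drop"
        # A reply to a flow recorded earlier belongs to an approved connection.
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            return "allow"
        verdict = stateless_filter(p, self.rules)
        if verdict == "allow":
            if p.proto == "tcp" and not p.syn:
                return "drop"   # TCP must introduce itself before it is tracked
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return verdict
```

Note that the stateless filter drops the HTTPS reply unless an explicit inbound rule is added, and such a rule would also admit unsolicited packets arriving from port 443.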
BENEFITS OF PACKET FILTERING FIREWALLS
1. Efficiency
One of the primary advantages of packet filtering firewalls is their efficiency. Routers typically
operate at high speeds, accepting and rejecting packets quickly based on their destinations,
source ports and addresses. Inbound and outbound packets are often only held for a few
milliseconds while the filter determines its destination and legitimacy. Most other firewall
techniques have performance overheads that exceed those of packet filtering firewalls.
2. Transparency
Another benefit is transparency. While users are aware of firewalls when they reject a packet,
packet filters typically operate quickly and discreetly without interfering with user
functionality. Some other techniques require users to configure firewalls for specific clients or
servers manually. In this way, packet filtering firewalls are user-friendly and easy to
incorporate.
3. Affordability
Many routers offer built-in packet filtering, making them inexpensive. By providing built-in
functionality, software routing products and other widely used hardware offer cheap and
affordable security options. Many websites use packet filtering techniques in their routers too.
Packet filtering firewalls' ubiquitous use makes them one of the most affordable security
options.
4. Accessibility
Besides its affordability, the ease of its use makes packet filtering an appealing option. With
this security technique, you can protect an entire network with a single screening router. Users
don't need extensive knowledge, training, or support to operate firewalls because they won't be
aware of packet transmission unless there's a rejection.

DRAWBACKS OF PACKET FILTERING FIREWALLS
Reduced security
One potential drawback of packet filtering firewalls is their reduced security. Because they’re
so accessible and commonly used, hackers have exploited rules and invaded systems. Stateless
packet filtering firewalls can be vulnerable because they test each packet on its own, creating
more opportunities for hacks. Hackers can use fake IP addresses in packets to intrude into
networks because most packet filters don’t provide safety from address spoofing. However,
stateful options remove some of these risks. And, in some applications, security isn’t a top
priority or concern.
Inflexibility
Another potential drawback to packet filtering firewalls is their inflexibility. The technique
uses IP address authentications and port numbers rather than contextual clues to identify and
restrict packets. Many programs don't remember previously filtered packets or past invasions,
meaning they don't learn and improve. Where users manually configure rules, taking extra care
to create guidelines that produce desired functionality can remove any issues this may cause.
Inconsistent applicability
In wide-scale applications, the predictable and standardized requirements of packet filters can
be a benefit. For more specific applications requiring heightened security or functionality,
consider exploring more advanced options. Packet filtering firewalls aren't the best option for
all networks. Implementing firewalls with desirable filters can be time-consuming, as can
configuring ACLs. Be sure to research your exact specifications and needs when deciding on
a security option that works best for you.
3. Application Proxies
The Web Application Proxy is a role service in Windows Server Remote Access. It
provides reverse proxy functionality that allows users to access corporate resources outside the
corporate network on any device.
It allows organizations to grant end users conditional access to applications operating inside
the organization. It enforces multi factor authentication and applies access policies to verify
the user’s identity and device before access is granted.
An application proxy or application proxy server receives requests intended for another server
and acts as the proxy of the client to obtain the requested service. You often use an application
proxy server when the client and the server are incompatible for direct connection. For
example, the client cannot meet the security authentication requirements of the server but needs
to be permitted some services.
If you access the Internet through an application proxy, some Universal Connection
applications might use the proxy. However, you must ensure that you select a configuration
method that allows the remainder of your service information to connect through Universal
Connection from your system to IBM without going through the application proxy.

The following list shows the characteristics of an application proxy:
• Breaks the TCP/IP connection between a client and server, while IP forwarding is not
required.
• Hides the internal client IP addresses; only the public IP address of the proxy server
is visible from the external network.
• Provides detailed access logs.
• Authenticates users.
• Caches information.
The most common type of proxy is the Hypertext Transfer Protocol (HTTP) proxy. Most HTTP
proxies also handle Hypertext Transfer Protocol Secure (HTTPS) and file transfer protocol
(FTP). The Simple Mail Transfer Protocol (SMTP) mail relay is an example of an application
proxy.
The main drawback of application proxies is that they must support the application for which
they are performing the proxy function. Many TCP/IP applications are not supported by proxy
servers. In addition, application proxies do not typically encrypt service information.
Some Universal Connection applications can flow through a standard HTTP proxy. The HTTP
proxy must support Secure Sockets Layer (SSL) tunnelling and can optionally require HTTP
basic authentication.
The IBM® i operating system includes a service and support HTTP proxy that can be used
specifically for Universal Connection applications if you want one partition or system to
provide connectivity for others.
4. Network Address Translation
NAT stands for network address translation. It’s a way to map multiple private addresses inside
a local network to a public IP address before transferring the information onto the internet.
Organizations that want multiple devices to employ a single IP address use NAT, as do most
home routers. If you’re connecting from your home right now, chances are your cable modem
or DSL router is already providing NAT to your home.
How Does NAT Work?
Let’s say that there is a laptop connected to a home network using NAT. That network
eventually connects to a router that addresses the internet. Suppose that someone uses that
laptop to search for directions to their favorite restaurant. The laptop is using NAT. So, it sends
this request in an IP packet to the router, which passes that request along to the internet and the
search service you’re using. But before your request leaves your home network, the router first
changes the internal IP address from a private local IP address to a public IP address. Your
router effectively translates the private address you’re using to one that can be used on the
internet, and then back again. Now you know that your humble little cable modem or DSL
router has a little, automated translator working inside of it.

If the packet keeps a private address, the receiving server won’t know where to send the
information back to. This is because a private IP address cannot be routed onto the internet:
even if your router tried, all internet routers are programmed to automatically drop packets
with private IP addresses. The nice thing is, though, that all routers sold today for home offices
and small offices can readily translate back and forth between private IP addresses and publicly
routed IP addresses.

NAT TYPES
There are three different types of NATs. People and organizations use them for different
reasons, but they all still work as a NAT.

• Static NAT
Static NAT always translates a given local address to the same public address. This means
there will be a consistent public IP address associated with that router or NAT device.

• Dynamic NAT
Instead of choosing the same IP address every time, this NAT draws from a pool of public IP
addresses. This results in the router or NAT device getting a different address each time it
translates the local address to a public address.

• PAT
PAT stands for port address translation. It is a type of dynamic NAT, but it maps several local
IP addresses to a single public one. Organizations that want all their employees' activity to
appear from a single IP address use PAT, often under the supervision of a network administrator.
5. Port Address Translation
Port Address Translation (PAT) is an extension of Network Address Translation (NAT) that
permits multiple devices on a LAN to be mapped to a single public IP address to conserve IP
addresses.
PAT is like port forwarding, except that an incoming packet with a given destination port (the
external port) is translated to a packet with a different destination port (an internal port). The
Internet Service Provider (ISP) assigns a single IP address to the edge device. When a computer
connects to the Internet, this device assigns the client a port number that is appended to the
internal IP address, giving the computer a unique address-and-port combination.
If another computer connects to the Internet, this device assigns it the same public IP address
but a different port number. Although both computers share the same public IP address, the
device knows which computer to send returning packets to, because it uses the port numbers
to map each packet back to the unique internal IP address of the computer that sent the request.
To add or edit PAT:
1. To add a service, click Add in the Port Address Translation table.
To edit a service, select the row and click Edit. The fields are open for modification.
If the web browser displays a warning about the pop-up window, allow the blocked content.
2. Select the Service from the drop-down menu. You can have up to 30 services. (If a
service is not listed, you can modify the list by following the instructions in the Adding
or Editing a Service Name section.)
3. Enter the IP address or the name of the network device where the service resides.

4. Click Save.
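The translation described above, as an added Python example (not code from the original notes): a router holding one public address maps each private address and port to its own public port, reverses the mapping on replies, and drops inbound packets for which no mapping exists. The addresses 198.51.100.7 and 203.0.113.5 and the RFC 1918 ranges used for the private-address check are assumptions made for the simulation.

```python
# Added example: a PAT simulation that follows the behaviour described above.
# Not from the original notes; all addresses are constructed (documentation ranges).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# RFC 1918 private ranges (assumption): the addresses that internet routers
# drop, so a packet carrying one must be translated before it leaves the LAN.
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def internet_router_forwards(pkt: Packet) -> bool:
    """Core internet routers discard any packet that carries a private address."""
    return not (is_private(pkt.src_ip) or is_private(pkt.dst_ip))


class PatRouter:
    """Edge device holding the single public IP assigned by the ISP."""

    def __init__(self, public_ip: str, first_port: int = 40000, last_port: int = 40999):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        self.out_table = {}  # (private ip, private port) -> public port
        self.in_table = {}   # public port -> (private ip, private port)

    def _allocate_port(self, key: Tuple[str, int]) -> int:
        # the pool of public ports is finite, just like dynamic NAT's address pool
        if self.next_port > self.last_port:
            raise RuntimeError("public port pool exhausted")
        port = self.next_port
        self.next_port += 1
        self.out_table[key] = port
        self.in_table[port] = key
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite a LAN host's packet so that its source is the public address."""
        if not is_private(pkt.src_ip):
            raise ValueError("only LAN hosts are translated")
        key = (pkt.src_ip, pkt.src_port)
        port = self.out_table.get(key)
        if port is None:
            port = self._allocate_port(key)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse the translation for a reply. Returns None when the packet is
        dropped: with no table entry the router cannot tell which host it is
        for, which is also why unsolicited connections never reach LAN hosts."""
        if pkt.dst_ip != self.public_ip:
            return None
        key = self.in_table.get(pkt.dst_port)
        if key is None:
            return None
        private_ip, private_port = key
        return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port)


def demo():
    """Two LAN hosts that happen to use the same source port reach one server."""
    router = PatRouter("198.51.100.7")  # constructed public address
    server = "203.0.113.5"              # constructed web server address
    a_out = router.outbound(Packet("192.168.1.10", 51000, server, 443))
    b_out = router.outbound(Packet("192.168.1.11", 51000, server, 443))
    # replies arrive at the public IP on the port the router chose
    reply_a = router.inbound(Packet(server, 443, router.public_ip, a_out.src_port))
    reply_b = router.inbound(Packet(server, 443, router.public_ip, b_out.src_port))
    # an unsolicited packet to a port with no mapping is dropped
    stray = router.inbound(Packet(server, 443, router.public_ip, 22))
    return a_out, b_out, reply_a, reply_b, stray


if __name__ == "__main__":
    for item in demo():
        print(item)
```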

Physical Controls
Physical controls are the implementation of security measures in a defined structure used to
deter or prevent unauthorized access to sensitive material.
Examples of physical controls are:
• Closed-circuit surveillance cameras
• Motion or thermal alarm systems
• Security guards
• Picture IDs
• Locked and dead-bolted steel doors
• Biometrics (includes fingerprint, voice, face, iris, handwriting, and other automated
methods used to recognize individuals)
Administrative controls
Administrative controls (also called work practice controls) are used in the workplace to reduce
or limit the exposure to a specific hazard. This kind of hazard control works by changing how
work is done when elimination, substitution, or the use of engineering controls is not feasible.
In the Hierarchy of Controls, administrative efforts rank fourth for effectiveness and efficiency.

Administrative controls are not seen as effective as other controls because they are at risk of
human error and are typically used as a temporary solution rather than a sustainable, long-term one.
Examples of administrative controls include:
• Training: Workers should be trained to identify hazards, monitor hazard exposure, and
follow safe procedures for working around the hazard. Additionally, employees should know
how to protect themselves and their co-workers.
• Procedures: The steps in a job process may need to be rearranged or updated to keep
the worker from encountering the hazard. Developing standardized safe work practices is
an important step.
• Maintenance: Having a maintenance schedule for machines known to be hazardous
can keep everything running smoothly and safely. Preventive maintenance will address
any equipment issues before they become a problem.
• Housekeeping: Sustaining a clean and clutter-free space will greatly reduce the risk of
injury and can minimize the severity of an accident.
• Signs: Wall signs and floor signs can be posted or installed to enforce administrative
controls. Visual cues can remind workers which areas are prohibited from entering,
when breaks need to be taken to limit heat exposure, and much more.

UNIT 4
LEGAL ISSUES

A legal issue is something that happens that has legal implications and may need the help of a
lawyer to sort out. It is a question or problem that is answered or resolved by the law.
Sometimes it is not obvious that a matter will involve the law; an unexpected illness, for
example, might lead to legal questions about employment, mortgages, or insurance.
Legal issues can come up in lots of different ways including from planned events in your life,
like buying a home or making a will. They can also appear suddenly, such as family problems,
problems at work or being accused of a crime. Other common legal issues include things like
immigration and asylum, consumer rights, housing problems and issues to do with debt and
money.
Cyberspace Privacy Laws and Issues
Cyberspace can be defined as an intricate environment that involves interactions between
people, software, and services. It is maintained by the worldwide distribution of information
and communication technology devices and networks.
With the benefits brought by technological advancement, cyberspace today has become a
common pool used by citizens, businesses, critical information infrastructure, the military and
governments in a fashion that makes it hard to draw clear boundaries among these different
groups. Cyberspace is anticipated to become even more complex in the coming years, with the
increase in networks and devices connected to it.
REGULATIONS
There are five predominant laws to cover when it comes to cybersecurity:
Information Technology Act, 2000
The Indian cyber laws are governed by the Information Technology Act, penned down back in
2000. The principal impetus of this Act is to offer reliable legal inclusiveness to eCommerce,
facilitating registration of real-time records with the Government.
But with the cyber attackers getting sneakier, topped by the human tendency to misuse
technology, a series of amendments followed.
The ITA, enacted by the Parliament of India, highlights the grievous punishments and penalties
safeguarding the e-governance, e-banking, and e-commerce sectors. Now, the scope of ITA
has been enhanced to encompass all the latest communication devices.
The IT Act is the salient one, guiding the entire Indian legislation to govern cybercrimes
rigorously:
Section 43 - Applicable to people who damage the computer systems without permission from
the owner. The owner can fully claim compensation for the entire damage in such cases.

Section 66 - Applicable where a person is found to have dishonestly or fraudulently committed
any act referred to in section 43. The imprisonment term in such instances can mount up to
three years, or a fine of up to Rs. 5 lakhs.
Section 66B - Incorporates the punishments for fraudulently receiving stolen communication
devices or computers, which carries a possible three-year imprisonment. This term can also
be topped by a Rs. 1 lakh fine, depending upon the severity.
Section 66C - This section covers identity theft involving imposter digital signatures, hacked
passwords, or other distinctive identification features. If proven guilty, imprisonment of three
years might also be backed by a Rs. 1 lakh fine.
Child Protection Laws
Cyberspace child protection laws are regulations designed to safeguard children from various
forms of online abuse, exploitation, and harm. These laws aim to establish legal frameworks
that address issues such as child pornography, online grooming, cyberbullying, and the
dissemination of harmful content to minors. They typically encompass both preventive
measures and punitive actions against offenders. Specific provisions may vary across
jurisdictions, but common elements include age verification mechanisms, restrictions on
explicit content, mandatory reporting of child abuse, and penalties for illegal online activities
involving minors. These laws play a crucial role in promoting online safety for children and
holding perpetrators accountable for their actions.
Data Protection Laws (Data Protection Act 843)
AN ACT to establish a Data Protection Commission, to protect the privacy of the individual
and personal data by regulating the processing of personal information, to provide the process
to obtain, hold, use or disclose personal information and for related matters.
Electronic Communications Laws (Electronic Communications Act 775)
An Act that provides for the regulation of electronic communications, the regulation of
broadcasting, the use of the electro-magnetic spectrum and for related matters.
Law of Contract (Act 25, 1960)
What is a contract?
A contract is a legally binding agreement between parties to create mutual obligations that
businesses and individuals use to protect their interests. Contracts outline the specific terms of
engagement for a transaction. They can also dictate legal consequences if a party tries to break
the agreement.
Contracts can be written or verbal. Most businesses tend to use written contracts because they
are easier to reference later. Written agreements are also less ambiguous, so they are more
straightforward to enforce.

Contract law, meanwhile, is the subset of laws specifically regulating how contracts are
created and enforced. These laws cover things like:
• How contracts are formed
• What a document must contain to be considered a contract
• Who is eligible to enter a contract
• What consequences exist for violating contracts
• What a contract can require of signatories
Contract law explains when contracts exist, when they’re enforceable, and what the wronged
party can do if the other signatory ignores the terms of the agreement.
Characteristics of a Contract
There are three essential components of any contract: the offer, the acceptance, and the
consideration. If all three of these characteristics aren’t present, a document is not considered
a contract.
1. Offer
The offer is a clear, specific, and voluntary opportunity provided by one party to another party.
The offering party, or offeror, will present particular terms to the offeree. These terms should
include:
• A clear declaration of intent to enter a contract.
• The offeree’s information indicating who is eligible to accept this contract.
• What the offeror intends to provide in the contract, such as goods or services.
• The terms of the agreement, such as what the offeree will provide in return and how the
exchange will take place.
2. Acceptance
Next, contracts must include a clear acceptance of the offer. Acceptance can take three forms:
• Words: Most contracts are accepted through verbal or written statements that the
offeree agrees to enter the contract and abide by its terms.
• Actions: Contracts can also be accepted by acting. For instance, suppose a contract states
that taking an action like clicking a link or using a website constitutes acceptance. After
reading the contract, people who perform those actions agree to the terms by default.
• Performance: Even if a contract doesn’t designate a specific action as constituting
acceptance, it’s possible to accept a contract without words. If a restaurant receives a
food shipment from a supplier and uses it to make food, the restaurant has entered an
implied contract. By using the goods in its normal course of business, the restaurant
and supplier can assume a contract was created, and the restaurant owes the supplier
payment for that food.
3. Consideration
The consideration of a contract is the value that is being provided. This value can be:
• Financial, such as a loan
• Property, such as goods delivered
• Services, such as maintenance or protection from harm
A contract does not need to include a specific type of consideration—there’s no need for money
to be involved at all. If the document dictates that one party will provide something of an
agreed-upon value to another party, consideration exists, and the contractual form is complete.
What Makes Contracts Valid?
There’s more to contracts than the basic structure, though. It’s perfectly possible to create a
contract that meets the definition but is not legally binding. A contract is valid if it both follows
the appropriate structure and meets the following requirements:
Doesn’t violate public policy.
Legal agreements are only valid if they conform to the law. A contract that violates public
policy or requires one party to do something illegal is automatically non-binding. For instance,
if a contract requires one party to ignore local tax laws, that contract violates public policy and
won’t hold up in court.
An unenforceable clause can render part or all of an agreement invalid. Some agreements have
provisions stating that any terms that violate local law will be ignored, but the rest of the
contract will remain standing. Still, if the violation is a fundamental part of the agreement, then
the entire contract will usually be considered unenforceable.
All parties are able to consent.
A fundamental part of the contracting process is confirming that all parties involved are eligible
to consent. This is known as having the “capacity” to enter the contract. Certain groups are
never assumed to have the capacity, including minors or adults with mental limitations.
Other parties may only have the capacity in certain circumstances. A company can enter a
contract if it can prove that it’s a genuine legal entity and the person who will sign the contract
is the company’s authorized signatory. Without these elements, an agreement may be
considered void or voidable.
All parties understand and agree on the terms.
A contract is considered binding when all parties give genuine consent to the terms. It’s only
possible to provide genuine consent if the parties involved understand what the agreement
means, including what they will receive and need to do.

Mistakes or misrepresentations in the contract prevent parties from giving genuine consent.
Whether an error in the contract is an accidental mistake or a purposeful misrepresentation, it
still means that the misled party can sue to have the contract nullified. The contract’s
nullification would occur because the misled party did not understand the agreement’s actual
terms and therefore could not consent to them.
When Contracts Require Legal Enforcement
Once an enforceable contract is signed, all signatories are bound to the terms of the agreement.
If one party fails to live up to the terms without a valid legal defence, they have breached the
contract.
There are two main ways to be in breach of contract:
1. Failure to perform as promised: If a signatory has agreed to deliver payment by a
specific date and doesn’t, they have failed to fulfil their contractual obligations. This is
a material breach or a failure to accomplish a core element of the contract.
2. Acting to prevent the other party from performing as promised: Suppose the offeree has
agreed to deliver goods to a specific location, but the offeror refuses to let the delivery
vehicles onto the property. In that case, the offeror prevents the offeree from fulfilling
their obligations and is in breach of contract.
When someone breaches a contract, the other party can sue them for compensatory damages.
The wronged party has usually lost something of value because of the other signatory’s actions.
Contract law allows them to tally up the value of what they’ve lost and sue to have the
breaching party compensate them for those losses.
Principles of Contract Interpretation
The legal principles that govern contract interpretation can vary depending on the specific
jurisdiction and the type of contract in question. However, some common legal principles that
are often used to interpret contracts include:
• Plain meaning rule: This principle states that contract terms should be given their
ordinary and plain meaning, as understood by a reasonable person in the context of the
contract.
• Parole evidence rule: This principle restricts the use of evidence outside of the written
contract to interpret its terms. Courts will not consider evidence of prior negotiations,
oral agreements, or other extrinsic evidence if the written contract is clear and
unambiguous.
• Contra proferentem rule: This principle is applied when a contract term is ambiguous
or unclear. It provides that any ambiguities should be resolved against the party that
drafted the contract.
• Course of performance, course of dealing, and usage of trade: These principles may be
used to interpret ambiguous contract terms by looking at how the parties have
performed under the contract in the past, how they have dealt with each other in the
past, and the trade customs or practices that are commonly used in the relevant industry.
• Implied terms: In some cases, courts may imply terms into a contract to give effect to
the parties’ intentions or to fill gaps in the contract where terms are missing.
Overall, contract interpretation is a complex and often fact-specific process within contract law
that requires a careful analysis of the contract language, the surrounding circumstances, and
the applicable legal principles.
Anti-Spam laws
Anti-spam laws are laws around unsolicited emails that protect citizens from receiving
unwanted spam emails. The CAN-SPAM Act of 2003 pre-empted many of these laws;
however, most email service providers require that all users agree to abide by anti-spam
policies in their terms of service. It’s also important to note that anti-spam laws are often
different depending on the state and country you live in. Be sure to familiarize yourself with
the varied sets of anti-spam rules and legislation within your market before sending any
unsolicited business emails.
CAN-SPAM Act of 2003
The Controlling the Assault of Non-Solicited Pornography And Marketing (CAN-SPAM)
Act of 2003 is a law passed in 2003 establishing the United States' first national standards for
the sending of commercial e-mail. The law requires the Federal Trade Commission (FTC) to
enforce its provisions. Introduced by Republican Conrad Burns, the act passed both
the House and Senate during the 108th United States Congress and was signed into law
by President George W. Bush in December 2003.
History
The backronym CAN-SPAM derives from the bill's full name: Controlling the Assault
of Non-Solicited Pornography and Marketing Act of 2003. It plays on the word "canning"
(putting an end to) spam, as in the usual term for unsolicited email of this type. The bill was
sponsored in Congress by Senators Conrad Burns and Ron Wyden.
The CAN-SPAM Act is occasionally referred to by critics as the "You-Can-Spam" Act because
the bill fails to prohibit many types of e-mail spam and preempts some state laws that would
otherwise have provided victims with practical means of redress. It does not require e-mailers
to get permission before they send marketing messages. It also prevents states from enacting
stronger anti-spam protections, and prohibits individuals who receive spam from suing
spammers except under laws not specific to e-mail. The Act has been largely
unenforced, despite a letter to the FTC from Senator Burns, who noted that "Enforcement is
key regarding the CAN-SPAM legislation." In 2004, less than 1% of spam complied with the
CAN-SPAM Act of 2003.
The law required the FTC to report back to Congress within 24 months of the effectiveness of
the act. No changes were recommended. It also requires the FTC to promulgate rules to shield
consumers from unwanted mobile phone spam. On December 20, 2005, the FTC reported that
the volume of spam has begun to level off, and due to enhanced anti-spam technologies, less
was reaching consumer inboxes. A significant decrease in sexually explicit e-mail was also
reported.
Later modifications changed the original CAN-SPAM Act of 2003 by (1) Adding a definition
of the term "person"; (2) Modifying the term "sender"; (3) Clarifying that a sender may comply
with the act by including a post office box or private mailbox; and (4) Clarifying that to submit
a valid opt-out request, a recipient cannot be required to pay a fee, provide information other
than his or her email address and opt-out preferences, or take any other steps other than sending
a reply email message or visiting a single page on an Internet website.
The mechanics of CAN-SPAM
Applicability
CAN-SPAM, a direct response to the growing number of complaints over spam e-mails,
defines a "commercial electronic mail message" as "any electronic mail message the
primary purpose of which is the commercial advertisement or promotion of a commercial
product or service (including content on an Internet website operated for a commercial
purpose)." It exempts "transactional or relationship messages." The FTC issued final
rules (16 CFR 316) clarifying the phrase "primary purpose" on December 16, 2004. Previous
state laws had used bulk (a number threshold), content (commercial), or unsolicited to define
spam. The explicit restriction of the law to commercial e-mails is widely considered by those
in the industry to essentially exempt purely political and religious e-mail from its specific
requirements. Such non-commercial messages also have stronger First Amendment protection,
as shown in Jaynes v. Commonwealth.
Congress determined that the US government was showing an increased interest in the
regulation of commercial electronic mail nationally, that those who send commercial e-mails
should not mislead recipients over the source or content of them, and that all recipients of such
emails have a right to decline them. However, CAN-SPAM does not ban spam emailing
outright, but imposes laws on using deceptive marketing methods through headings that are
"materially false or misleading". In addition, there are conditions that email marketers must
meet in terms of their format, their content, and labeling. The three basic types of compliance
defined in the CAN-SPAM Act—unsubscribe, content, and sending behavior — are as follows:
Unsubscribe compliance.
• A visible and operable unsubscribe mechanism is present in all emails.
• Consumers' opt-out requests are honored within 10 business days.
• Opt-out lists also known as suppression lists are used only for compliance purposes.
Content compliance.
• Accurate "From" lines
• Relevant subject lines (relative to offer in body content and not deceptive)

• A legitimate physical address of the publisher or advertiser is present. PO Box
addresses are acceptable in compliance with 16 CFR 316.2 and if the email is sent by a
third party, the legitimate physical address of the entity, whose products or services are
promoted through the email should be visible.
• A label is present if the content is adult.
Sending behavior compliance
• A message cannot be sent without an unsubscribe option.
• A message cannot contain a false header.
• A message should contain at least one sentence.
• A message cannot be null.
• Unsubscribe option should be below the message.
There are no restrictions against a company emailing its existing customers or anyone who has
inquired about its products or services, even if these individuals have not given permission, as
these messages are classified as "relationship" messages under CAN-SPAM. But when sending
unsolicited commercial emails, it must be stated that the email is an advertisement or a
marketing solicitation. Note that recipients who have signed up to receive commercial
messages from you are exempt from this rule.
If a user opts out, a sender has ten days to cease sending and can use that email address only
for compliance purposes. The legislation also prohibits the sale or other transfer of an e-mail
address after an opt-out request. The law also requires that the unsubscribe mechanism must
be able to process opt-out requests for at least 30 days after the transmission of the original
message.
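An outbound-mail compliance gate built from the unsubscribe, content and sending-behavior items above and the opt-out rules just described, added here as a Python example and not taken from the original notes. The sender domain, postal address, recipient and sample message are constructed, and the suppression list treats the 10-business-day window as an outer bound while blocking sends to an opted-out address immediately.

```python
# Added example: a compliance gate for outbound commercial e-mail, built from
# the checklist above. Not from the original notes; values below are constructed.
from datetime import date, timedelta
from email.message import EmailMessage
from typing import List

SENDER_DOMAIN = "example.com"                                    # constructed
PHYSICAL_ADDRESS = "1 Example Street, PO Box 100, Springfield"   # constructed
ADULT_LABEL = "SEXUALLY EXPLICIT"   # the label the text says the FTC settled on


def business_days_after(start: date, n: int) -> date:
    """Calendar date n business days (Mon-Fri) after start; holidays are ignored."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


class SuppressionList:
    """Opt-out list, used only for compliance and never as a mailing list."""

    def __init__(self):
        self._opt_outs = {}  # address -> date the opt-out request was received

    def record_opt_out(self, addr: str, received: date) -> None:
        # no fee and no extra data: the address and the date are all that is recorded
        self._opt_outs[addr.lower()] = received

    def status(self, addr: str, today: date) -> str:
        """'ok': may send. 'grace': opted out, inside the 10-business-day window
        (this sender stops at once anyway). 'past_deadline': sending now would
        exceed the window the Act allows for honoring the request."""
        received = self._opt_outs.get(addr.lower())
        if received is None:
            return "ok"
        return "past_deadline" if today > business_days_after(received, 10) else "grace"


def check_message(msg: EmailMessage, adult: bool, prior_relationship: bool) -> List[str]:
    """Return the content and sending-behaviour problems found (empty = compliant)."""
    problems = []
    if ("@" + SENDER_DOMAIN) not in msg.get("From", "").lower():
        problems.append("From line does not identify the real sender")
    subject = (msg.get("Subject") or "").strip()
    if not subject:
        problems.append("missing subject line")
    if adult and not subject.startswith(ADULT_LABEL):
        problems.append("adult content without the SEXUALLY EXPLICIT label")
    body = msg.get_content() if msg.get_content_type() == "text/plain" else ""
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    if not lines:
        problems.append("empty message body")
        return problems
    if PHYSICAL_ADDRESS.lower() not in body.lower():
        problems.append("no physical postal address")
    # the unsubscribe mechanism must exist and sit below the message itself
    if not any("unsubscribe" in ln.lower() for ln in lines[-3:]):
        problems.append("no unsubscribe mechanism below the message")
    if not prior_relationship and "advertisement" not in body.lower():
        problems.append("unsolicited message not identified as an advertisement")
    return problems


def build_message(subject: str, body: str) -> EmailMessage:
    """Constructed sample message sent from the advertiser's own domain."""
    msg = EmailMessage()
    msg["From"] = "Promotions <promo@example.com>"
    msg["To"] = "customer@example.net"
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


GOOD_BODY = """This advertisement is for our spring catalogue.
Order by Friday for free delivery.

Example Co., 1 Example Street, PO Box 100, Springfield
To unsubscribe, reply with the word unsubscribe in the subject line.
"""


def send_if_compliant(msg: EmailMessage, suppression: SuppressionList, today: date,
                      adult: bool = False, prior_relationship: bool = False) -> List[str]:
    """Gate run before every send; an empty list means the message may go out."""
    problems = check_message(msg, adult, prior_relationship)
    state = suppression.status(msg["To"], today)
    if state != "ok":
        problems.append("recipient opted out (" + state + ")")
    return problems
```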
Use of automated means to register for multiple e-mail accounts from which to send spam
compounds other violations. The Act prohibits sending sexually oriented spam without the label later
determined by the FTC of "SEXUALLY EXPLICIT." This label replaced the similar state
labeling requirements of "ADV: ADLT" or "ADLT."
CAN-SPAM makes it a misdemeanor to send spam with falsified header information. A host
of other common spamming practices can make a CAN-SPAM violation an "aggravated
offense," including harvesting, dictionary attacks, IP address spoofing, hijacking computers
through Trojan horses or worms, or using open mail relays for the purpose of sending spam.
Criminal offenses
Although according to the law, legitimate businesses and marketers should be conscientious
regarding the aspects mentioned above, there are misinterpretations and fraudulent practices
that are viewed as criminal offenses:
• Sending multiple spam emails with the use of a hijacked computer

• Sending multiple emails through Internet Protocol addresses that the sender represents
falsely as being his/her property.
• Trying to disguise the source of the email and to deceive recipients regarding the origins
of the emails, by routing them through other computers.
• Sending multiple spam emails via multiple mailings with falsified information in the
header
• Using various email accounts obtained by falsifying account registration information,
to send multiple spam emails.
Private Right of Action
CAN-SPAM provides a limited private right of action to Internet Access Services that have
been adversely affected by the receipt of emails that violate the Act; and does not allow natural
persons to bring suit. A CAN-SPAM plaintiff must satisfy a higher standard of proof as
compared with government agencies enforcing the Act; thus, a private plaintiff must
demonstrate that the defendant either sent the email at issue or paid another person to send it
knowing that the sender would violate the Act. Despite this heightened standard, private CAN-
SPAM lawsuits have cropped up around the country, as plaintiffs seek to take advantage of the
statutory damages available under the Act.
Overriding State Anti-Spam Laws
CAN-SPAM preempts (supersedes) state anti-spam laws that do not deal with false or
deceptive activity. The relevant portion of CAN-SPAM reads:
This chapter supersedes any statute, regulation, or rule of a State or political subdivision of a
State that expressly regulates the use of electronic mail to send commercial messages, except
to the extent that any such statute, regulation, or rule prohibits falsity or deception in any
portion of a commercial electronic mail message or information attached thereto.
Though this move was criticized by some anti-spam activists, some legal commentators praised
it, citing a heavily punitive California law seen as over broad and a wave of allegedly dubious
suits filed in Utah.
CAN-SPAM and the FTC
CAN-SPAM allows the FTC to implement a national do-not-email list similar to the FTC's
popular National Do Not Call Registry against telemarketing, or to report back to Congress
on why the creation of such a list is not currently feasible. The FTC soundly rejected this
proposal, and such a list will not be implemented. The FTC concluded that the lack of
authentication of email would undermine the list, and it could raise security concerns.
The legislation prohibits e-mail recipients from suing spammers or filing class-action lawsuits.
It allows enforcement by the FTC, State Attorneys General, Internet service providers, and
other federal agencies for special categories of spammers (such as banks). An individual might
be able to sue as an ISP if (s)he ran a mail server, but this would likely be cost-prohibitive and
would not necessarily hold up in court. Individuals can also sue using state laws about fraud,
such as Virginia's that gives standing based on actual damages, in effect limiting enforcement
to ISPs.
The McCain amendment made businesses promoted in spam subject to FTC penalties and
enforcement remedies, if they knew or should have known that their business was being
promoted using spam. This amendment was designed to close a loophole that allowed those
running affiliate programs to allow spammers to abuse their programs and encouraged such
businesses to assist the FTC in identifying such spammers.
Senator Corzine sponsored an amendment to allow bounties for some informants. The FTC has
limited these bounties to individuals with inside information. The bounties are expected to be
over $100,000 but none have been awarded yet.
Reaction
Those opposing spam greeted the new law with dismay and disappointment, almost
immediately dubbing it the "You Can Spam" Act. Internet activists who work to stop spam
stated that the Act would not prevent any spam — in fact, it appeared to give federal approval
to the practice, and it was feared that spam would increase as a result of the
law. CAUCE (Coalition Against Unsolicited Commercial Email) stated:
This legislation fails the most fundamental test of any anti-spam law, in that it neglects to tell
any marketers not to spam. Instead, it gives each marketer in the United States one free shot at
each consumer's e-mail inbox and will force companies to continue to deploy costly and
disruptive anti-spam technologies to block advertising messages from reaching their employees
on company time and using company resources. It also fails to learn from the experiences of
the states and other countries that have tried "opt-out" legal frameworks, where marketers must
be asked to stop, to no avail.
AOL Executive Vice President and General Counsel Randall Boe stated:
[CAN-SPAM] not only empowered us to help can the spam, but also to can the spammers as
well. ... Our actions today clearly demonstrate that CAN-SPAM is alive and kicking — and
we're using it to give hardcore, outlaw spammers the boot.
Advertising organizations such as the Data & Marketing Association (DMA) have sought to
weaken implementation of the law in various ways. These include lengthening the time for
honoring opt-outs from 10 business days to 31 calendar days, limiting the validity of opt-out
requests to no more than two to three years, and eliminating rewards to persons who assist
the Federal Trade Commission in enforcement of the act. The DMA has also opposed
provisions requiring the subject line of spam to indicate that the message is an advertisement.
Criminal enforcement
On February 16, 2005, Anthony Greco, 18, of Cheektowaga, New York, was the first person
to be arrested under the CAN-SPAM Act of 2003. After pleading guilty, he was sentenced in
a closed session.

Within a few months, hundreds of lawsuits had been filed by an alliance of ISPs. Many of these
efforts resulted in settlements; most are still pending. Though most defendants were "John
Does," many spam operations, such as Scott Richter's, were known.
On April 29, 2004, the United States government brought the first criminal and civil charges
under the Act. Criminal charges were filed by the United States Attorney for the Eastern
District of Michigan, and the FTC filed a civil enforcement action in the Northern District of
Illinois. The defendants were a company, Phoenix Avatar, and four associated individuals:
Daniel J. Lin, James J. Lin, Mark M. Sadek, and Christopher Chung of West Bloomfield,
Michigan. Defendants were charged with sending hundreds of thousands of spam emails
advertising a "diet patch" and "hormone products." The FTC stated that these products were
effectively worthless. Authorities said they face up to five years in prison under the anti-spam
law and up to 20 years in prison under U.S. mail fraud statutes.
On September 27, 2004, Nicholas Tombros pled guilty to charges and became the first
spammer to be convicted under the CAN-SPAM Act of 2003. He was sentenced in July 2007 to
three years’ probation, six months house arrest, and a fine of $10,000.
On April 1, 2006, Mounir Balarbi, of Tangier, Morocco, was the first person outside the United
States to have an arrest warrant validated under the CAN-SPAM Act of 2003. Mounir's trial
was held in absentia, and he was sentenced in a closed session.
On January 16, 2006, Jeffrey Goodin, 45, of Azusa, California, was convicted by a jury
in United States district court in Los Angeles in United States v. Goodin, U.S. District Court,
Central District of California, 06-110, under the CAN-SPAM Act (the first conviction under
the Act), and on June 11, 2007, he was sentenced to 70 months in federal prison. Out of a
potential sentence of 101 years, prosecutors asked for a sentence of 94 months. Goodin was
already detained in custody, as he had missed a court hearing.
As of late 2006, CAN-SPAM has been all but ignored by spammers. A review of spam levels
in October 2006 estimated that 75% of all email messages were spam, and the number of spam
emails complying with the requirements of the law was estimated to be 0.27% of all spam
emails. As of 2010, about 90% of email was spam.
On August 25, 2005, three people were indicted on two counts of fraud and one count of
criminal conspiracy. On March 6, 2006, Jennifer R. Clason, 33, of Raymond, New Hampshire,
pled guilty and was to be sentenced on June 5, 2006. She faced a maximum sentence of 5 years
on each of the three counts and agreed to forfeit money received in the commission of these
crimes. On June 25, 2007, the remaining two were convicted of spamming out millions of e-
mail messages that included hardcore pornographic images. Jeffrey A. Kilbride, 41, of Venice,
California, and James R. Schaffer, 41, of Paradise Valley, Arizona, were convicted on eight
counts in U.S. District Court in Phoenix, Arizona. Both were sentenced to five years in prison
and ordered to forfeit $1,300,000. The charges included conspiracy, fraud, money laundering,
and transportation of obscene materials. The trial, which began on June 5, was the first to
include charges under the CAN-SPAM Act of 2003, according to the Department of Justice.
The specific law that prosecutors used under the CAN-SPAM Act was designed to crack down
on the transmission of pornography in spam. Two other men, Andrew D. Ellifson, 31,
of Scottsdale, Arizona, and Kirk F. Rogers, 43, of Manhattan Beach, California, also pled
guilty to charges under the CAN-SPAM Act related to this spamming operation. Both were
scheduled to be sentenced on June 5, 2006, in Phoenix. After sentencing, Ellifson received a
presidential pardon from President Obama.
Civil enforcement
In July 2005, the Federal Trade Commission lodged civil CAN-SPAM complaints against nine
companies alleging that they were responsible for spam emails that had been sent by them or
by their affiliates. Eight of the nine companies, Cyberheat of Tucson, Arizona, APC
Entertainment, Inc., of Davie, Florida, MD Media, Inc., of Bingham Farms, Michigan, Pure
Marketing Solutions, LLC, of Tampa, Florida, TJ Web Productions, LLC, of Tampa, Florida,
and BangBros.com, Inc., RK Netmedia, Inc., and OX Ideas, Inc., LLC, of Miami,
Florida entered stipulated consent decrees. Impulse Media Group, Inc. of Seattle, Washington,
represented by CarpeLaw PLLC, defended the case brought against it.
The Department of Justice asserted that the CAN-SPAM statute imposed strict liability on
producers such as Impulse Media for the actions of its non-agent, independent-contractor
affiliates. However, the two courts to consider that argument rejected the DOJ's contention. In
March 2008 the remaining defendant, Impulse Media Group, went to trial. At trial, it was
determined that IMG's Affiliate Agreement specifically prohibited spam bulk-email and that if
an affiliate violated that agreement, it would be terminated from the program. In fact, several
affiliates had been terminated for that very reason. After a 2½ day trial, the jury retired to
determine whether Impulse Media should be held liable for the bad acts of its affiliates. Three
and one-half hours later, the jury returned with a verdict that IMG was not liable and that the
emails were the fault of the affiliates.
In March 2006, the FTC obtained its largest settlement to date—a $900,000 consent decree
against Jumpstart Technologies, LLC for numerous alleged violations of the CAN-SPAM
Act. However, the FTC has never prevailed at trial with its theory of strict liability.
Analyse Privacy Policies
Opt-In vs. Opt-Out
What is an Opt-In?
Opt-in is an affirmative action the user takes to allow you to process their personal data. In a
legal sense, opt-in means that the user needs to take affirmative action to opt into your
processing of their data. If the user doesn’t opt to provide their data for processing purposes,
you must not process it. If the user consents to the data processing, you may proceed.
Otherwise, you must not collect or process their data.
For example, when you use cookies on your website, including functionality or advertising
cookies that collect personal data, the opt-in approach requires you to ask for consent before
firing the cookies. Usually, that will be when a user lands on your website for the first time.
When you do email marketing, opt-in means that the data subject has agreed to receive your
newsletter. You cannot send emails to the user's account if they haven't opted in to receive
them.
Moreover, the opt-in must be valid. It is valid if it meets the requirements set by the law. In the
case of consent obtained under the GDPR, it must be freely given, specific, informed,
and unambiguous. Otherwise, it doesn't count as an opt-in.
Aside from interacting with the cookie banner, users can opt in in other ways too. Some
common opt-in methods include cookie consent banners, checkboxes for receiving emails, opt-
in boxes, and others. Sometimes users leave their personal information to have a product
delivered to their home; sometimes they want to be contacted by customer support, sometimes,
they want to receive a freebie from the business.
There are many ways to opt in, but one thing is common to all of them: the business must not
use personal data before the opt-in.
Opt-Out
Opt-out is the user’s act of indicating that they don’t want their data processed anymore.
The opt-out assumes that you process some of their data, and they tell you that they don’t want
you to do it in the future.
That may include restriction of processing, withdrawal of previously given consent, deletion
of personal data, prevention of sales of personal data, or any other action that prevents the data
controller, i.e., the business, from doing anything with the personal data they have collected or
processed previously.
Opting out is present in all the data protection laws worldwide, even those that rely on the opt-
in principle. Whenever a business processes personal data, it must provide the user with
opt-out request options. Some businesses rely on legitimate interests, others do direct
marketing in compliant ways, and in such cases some personal data may be processed without opt-in.
However, they must provide data subjects with an opportunity to submit opt-out requests, such
as an unsubscribe link or another method.
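The opt-in and opt-out rules above can be made concrete as a small consent ledger. This is an added example, not code from the original notes: the class and method names, the purpose table and the legal-basis labels are hypothetical, and the four validity tests are the GDPR ones the text lists (freely given, specific, informed, unambiguous). A "legitimate interest" purpose may be processed without opt-in but must still stop after an opt-out, as the notes require.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Legal basis per processing purpose (constructed example table).
# "consent" purposes may be processed only after a valid opt-in;
# "legitimate_interest" purposes may be processed without one but
# must still honour an opt-out, as the notes above state.
PURPOSE_BASIS = {
    "advertising_cookies": "consent",
    "newsletter": "consent",
    "order_delivery": "consent",
    "fraud_prevention": "legitimate_interest",
}

class InvalidOptIn(ValueError):
    """A claimed opt-in that fails the GDPR validity tests does not count."""

@dataclass
class OptIn:
    purpose: str
    affirmative_action: bool   # user ticked the box / clicked "Accept"
    notice_shown: bool         # privacy or cookie notice was presented
    pre_ticked: bool = False   # default-on checkbox is not an affirmative act
    bundled: bool = False      # consent demanded as a condition of service

@dataclass
class ConsentLedger:
    opted_in: dict = field(default_factory=dict)   # user -> purposes consented to
    opted_out: dict = field(default_factory=dict)  # user -> purposes refused/withdrawn
    log: list = field(default_factory=list)        # audit trail of every change

    @staticmethod
    def validate(opt_in: OptIn) -> None:
        """Apply the four tests: freely given, specific, informed, unambiguous."""
        if opt_in.purpose not in PURPOSE_BASIS:
            raise InvalidOptIn("not specific: unknown purpose %r" % opt_in.purpose)
        if not opt_in.notice_shown:
            raise InvalidOptIn("not informed: no notice was shown")
        if opt_in.pre_ticked or not opt_in.affirmative_action:
            raise InvalidOptIn("not unambiguous: no affirmative action by the user")
        if opt_in.bundled:
            raise InvalidOptIn("not freely given: consent was bundled with the service")

    @classmethod
    def is_valid(cls, opt_in: OptIn) -> bool:
        try:
            cls.validate(opt_in)
            return True
        except InvalidOptIn:
            return False

    def record_opt_in(self, user: str, opt_in: OptIn) -> None:
        self.validate(opt_in)  # an invalid opt-in is never recorded
        self.opted_in.setdefault(user, set()).add(opt_in.purpose)
        self.opted_out.get(user, set()).discard(opt_in.purpose)  # renewed consent
        self._log(user, "opt-in", opt_in.purpose)

    def record_opt_out(self, user: str, purpose: str) -> None:
        """Unsubscribe link, 'do not sell', withdrawal of consent: all land here."""
        self.opted_out.setdefault(user, set()).add(purpose)
        self.opted_in.get(user, set()).discard(purpose)
        self._log(user, "opt-out", purpose)

    def may_process(self, user: str, purpose: str) -> bool:
        """Gate every use of personal data (setting a cookie, sending mail) on this."""
        if purpose in self.opted_out.get(user, set()):
            return False  # an opt-out wins regardless of legal basis
        if PURPOSE_BASIS.get(purpose) == "legitimate_interest":
            return True   # allowed without opt-in, but only until an opt-out
        return purpose in self.opted_in.get(user, set())

    def _log(self, user: str, action: str, purpose: str) -> None:
        self.log.append((datetime.now(timezone.utc).isoformat(), user, action, purpose))
```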
What’s the Difference: Opt-In vs. Opt-Out
Users can act to either offer (opt-in) or withdraw (opt-out) their consent. Find out the
differences here.
Opt-in and opt-out are some of the most common expressions used in data protection. But what
exactly do they mean? To start, they come in many forms and with multiple meanings.
Opt-in and opt-out are approaches to data privacy on which the two main trends in data
protection laws are based. They describe internet users’ actions concerning their personal data
when accessing a website or an app, such as accepting cookies, requesting to be forgotten,
and so on.
This may sound abstract, but let’s break it down so you can better understand the terms ‘opt-
in’ and ‘opt-out’ and what these mean for your business.
First, we will explain the differences between the two approaches to data protection. This will
help us understand the importance of opt-in and opt-out in your business’s everyday
operations.
You need to comply with the data protection laws of the country where your business is located,
and the data protection laws where your users come from. That’s why most online businesses
need to comply with more than one data privacy law: they never know where the next user
may come from.
International Impact on Privacy Policies
The international privacy laws for data protection follow, or are guided by, the five global
privacy principles of:
1. Notice – advising users, visitors, and readers of the policies in place to protect
personal information.
2. Choice and consent – providing people with choices and consent around the use,
storage, management, and collection of personal information.
3. Access and participation – ensuring the information is accessed and used by the correct
people within the right security protocols.
4. Integrity and security – ensuring that the data is secure and that there is no unauthorised
access.
5. Enforcement – ensuring that the service, site, solution, and platform are aligned with
some form of regulation that enforces compliance.
What are the Benefits of International Privacy Regulation?
In 2018, the General Data Protection Regulation (GDPR) broke ground as the most forward-
thinking and extensive legal provision for the protection of personal data and its ongoing
security.
This law is an international privacy law for data protection that impacted any organisation that
processed any personal data (including biometrics) from any EU citizen.
It set the standard and has shaped the trends that dominate this sector today.
Data protection focuses on protecting data and information from both internal and external
threats. It mitigates the risks of fraud, compromise, and corruption, and protects the individual.
As the amount of data being stored and created continues to increase exponentially, stronger
data protection has become critical and indispensable.
This has driven international data protection laws, which offer the following benefits:
1. Valuable data is protected from leaks, loss, and theft.
2. Companies can increase confidence from the public, investors, and customers.
3. Brand value is inherent and implicit in a robust policy and framework.
4. Good governance improves a company’s competitive advantage.
5. Improvements in automation, digitisation, and innovation due to business process
transformation.
6. Increased trust and credibility across multiple markets and customers.
7. Deeper understanding of the data, its value, and the benefits it offers.
8. Improved data management and control, resulting in improved innovation and
transformation.
Legality and Ethics of Spyware and Other Malware
Before discussing spyware laws, we must first understand the meaning of “spyware,” and how
it can be used. Spyware is a type of software that is specifically designed to gather information
about an individual or organization without their knowledge. It can be installed on a computer
or mobile device and can collect a variety of information, including internet browsing history,
login credentials, and the contents of private conversations and messages. Spyware can be used
for legitimate purposes, such as monitoring the usage of company-owned devices or tracking
the location of a missing phone. However, it can also be used illegally, such as to steal sensitive
information or invade an individual’s privacy.
There are many different types of spyware, including keyloggers, which record everything a
person types on their device; tracking cookies, which follow a person’s internet usage; and
screen capture software, which takes periodic screenshots of a device’s screen. Spyware can
be delivered through a variety of means, including email attachments, malicious websites, and
infected software downloads.
Legal Considerations for Spyware
Spyware laws and the accompanying legal issues are complex and often depend on the specific
circumstances of its use. In many cases, the use of spyware is illegal because it violates an
individual’s privacy. For example, it is illegal to install spyware on someone else’s device
without their knowledge or consent. However, there are also cases where the use of spyware
may be legal, such as when it is used by law enforcement agencies as part of a criminal
investigation.
One federal law that addresses the issue of spyware is the Stored Communications Act (SCA).
The SCA is a part of the Electronic Communications Privacy Act (ECPA) and is designed to
protect the privacy of electronic communications, including emails, text messages, and other
types of digital communication. The SCA prohibits the unauthorized access to, or disclosure
of, stored electronic communications, as well as the unauthorized interception of electronic
communications in transit.
Under the SCA, it is illegal to access someone’s electronic communications without their
permission, unless you are the service provider or have a valid legal reason for doing so. This
means that it is illegal to install spyware on someone’s device or access their electronic
communications without their knowledge or consent.
There are several exceptions to the SCA’s prohibition on unauthorized access to electronic
communications. For example, the SCA allows law enforcement agencies to intercept
electronic communications with a court order or warrant. It also allows service providers to
access customer communications to maintain their systems or protect against fraud or other
illegal activity.
In addition to the SCA, there are also state laws that address this issue. These laws vary from
state to state and may have different definitions of what constitutes spyware and what is
considered illegal activity. Some states have laws specifically targeted at spyware, while others
address it under more general computer crime laws.
Privacy vs. Civil Liberties
The Department of the Interior (DOI) is committed to protecting the privacy, civil liberties,
and other legal rights of the American people to the greatest extent possible consistent with the
DOI mission and operational requirements for the collection, use and sharing of protected
information in the information sharing environment (ISE). DOI fulfils this responsibility
through policy, monitoring, training, and oversight of the Department’s privacy and civil
liberties operations to ensure compliance with federal statutory and policy requirements.
DOI issued the DOI Privacy Policy for the Information Sharing Environment to ensure the
protection of individual privacy while meeting the goal of enhanced information sharing in
accordance with the Intelligence Reform and Terrorism Prevention Act of 2004, the Privacy
Act of 1974, the E-Government Act of 2002, the Information Sharing Environment (ISE)
Privacy Guidelines, and related laws and policies.
As a participant in the ISE, DOI is required to provide redress in a manner that is compatible
with legal authorities and mission requirements to individuals whose privacy, civil rights or
civil liberties may have been affected in the ISE. This includes complaints related to privacy,
civil rights and civil liberties protected by the U.S. Constitution or other laws, including
complaints alleging racial, ethnic, or religious profiling, or retention of information that has
been expunged or determined to have been illegally collected. Redress inquiries will be
investigated, and erroneous information or deficiencies will be corrected to ensure data
integrity and protections for individual privacy, civil rights and civil liberties. DOI uses
existing procedures for complaints or requests to amend records that implicate protected
information, which are outlined in the DOI Privacy Act regulations at 43 CFR 2.246, in
accordance with the Privacy Act of 1974, 5 U.S.C. § 552a, and the DOI ISE Privacy Policy.
Individuals may submit a complaint or a request to correct erroneous information in writing to:
DOI ISE Privacy Official
U.S. Department of the Interior
1849 C Street NW
Room 7112
Washington, DC 20240
A request to amend or correct records must be submitted in writing and be signed by the
requesting individual, must meet the requirements of 43 CFR 2.246, and include the following
information:
• Name
• Address
• Phone number(s) (indicate if a voicemail may be left at this number)
• Email address
• Contact information of any other person(s) representing the individual.
• The request must specifically identify the record(s) to be amended.
• The request must provide in detail reasons why the individual believes the record is not
accurate, relevant, timely or complete; and must be accompanied by copies of
documents or evidence in support of the request.
• The request must specify in detail the requested changes to the record; and must include
proposed language if the change involves rewriting the record or adding new language
to the record.
RFID (Radio Frequency ID) Issues
Radio Frequency Identification (RFID) refers to a wireless system composed of two
components: tags and readers. The reader is a device that has one or more antennas that emit
radio waves and receive signals back from the RFID tag. Tags, which use radio waves to
communicate their identity and other information to nearby readers, can be passive or active.
Passive RFID tags are powered by the reader and do not have a battery. Active RFID tags are
powered by batteries.
RFID tags can store a range of information from one serial number to several pages of data.
Readers can be mobile so that they can be carried by hand, or they can be mounted on a post
or overhead. Reader systems can also be built into the architecture of a cabinet, room, or
building.
Uses
RFID systems use radio waves at several different frequencies to transfer data. In health care
and hospital settings, RFID technologies include the following applications:
• Inventory control.
• Equipment tracking.
• Out-of-bed detection and fall detection.
• Personnel tracking.
• Ensuring that patients receive the correct medications and medical devices.
• Preventing the distribution of counterfeit drugs and medical devices.
• Monitoring patients.
• Providing data for electronic medical records systems.
The FDA is not aware of any adverse events associated with RFID. However, there is concern
about the potential hazard of electromagnetic interference (EMI) to electronic medical devices
from radio frequency transmitters like RFID. EMI is a degradation of the performance of
equipment or systems (such as medical devices) caused by an electromagnetic disturbance.
Information for Health Care Professionals
Because this technology continues to evolve and is becoming more widely used, it is important to keep
in mind its potential for interference with pacemakers, implantable cardioverter defibrillators
(ICDs), and other electronic medical devices.
Physicians should stay informed about the use of RFID systems. If a patient experiences a
problem with a device, ask questions that will help determine if RFID might have been a factor,
such as when and where the episode occurred, what the patient was doing at the time, and
whether the problem resolved once the patient moved away from that environment. If you
suspect that RFID was a factor, device interrogation might be helpful in correlating the episode
to the exposure. Report any suspected medical device malfunctions to MedWatch, FDA’s
voluntary adverse event reporting system.
FDA Actions
The FDA has taken steps to study RFID and its potential effects on medical devices including:
• Working with manufacturers of potentially susceptible medical devices to test their
products for any adverse effects from RFID and encouraging them to consider RFID
interference when developing new devices.
• Working with the RFID industry to better understand where RFID can be found, what
power levels and frequencies are being used in different locations, and how to best
mitigate potential EMI with pacemakers and ICDs.
• Participating in and reviewing the development of RFID standards to better understand
RFID’s potential to affect medical devices and to mitigate potential EMI.
• Working with the Association for Automatic Identification and Mobility (AIM) to
develop a way to test medical devices for their vulnerability to EMI from RFID
systems.
• Collaborating with other government agencies, such as the Federal Communications
Commission (FCC), the National Institute for Occupational Safety and Health (NIOSH)
and the Occupational Safety and Health Administration (OSHA) to better identify
places where RFID readers are in use.