Privacy Trends

00 01 02 03 04 05 06 07 08 09 10 11 12 Privacy and Security

Privacy Trends

It’s critical that we step back and assess the significance of these attacks in their full context. This is not ‘espionage as usual,’ even in the digital age. Instead, it represents an act of recklessness that created a serious technological vulnerability for the United States and the world. In effect, this is not just an attack on specific targets, but on the trust and reliability of the world’s critical infrastructure in order to advance one nation’s intelligence agency. While the most recent attack appears to reflect a particular focus on the United States and many other democracies, it also provides a powerful reminder that people in virtually every country are at risk and need protection irrespective of the governments they live under.

— Brad Smith, president, Microsoft (in response to the FireEye hack)

Misinformation Moats

Mid-future optimistic scenario Pervasive hacking and threats of cyberwarfare inspire a new wave of cybersecurity solutions. Borrowing from tactics used in national elections, cybersecurity companies design strategic layers of misinformation to protect their clients’ intellectual property. These moats lie just inside firewalls and act as a second barrier against hackers. Misinformation moats are filled with bad data, misleading information, and even malicious software. When hackers access the moat, they think they’ve found what they’re looking for, leaving the true payload protected.

Cybersecurity Terms Every Executive Should Know

Access control Authentication Botnet Brute force attack Crypto A selective restriction that controls A verification process that confirms A botnet is a group of computers that This type of attack is a laborious, me- Cryptography (or “crypto”) is the art what data users and user groups can the identity of a user based on specific are being controlled by a third party, thodical process where a hacker uses and science of encrypting data—as access, see, share, and edit. information. and are being used for any number software to automatically guess every well as breaking encryption. (The of nefarious purposes. For example, password it can to gain unauthorized term is also used as shorthand for the Adware Backdoor malware installed on your computer entry into a network or computer. cryptocurrency market and its various Software that automatically generates Developers intentionally install back- can run undetected in the background tokens.) online ads; it can also include spyware doors into firmware so that manufac- while hackers use your machine as part Bug that tracks your browsing habits. It’s turers can safely upgrade our devices of a large spamming network. A flaw or problem in a program that CxO spoofing because of adware that many people are and operating systems. The challenge is can be harmless or might allow hackers Cybercriminals digitally impersonate a turning to ad blocking software. that backdoors can also be used surrep- Breach to exploit a system. company’s executive leadership team to titiously to access everything from our The moment a hacker gains access to a gain access to IP, data, or other sensitive Air gap webcams to our personal data. device or network via a vulnerability. Cloud information. A system that is physically separated Data storage or computing services that and isolated from all other computers, Black hat Bring Your Own Device (BYOD) are accessed using remote servers. Cyberattack networks, and the internet. A malicious hacker; someone who A policy that authorizes employees to An attempt by a bad actor to gain access hacks for personal gain. use their own devices on the company Cookie to a computer system, device, or net- Anonymous network or to access company data. A small file sent from your comput- work for the purpose of collecting data, A collective of hackers, best known Bot er’s web browser to a server. Cookies monitoring activity, or causing damage. for its use of the Guy Fawkes mask and Bots are automated programs that Browser hijacking help websites recognize you when you distributed denial-of-service (DDoS) perform a simple task. Some—simple This attack changes a user’s default return, and they also help third parties Dark web attacks. Anonymous typically uses the chatbots, for example—are complete- homepage and search engine without track their audience. Encrypted networks that are not hashtag #Ops when announcing a new ly harmless. Other bots can be pro- permission, often in order to gain clicks easily accessible by outsiders. Users are campaign. Past ops included a take- grammed to repeatedly guess passwords to websites for ad revenue or to inflate Cracking anonymized. Illegal activities are often down of the Church of Scientology and so that a hacker can break into a a page’s ranking. A basic term that describes breaking carried out on the dark web, such as the Westboro Baptist Church. website. into a security system. Anyone “crack- selling company data. ing” a system is doing so maliciously.

Cybersecurity Terms Every Executive Should Know

Data leakage Doxing Exploit InfoSec Man-in-the-middle (MitM) attacks The unauthorized access of information When hackers root out and publish The general term for leveraging a vul- An abbreviation for “information secu- This occurs when a hacker imperson- resulting in leaks, theft, or loss. personally identifying information nerability in a piece of code, software, rity,” InoSec can refer to the companies ates a trusted connection in order to about someone online. hardware, or a computer network. and professionals who work within steal data or information or to alter Denial-of-service attack (DoS) cybersecurity. communications between two or more This is when a hacker sends so many Dump Firewall people. These are especially common in requests to a website or network that The term for a trove of data released by A system of software and hardware Jailbreak businesses. the traffic temporarily overwhelms the hackers. that’s designed to prevent unautho- A way of removing the restrictive servers, and the site or network goes rized access to a computer or computer manufacturer’s code from a device so Metadata down. Dumpster diving network. that you can reprogram it to function as This is the data that explains what’s Hackers search through garbage look- you desire. in another set of data, such as a JPEG Digital certificate ing for information that will help with Hacker photo, email, or webpage. These authenticate and approve the an exploit. Organizations and individu- This term means different things to Keys identity of a person, organization, or als who don’t consistently use a shred- different people. People who tinker The code that, just like a physical key, is Password managers service. der are particularly vulnerable to this with code, to purposely manipulate it, used to lock or unlock a system, en- These third-party tools let you remem- method. are hackers. Some are good, and some crypted message, or software. ber one master password to unlock a Distributed denial-of-service are bad. In popular culture, “hacker” database of all your other passwords. attack (DDoS) Encryption has taken on an reductive, distinctly Malware You can still use a completely different This is a DoS using a battalion of ma- Using special code or software to scram- negative connotation. Any software program that’s designed password for every site and service chines. ble data so that it cannot be read by a to manipulate a system, by stealing in- you use. While password managers third party, even if it is intercepted. Hacktivist formation, augmenting code, or install- are a good idea in theory, many are DNS hijacking Someone who hacks for social or politi- ing a rogue program. Rootkits, keylog- cloud-based. If a hacker gains access to This attack changes a computer’s set- End-to-end encryption cal reasons. gers, spyware, and everyday viruses are your password manager, you’re in big tings to ignore a domain name system When an encrypted message is scram- examples of malware. trouble. So, if you do use one, make sure (DNS) or to use a DNS that’s controlled bled on both ends, as it is sent and again Honeypot to use a complicated password at least by malicious agents. as it is received. A system or network designed to look 36 characters long with lots of special like a high-value target but instead characters, numbers, and capital letters. built to attract hackers, watch their work, and learn from their techniques.

Cybersecurity Terms Every Executive Should Know

Patch Plaintext Rootkit Spoofing Vulnerability An after-market fix to address techno- This is text without any formatting. Rootkits are malware designed for root In general, any time data is changed A weakness in computer software that logical vulnerabilities. In the context of cybersecurity, it also access. Often undetected, rootkits start to mimic a trusted source, it’s being hackers can exploit for their own gain. refers to text that isn’t encrypted. running when you start your comput- spoofed. Changing the “from” section Penetration testing er, and they stay running until you turn or header of an email to make it look White hat The practice of trying to break into Ransomware your machine off. as though it was sent by someone else Not all hackers are bad. White hat your own computer or network, in or- This is malware that allows a hacker to is an example of spoofing. Hackers hackers work on highlighting vulner- der to test the strength of your security. break into your computer or network Screen Scraper spoof emails by impersonating people abilities and bugs in order to fix them and then take away your access until A device or virus that captures private you know and then launch phishing and protect users. PGP (Pretty Good Privacy) you pay a specified fee or perform a or personal data by logging information attacks. You may have seen PGP numbers certain action. that is sent to a visual display. Worm showing up in Twitter and Facebook Verification Worms are a certain kind of invasive bios. PGP is a basic method of encrypt- RAT (Remote Access Tool) Social Engineering Ensuring that data, and its originators, malware that spreads like a virus. ing email (and other data). In order RATs are Remote Access Tool. If you’ve An attack that manipulates users into are authentic. to receive and read the message, your used a remote login service to access performing specific actions or divulg- Zero-day exploits intended recipient must use a private your office computer while away from ing personal or account information. Virtual private networks (VPNs) In the hacking community, zero-days key to decode it. work, you’ve used a RAT. But RATs These threats are common in compa- VPNs use encryption to create a pri- (also written as “0day”) are prized tools can be malicious, too; just imagine a nies and often result in data breaches. vate channel for accessing the internet. because they are undisclosed vulnera- Phishing hacker using a RAT to take over your They are necessary when connecting bilities that can be exploited. Once the We’ve all seen a phishing attack at least workstation. Spearphishing to public networks, including those at flaw is revealed, programmers have once. They usually come in the form of A more targeted form of phishing to airports, hotels, and coffee shops. zero days to do anything about it. an email from a trusted contact. Once Root smaller groups, typically within social you open the message or attachment, The root is the central nervous system networks or work environments. Virus Zombie your computer, your data, and the of a computer or network. It can install Malware intended to steal, delete, or A computer, connected device, or net- network you’re on become vulnerable new applications, create files, and delete ransom your files. Mimicking the flu, work that’s been infected by malware to attack. user accounts, among other things. this type of malware spreads, quite and is now being used by the hacker, Anyone with root access has ubiquitous literally, like a virus. probably without the primary user’s and unfettered access. knowledge.

Application

STRATEGY INNOVATION R & D RISK

Privacy and security are not issues Those who work in innovation have a Privacy and security should be top of Cyber espionage is a growing threat, specific to the CIO, CTO, CISO, or IT unique set of skills that could aid in a mind among R&D teams, but within and successful companies are clear departments. How companies collect, company’s approach to privacy and many companies, R&D units struggle targets: Criminals want to steal valu- use, and store data; the technology security. One of the biggest challenges to keep pace with the changing tech- able IP from the world’s best business- acquisitions business units make; the faced by companies is that they do nology landscape. This results in pet es. Chief risk management officers vendors and partners selected; and not think creatively about adversaries projects taking up too much time, even and those who work in risk-related investments made in security all affect or next-order outcomes. For example, when they don’t lead to desired re- positions can play a critical role in pro- the future of a company. Responsi- before a company launches a new sults—or moving too quickly on projects tecting a company’s most important bilities should be shared across the product, it would be useful to host a without considering their security or assets by championing data auditing, organization, as the evolving nature of workshop to deeply investigate all of privacy implications. The cadence of promoting proper data governance security and privacy directly impact the possible ways the product could R&D teams must be adjusted to ac- and management, and advocating for corporate strategic initiatives in a vari- unintentionally cause harm—or bring commodate emerging privacy and a risk-driven approach in departments ety of areas, like digital transformation, harm to the business. security considerations. that rely on data. growing operating income, internation- al expansion, and more. Nearly every aspect of a chief strategy officer’s work intersects with privacy and security.

Key Questions We recommend using this report to support your strategic foresight activity in the coming year. Every executive team should begin by asking these questions about security and privacy:

1 2 3

Is our company’s board What parts of our Will our current of directors briefed business make us a approach to data regularly by our CISO? target for attacks? collection, storage, encryption (and, if Is our board fully When was the last time applicable, reselling) engaged in issues we audited the systems cause future problems? ? related to privacy and that keep those parts of cybersecurity? our business safe? What assumptions must hold true for our current strategy to succeed?

How will we make needed changes?

Selected Sources

https://world-at-home.tanium.com/ https://www.commerce.senate. gov/2018/9/examining-safe- https://msrc-blog.microsoft. guards-for-consumer-data-privacy com/2020/12/13/customer-guid- ance-on-recent-nation-state-cyber-at- https://news.bloomberglaw.com/pri- tacks/ vacy-and-data-security/tech-giants- tell-congress-they-back-privacy-lawin- https://www.csis.org/programs/stra- theory-1-1/ tegic-technologies-program/signifi- cant-cyber-incidents

https://googleprojectzero.blogspot. com/

https://www.pewresearch. org/internet/2019/11/15/ameri- cans-and-privacy-concerned-con- fused-and-feeling-lack-of-control-over-their-personal-information/

https://public.tableau.com/en-us/gal- lery/staying-cyber-secure-while-work- ing-home