Security and Privacy


“Security and Privacy Are Not As Different As People Think”
How we're dramatizing a distinction that serves no purpose, and introducing unneeded complexity in the process. S.B

There’s a common belief in the InfoSec community that Security and Privacy are related, but that they’re different enough to constantly mention the distinction.
I don’t think the difference should matter much to defenders, and in fact, if you look closely enough the distinction nearly vanishes. They are simply different aspects of the unified goal of protecting information.
Security and Privacy are both about preventing unwanted outcomes related to data.
As a society and as consumers we care about controlling who has our information, and we try to make sure those trusted vendors do the right thing with it. That’s privacy in a consumer or public context. But as a security professional—or as a security organization within a company—you are already being exposed to people’s data. The focus at that point is on doing your absolute best to make sure nobody collects or uses it in a way that’s not desirable.
And in that context, there is little difference at all between Privacy and Security. In both cases, you’re trying to avoid bad things happening to the data you’re protecting.
Let’s look at some scenarios to see what I mean.
Consumer risks

| Concern | Defense |
|---|---|
| A mobile app shares your sensitive data with a third party | You don’t give them your data |
| Your router gets hacked and it collects passwords and gives them to an attacker | You update your router or buy another brand |
| Your home security system has a cloud vulnerability that lets anyone see through your home cameras | You update your router or buy another brand |
| Your workout app shares your location with unscrupulous third parties | You complain on Twitter and they change their policy |

And now some scenarios that security people might face.
Security professional risks

| Concern | Defense |
|---|---|
| Someone puts your customers’ data in a public-facing database with no password | You make a policy saying people can’t do that anymore |
| An admin gets phished and an attacker installs malware that extracts customer data from an internal database | You update your phishing and endpoint defenses |
| Someone compromises a public-facing web application and steals customer data using SQLi | You install a WAF and start doing secure coding |
| China launches an APT campaign against you and steals a million documents full of your customers’ intellectual property | You install more detection and response mechanisms |

Think about how these scenarios are the same and how they’re different. In my mind, they’re all basically the same—i.e., both the consumer and the professionals are trying to prevent unauthorized people from gaining access to data they care about protecting.
That’s Privacy, and it’s also Security.
As it turns out, the etymology of the word Security is quite informative. It comes from Latin: “Se” means without, and “Cura” means worry or concern. So providing Security for your people means they’re free to play and work and enjoy life without constantly looking over their shoulder.
The word Security breaks down as “se” and “cura”, which is Latin for “without worry”.
Without Worry is the most attractive description of the goal of security I’ve ever heard, and it applies equally to both Privacy and InfoSec. It also allows us to reduce the discussion to first principles.
  1. There are people and organizations.
  2. They have data they care about.
  3. They want to control how that data is collected, used, and protected.
  4. As security professionals, it’s our job to carry that out.
That’s it.
We’ve just described “Data Security”. We’ve just described “InfoSec”. And we’ve also just described protecting people’s Privacy.
All these concepts reduce to avoiding negative outcomes with regard to data we’re trying to protect, so let’s stop drawing thick and sharp lines between them when there’s no reason to do so.
Sawan Bhan
Information Security Aspirant
SCIT (MBA-ITBM)