Among the most powerful and pervasive products of these processes are the concepts of knowledge, information, and the accessibility, transmission, and passing-on of said knowledge and information to contemporaries and succeeding generations alike. The label we humans have given to this is Information Technology (IT) and its most obvious manifestation in our world today is The Internet.

The benefits and freedoms delivered by these technologies and the technologies are as with everything else in the universe, susceptible to damage, degradation, or destruction from a host of very diverse threats. The securing our information technologies is attainable by way of protection of information assets via technology, processes, and training.

It is these threats, risks, vulnerabilities, impacts and counter-measures involved with Information Technology security that we are investigating.

Concepts

• Entity - That which exists or is perceived to exist
• Attack - The direct or indirect; real or perceived, consequences and effects of action(s) perpetrated by one or more entities with the intent to intrude, compromise, degrade, control, or adversely affect; either directly or indirectly, the assets, prerogatives, freedoms and rights of one or more other entities; generally with deliberate malicious intent, manner or purpose
• Security - The state of being safe, protected, and free from worry about possible loss by the assurance that something of value will not be taken away, degraded, or threatened in any manner by attack from without or subversion from within
• Security Measures - The precautions taken to defend, maintain or improve the safety and sanctity of an entity(s) (somebody or something) from attack, danger, or crime be they potential or real
• Security Goals - The predefined targeted levels of protection, precautions, or defensive strategies deemed to be "adequate` and/or "appropriate` for specific 'real world` scenarios. Thus, security goals will vary considerably from one entity to the next but all will have a commonality of providing acceptable, predefined level(s) of security assurance in conjunction with an element of acceptable exposure(s) usually weighted by economic factors such as cost effectiveness.
• Security Policy - A set(s) of organisation-level rules governing acceptable usage of such criteria as, Information Technology Resources, Acceptable Security Practices, Acceptable Operational Procedures, Best Practices Guidelines etc
• Threat - Any entity possessed with the deliberate intent to cause hazard, harm, degradation or unsolicited action to the disadvantage, peril or jeopardy of another entity or asset
• Vulnerability - That which is potentially susceptible to attack by a threat(s)
• Exploit - That which can be taken advantage of by a threat in an unsolicited, unfair or selfish manner; to the advantage or intent of said threat, and/or disadvantage or detriment of that being exploited
• Malicious - Motivated by or resulting from a malevolent desire to cause harm, degradation or pain to others
• Vindictive - Motivated by the malicious desire or intent to harm or degrade a specific target; often as a result of a desire for revenge for some “perceived” wrong or unfairness allegedly perpetrated by the target
• Risk - The chance or statistical probability that a threat will eventuate as well as the jeopardy that such a scenario will impart upon the entity deemed at risk.
• Impact - The amount or type of potential losses that may be incurred should a given threat eventuate
• Zero-Day Vulnerabilities - No patch(s) are available at the time the vulnerabilities are first publicly disclosed
• Auditing - The process of recording; usually to a log file, information regarding network and resource access including which computer(s) and/or user(s) are issuing said access requests. Typically audited criteria include System/Network Resources, Security Events, Unauthorised Access and Communications

Attack Source Categories

Outside - Resources and assets external to an organisation come under attack. The effects and consequences of which are felt by the organisation and other parties. This type of collateral damage can be resultant from malicious intent by the attacker or as a side effect unforeseen by the attacker.

Outside In - A more classical form of attack whereby an external attacker desires to intrude into the targeted system/network by penetrating said system or network defenses in order to execute ill intent.

Inside - The attacker is internal to the target system or network. A very common example of this is authentic users of a system/network attempting inappropriate access of resources, services, or data to which they are not explicitly entitled.

Inside Out - The attacker is inside the target and either instigates a remote malware download and then does its damage or the attacker wishes to propagate from its current host system to other external systems.

Proxy - The attacker focuses on surreptitiously enslaving; usually very large numbers, of unprotected innocent 3RD party machines and then; when ready, will launch an attack from all enslaved machines simultaneously. The intended result is to over-whelm the target by sheer volume. Malicious “botnets” are an example of this attack source category that has gained much notoriety of late.

Diffuse Perimeter - A relatively new category related to the morphing of the “security perimeter” as a result in the recent massive expansion of wireless ad hoc public access networks. Secure resources are now traveling out into an ever more insecure environment where they will encounter wireless networks in places where once there were no freely publicly accessible networks. Now there are many. Airports and transit centers along with the hospitality industry are primary locations from which nefarious activities are launched upon the unsuspecting.

Typical Threats and Vulnerabilities

• Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks
• Spoofing
• Man in the Middle Attacks - including SSL injection attacks
• TCP/IP Session Hijacking
• Social Engineering
• Vulnerability Scanning, Sniffing and Eavesdropping
• Password Attacks
• Malicious Code Attacks
• Common Exploits of Wireless Networks
• Phishing, Pharming and Scamming
• Identity Theft
• Data Trading
• Perimeter Related Issues
• Insider Attacks

Until next time when we begin to get down to the nitty-gritty of security enjoy!

So let us take a quick trip through the evolution of PC and IT nasties and the consequences and impacts; both good and bad, that rapidly developing technologies can bring. This discussion will therefore focus on the relationship between technological advancement and the individual's privacy or lack there of.

The Australian Federal Government's Privacy Act 1988

In the early days personal computers were used in isolation and personal computing was based around playing games, word processing, and book keeping.

The OECD - Organisation for Economic Co-operation and Development put forth a number of ideas that after close examination led the Australian Law Reform Commission to making numerous recommendations; some of which the Australian Federal Government acted upon, when introducing the 1988 Privacy Act.

Federal Government Agencies - In responding to the challenges presented by the rapid development of computers and IT this new law (the Privacy Act 1988) was purported to protect personal information collected by federal government agencies while giving individuals a degree of control over its collection and use.

Information Privacy Principles (IPP) - One of the key core components of the Privacy Act 1988 are the Information Privacy Principles which give the individual the right to know what information federal government agencies collect and use along with access rights to their own personal information.

Government 

The Privacy Act 1988 and those protections embodied within it were squarely aimed at regulating government use of personal information and ensuring that government computers were secure. They did not apply to the private sector except when the private sector had dealings with government bodies or agencies.

The Internet 

With the advent of Internet Service Providers (ISP) individual users were able to connect to the World Wide Web (Internet) and “surfing the net” became the in vogue thing to do. For the first time individuals were able to send their personal private information all around the world. One of the provisos of connecting to the Internet was that ISPs required you to supply them with some personal information which most did honestly.

Unique Identifiers

All communications devices; including Network Interface Cards (NIC), contain a globally unique Media Access Control (MAC) Address which allows for machines to communicate since they can precisely and uniquely define sender and receiver.

Cookies 

Cookies are used to collect all sorts of information including our browsing habits and the sites that we visit are placed by 3RD parties onto the individual user's hard drive.

When the user next opens an Internet session these cookies then upload the information that they have collected to the web site or those responsible for placing them on our hard drive. It is important to note that; although these cookies can be of great assistance to the user, they are indeed a double-edged blade and can turn around and bite you.

Malicious Intentions

Intrusions of all sorts have become a worrying concern - malicious code, unsolicited e-mails, and that bandwidth/time hungry monster known as spam became intolerable. In fact; concerns regarding spam became so loud and numerous, that the Australian Government enacted as law the SPAM Act of 2003 giving the Australian Communications and Media Authority (ACMA) the powers to advise people concerning ways of stopping spam such as anti-spam software.

Prevention

Prevention has always proven to be better and more efficient than a cure. Treat the cause and not just the symptom.

No Borders 

With the Internet; not knowing geographical or political boundaries, numerous other malicious practices have become a scourge on the Internet including: phishing, spyware, scams, all forms of malicious code (viruses, worms and Trojan horses etc.), identity theft and identity fraud, insecure e-commerce transactions and cyber-fraud to name but a few.

Protecting Public Infrastructure Transmissions

One of the biggest concerns to citizens; both as private individuals and as collectives of private individuals, is how their personal information that has been collected through computerized technologies such as credit cards transactions, smartcards, phone tracking, customer loyalty programs, GPS - Global Positioning Satellite, RFID - Radio Frequency Identification Devices and digital video surveillance systems is protected.

To illustrate this point here in summary are some early research findings: a survey conducted Roy Morgan Research, in March 2004, to investigate community attitudes towards privacy found that; when using the internet, 62% of respondents are more concerned than usual about the security of their personal details and over 66% are more concerned now, than they were two years ago (relative to the time of the conducting of the survey).

Australian Legislation

The use of computers; and the information passing between them, is regulated by a plethora of laws. Each State and Territory has their own set of laws regulating the use of computers. However; the majority of these laws (particularly early ones) are aimed at prosecuting cases of industrial espionage. Here are some of the Australian laws that provide some protection from the misuse of your personal information in electronic form include:

• The Telecommunications Interception Act 1979
• The Privacy Act 1988
• The Telecommunications Act 1997
• The Corporations Act 2001
• The Federal Privacy Act December 2001 Amendments - These amendments are intended to be applicable and enforceable to many private sector organisations.
• The Spam Act 2003

National Privacy Principles (NPP)

Organisations operating within Australia are now required to comply with a set of National Privacy Principles (NPP) which clearly define the ways in which Personally Identifiable Information (PII) can be collected, used, stored and disclosed. Here are a few of the IT related NPP regulations:

NPP 1.1 - Organisations can collect your personal information only when it is essential for said organisation's ability to deliver its normal day-to-day functions, services, or activities.

NPP 1.2 - Personal information must be collected in a fair and reasonable way.

NPP 1.3 - Organisations are also obligated to provide to the user the following information:

• The organisation's identity and contact details
• Mechanisms by which entities are able to access their own personal data
• Notifications detailing the purpose(s) behind the collection of this information
• Organisation(s) that this information may be passed on or disclosed to
• Any law(s) that require the collection of this information
• Consequences for the individual if all or part of the information is not provided
• In addition online organisations may collect sensitive information; including health information, only after you have formally provided your consent

NPP 2.1 - The use and disclosure of your personal information for a secondary purpose is permitted only when the collecting organisation(s) have complied in full accordance with certain specific exemption clauses detailed in NPP 2.1

NPP 3 - Online organisations must always ensure (verify) that your personal information is kept currently up-to-date and accurate before it is used.

NPP 4.1 - Requires organisations to take reasonable steps to ensure that your personal information is secured against hackers, malicious code, accidental disclosure etc.

NPP 8 - The Right to Expect - Everybody has the right to expect that organisations will permit anonymous on-line transactions if lawful and/or practical for organisations to do so.

NPP 9 - Personal information can only be exported to countries with adequate privacy protection, or if you have consented, or if other specific conditions are met.

The Office of the Privacy Commissioner (The OPC)

The OPC Website provides much information, advice, and tools designed to assist online users and companies to counteract and avoid hacking and employee theft. It also maintains a list of links and URLs; which users and organisations alike can follow, to a suite of tools designed to protect on-line privacy.

Privacy Impact Assessment (PIA)

Government at all levels & Private Sector Organisations alike can avoid interference(s) with privacy through conducting a Privacy Impact Assessment (PIA) to assist them to:

• Analyse the risks to privacy posed by: new projects, technologies or rules
• Proactively address risks before problems occur.

The OPC does not have the power to enforce compliance by online organisations to conduct a PIA. However; taking into consideration the fact that ID theft, ID fraud and cybercrime are reaching epidemic proportions, any online organisation or e-commerce trader which collects personal information and has not gone through a Privacy Impact Assessment or similar risk management process is inviting trouble.

Conclusions and Recommended Preventative Measures

It is not the existence of new and emerging technologies which pose the greatest threat to privacy but the creative uses to which human beings put those technologies that are most apt to do harm. As with all things; "prevention is always better than cure" and privacy related issues are no different. In fact many hold the view that; when it comes to privacy, prevention should always be foremost in mind. Here are a few of the preventative strategies and technologies that are currently in common use today include:

Biometrics

There are numerous ways to use biological individually unique parameters

Password Policy

Develop a “password policy”

Security Monitoring

Dynamic information technology for the security fraud monitoring of ecosystems and environments

Actively Preserve Client Trust

Never lose sight of the fact that trust is the most fundamental principle that is KEY to successful Internet participation

Legislative Requirements 

All relevant legislative requirements should be embedded into new products and services at the design stage

Individual Autonomy

Also needs to be incorporated into the design of new technologies

Value Sensitive Design (VSD) - “Human values, norms and moral considerations” should be incorporated into new technologies at the design phase in order to better facilitate the delivery of more “user friendly” products.

Privacy Preserving Analytics (PPA)

A CISRO technology that allows health researchers to extract health data for research purposes without extracting identifying information. PPA works by analysing and encrypting health data from disparate sources, and encrypting it before it is provided to researchers.

The Influence of Internet

Internet technology has changed the way we think and relate with others. The world has become smaller as almost anyone in the globe can communicate at the extreme end. With computers, wired and wireless networks, cellular phones and other techno-gadgets which can link with each other, communication is easy.

The internet can be used both ways: for productive ends or for bringing destruction to some. Topics discussed in the internet are limitless, from very personal concerns to highly impersonal business transactions.

Intrusion to Privacy

At this age where information technology is prevalent, we cannot help but think how almost everything in one's daily life is exposed. News spreads quickly and there's no stopping of lewd content and gossip. You just have to be choosy in what things you like and things you'd believe.

Positive Benefits

But of course, we cannot deny the fact that timely information can save lives. In the medical field, it is possible for a specialist surgeon to treat his patient from afar. A lost friend can be found. Students in isolated regions get updated with the latest information. People can earn without leaving their homes. And many more things could be gained just from knowing, or learning by staring at that boob tube in front of you. I say "boob tube" because I still have that obsolete CRT when LCDs appear to be the norm.

Electronic Threats

Threats in using the internet always lurk behind. Viruses infect computers and destroy important data. Nasty individuals wait for opportunities to victimize innocent users with their ruse; stealing important information or diverting others' funds to their accounts. Words such as internet scams, phishing and spamming became bywords which were non-existent before.

The Future of Internet

We cannot imagine how far this technology will go in the future. Remember Terminator 3? Will man be able to put a rein to this fast evolving technology? Will it ultimately be towards man's boom or doom? Nobody knows.

Bug Me Not

Bugmenot.com alleviates the need for pointless registrations to sites that only wish to collect your data. You can search bugmenot.com for login information on thousands of sites. Any application that can save you from putting your info out there is a good one in my book. They have even developed an extension for Firefox.

PeerGuardian 2

PeerGuardian 2 is Phoenix Labs' premier IP blocker for Windows. PeerGuardian monitors your internet traffic and stops your computer from establishing connections with unwanted computer systems. You can create your own “block” list or choose list to block that include P2P, spyware, or government systems. The list can be configured to update daily. PeerGuardian's features make it the safest and easiest way to protect your privacy on P2P networks.

McAfee SiteAdvisor

McAfee SiteAdvisor warns you before you interact with a dangerous Web site. Traditional security products focus on trying to clean up problems after they occur.

It also complements and enhances your existing security software by detecting threats which traditional security products often miss, including spyware attacks, online scams, and sites that spam you.

File Shredder 2

File Shredder deletes the unwanted files on your computer past the point of recovery. The Windows delete function merely removes bits from the file that allow the OS to see those files and allow it to overwrite them when needed. Until they are actually overwritten those files remain on your computer ready to be found.

ProxyWay anonymous surfing 2.6

This is a free web proxy server agent which you use together with web applications such as web browsers, Instant Messengersand Internet Relay Chat (IRC), etc.) to ensure your anonymity.

TrueCrypt 4.3

Truecrypt is one of my favorite programs. It allows you to create an encrypted volume that can be stored on your HDD or USB drive. The volume can be mounted and files dragged into the volume are encrypted on the fly. If you store any kind of financial or personal information on your computer you should have it stored in a TrueCrypt volume.

SpyBot

Spybot has been trusted by home users and professionals alike for many years. It has features that will immunize your computer from known spyware programs and trojans. It will also scan for current infections and work o correct any infections it finds.

KeePass Password Safe

KeePass is a free/open-source password manager or safe which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key-disk. So you only have to remember one single master password or insert the key-disk to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish).

Ccleaner

This program has made a few of my different list. Its just so darn handy. Ccleaner is a freeware optimization and privacy tool. It is lightweight and a great tool for cleaning up all those unused temp files. It also features a great registry cleaning tool. The one thing I live about this tool is that it's such a small install, and its super fast.

ZoneAlarm Firewall

ZoneAlarm Firewall is a free firewall application and one of the most reliable firewalls for your DSL or cable connected computer. It controls all traffic to and from your computer, alerting you when an unknown or untrusted application is trying to connect to an outside source.

Adaware free

With the ability to scan your RAM, Registry, hard drives, and external storage devices for known data-mining, advertising, and tracking components, Ad-Aware 2007 easily can clean your system, allowing you to maintain a higher degree of privacy while you surf the Web.

Mailinator

When you just have to sign up for a website and you don't want to use or abuse your real email address Mailinator comes to your rescue. No sign-up, free to use, Mailinator allows you to obtain a temporary email address and even check it for the confirmations that come in after you sign up.

I hope this list helps you keep your most private information safe. If you like this list you can also check out “10 Free Tools Every IT Pro Needs”