Question list
1
are goals and constraints that affect the confidentiality, integrity and availability
security objectives
2
Also known as data confidentiality, this property means that information is not made available or disclosed to unauthorized individuals, entities, or processes. A loss of confidentiality is the unauthorized disclosure of information
confidentiality
3
This term covers two (2) related concepts:
integrity
4
ensures that data (both stored and in transmitted packets) and programs are changed only in a specified and authorized manner. A loss of data integrity is the unauthorized modification or destruction of information.
data integrity
5
ensures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.
system integrity
6
ensures that systems work promptly and the service is not denied to authorized users. A loss of availability is the disruption
availability
7
The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or a message originator. This means verifying that users are who they say they are and that each input arriving at the system came from a trusted source
authenticity
8
The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action. Because truly secure systems are not yet an achievable goal, it must be possible to trace a security breach to a responsible party. Systems must keep records of their activities to permit later forensic analysis to trace security breaches or to aid in transaction disputes.
accountability
9
defines a general security architecture that is useful to managers as a way of organizing the task of providing security. This standardized architecture defines security requirements.
osi archi
10
Any action that compromises the security of information owned by an organization; an attempt to gain unauthorized access to information resources or services, or to cause harm or damage to information systems.
security attacks
11
Technical tools and techniques that are used to implement security services; a process that is designed to detect, prevent, or recover from a security attack.
security mechanisms
12
is a processing or communication service that enhances the security of the data processing systems, and the information transfers of an organization.
security service
13
are like eavesdropping or monitoring transmissions. The goal of the attacker is to obtain information that is being transmitted.
passive attacks
14
In this type, an attacker monitors an unprotected communication medium, such as unencrypted email or a telephone call, and intercepts it for sensitive information.
release of message contents
15
In this type, an attacker monitors communication channels to collect a range of information, including human and machine identities, locations of these identities, and types of encryption used, if applicable.
traffic analysis
16
involve some modification of stored or transmitted data or the creation of false data. There are four categories of active attacks: replay, masquerade, modification of messages, and denial of service.
active attacks
17
takes place when one entity pretends to be a different entity. A masquerade attack usually includes one of the other forms of active attack.
masquerade
18
involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.
replay
19
simply means that some portion of a legitimate message is altered or that messages are delayed or reordered to produce an unauthorized effect
data modification
20
prevents or inhibits the normal use or management of communication facilities. Such an attack may have a specific target; for example, an entity may suppress all messages directed to a particular destination (e.g., the security audit service).
denial of service attack
21
security service is concerned with ensuring that communication is authentic.
authentication
22
security service is the ability to limit and control access to host systems and applications via communications links. To achieve this, each entity trying to gain access must first be identified or authenticated so that access rights can be tailored to the individual.
access control
23
security service is the protection of transmitted data from passive attacks. Concerning the content of data transmission, several levels of protection can be identified. The broadest service protects all user data transmitted between two users over a period.
data confidentiality
24
security service ensures that messages are received as sent, with no duplication, insertion, modification, reordering, or replays
data integrity
25
security service prevents either a sender or a receiver from denying a transmitted message.
nonrepudiation
26
security service means that a system or a system resource is accessible and usable upon demand by an authorized system entity, according to performance specifications for the system; that is, a system is available if it provides services according to the system design whenever users request them.
availability service
27
refers to privacy concerns related to user interaction with Internet services through web servers and mobile apps.
online privacy
28
collect information directly from their customers, audience, or other types of users of their services.
data collectors
29
compile large amounts of personal data from several data collectors and other data brokers without having direct online contact with the individuals whose information is in the collected data.
data brokers
30
category encompasses a broad range. One type of data user is a business that wants to target its advertisements and special offers. Other uses are fraud prevention and credit risk assessment
data users
31
are concerned with the vulnerabilities and threats associated with the platform that hosts a website, including the operating system (OS), file and database systems, and network traffic.
web server security and privacy
32
are concerned with web software, including any applications accessible via the Web.
web application security and privacy
33
are concerned with the browser used from a client system to access a web server.
web browser security and privacy
34
The execution of mobile applications on a mobile device may involve communication across several networks and interaction with some systems owned and operated by a variety of parties.
mobile ecosystem
35
Modern mobile devices are typically equipped with the capability to use cellular and Wi-Fi networks to access the Internet and to place telephone calls.
calls and Wi-Fi infrastructure
36
Public app stores include native app stores; these are digital distribution services operated and developed by mobile OS vendors. For Android, the official app store is Google Play, and for iOS, it is simply called the App Store.
public application stores
37
Mobile device and OS vendors host servers to provide updates and patches to the OS and apps. Other cloud-based services may be offered, such as storing user data and wiping a missing device
device and OS infrastructure
38
Enterprise mobility management (EMM) is a general term that refers to everything involved in managing mobile devices and related components (e.g., wireless networks).
enterprise mobility systems
39
is a member of the organization who is responsible for deploying, maintaining, and securing the organization’s mobile devices as well as ensuring that deployed devices and their installed apps conform to the organization’s security requirements.
administrator
40
A facility in the organization that employs automated and/or human analyzers to evaluate the security characteristics of an app, including searching for malware, identifying vulnerabilities, and assessing risks.
app testing facility
41
is the party whose role is to inspect reports and risk assessments from one or more analyzers to ensure that an app meets the security requirements of the organization.
auditor
42
The goal of the project is to identify the most important technical and organizational privacy risks for web applications from the perspectives of both the user (data subject) and the provider (data owner).
open web application security project
43
Failing to suitably design and implement an application, detect a problem, or promptly apply a fix (patch), which is likely to result in a privacy breach
web application vulnerabilities
44
Failing to prevent the leakage of any information containing or related to user data, or the data itself, to any unauthorized party resulting in loss of data confidentiality
User side data leakage
45
Not informing the affected persons (data subjects) about a possible breach or data leak, resulting from either intentional or unintentional events; failure to remedy the situation by fixing the cause; not attempting to limit the leaks.
insufficient data breach response
46
Failing to delete personal data effectively and/or in a timely fashion after the termination of the specified purpose or upon request.
insufficient deletion of personal data
47
Not providing sufficient information describing how data are processed, such as their collection, storage, and processing.
non-transparent policies, terms and conditions
48
Collecting descriptive, demographic, or any other user-related data that are not needed for the system. Applies also to data for which the user did not provide consent.
collection of data not required for primary purpose
49
Providing user data to a third party without obtaining the user’s consent. Sharing results either from transferring or exchanging data for monetary compensation or otherwise, or from inappropriate use of third-party resources included in websites, such as widgets (e.g., maps, social networking buttons), analytics, or web bugs.
sharing data for the third party
50
Using outdated, incorrect, or bogus user data and failing to update or correct the data.
outdated personal data
51
Failing to effectively enforce session termination. May result in the collection of additional user data without the user’s consent or awareness.
missing or insufficient session expiration
52
Failing to provide data transfers over encrypted and secured channels, excluding the possibility of data leakage. Failing to enforce mechanisms that limit the leaking surface (e.g., allowing user data to be inferred from the mechanics of web application operation).
Insecure data transfer
53
Legitimate mobile apps may be vulnerable to several privacy and security threats, typically due to poor coding practices used in app development or underlying vulnerabilities in the mobile device operating system.
mobile app privacy
54
Network traffic needs to be securely encrypted to prevent an adversary from eavesdropping. Apps need to properly authenticate the remote server when connecting to prevent man-in-the-middle attacks and connection to malicious servers
Insecure network communication
55
Adversaries can exploit vulnerabilities in mobile device web browser applications as an entry point to gain access to a mobile device.
web browser vulnerability
56
Third-party software libraries are reusable components that may be distributed freely or offered for a fee to other software vendors. Software development by component or modules may be more efficient, and third-party libraries are routinely used across the industry.
vulnerabilities in third party libraries