CHAPTER

CHAPTER

11 Security and Privacy

439
440
441
 11.1 Defining Security and Privacy

LEARNING OUTCOMES
4.3.1 Compare and contrast security and privacy in terms of what kind of data is being protected,
what the data is being protected from and how that protection is enforced.

As technology is an integral part of our daily lives, learning how to protect our digital information has
become crucial. Related to the protection of digital information are the concepts of security and privacy.

Security is the practice of protecting the confidentiality, integrity and availability of data. These three
principles are defined in Table 11.1 and described further in sections 11.1.1 to 11.1.3. Security is applicable
to all kinds of data in general, from private messages to public websites, and it is about protecting such
kinds of data from unauthorised access, unauthorised modifications, or disruptions in typical use. We can
think of security as the padlock on the door of a house, keeping intruders out.

Principle Definition

Confidentiality Protection from unauthorised access.

Integrity Protection from unauthorised modification.

Availability Ability to access the data in a timely and uninterrupted fashion.

Table 11.1 Definitions of confidentiality, integrity and availability

Privacy is the practice of protecting Privacy is like

the confidentiality and control curtains, controlling
of personal data. It overlaps with what outsiders see
security, especially in terms of
confidentiality. However, while
security is about protecting data in
general, privacy is about protecting
user identity and especially
personal data (e.g., name, date
of birth, physical address, email
address, IP address, etc.) that may
allow a person to be identified. It
includes the ability to maintain Security is like a
control over how personal data padlock, keeping
is used or shared. We can think intruders out
of privacy as the curtains on the
windows of a house, allowing for
control over what others can see.

Figure 11.1 Privacy and security as features of a house

442
442
 ER MS
The following table compares
security and privacy in terms KEY T
of what kind of data is being Security
protected, what the data The practice of protecting the confidentiality, integrity and availability of
is being protected from data
and how that protection is
enforced. Personal Data
Any data related to a person that may allow that person to be identified

Privacy
The practice of protecting the confidentiality and control of personal data

Factor Security Privacy

Definition Practice of protecting the Practice of protecting the

confidentiality, integrity and confidentiality and control of
availability of data personal data

Kind of Data Data in general Personal data specifically

Being Protected

What Data is • Unauthorised access, • Unauthorised access,

Protected From unauthorised modification, reduced ability to control
reduced ability to access data how personal data is used or
shared
• Malicious and/or illegal acts
• Acts that user may not
consent to even if they are not
malicious or illegal

How Protection • Technical protections (e.g., • Technical protections (e.g.,

is Enforced encryption, see section encryption, see section
11.3.3) 11.3.3)
•Legal protections (e.g., • Legal protections (e.g.,
LEARNING Computer Misuse Act)
OUTCOMES Personal Digital Protection
Act, see section 11.3.4)
• Careful adherence to best
practices and configuration of • Careful understanding
security settings of privacy policies and
configuration of privacy
settings

Table 11.2 Comparison between security and privacy

443
 11.1.1 Confidentiality

Confidentiality is the protection of data from unauthorised

access. It is required for both security and privacy.

Unauthorised access occurs whenever data owned by someone

is used by someone else, such as an intruder or even a member
of the public, without permission. This can lead to many
undesirable consequences.

For individuals, passwords or bank account information can be

used by an intruder to assume the owner’s identity, steal his or
her money, and commit fraud. An intruder can also publicise
private information that can lead to unwanted attention or
bullying. For businesses, the unauthorised disclosure of trade
secrets or customer information can lead to financial losses,
loss of trust and legal consequences.

11.1.2 Integrity

Integrity is the protection of data from unauthorised

modification. It is required for security.

Unauthorised modification occurs when data is intentionally or

accidentally altered or made incomplete without permission.
When this happens, the data is no longer trustworthy and using
the data can lead to many undesirable consequences, especially
when the modified data is used for decision-making.

For example, in banking, the account information for a bank

transaction may be modified such that money is unintentionally
transferred to the account of an intruder. In healthcare, the use
of medical records that have been modified without permission
may lead to incorrect treatments, potentially harming patients.

11.1.3 Availability

Availability is the ability to access data in a timely and

uninterrupted fashion. Its protection is required for security.

Data may become inaccessible to authorised users for many

reasons such as equipment failure, network congestion or
natural disasters. For example, a denial-of-service attack may
try to overwhelm a server with excessive requests such that it
cannot respond or responds very slowly to legitimate requests.
When this happens, an authorised user may not be able to
access data on the server and availability is compromised.

Furthermore, integrity and availability are related.

Unauthorised modification can cause data corruption where
errors and inconsistencies are introduced into the data. When
data is corrupted, it may become unusable such that availability
is also affected.

444
 ER MS
KEY T
Availability
The ability to access data in a timely and uninterrupted fashion

Confidentiality
The protection of data from unauthorised access

Data corruption
The introduction of errors and inconsistencies into data

Denial-of-service attack
A type of attack where a server is overwhelmed with excessive requests such that it cannot respond or
responds very slowly to legitimate requests

Integrity
The protection of data from unauthorised modification

U
DID YO
KNOW?
The effects of data corruption on availability can vary depending on the amount and type of
corrupted data.

If the corrupted data is not needed to read other data, then the availability of only the corrupted
data itself is affected. This situation is more likely if the amount of corrupted data is small. This is like
having smudged cells in a printed table of data – only the smudged data is affected.

Figure 11.2 Only the data in the smudged cells is affected

445
 U
DID YO
KNOW?
On the other hand, if the corrupted data is related to other data, then the availability of both the
corrupted data and its related data may be affected. This is because the corrupted data may contain
information that is required to read or interpret the related data. This situation is more likely if the
amount of corrupted data is large. This is like having smudged headers in a printed table of data.
While the cells of the table are still readable, it is not possible to interpret what the contents mean,
so the data stored in the table is meaningless and effectively unusable.

Figure 11.3 Data in the entire table is effectively unusable due to the smudged header

For example, Figure 11.4 shows a typical error message that a user may get when trying to open a
corrupted file in a word processor.

Figure 11.4 Example of a data corruption error message

When availability is disrupted, undesirable consequences may occur. For example, in business, interruptions
to key systems or data may require halting operations, leading to financial losses. In an emergency, the
inability to access critical information can interfere with the response, endangering lives.

446
 QUICK .1
C K 1 1
CHE
1. In each of the following scenarios, identify which of confidentiality, integrity or availability,
has been the most significantly compromised:

a) A power outage interrupts the Internet access in a building.

b) A passenger on a crowded train reads the contents of an email over the shoulder of another passenger who
is using their phone.

c) A photo sharing site adds a watermark to uploaded photos without the owner’s permission.

2. To use a photo storage service, a user is required to provide their email address and let the service share
the email address with other companies without informing the user. In return, the service lets the user view
their photos online and prevents the photos from being accessed or modified by anyone else.

Assume that the service is reliable and works as advertised.

a) Explain why photos stored on the service may be considered secure.

b) Suggest and explain one way in which the service has poor privacy.

11.2 Threats

LEARNING OUTCOMES
4.3.2 Explain how human actions threaten security and privacy by causing data corruption
(through physical or non-physical means) or exposure of private data.

4.3.7 Explain how adware threatens security and privacy by installing itself without the user’s
knowledge and displaying unwanted advertisements.

4.3.8 Explain how spyware threatens security and privacy by secretly collecting personal
information and transmitting this information to attackers without the user’s knowledge.

4.3.9 Explain how cookies are typically not malicious but can threaten privacy by tracking a user’s
browsing history across multiple web sites.

4.3.10 Explain how phishing threatens security and privacy by using emails and fake websites that
appear to be from reputable companies to steal personal information.

4.3.11 Explain how pharming threatens security and privacy by intercepting requests to legitimate
websites and redirecting them to fake websites while still appearing to use the same address
as the legitimate website.

There are many common threats to the security and privacy of data.

447
 11.2.1 Human Actions

Human actions can threaten security, specifically the integrity of data, by causing data corruption. This
may be malicious or accidental and can happen through either physical or non-physical means, as shown
by the examples in Table 11.3:

Means Threat of Human Actions to Data Integrity

• Data corruption due to exposure of storage media to

physical impact or extreme temperatures (e.g., during
transport)
• Data corruption due to not ejecting storage device properly
before physical removal
Physical

• Overwriting of data due to multiple users working on the

same file that is shared on a network
• Data corruption due to incorrect data entry

Non-physical

Table 11.3 Examples of how human actions can threaten data integrity

Human actions can also threaten privacy through the malicious or accidental exposure of private data.
For example, privacy is compromised when an email containing personal data is sent to unauthorised
recipients.

11.2.2 Adware

Adware is a type of malicious software (also known as malware) that installs itself without the user’s
knowledge and displays unwanted advertisements. The advertisements may appear as separate “pop-up”
windows or be injected into web pages.

U
On its own, displaying unwanted advertisements
DID YO
KNOW?
may not threaten security or privacy. However,
by installing itself without the user’s knowledge,
adware threatens the computer’s integrity
and may leave open the door for other forms
of malware to be installed. To display relevant
advertisements, many examples of adware collect Another definition of “adware” is advertising-
data on the user’s habits without permission (like supported software that is installed knowingly
spyware; see section 11.2.3). The advertisements by the user. The software is usually free-of-
they display may also promote phishing sites charge but shows advertisements to make
(see section 11.2.5) and scams to steal personal money. Note that this is not the definition of
data. In this way, adware can also be considered “adware” used in this textbook.
a threat to security and privacy.

448
 ER MS
KEY T
Adware
A type of malware that installs itself without
the user’s knowledge and displays unwanted
advertisements

Malicious software (or malware)

Software that is intentionally used to damage,
disrupt or gain unauthorised access to a
computer system

Figure 11.5 Adware installs itself without the user’s

knowledge and displays unwanted advertisements

11.2.3 Spyware

Spyware is a type of hidden malware

that secretly collects personal
information about its users and
transmits this information to attackers
without the users’ knowledge. The
collected data can then be used to gain
unauthorised access to even more of
the victim’s data. In this way, spyware is
a threat to both security (specifically the
confidentiality of data) and privacy. Figure 11.6 Spyware secretly collects personal information
and transmits this information to attackers

U MS
DID YO KEY T
ER

KNOW? Spyware
A type of hidden malware
that secretly collects personal
Certain kinds of malware are designed to widen the damage information about its users and
they cause by making multiple copies of themselves. transmits this information to
attackers without the users’
For instance, a “virus” attaches itself to a normally harmless knowledge
program or file and modifies it. When the modified program
is run or a modified file is opened by a user, the virus attaches
copies of itself to any other programs or files it can find, thus
“infecting” them.

Similarly, a “worm” attempts to spread by sending copies of

itself to other computers, but unlike a virus, a worm does not
need to attach itself to an existing program or file.

449
 11.2.4 Cookies

ERMS
KEY T
Cookies are small pieces of data stored by the web browser
when a user visits a website. Each time a user visits a website
that uses cookies, the web browser checks whether it has a
relevant cookie and if so, it sends the information contained in Cookies
that cookie back to the website. The website is thus aware that Small pieces of data stored by the
the user is a repeat visitor and, in some cases, will customise web browser when a user visits a
what appears on the page for the user. On the other hand, if website
no relevant cookie is found, the website may request for a new
cookie to be created.

In general, cookies are not malicious and are needed to keep

track of authentication information to identify which users are
currently logged in. However, they can also be used to keep
track of user movements and preferences within the website,
such as which pages were most recently visited by the user
or how the user wants the site to be presented. Even worse,
advertising companies with advertisements on multiple
websites can also use cookies to keep track of users as they
move from one website to another. In this way, cookies can be
a threat to data privacy.

11.2.5 P is ing

ER MS
Phishing is the use of emails, messages and fake
websites that appear to be from reputable companies KEY T
to steal personal data such as passwords and credit Phishing
card numbers from users. In this way, phishing is a The use of emails, messages and
threat to both security (specifically the confidentiality fake websites that appear to be from
of data) and privacy. Figure 11.7 shows some examples reputable companies to steal personal
of phishing websites, messages and emails. data from users

Figure 11.7 Examples of phishing websites, messages and emails

450
 U
DID YO
N O W ?
K
Phishing is a play on the word “fishing”. The idea is that bait is thrown out with the hope that
while most fish might ignore the bait, some will be tempted into biting. Similarly, phishing
emails are sent to many recipients in the hope that some recipients will eventually fall for the
scam and give away their personal data.

11.2.6 P arming

ER MS
Pharming is a more serious form of phishing. In
pharming, the attacker will attempt to intercept KEY T
requests sent from a computer to a legitimate Pharming
website and redirect the user to a fake website The interception of requests sent from a
to steal personal data or credit card details. Like computer to a legitimate website and the
phishing, pharming is a threat to both security redirection of those requests to a fake website to
(specifically the confidentiality of data) and steal personal data
privacy.

Figure 11.8 Pharming is an attempt to redirect website traffic to a fake website

For example, when victims of pharming enter the web address of their bank into a web browser, they would
be presented with a website that appears to be genuine but is provided by the attacker’s web server. When
they try to log in to the fake website, their usernames, passwords and account details would be recorded
by the attacker, who can then use these details to access the victims’ bank account on the bank’s actual
website.

For pharming to be successful, the attacker must either have malware running on the victim’s computer or
have taken control of a network device such as a router or server. This can occur as the software that runs
on such devices is also susceptible to bugs.

451
 I G
N A
I MAEME
G
M
Can you guess which website is the real one?

QUICK
EC K 11.2
CH
1. In each of the following scenarios, identify the common threat to the security and/or privacy of data that is
being depicted:

a) After visiting a shopping website, a user notices that advertisements for the exact items they viewed are
appearing in other unrelated websites.

b) A user notices that pop-up advertisements for a gambling website appear whenever their computer is
started.

c) A user visits their bank’s website and notices that the website looks suspicious even though the URL is correct.

d) A user notices that a link in an email that appears to be from their bank goes to a URL that misspells the
bank’s name.

e) A portable hard drive cannot be read after it is transported by a delivery service.

f) A user notices unexpected network activity and their computer running more slowly whenever it is connected
to the Internet.

452
 11.3 Defences

LEARNING OUTCOMES

4.3.3 Explain how anti-malware programs enforce security and privacy by preventing malware
from running and removing malware that may be present on a computer.

4.3.4 Explain how firewalls enforce security and privacy by using either hardware or software to
monitor packets and decide which packets should be permitted or blocked based on a set of
configurable rules.

4.3.5 Explain how encryption enforces security and privacy by making encrypted data appear
meaningless without the corresponding secret key.

4.3.6 Explain how the Personal Data Protection Act (PDPA) enforces privacy by legally requiring
organisations to do the following when collecting personal data:
• seek consent from the individual;
• disclose the purpose for collecting data when seeking consent; and
• retain the data for only as long as necessary to fulfil the stated purpose

4.3.12 Describe good computing practices that can mitigate the threats posed by adware, spyware,
cookies, phishing, pharming and human actions.

Multiple forms of defence are available to repel threats and enforce the security and privacy of data.

U
DID YO
N O W ?
K
Multiple forms of defence are needed so threats that manage to overcome weaknesses in one form
of defence can be stopped by the other forms of defence that are present. This is sometimes called
“defence in depth” or the “Swiss cheese model”.

We can imagine each form of defence as a slice of Swiss cheese, with holes that represent weaknesses
in random locations and sizes. As more slices of Swiss cheese (each representing a different form of
defence) are stacked together, it becomes more unlikely for the holes to line up such that a threat
can pass through and cause damage.

Figure 11.9 Threats (red lines) are stopped from passing through multiple layers of defence

453
 11.3.1 Anti- al are Programs

Adware and spyware are examples of malware that need to run on a user’s computer to compromise
security and/or privacy. Anti-malware programs can be used to:

• detect when malware is about to be run and stop it from

ER MS
KEY T
running;
• detect malware that is already running and try to stop it; and
• scan the user’s computer to detect and remove malware. Anti-malware
Software to detect, remove and
While powerful, most anti-malware programs rely on a list of stop malware from running
signatures, or unique identifying characteristics, for each known
version of malware. This list needs to be updated regularly Signature (malware)
to ensure that the protection provided by these programs Identifying characteristics that are
continues to be effective against new malware. For convenience, used to detect a known version of
most anti-malware programs can update this list automatically some malicious software
through the Internet.

U
DID YO
KNOW?
Malware programs that pretend to be legitimate
software are called “Trojan horses”, named after the
story in Greek mythology where Greeks used a wooden
horse to infiltrate the city of Troy and carry out a
surprise attack.

Some especially devious Trojan horses may appear to

be anti-virus and anti-spyware programs. To be safe,
only anti-virus and anti-spyware programs provided
by reputable companies or websites, or as part of the
computer’s operating system, should be trusted.

11.3.2 Fire alls

Computers that are connected to a network are naturally more susceptible to intrusion as unauthorised
access can occur even without the physical presence of an intruder. Hence, computers connected to a
network usually require another layer of defence called a firewall. Just like how a fireproof barrier prevents
fire from spreading and destroying valuable property, a firewall prevents harmful contents from passing
through it to reach other computers connected to the network.

A firewall can be either a device or a computer program. It works by monitoring each piece of data that is
transmitted through a network. Then the data would be either blocked or allowed to pass through, based
on a set of rules configured by an administrator.

454
 Figure 11.10 A firewall protects a network from external threats

When properly configured, a firewall can protect the computers within a network from unauthorised access.
For instance, a firewall can be configured to block the transmission of data (known as traffic) between any
unauthorised senders and/or receivers, especially requests for data coming from anonymous users on the
Internet. This prevents intruders from gaining access to the computers within a network.

As a firewall can also block traffic based on the type of application that is transmitting the data, it can also
stop certain malware such as adware and spyware from sending copies of themselves to other computers
through the network.

Conversely, however, configuring a firewall correctly can be a complex task and a misconfigured firewall
may unintentionally allow an intruder to gain access to computers on the network.

11.3.3 Encryption

Encryption is the process of encoding data so that a

ER MS
secret key is required to read the data. Like passwords,
the secret key is usually provided as a sequence of KEY T
bytes. Before the encrypted data is decoded using the Encryption
secret key, it appears as random, meaningless data. The process of encoding a message so that
a secret key is needed to decode the data
Encryption is often used to protect data from
unauthorised access by allowing only authorised Firewall
users to have the secret key. For instance, websites are A device or computer program that
required to use encryption by default so sensitive data prevents unauthorised access to or from a
such as passwords appear as random, meaningless network
data during transmission and can only be decoded
when they reach their intended destinations.

11.3.4 Personal Data Protection Act PDPA

Often, violations of privacy are not caused by the victim’s direct actions. Instead, these violations occur
indirectly due to the actions of third-party users or services. For instance, social networking sites such as
Facebook, X (formerly Twitter), Instagram and TikTok allow users to share photographs and information
quickly with their family and friends. However, most users may be unaware or do not consider the
repercussions of how such sites retain personal data or share personal data with third-parties.

To safeguard the personal data of users in Singapore, organisations are legally required to comply with the
Personal Data Protection Act (PDPA) that governs the collection, protection and use of personal data.
Specifically, when organisations collect personal data, they must:

• seek consent from the individual;

• disclose the purpose for collecting data when seeking consent; and
• retain the data for only as long as necessary to fulfil the stated purpose

455
 Organisations are prohibited from using personal data for purposes unrelated to those stated at the time
of collection without obtaining further consent. They must also make reasonable efforts to keep personal
data accurate and up-to-date, as well as implement appropriate security measures to prevent unauthorized
access, disclosure, or misuse. To ensure compliance, organisations found to be in violation of the PDPA
may be required to pay heavy fines.

ER MS
KEY T
Personal Data Protection Act (PDPA)
A law that governs the collection,
protection and use of personal data in
Singapore

11.3.5 ood Computing Practices

Besides technical and legal defences, there are several good computing practices that help to protect
against security and privacy threats.

11.3.5.1 Use Strong Pass ords

U
Authentication is the process of DID YO
KNOW?
verifying the identity of a user and the
most common authentication method
is to ask for a secret password or phrase
that is known only to that user. Most
computer users are probably familiar A strong password should have the following elements:
with the process of entering a password
to use a computer or online account.
Such passwords are usually entered
together with a username that identifies
who the user is claiming to be.

Unfortunately, passwords can be a

poor form of authentication if they are
chosen poorly or not kept secret. Avoid
using birth dates and surnames as
passwords as they can be easily guessed
by an intruder. Instead, use hard-to-
guess passwords that are a mixture of
lower-case letters, upper-case letters,
numbers and symbols.
Avoid re-using passwords or leaving them unchanged for a long time as doing so makes it easier for an
intruder to guess the password. Instead, use unique passwords for each computer or online account and
update them at least once every 90 days.

456
11.3.5.2 Use ulti-Factor Aut entication
Passwords are only one form of authentication. In general, authentication may require users to prove their
identity by providing evidence from one or more of the following categories:

1. Something the user knows, such as a password

2. Something the user owns, such as a mobile phone
3. Something unique that is measured from a physical part of the user, such as a thumbprint

Each category of evidence that is used for authentication is called an authentication factor.

More stringent authentication systems often require evidence from more than one authentication factor.
For instance, some banks or organisations may issue a device called a security token to users who wish to
access their accounts online.

Figure 11.11 A security token

To access their account online, the user has to confirm their identity by providing a secret password or
personal identification number (PIN), followed by a one-time password (OTP) generated from the security
token or a mobile phone that the user owns. This kind of authentication that uses evidence from both
something the user knows and something the user owns is called two-factor authentication. Two-factor
authentication is stronger than using only a password as it is much more difficult for an intruder to both
guess a password and steal the user’s security token.

Biometrics is a type of authentication that is based on the measurement of human physical characteristics.
For example, biometrics is used to identify a user by fingerprint or voice. Other common characteristics
used in biometrics include the face, iris, retina, and deoxyribonucleic acid (DNA). Compared to passwords,
the use of biometric identification is more secure as the physical characteristics measured are typically
unique to the individual and cannot
be easily replicated.
ER MS
Figure 11.12 shows some of KEY T
the common human physical
Authentication
characteristics used in biometrics.
The process of verifying the identity of a user

Authentication factor
A category of evidence that is used for authentication: something
the user knows or owns, or something that is measured from a
physical part of the user

Biometrics
A type of authentication based on the measurement of human
physical characteristics

Security token
A device that is used specifically for authentication purposes

Two-factor authentication
A type of authentication that uses evidence from both something
the user knows and something the user owns

457
 100 %

Face DNA Voice Fingerprint

Figure 11.12 Human physical characteristics used in biometrics

11.3.5.3 Identify Scam Attempts

By using deceptive emails, messages and fake websites to steal personal data, phishing attacks typically
serve as the initial stage of many scams that aim to deceive unsuspecting individuals or organisations
and perpetuate further forms of fraud. Hence, it is important to learn how to identify phishing and scam
attempts.

Some tell-tale signs of phishing emails or messages are:

Requests for Personal Data Generic Greetings

The email or message claims to be from a
company or bank and asks for personal data
or confidential information. Most companies
or banks will never ask for such information
via email or chat. When in doubt, call the
company or bank to verify.
The email or message uses a generic greeting
such as “Dear Customer” or “Dear User”. This
is a sign that the email was sent automatically
and not by a person. Alternatively, the email
or message may get your name correct but
get other details of your identity (e.g., your
occupation or country of residence) wrong.

Errors

The email or message has inaccurate

information or grammatical and spelling
errors that suggest it is not from a
legitimate source.

Suspicious Email Addresses

The email or message seems to come from a

fake sender or from an address or contact that
does not match the supposed source. Fake
senders usually use email accounts from free
providers such as Gmail and Yahoo or from sites
that misspell the names of legitimate sites. On
chat platforms, their usernames may be made
up of random letters and numbers.

458
 Suspicious Links

The email or message contains hyperlinks

with destinations that do not match what
the hyperlink text says or are otherwise
unexpected. Before clicking any links, hover
your mouse cursor over the hyperlink and
its destination will usually appear either as
a pop-up or on the status bar.

Urgent Requests

The tone of the email or chat is excessively

urgent or threatening. Phishers often
use such scare tactics to make victims
act before they can think through their
actions properly. Alternatively, the email
or chat may promise a time-sensitive offer
that seems too good to be true. This is to
tempt victims into revealing their personal
information.

Although the above tell-tale signs are

U
DID YO
a good starting point, scammers are
continuously finding new ways to

KNOW?
avoid being detected. For instance,
some scammers can obtain supposedly
private personal data from previous
cyberattacks and craft scam messages
that include personal details to
appear more convincing. To avoid
being deceived, be cautious of any
unexpected emails and messages, even
if they mention details that you would
not expect a stranger to know.

Another common tactic used by

scammers is to take over an email or
chat account via a phishing attack,
then use the stolen account to send a
phishing link to all the account’s known
contacts. This second phishing attack
is more likely to succeed because the
link will appear to come from a trusted
sender. If you ever lose control of an
email or chat account to a scammer,
consider warning your contacts through
other means to block your lost account.

459
 U
DID YO
KNOW? Reported Scam Cases

The scam situation has been on an ev-

er-increasing trend. From 2019 to 2023,
more than 139,000 scam cases were re-
ported in Singapore, with a combined
loss of more than $2.3 billion*.

The top 5 scam types in 2023 were:

• Job Scams (21.3%)

• E-commerce Scams (21.0%)
• Fake Friend Call Scams (14.7%)
• Phishing Scams (12.8%)
• Investment Scams (8.7%)

Contrary to popular belief, majority of Scam Victim Age Profile (2023)

the scam victims were youths, young
adults and adults aged below 50, rather
than the elderly.

What can we do?

We can ACT against scams by performing

three simple steps:

1. Add
2. Check
3. Tell

*Statistics are extracted from the Annual Scams and

Cybercrime Brief 2023 by the Singapore Police Force.

ADD CHECK TELL

• ADD refers to adding • CHECK refers to check- • Tell refers to telling
hardware, software ing with trusted others, authorities and our
and security settings looking out for scam community about
signs and reconsidering scam encounters
decisions. promptly
• For example, adding
ScamShield, privacy • For example, slow • For example, telling
settings, 2FA, strong down to think before your peers and
passwords, and more. responding to request family about scam
for money or personal encounters.
information and check
with trusted others or
official sources

ScamShield is an anti-scam product

developed by the National Crime Download the ScamShield app
Prevention Council and Open on your mobile devices
Government products

460
11.3.5.4 Update Soft are egularly

Malware programs such as adware and spyware can install themselves without the user’s knowledge by
exploiting bugs or unintended behaviour in otherwise legitimate programs that are already running on the
computer. For instance, a flawed web browser may have a bug that allows malware to be installed by just
visiting a website.

To avoid such situations, it is important to update software regularly so that bugs that were discovered
since the last update can be fixed. This is especially important for software that is used to interact with the
Internet, as data from untrusted online sources is more likely to be malicious and can be designed to take
advantage of known bugs.

11.3.5.5 anage Coo ies

Although cookies are not generally malicious, they can be used to keep track of user movements from
one website to another. For users who want to keep their movements on the Internet private, most web
browsers have settings that allow users to manually delete cookies or prevent cookies from being created
by untrusted websites. These settings can also be configured to disable cookies or allow only selected
websites to use cookies.

11.3.5.6 a e egular ac ups

A backup is a copy of data that is made so it can be recovered if the original is lost. By making regular backups
of important files and information, it is possible to limit the damage to data integrity and availability caused
by data corruption or human actions. For instance, if multiple users accidentally overwrite each other’s
work when working on the same file, having a recent backup of the file will allow the overwritten data to be
restored. Ideally, backup copies should also be stored on a separate device from the original (e.g., backing
up local files on an online server), so if the original is lost due to device failure, the backup copy will not be
affected.

461
 QUICK .3
C K 11
CHE
1. In each of the following scenarios, identify the defence against the security and privacy threats that is being
depicted:

a) A password needs to be entered each time to read a confidential document. Without entering the password,
the document appears as meaningless data.

b) A user has a monthly reminder to change their passwords and update the software installed on their
computer.

c) A website is fined for using the personal data of its users for tracking their movements on other sites without
informing the users beforehand.

d) An adware program is blocked from running.

e) A spyware program successfully runs but is not able to send its recorded data to the attacker’s server on the
Internet.

2. A user discovers malware running on a computer even though there is an anti-malware program that is also
running on the same computer. Suggest some reasons to explain how this is possible.

3. A website asks for the user’s consent to share their email address, with a notice that the purpose for collecting
the user’s email address will be provided afterwards. Explain whether the website complies with the PDPA.

4. You receive an unexpected email that advertises a free program from a website you have not heard of before.
The advertisement has links to download the program or to learn more about the product. The program seems
useful, but you do not have any anti-malware protection and want to be sure that the program is not malware.
What should you do?

A Click on the link to download and run the program to try it out.
B Click on the link to learn more about the product.
C Close the email and search trusted sites for more information.
D Reply to the email and ask for more information.

5. State whether each of the following is a measure that can be taken to avoid receiving phishing emails:

a) Set up an email filter to block out unwanted emails.

b) Use the same email address for schoolwork and online games.

c) Configure social networking accounts to keep email address information private.

d) Open email attachments as soon as possible.

462
 11.4 Analysis

LEARNING OUTCOMES
4.3.13 Analyse the effects of anti-malware programs, firewalls, encryption and the PDPA against
the threats posed by adware, spyware, cookies, phishing, pharming and human actions.

Not all defences are equally effective against the different threats to security and privacy that we have
discussed. Table 11.4 summarises the effectiveness of anti-malware programs, firewalls, encryption and
the PDPA against the threats posed by adware, spyware, cookies, phishing, pharming and human actions.

Anti-Malware Firewalls Encryption PDPA

Adware Highly Effective: Somewhat Not Effective: Not Effective:

Effective:
Anti-malware Encryption does Adware is illegal
can detect and Firewalls can not typically and likely to
remove adware prevent some prevent adware ignore legal
adware from from functioning protections such
downloading as the PDPA
advertisements

Spyware Highly Effective: Somewhat Somewhat Not Effective:

Effective: Effective:
Anti-malware Spyware is
can detect and Firewalls can Encryption can illegal and likely
remove spyware prevent some prevent some to ignore legal
spyware from collected data protections such
sending out from being as the PDPA
collected data exploited

Cookies Not Effective: Somewhat Not Effective: Highly Effective:

Effective:
Anti-malware Encryption does PDPA restricts
do not typically Some firewalls not typically how cookies can
block or clear can block cookies prevent cookies be used to collect
cookies from tracking personal data
users

Phishing Somewhat Somewhat Not Effective: Not Effective:

Effective: Effective:
Encryption does Phishing is
Some anti- Firewalls may not help if users malicious and
malware may block access to a give data willingly likely to ignore
block access to a blacklist of known to a phishing site legal protections
blacklist of known phishing sites. such as the PDPA
phishing sites.

463
 Anti-Malware Firewalls Encryption PDPA

Pharming Somewhat Somewhat Not Effective: Not Effective:

Effective: Effective:
Encryption does Pharming is
Anti-malware can Firewalls may not help if users malicious and
stop some forms block access to give data willingly likely to ignore
of pharming that a blacklist of to a spoofed site legal protections
use malware known “fake” IP such as the PDPA
addresses.

Human Highly Effective: Highly Effective: Highly Effective: Highly Effective:

Actions
Anti-malware Firewalls can Encryption PDPA restricts
can prevent prevent malicious prevents data the collection of
installation network from being personal data
of malware intrusions by exploited if it and punishes
as a result of attackers is accidentally violations
carelessness exposed

Table 11.4 Analysis of security and privacy defences against threats

QUICK 1. 4
K 1
C HEC
1. A hardware firewall is installed at the gateway (e.g., the modem) between a home network and the Internet.
Which of the following definitely cannot be prevented by this firewall?

A A home user visiting a well-known phishing site on the Internet.

B An Internet server sending advertisements to a home user.
C Malware running on a home computer copying itself to another home computer.
D Malware running on a home computer sending recorded keypresses to an Internet server.

2. Which of the following scenarios involving unauthorized access cannot be effectively prevented by encryption
alone?

A Data being copied from a stolen hard drive

B Data being intercepted during transmission over the Internet
C Data being sent to an unintended recipient by accident
D Data being viewed by an intruder directly from an authorised user’s screen

3. Human actions can cause data corruption or the exposure of private data. In each of the following scenarios,
identify which defence against security and privacy threats would be most effective against the threat being
depicted:

a) A company collects email addresses for the purpose of advertising their products, but later decides to share
the email addresses with another company without prior notice.

b) A malware program corrupts files and causes them to be unreadable.

c) A user misplaces a memory card containing private data.

d) An intruder connects to a vulnerable computer over the Internet.

464
 W
REVIE N
S TI O
QUE
1. Attackers may use spyware to monitor what you do on your computer. Which one of the following is not likely
to be a sign that your computer is affected by spyware?

A The light next to your computer’s camera cannot be turned off.

B Your computer’s network is disabled and there is no Internet access.
C Your computer seems to function more slowly than usual when it is online.
D Your web browser automatically visits an unfamiliar website at regular intervals.

2. A movie company uses the mobile phone numbers and email addresses of its customers to send electronic
tickets and to promote upcoming movies. As a result of unauthorised access, an attacker manages to access the
company’s collection of mobile phone numbers and email addresses and releases this data to the public.

Suggest how such an incident may negatively affect the company and its customers.

3. Siti receives an email message from a stranger claiming that she has won a cash prize from a lucky draw.
The stranger wants to know her bank account details to transfer the prize money to her. Suggest briefly what
Siti should do.

4. Recently, the customers of a bank received an email with “Transaction Advice” as the subject. The email
contained a hyperlink to a fake website which looked like the bank’s real website. Some customers did not pay
attention to the address of the hyperlink and tried to log in as usual. As a result, their personal information was
stolen.

a) Explain the difference between phishing and pharming.

b) State whether phishing or pharming occurred in this case.

c) Describe two ways in which the bank customers could have avoided getting their personal data stolen.

5. For each of the following threats, identify and explain whether unauthorised access is likely to occur. For each
threat where unauthorised access is likely to occur, suggest one preventive measure that can be taken.

a) Cookies

b) Spyware

465
 ANSWER

Pg. 447-Quick Check 11.1

1. a) Availability
b) Confidentiality
c) Integrity

2. a) The service protects the confidentiality and integrity of the stored photos as only the authorised user can
access or modify them. The service also protects the availability of the stored photos by providing the user
with timely and uninterrupted (i.e., reliable) access to the photos online.
b) To use the service, the user must give up some confidentiality and control of their personal data (i.e., their
email address) as the user cannot control who the service shares their email address with.

Pg. 452-Quick Check 11.2

1. a) Cookies
b) Adware
c) Pharming
d) Phishing
e) Human Actions
f) Spyware

Pg. 462-Quick Check 11.3

1. a) Encryption
b) Good computing practices
c) PDPA
d) Anti-malware
e) Firewalls

2. Some possible answers:

• The anti-malware’s list of signatures is outdated.
• The anti-malware’s list of signatures is incomplete.
• The malware is very new and does not have a signature available for it.

3. The website may not comply with the PDPA as it requires organisations to disclose the purpose for collecting
data when seeking consent and not afterwards.

4. C

5. a) Yes
b) No
c) Yes
d) No

Pg. 464-Quick Check 11.4

1. C

2. D

3. a) PDPA
b) Anti-malware
c) Encryption
d) Firewalls

466
ANSWER

Pg. 465-Review Questions

1. B

2. Possible effects on the company (accept any possible answer):

• Heavy fines due to violation of PDPA
• Loss of reputation and customer trust
Possible effects on its customers (accept any possible answer):
• Threats or harassment from strangers
• Risk of impersonation where an intruder is able to use the revealed mobile number and
address to overcome authentication
• Inconvenience in changing mobile phone numbers and/or addresses

3. Siti should verify the authenticity of the source by checking that the sender is legitimate, and if necessary,
calling the organiser of the lucky draw and asking for proof of the lucky draw results. Even if the result is
legitimate, she should request to receive the cash prize in a manner that will not reveal her personal details to a
stranger. If there is any doubt, she should decline to reveal any personal details and ignore the message.

4. a) Phishing uses email hyperlinks that lead to a fake website with a different address from the real website,
while pharming uses website redirection to show a fake website that uses the same address as the real
website.
b) Phishing
c) Two possible ways (accept any of the following answers):
• The customers could have verified if the email hyperlink’s actual destination matched the real
address of the bank’s website before clicking on it.
• The customers could have contacted the bank directly to verify the identity of the sender and the
authenticity of the email.

5.
Part Threat Unauthorised access likely to Preventive measure
occur? Why?
a) Cookies No -

Cookies are files that store user

information each time a user
visits a website. They are not
malicious in nature and cannot
store information beyond what
is normally provided to a website
through a web browser.
b) Spyware Yes Install anti-malware programs and
download their updates regularly.
Spyware may result in
unauthorised access by sending
personal data and recorded
information to attackers.

467