Chapter 7: Adhering to Standards

Along with all the connected systems, devices, and interactivity, we also see an expansion of the amount of data. With this expansion comes the need to ensure the confidentiality, integrity, and availability of the data. In this chapter, we'll provide an overview of how security standards and laws exist to provide guidelines and best practices to prevent data loss. We'll review some of the guidelines provided by the Federal Information Processing Standards (FIPS) along with the Payment Card Industry Data Security Standard (PCI DSS).

In addition, we'll see that there are strict legislative requirements such as the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR). We'll also see how state guidelines such as the California Consumer Privacy Act (CCPA) necessitate due diligence and due care in securing data. Although most of us use encryption to protect our digital data, we'll discover how malicious actors have found novel ways to use encryption, which include concealing malware and ransomware. Finally, we'll cover how various laws are designed to provide a back-door policy so that government and law enforcement agencies have a method to decrypt digital data.

In this chapter, we're going to cover the following main topics:

  • Understanding FIPS and PCI DSS
  • Staying compliant
  • Leveraging encryption

Understanding FIPS and PCI DSS

Every day more and more information flows across our networks and the internet, over multiple platforms. Along with the volume of data exchanged, there is an increased concern about the security of the data.

In general, you might think that businesses and organizations will do what is necessary to secure our digital data; however, that is not always the case. Over the past decade, billions of high-profile data breaches have occurred, which makes it more evident that organizations need firm guidelines on the way they protect our data.

In this section, we'll take a look at how security laws and standards provide specific guidelines on how to prevent data from being compromised in some way.

Let's start with an overview of FIPS.

Outlining FIPS

When interacting online, users enter information when submitting applications, posting on social media, and purchasing goods and services. Businesses and organizations have a responsibility to secure data and protect information. When dealing with choices as to how to secure the data, there are many resources that provide good practice guidelines. One resource is FIPS. FIPS standards were developed at the National Institute of Standards and Technology (NIST). Please refer to the following link for more information on NIST: https://www.nist.gov/. NIST is a US government agency that provides information on a range of topics that include the following:

  • Advanced communications
  • Quantum science
  • Forensic science
  • Cybersecurity

NIST supports industry by providing research in science, standards, and technology. FIPS are in line with federal government requirements for handling digital data. One of the US government standards is the Federal Information Security Management Act (FISMA).

Although the guidelines are designed to provide a road map for US government agencies, the general public is welcome to reference the standards for their own information. Using the government standards can provide confidence in properly handling digital data.

The standards outline several areas that deal with encryption such as hashing, encryption algorithms, and standards when creating a digital signature. Let's review these concepts, starting with the Secure Hash Standard.

Secure Hash Standard (SHS)

A hash algorithm is a one-way function that takes a given input (of any size) and produces a fixed-length output. The output, whose size depends on the algorithm, is commonly referred to as a message digest or fingerprint. Message digests are used to ensure integrity, as any change to the document will change the digest value.

Important note

A message digest is called a fingerprint because, similar to a fingerprint used in biometrics, the message digest uniquely identifies the message.

Hash algorithms are used in a number of different cryptographic techniques, which include storing a password, verifying the integrity of a file you have downloaded, and blockchain technology.

The SHS outlines the various hash algorithms that are considered to be secure when creating a message digest, and are all in the Secure Hash Algorithm (SHA) family. The following hash algorithms are included: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256.

Important note

SHA-1 was one of the early versions of the Secure Hash Algorithm. However, it has been deprecated and is no longer recommended by NIST. For more information, visit https://csrc.nist.gov/projects/hash-functions/nist-policy-on-hash-functions.
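The following is an added example, not code from the book, of the integrity check this section describes: it computes SHS-family digests of a file, compares the result with a published value, and shows that a single changed byte produces a different fingerprint while SHA-1 is rejected in line with the NIST policy above. The file names and sample payload are constructed for the demonstration.

```python
"""Added example (not from the book): file integrity checks with the
Secure Hash Standard (SHS) family, as a defender would run them when
checking a downloaded file against a published digest."""
import hashlib
import hmac
import os
import tempfile

# Algorithms named in the chapter's SHS section. SHA-1 is deliberately
# absent because NIST has deprecated it for digital signature use.
SHS_APPROVED = frozenset(
    {"sha224", "sha256", "sha384", "sha512", "sha512_224", "sha512_256"}
)


def is_shs_approved(algorithm):
    """True only for the SHS algorithms listed in this chapter."""
    return algorithm.lower() in SHS_APPROVED


def digest_bytes(data, algorithm="sha256"):
    """Hex message digest of an in-memory byte string."""
    if not is_shs_approved(algorithm):
        raise ValueError(f"{algorithm} is not an SHS-approved algorithm")
    return hashlib.new(algorithm, data).hexdigest()


def digest_file(path, algorithm="sha256", chunk_size=1 << 16):
    """Hex message digest of a file of any size.

    The file is read in chunks so a multi-gigabyte download never has to
    fit in memory; the fixed-length output depends only on the algorithm.
    """
    if not is_shs_approved(algorithm):
        raise ValueError(f"{algorithm} is not an SHS-approved algorithm")
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file(path, expected_hex, algorithm="sha256"):
    """Compare a file's digest with a published one.

    hmac.compare_digest keeps the comparison time independent of where
    the first differing character is, so a mismatch leaks nothing.
    """
    actual = digest_file(path, algorithm)
    return hmac.compare_digest(actual.lower(), expected_hex.strip().lower())


def digest_length_bits(algorithm):
    """Fixed output length, in bits, of an SHS algorithm."""
    return hashlib.new(algorithm).digest_size * 8


def demo():
    """Write a constructed 'download', flip one byte in a copy, verify both."""
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "installer.bin")  # constructed name
        tampered = os.path.join(tmp, "installer-tampered.bin")
        data = b"constructed sample download payload " * 1000
        with open(original, "wb") as fh:
            fh.write(data)
        # Flip the lowest bit of a single byte in the middle of the copy.
        with open(tampered, "wb") as fh:
            fh.write(data[:500] + bytes([data[500] ^ 0x01]) + data[501:])
        published = digest_file(original)  # stands in for a vendor's value
        # Only report lengths for algorithms this Python build provides.
        usable = sorted(SHS_APPROVED & set(hashlib.algorithms_available))
        return {
            "original_ok": verify_file(original, published),
            "tampered_ok": verify_file(tampered, published),
            "bits": {a: digest_length_bits(a) for a in usable},
        }


if __name__ == "__main__":
    print(demo())
```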

Next, let's take a look at the Advanced Encryption Standard.

Advanced Encryption Standard (AES)

AES is the US government standard for encrypting and decrypting data. Also known as the Rijndael algorithm, AES is a symmetric encryption algorithm, in that it uses a single shared key (or secret key). AES is a block cipher that operates on 128-bit blocks using key lengths of 128, 192, or 256 bits.

Another standard that is defined by FIPS is the Digital Signature Standard, as outlined next.

Digital Signature Standard

A digital signature provides message authentication for digital documents. To provide a consistent secure method of creating a digital signature, the Digital Signature Standard (DSS) became a FIPS government standard in 1994. The standard defines the parameters for proper construction of a digital signature, which include the following:

  • The Digital Signature Algorithm (DSA), which specifies how to generate a key pair
  • An approved hash algorithm (such as SHA-512) used to create the message digest

The signature can be used on objects such as documents and digital transactions to provide assurance that the object originated from the claimed signatory. In addition, it provides assurance that there were no modifications of the data during transmission.

FIPS has other standards listed, designed to provide guidelines and best practices to prevent data loss. Another set of guidelines is PCI DSS. Let's take a look at this in the next section.

Outlining PCI DSS

One standard that outlines exact requirements for safely handling data is PCI DSS. This specifies the controls that must be in place to securely handle credit card data. Controls include methods to minimize vulnerabilities, employ strong access control, and consistently test and monitor the infrastructure.

Unlike laws that are created by a government, PCI DSS is a standard that was created by a group of major credit card companies in 2006. Some of the card companies involved in this process included MasterCard, Visa, American Express, and Discover. At that time, the card companies felt it was paramount to define guidelines that listed best practice methods to have more control over cardholder data.

PCI DSS documentation is found at https://www.pcisecuritystandards.org/pci_security/. Within the documentation, you will find a list of four main tenets and guidelines, which include the following:

  • Reasons why the standards exist
  • A definition of the standards
  • Methods to secure the data
  • Metrics to determine the security level of cardholder data

Let's review each of these, starting with outlining why the standards exist.

Learning why the standards exist

In the early 2000s, more and more businesses were going online. Along with this transition, businesses, organizations, and governments saw the value in accepting credit card payments from online shoppers. However, along with this growth, there came the need to secure digital transactions. PCI DSS was developed to help outline standards that minimize exposure and fraud for anyone that deals with credit cards.

Malicious actors attempt to obtain credit card information, such as the account number and the other elements necessary to impersonate the cardholder. In addition to digital transactions, credit card theft can occur in many places, which include customer databases, a Point of Sale (POS) terminal at a restaurant, or even records in a filing cabinet. The standards exist as a way of dealing with the threats to the security of cardholder data, whether online or at a brick-and-mortar store.

Next, let's take a look at what the standards outline.

Defining PCI DSS standards

The attack vectors and threats to credit card data can be vast. To address this, PCI DSS standards provide granular details on methods to secure data. Within the framework, there are six categories that describe what is required. The categories list a specific goal, and then define the requirement. To summarize, an organization must do the following in order to protect cardholder data:

  • Create and maintain a secure infrastructure by using dedicated appliances and software that monitor and prevent attacks.
  • Employ good practice strategies, such as changing passwords from the vendor default, and training users not to open suspicious emails.
  • Protect cardholder data using encryption, whether at rest or in motion across a network. In addition, employ proper management of the encryption keys.
  • Continuously monitor for vulnerabilities and utilize appropriate anti-malware protection that is continuously updated.
  • Provide strong access control methods by using the principle of least privilege, and routinely monitor and test networks.

In addition, the organization must create and maintain appropriate information security policies that define rules of proper behavior.

The goals cover all good practice requirements that any organization should follow.

Summarizing methods to secure the data

PCI DSS compliance relies on a continuous process of assess, remediate, and report. By using the prescribed controls, this ongoing process provides the greatest level of security. The elements in this process are further defined as follows:

  • Assess means taking inventory of all assets and locations where cardholder data can be found, such as a POS terminal, websites, and even paper records. Once that is complete, the next step is to identify all vulnerabilities.
  • Remediate means taking steps to mitigate or repair the vulnerabilities and enact secure business processes. In addition, merchants should avoid storing any cardholder data if possible.
  • Report means creating reports of the assessment process and any mitigation details, which are then disseminated to the bank and the proper card company.

A company must be vigilant and make efforts to secure the data. However, a company's best effort may not be enough. The only way to tell if they have achieved the goal of being PCI DSS compliant is by completing an assessment and then reporting the results. Let's see what's involved, next.

Measuring the security level

PCI DSS is not a law; therefore, there is no government oversight. However, it's imperative that anyone who deals with cardholder data complies with the guidelines. If a merchant fails to comply and is in violation of the requirements, they can face a substantial fine, and even lose the ability to handle credit card transactions.

The security level defines whether the merchant must complete a self-assessment or have an external auditor assess that the merchant is compliant. In addition, the level defines whether they must complete a Report on Compliance (RoC). Therefore, the first step is to identify how many transactions are done on a yearly basis. Once the yearly transaction count is determined, the merchant is then ranked.

The levels are as follows:

  • Level 4: A small merchant with under 20,000 transactions a year
  • Level 3: A merchant with 20,000 to 1 million transactions a year
  • Level 2: A merchant with 1 to 6 million transactions a year
  • Level 1: A large merchant with over 6 million transactions a year

The activity required at each level to prove compliance with the guidelines is as follows:

  • Level 1: Must have the assessment performed by an external auditor who is an approved Qualified Security Assessor (QSA)
  • Levels 2-4: Can either have an external auditor or submit a self-assessment that proves they are taking active steps to secure the infrastructure
  • Levels 1 or 2: Must complete an RoC

Important note

PCI DSS offers a self-validation assessment tool that steps through every aspect of the standard. You can find the link in the Further reading section.

As PCI DSS standards can be complex and overwhelming, vendors provide platforms that help ensure compliance, as outlined in this document by Cisco: https://www.cisco.com/c/en/us/solutions/enterprise-networks/pci-compliance/index.html.

Over the years, there have been numerous data breaches that have resulted in millions of records being compromised, along with exposure of Personally Identifiable Information (PII). As a result, various laws are in place that define controls that must be in place to ensure the security and privacy of personal data. Two such laws are GDPR and HIPAA, as outlined next.

Staying compliant

The number of individuals connecting to the internet is expanding at a rate of approximately 10 percent every year. Along with this expansion, we are also seeing more personal data being collected, curated, and stored for a variety of uses. Data is collected in many different ways, which include the following:

  • Vehicles and navigation apps
  • Online shopping and banking
  • Health care and wearables that monitor fitness level
  • Utility companies such as water, electricity, and gas
  • Devices on the Internet of Things

Called big data, this digital ocean has the potential to do remarkable things that can improve our lives. Many companies see the value in using this data for marketing campaigns, managing risk, improving the supply chain, and other applications. The data is fed into apps such as intelligent decision support systems, which apply artificial intelligence to provide predictive responses.

Because of all of the data being exchanged, governments have enacted laws designed to protect our privacy. In the US and the European Union (EU), there are several laws that deal with the protection of consumer data. In this section, we'll take a look at the key components of HIPAA, GDPR, and the CCPA, which outline specific rules on how to ensure the protection of personal data.

Let's start with a law that safeguards the privacy and security of patient information in the US.

Ensuring the privacy of patient data

In the 1990s, health care facilities began implementing computer technology to store patient data. At that time, someone could walk up to a unit clerk in the hospital and inquire about the status of their neighbor. There were no privacy laws, and the fact that medical records were being computerized made it easy for someone to retrieve the information and share it with anyone.

Concurrently, computerization and networks began to expand, and along with it came concerns about data privacy. This prompted legislative action to protect patient data. In 1996, the US government enacted a federal law to protect the privacy and security of patient data. Called the Health Insurance Portability and Accountability Act (HIPAA), the law provides rigorous requirements for anyone dealing with patient information.

Computerized electronic patient records are referred to as electronic protected health information (e-PHI). With HIPAA, the e-PHI of any patient must be protected from exposure, or the organization can face a hefty fine.

While many refer to HIPAA as the privacy rule, there are actually two components: the privacy rule and the security rule. The privacy rule outlines specifications for assuring the privacy of patient data. The security rule defines methods to put into operation the privacy rule requirements. This is achieved by specifying the technical and non-technical methods to monitor and prevent attacks and protect the infrastructure.

HIPAA outlines the following guidelines that organizations must follow:

  • Any and all e-PHI that is generated, obtained, stored, or exchanged must be kept confidential.
  • Any and all e-PHI must be kept in an unaltered form, and available to anyone that has the right and privilege to access the data.
  • Proactively monitor for threats, mitigate vulnerabilities, and maintain a secure infrastructure by using methods that monitor and prevent attacks.
  • Prevent exposure of e-PHI by using technical and non-technical methods that include physical, technical, and administrative safeguards.
  • Educate all personnel in the workforce and ensure that everyone involved in handling patient data, from onsite employees to outsourced contract workers, respects the confidentiality of patient data.

It's in everyone's interest for an organization to exercise due diligence and due care in ensuring the privacy of patient data. Violations of privacy affect both the medical provider and the patient. A medical provider can receive a fine from $100 to $50,000 per violation and will most likely suffer from a loss of goodwill. An affected patient could suffer consequences of identity theft, which could have lasting implications.

In addition to HIPAA, there are other laws that govern the treatment of consumer data. Let's investigate GDPR, next.

Giving consumers control of their data

In 2018, the EU enacted the General Data Protection Regulation, which outlines specific requirements on how consumer data is protected. The law affects anyone who does business with residents of the EU and the UK. This comprehensive law focuses on the privacy of consumer data, and more importantly, gives consumers the ability to control how their data is handled.

Some of the components of this law include the following:

  • Requiring consent: If a company wants to gather information on your searching and buying patterns, it must obtain your permission to acquire and use your information.
  • Sharing information: In addition to obtaining permission to acquire your information, a company must obtain your permission to share your information. For example, if a company obtains your email address, and they want to share it with a sister company, they must first obtain your permission.
  • Rescinding consent: Just as the consumer can give consent for a company to use their information, they can opt out at any time. Known as the right to be forgotten rule, this puts control back in the hands of the consumer.
  • Global reach: The GDPR affects anyone who does business with residents of the EU and Britain. The statute directly relates to e-commerce, as websites do not have a physical boundary. If you do business with anyone in the EU or the UK, this rule will prevail.
  • Restricted data collection: Organizations should collect only the minimal amount of data that is needed to interact with the site.
  • Violation reporting: If the company's consumer database is compromised, they must report the breach within 72 hours.

While you are surfing the internet, checking news feeds, and shopping online, websites can collect data about you. This is done using cookies while interacting with a website and is one example of how GDPR impacts the consumer, as discussed next.

Harvesting data

Hypertext Transfer Protocol (HTTP) is a stateless protocol that doesn't retain any information about a transaction. In order to retain information about your visit, and make a website more interactive and personalized, websites can use cookies, which are small text files. Within the cookies, there can be information on your browsing habits, items you put in your shopping cart, and possibly PII.

As a result, when you go to a website, you will see a banner with a statement on the use of cookies as shown here:

We use cookies on our site so that we can provide an optimal experience for you, as we provide custom content and advertising. To learn more, visit our Privacy Policy.

Because cookies can harvest information and be shared with other parties, this falls under the GDPR guidelines. Specifically, a company can use consumer data, as long as they have obtained permission.

If a company violates consumer privacy, they can be fined. Knowing this, most companies strive to adhere to the regulations as outlined by the GDPR.

Many countries implement laws that deal with the privacy of an individual. In addition, in the US, there are several states that have enacted their own privacy policy. One state is California, as we'll see next.

Enforcing protection in California

California has long been a leader in technology and laws that deal with the privacy of consumer information. The California Consumer Privacy Act was enacted in 2018 and outlines specific guidelines on how to appropriately handle consumer data.

Companies can store basic data, such as names, email and home addresses, phone numbers, and birthdays. However, depending on the application, the consumer data can also include credit card information, social security numbers, and even Global Positioning System (GPS) coordinates.

In addition to companies sharing and selling consumer data, there is also the threat of a data breach, which can expose the PII of millions of consumers. The CCPA is similar to GDPR; the law lists specific regulations that affect anyone who does business with California residents.

The requirements of the CCPA include the following:

  • Transparency in what data is being stored
  • The right for consumers to easily opt out and be wiped from the company's database
  • The ability to request that their data not be shared or sold to third parties
  • If there is a data breach, the company can be fined $100 to $750 per consumer

Many have grown weary of the vast amounts of exposed data, so laws such as the CCPA are a welcome relief. While these are a few examples of laws that protect consumer data, experts predict that more laws will require more measures aiming to protect the network, data, and consumer privacy.

As outlined, there are many ways we can use encryption. Most of the time it is used to protect our data from unauthorized access. However, malicious actors have found ways to leverage encryption for their own purposes. Let's investigate these concepts in the next section.

Leveraging encrypted data

The cryptographic algorithms and protocols developed over the years were primarily focused on securing data. However, like a two-edged sword, encryption can be used for malicious reasons.

In this section, we'll review how we use cryptographic techniques to help secure and protect our data. We'll then examine ways cybercriminals use encryption, such as concealing malware or holding our data hostage. In addition, we'll discuss how government and law enforcement agencies seek to decode encrypted data on phones or computers during an investigation.

Let's start with reviewing ways that cryptographic techniques help secure our data.

Securing our data

Today, there are many things that threaten the security of our data. As a result, we remain vigilant in protecting our networks and data from attacks or unauthorized access. On any network, there are several goals or services we strive to provide, such as confidentiality, integrity, authentication, and non-repudiation.

Some of the security services we use help ensure the data is not modified, lost, or accessed in an unauthorized manner. Cryptography helps protect our passwords, wireless transmissions, email, and e-commerce transactions.

However, malicious actors are finding ways to use encryption that can threaten the security and integrity of our systems. Next, let's take a look at how criminals use encryption to slip malware onto a network undetected.

Concealing malware

Imagine, when monitoring your network using Wireshark, a packet analysis tool, you might see traffic as shown in the following screenshot:

Figure 7.1 – TOR activity on a network


The traffic appears innocent, as we can see Transmission Control Protocol (TCP) traffic along with Transport Layer Security (TLS) traffic. TLS is used when communicating with a website using HTTPS. However, upon further investigation, we see that a malicious actor is using The Onion Router (TOR) to communicate. TOR is an internet-based system that encrypts traffic.

Because TOR uses encryption, this masks the fact that, in this case, the malicious actor is delivering malware designed to infect systems with cryptojacking malware. Cryptojacking is malicious cryptomining, which uses the victim's resources to mine cryptocurrency.

When using an encrypted communication channel (such as TOR) the malicious actor can do the following:

  • Deliver malware undetected and infect a system.
  • Set up communication with a command and control (C&C) server.
  • Mine the victim's machine and send results back to the server.

All of this is done in plain sight: because the traffic is encrypted, antimalware protection cannot analyze its contents, and the activity goes undetected.

Important note

We'll learn more about TLS in Chapter 9, Exploring IPsec and TLS.

Using encryption to conceal malware continues to be a threat. In 2021, over 25% of malware communicated using TLS, and the numbers continue to rise.

In addition to using encryption to deliver malware, malicious actors use encryption to lock out users and hold a system hostage.

Holding files ransom

Ransomware is a form of malware that holds data hostage until a payment or ransom is paid. Unlike a worm, which can move throughout a system without a transport agent, ransomware gets onto a system by getting a victim to perform some action. The action can be clicking on a link, opening a file, or going to a website.

Encrypting ransomware works in the following manner:

  1. The malicious actor will use a carefully written phishing or spear-phishing email to get past the spam filters.
  2. The email gets into a user's inbox with the hope that the user will open the email and perform some action, such as opening an infected Adobe PDF or Microsoft Excel file.
  3. Once the ransomware is released, it can complete any number of different actions, such as spawning child processes, encrypting files, deleting shadow copies, blocking access to your system, and stopping applications from running.
  4. The ransomware immediately attempts to communicate with the C&C server to receive further instructions.
  5. Soon afterward, the C&C server will display a message demanding a ransom; if the victim does not pay, the malicious actor threatens to destroy the decryption key. In addition, they can unleash malware designed to delete all the files on the system.

The victim may pay the ransom; however, there is no guarantee that the malicious actor will release the files. Therefore, it's best to take steps to avoid a ransomware attack.

While not acting in a malicious manner, another issue related to encryption is forcing individuals to expose their private information. Let's discuss this next.

Exposing private information

Over the years, it has become more important to protect our digital transmissions from prying eyes. A couple of examples where data transmissions could be intercepted include the following:

  • Phone conversations: Almost all voice traffic is digitized and transmitted over the internet using Voice over Internet Protocol (VoIP). This makes it very easy for anyone to eavesdrop on unencrypted traffic to hear a phone conversation.
  • Email: Email is critical to business and is also used by a large majority of those who are online. Similar to VoIP, anyone can read unencrypted email messages.

In the US, cryptography is legal. Therefore, to secure our digital data, we use encryption. However, a government official or law enforcement agency might want to view the contents of your email or listen to your phone call. As a result, there might be a law or statute that allows the government to decrypt your data. Let's explore this concept, next.

Gaining access to encrypted data

If law enforcement or government officials need to gain access to encrypted data, there may be a legitimate reason. For example, they might request access to internet traffic so they can monitor for unlawful activity, such as child exploitation or human trafficking. However, for a law enforcement official to listen in on conversations, they would need to obtain a warrant, so they could monitor for possible illegal activity.

Over the years, various bills were submitted to Congress to allow backdoor access to someone's encrypted conversations or email during an investigation. In addition, there have been several accounts of government or law enforcement agencies attempting to force a user to provide a key to decrypt data. Some of the bills and government activity aimed at being able to view encrypted data include the following:

  • In 1993, the US government proposed the use of a Clipper Chip, which enabled law enforcement to decode encrypted voice traffic.
  • In 1994, US Congress passed the Communications Assistance for Law Enforcement Act (CALEA), which provided the ability to wiretap phone systems.
  • In 2018, FBI Director James Comey tried to force Apple's hand to decrypt data held on an iPhone.

We use encryption for a number of different reasons. One is that we want to ensure the confidentiality of our data and keep private data private. However, if someone has a way to provide back door access to view our data, it's not possible to provide any security at all.

Summary

In this chapter, we covered how various laws and standards provide specific guidelines and best practices to prevent data from being compromised in some way. We reviewed key components of FIPS and PCI DSS, outlined why the standards exist, and how they are used to ensure the protection of data. We then reviewed how, in the US and the EU, there are several laws that deal with the protection of consumer data.

We discussed how key components of HIPAA, GDPR, and the CCPA outline specific rules on how to ensure the protection of personal data. Finally, we covered different ways we can leverage the use of encryption. We know that we use encryption to secure our data and prevent unauthorized access. However, we learned how malicious actors use encryption in a malicious way, to conceal malware in a stream of encrypted data, or encrypt and lock files until a ransom is paid.

In the next chapter, we'll outline some common attacks on encrypted data along with some advanced attacks that can threaten the effectiveness of cryptographic techniques. We'll then learn how the public key infrastructure can also be a target and suffer from attacks such as a TLS strip, along with other exploits. Finally, we'll review the fact that our current encryption algorithms have protected our data for decades. However, we'll see how quantum computing may be able to decrypt data with ease and render current encryption algorithms obsolete.

Questions

Now it's time to check your knowledge. Select the best response, then check your answers with those found in the Assessment section at the end of the book:

  1. The _____ outlines the various hash algorithms that are considered to be secure to use when creating a message digest, all of which are in the Secure Hash Algorithm (SHA) family.

    a. AES

    b. SHS

    c. PCI DSS

    d. SSL

  2. _____ specifies the controls that must be in place to securely handle credit card data.

    a. AES

    b. SHS

    c. PCI DSS

    d. SSL

  3. _____ is a law that outlines rigorous requirements for anyone dealing with patient information.

    a. e-PHI

    b. PCI DSS

    c. GDPR

    d. HIPAA

  4. In 2018, the EU enacted the _____, which outlines specific requirements on how consumer data is protected.

    a. e-PHI

    b. PCI DSS

    c. GDPR

    d. HIPAA

  5. _____ is a form of malware that holds data hostage until a payment or ransom is paid.

    a. Ransomware

    b. Clipper Chip

    c. PGP

    d. e-PHI

  6. Almost all voice traffic is digitized and transmitted over the internet using _____, which makes it very easy for anyone to eavesdrop on unencrypted traffic to hear phone conversations.

    a. Clipper Chip

    b. VoIP

    c. PGP

    d. SHS

  7. In 1994, the US Congress passed the _____, which provided the ability to wiretap phone systems.

    a. CALEA

    b. SHS

    c. GDPR

    d. HIPAA

Further reading

Please refer to the following links for more information:
