Know and understand privacy and confidentiality of data transfer

ICT 0417 – Networks: Privacy and Confidentiality of Data Transfer

Objective

Understand the concepts of privacy and confidentiality when data is transferred over a network, and be able to describe the related hardware, software, security measures, legal/ethical issues and the expectations of IGCSE/AS‑Level exam questions.

1. Network Hardware – The Building Blocks

| Device | Primary Function | Typical Use | Key Security Considerations |
| --- | --- | --- | --- |
| Router | Routes traffic between different networks (e.g., LAN ↔ WAN) | Connecting a home/office network to the Internet | Change default admin passwords; keep firmware up‑to‑date; enable firewall/NAT; disable remote‑admin ports. |
| Switch | Connects multiple devices within the same LAN and forwards frames based on MAC addresses | Office floor or data‑centre networking | Use managed switches for VLAN segmentation; disable unused ports; enable port‑security. |
| Hub | Repeats incoming signals to all ports (no filtering) | Legacy small networks (rare today) | Creates a single broadcast domain, so traffic is easy to sniff; replace with switches wherever possible. |
| Bridge | Connects two LAN segments and filters traffic by MAC address | Extending a LAN without a router | Can be used to create separate security zones; keep firmware current. |
| Network Interface Card (NIC) | Provides a device with a physical or wireless connection to a network | Every computer, printer, server, etc. | Enable MAC‑address filtering where appropriate; keep drivers updated; consider disabling unused interfaces. |

2. Types of Networks – Where Data Travels

| Network Type | Typical Scope | Common Topology | Security Implications |
| --- | --- | --- | --- |
| LAN (Local Area Network) | Single building or campus | Star or extended star | Physical security important; use VLANs & internal firewalls. |
| WLAN (Wireless LAN) | LAN using Wi‑Fi | Star (access points) | Encrypt with WPA2/WPA3; hide SSID only where policy allows; use MAC filtering. |
| WAN (Wide Area Network) | Geographically dispersed sites | Mesh or point‑to‑point links | Use VPN or MPLS for confidentiality; monitor for rogue connections. |
| Intranet | Private network inside an organisation | Usually LAN/WAN combination | Strong authentication & role‑based access control (RBAC). |
| Extranet | Controlled access for partners or customers | Secure VPN or DMZ | Strict user authentication, logging and monitoring. |
| Internet | Global public network | Complex mesh of many ISPs | All data must be encrypted (TLS/SSL, VPN, IPsec); rely on public‑key infrastructure. |

3. Wireless Technologies – Wi‑Fi and Bluetooth

  • Wi‑Fi (IEEE 802.11)

    • Frequency bands: 2.4 GHz (b/g/n) and 5 GHz (a/ac/ax)
    • Security protocols: WEP (obsolete) → WPA → WPA2 → WPA3
    • Best practice: use WPA2‑Personal or WPA3, strong pre‑shared key (≥12 characters), disable WPS, keep AP firmware up‑to‑date.

  • Bluetooth (IEEE 802.15.1)

    • Short‑range: ≤10 m (Classic) or ≤100 m (BLE)
    • Pairing methods: PIN, Just Works, Numeric Comparison, Passkey Entry
    • Security: enable authentication & encryption; avoid “Just Works” for sensitive data; keep device firmware current.

4. Cloud Computing – Service Models & Security

  • Service models

    • IaaS – Infrastructure as a Service (e.g., Amazon EC2)
    • PaaS – Platform as a Service (e.g., Google App Engine)
    • SaaS – Software as a Service (e.g., Microsoft 365)

  • Security considerations

    • Shared‑responsibility model – provider secures the infrastructure; user secures data, access, and applications.
    • Encrypt data at rest (AES‑256) and in transit (TLS 1.2/1.3).
    • Strong identity management: SSO, MFA, regular permission reviews.
    • Check provider compliance with GDPR, ISO 27001, etc.

5. Privacy and Confidentiality of Data Transfer

  • Privacy – the right of individuals to control who can view their personal information.
  • Confidentiality – assurance that data is readable only by authorised recipients.
  • Both are achieved through a blend of technical controls (encryption, authentication, secure protocols) and organisational policies (access control, data classification, staff training).

6. Threat Landscape – Risks to Data Transfer

  • Eavesdropping / Sniffing – capturing unencrypted packets (e.g., with Wireshark).
  • Man‑in‑the‑Middle (MitM) – attacker intercepts and may alter communication.
  • Phishing, Smishing & Vishing – deceptive messages (email, SMS, voice) to obtain credentials.
  • Pharming – DNS or hosts‑file manipulation to redirect users to fake sites.
  • Card fraud & Identity theft – interception of payment or personal data.
  • Malware (viruses, ransomware, spyware, adware) – can exfiltrate, encrypt or monitor data.
  • Hacking / Brute‑force attacks – unauthorised access to devices or accounts.
  • Data breaches – unauthorised access to stored data, often caused by weak passwords, lack of encryption or mis‑configured permissions.
  • Insecure electronic conferencing – unprotected video/voice streams that can be intercepted.
  • Password interception – key‑logging, shoulder‑surfing or insecure transmission of passwords.
  • Anti‑spyware gaps – failure to detect or remove spyware that silently captures keystrokes and screenshots.

7. Measures to Protect Data Transfer

7.1 Encryption – How It Works

| Encryption Type | Key Management | Typical Key Length | Common Uses | Strengths / Limitations |
| --- | --- | --- | --- | --- |
| Symmetric (e.g., AES) | Same secret key for encrypting and decrypting | 128, 192, 256 bits | File encryption, VPN tunnels, bulk data transfer | Very fast; key‑distribution problem solved by using asymmetric encryption for the key exchange. |
| Asymmetric (Public‑Key, e.g., RSA, ECC) | Public key encrypts; private key decrypts | 1024–4096 bits (RSA) / 256–521 bits (ECC) | Secure key exchange, digital signatures, email encryption (PGP) | Provides authentication; slower, so normally used only for small data or key exchange. |
| Hash Functions (e.g., SHA‑256) | One‑way; no key required | 256‑bit output | Password storage, integrity verification, digital signatures | Cannot be reversed; must be combined with a salt for password hashing. |

7.2 Secure Communication Protocols

  • HTTPS – HTTP over TLS/SSL (web browsing)
  • FTPS / SFTP – Secure file transfer (TLS or SSH)
  • SSH – Secure remote command line / file copy
  • VPN (IPsec, SSL‑VPN) – Encrypted tunnel over public networks
  • TLS 1.2/1.3 – Underpins most secure protocols; always use the latest version.
  • S/MIME / PGP – End‑to‑end email encryption.
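As an added example (not part of the original revision notes), the "always use the latest version" advice for TLS written as a Python client configuration: a hardened context beside a deliberately weak one, plus a small audit function so the settings can be compared without a network. The function names are illustrative; only `connect` needs Internet access.

```python
import socket
import ssl

# Added example: client-side TLS settings that an exam answer should mention
# (minimum protocol version, certificate verification, hostname check).


def hardened_client_context() -> ssl.SSLContext:
    """Return a client context that only negotiates TLS 1.2 or TLS 1.3."""
    ctx = ssl.create_default_context()            # CA bundle, CERT_REQUIRED, hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3, TLS 1.0 and TLS 1.1
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """Deliberately weak context for comparison: certificate is never verified,
    so a man-in-the-middle presenting any certificate would be accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Summarise the settings that decide whether a connection is trustworthy."""
    return {
        "min_version": ctx.minimum_version.name,
        "verifies_certificate": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
    }


def connect(host: str, port: int = 443) -> str:
    """Open a verified connection with the hardened context and report the
    protocol version actually negotiated (e.g. 'TLSv1.3'). Needs network access."""
    with socket.create_connection((host, port), timeout=5) as sock:
        with hardened_client_context().wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()
```

Running `audit_context` over both contexts shows the difference a student should be able to describe: the weak one may still encrypt, but it cannot tell a genuine server from an impostor.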

7.3 Authentication, Password Security & Interception Countermeasures

  • Strong passwords: minimum 12 characters, mix of upper/lower case, numbers, symbols.
  • Use passphrases or password‑manager generated passwords.
  • Enable Two‑Factor Authentication (2FA) or Multi‑Factor Authentication (MFA) wherever possible.
  • Account lockout after a set number of failed attempts.
  • Transmit passwords only over encrypted channels (HTTPS, SSH, VPN).
  • Deploy anti‑key‑logging tools and educate users about shoulder‑surfing.
  • Regularly review and rotate privileged credentials.
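The salted one‑way hashing from 7.1 and the password policy and account lockout from 7.3 combined into one added Python example (not code from the original notes). `check_policy`, `Account`, the lockout threshold of 5 and the iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import re

ITERATIONS = 200_000   # assumed; slows brute-force guessing of a stolen hash
MAX_FAILURES = 5       # assumed lockout threshold from the 7.3 bullet

# Policy rules from 7.3: at least 12 characters, upper/lower case, digit, symbol.
RULES = [
    (r".{12,}", "shorter than 12 characters"),
    (r"[a-z]", "no lower-case letter"),
    (r"[A-Z]", "no upper-case letter"),
    (r"[0-9]", "no digit"),
    (r"[^A-Za-z0-9]", "no symbol"),
]


def check_policy(password: str) -> list:
    """Return the rules the password breaks (empty list means it passes)."""
    return [msg for pattern, msg in RULES if not re.search(pattern, password, re.S)]


def hash_password(password: str) -> tuple:
    """Return (salt, hash). A fresh random salt makes identical passwords hash
    differently, so one precomputed table cannot crack a whole leaked database."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Re-hash with the stored salt; the hash is never reversed, only recomputed."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)   # constant-time comparison


class Account:
    """Minimal account that locks after MAX_FAILURES wrong passwords in a row."""

    def __init__(self, password: str):
        self.salt, self.hash = hash_password(password)
        self.failures = 0

    def login(self, password: str) -> str:
        if self.failures >= MAX_FAILURES:
            return "locked"                     # even the right password is refused
        if verify_password(password, self.salt, self.hash):
            self.failures = 0
            return "ok"
        self.failures += 1
        return "locked" if self.failures >= MAX_FAILURES else "denied"
```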

7.4 Network‑Level Defences

  • Firewalls – filter inbound/outbound traffic based on rule‑sets.
  • Intrusion Detection/Prevention Systems (IDS/IPS) – monitor for suspicious patterns.
  • Anti‑malware & anti‑spyware solutions – real‑time scanning, heuristic analysis, regular definition updates.
  • Secure configuration of routers/switches (disable unused services, change default credentials, apply least‑privilege).
  • Segmentation (VLANs, DMZs) to limit lateral movement.
  • Network Access Control (NAC) – ensure only authorised devices can connect.

7.5 Secure Electronic Conferencing

  • Choose platforms that provide end‑to‑end encryption (e.g., Zoom with AES‑256, Microsoft Teams, Cisco Webex).
  • Require meeting passwords and enable waiting rooms.
  • Restrict screen‑sharing to the host unless needed.
  • Store recordings on encrypted drives or compliant cloud services with access control.
  • Advise participants not to share meeting links publicly.

8. Legal and Ethical Frameworks

  • Data Protection Act (UK) & GDPR (EU) – eight principles: lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity & confidentiality, accountability.
  • Fines: up to €20 million or 4 % of global turnover (GDPR) plus reputational damage.
  • Copyright – unauthorised copying or distribution of protected material is illegal; fair dealing may apply for educational use.
  • Ethical handling: obtain informed consent, collect only necessary data, store securely, and dispose of data safely (shredding, secure erase).
  • Exam tip: when a question asks about “audience” or “copyright”, briefly note who may view the data (e.g., staff, customers, public) and the legal need to respect intellectual property.

9. Key Exam Verbs (AO1–AO3)

  • Explain – give a clear description with reasons.
  • Describe – provide details of how something works or is used.
  • Compare – highlight similarities and differences.
  • Evaluate – discuss advantages and disadvantages and make a justified judgement.
  • Analyse – break a situation into components and examine each.

10. Summary Checklist – Planning a Secure Transfer

  1. Identify the data type (personal, confidential, public).
  2. Classify the data and decide the required confidentiality level.
  3. Select an appropriate encryption method (symmetric for bulk, asymmetric for key exchange).
  4. Choose a secure protocol (HTTPS, SFTP, SSH, VPN) and verify TLS version.
  5. Implement strong authentication (strong passwords + 2FA/MFA) and RBAC.
  6. Apply network‑level controls (firewall rules, IDS/IPS, anti‑malware/anti‑spyware, VLANs).
  7. Mitigate password interception (encrypted channels, anti‑key‑logging, user awareness).
  8. Ensure compliance with legal/ethical policies (GDPR, Data Protection Act, copyright).
  9. Document the process, keep logs, and review after any incident.

11. Suggested Classroom Activities

  • Packet‑sniffing demo – Capture traffic on an unencrypted Wi‑Fi network with Wireshark, then repeat using HTTPS; students compare visible data.
  • VPN set‑up – Students configure a site‑to‑site IPsec VPN between two virtual machines and measure latency versus a direct LAN connection.
  • Case‑study analysis – Provide a recent data‑breach article; groups identify privacy/confidentiality failures, map them to the threat list, and propose mitigation measures.
  • Password‑policy workshop – Create strong passphrases, test them with a password‑strength tool, and discuss why simple passwords are vulnerable to interception and brute‑force attacks.
  • Encryption hands‑on – Use an online AES tool to encrypt a short message, then decrypt it using the same key; discuss key‑management and the need for secure key exchange.
  • Anti‑spyware audit – Scan a computer with a reputable anti‑spyware program, review the report, and discuss how spyware can compromise confidentiality.

12. Suggested Diagram – Flow of Encrypted Data via a VPN

Data flow from a client to a server through a VPN tunnel.

  • Client device (NIC) → Wi‑Fi access point (WPA3) → Router (firewall/NAT) → Internet → VPN gateway (IPsec encryption) → Server firewall → Application server.
  • Labels to include:

    • Authentication: username/password + 2FA at VPN gateway.
    • Encryption: TLS 1.3 for HTTPS traffic; IPsec (AES‑256) for the VPN tunnel.
    • Security devices: perimeter firewall, IDS/IPS, anti‑malware on both ends.
    • Access control: RBAC on the application server.