This post is part of a series in which we pull security stories right from the headlines and discuss their relevance to the eight domains of the CISSP® exam.
Read our previous posts in this series:
Name That Domain: Data Breaches
Name That Domain: Risk Management
Name That Domain: Password Best Practices
Name That Domain:
Net Privacy Takes A Hit
For Sale: Your Browsing History
The American Congress passed a bill last week eliminating several Internet privacy rules, which were originally put into place last year by the Federal Communications Commission (FCC) in an effort to protect consumers’ privacy and increase their control over personal information and data. On Monday, President Trump signed the Congressional bill into law – and there’s some concern about what this development means for everyone’s online privacy.
Under the new rules, what can Internet Service Providers (ISPs) do with private citizens’ data? Should privacy-conscious readers pursue technical solutions? Can I, personally, buy Donald Trump’s Google history? This isn’t a political blog, so we’ll leave the legislative analysis to the pundits; however, the content found on the CISSP exam can help us answer a few of these questions.
Domain 1, Security and Risk Management: A Right to Privacy?
When students first begin preparing for the CISSP exam, they are sometimes surprised to see so many sections of the Official (ISC)² Common Body of Knowledge (CBK) devoted to law and governance. The CISSP is a cybersecurity certification, and there’s plenty of attack types, port numbers, and technical acronyms to learn, but the CISSP is mainly a managerial exam – it tests your ability to make security decisions while considering legal, ethical, and monetary constraints.
All future CISSP need to know some basics about privacy law. Over the past few decades, several significant laws have extended 4th Amendment protections to cyberspace. The most significant of these laws is the Electronic Communications Privacy Act (ECPA) of 1986, which makes it illegal to violate the “electronic privacy” of an individual. The Act also protects citizens’ data from being “illegally disclosed” by third parties. Under the terms of this act, ISPs are not permitted to monitor their customers’ email and voicemail communications or disclose the content of these records.
So, can ISPs really sell their customers’ browsing history? The ECPA text is very explicit about the content that providers cannot disclose to third parties: email and voicemail communications. Though privacy advocates would argue Internet browsing records should be protected under the ECPA’s definition of “content,” for now it seems ECPA isn’t enough to challenge the new law.
Domain 4, Network Security and Communication:
How VPNs Work
If you care about your browsing data and want to keep it private, the technical domains of the CISSP exam can provide some guidance. One technical fix is a Virtual Private Network – or VPN – which creates a secure connection path over the network. To understand why using a VPN protects your browsing records from a nosey ISP, you need to understand tunneling. It’s a process that protects the content of your data packets by hiding them inside another protocol’s packets.
Think about your normal Internet browsing habits. If you aren’t using a VPN, your online communications are a lot like mailing a postcard. The postcard’s destination is written on the outside, right next to the message. Your communication isn’t private, because both the address and the content are visible. A VPN, on the other hand, is like an envelope: it protects your content from an untrusted network called the postal service. In this scenario, you create a message (the data packet) and then place it inside the envelope (the tunneling protocol). The postal carrier is like your ISP: he or she can look at the address and see that the letter is going somewhere, but cannot read the message inside.
Domain 8, Software Development Security:
A the new law begins to take effect, security experts are proposing a host of clever technical fixes to foil ISP snooping. Using a VPN is one solution, but a few enterprising programmers are taking a more creative approach. If your ISP doesn’t have a bandwidth cap, you can use a “Data Pollution” plugin. While you check your email or post on Reddit, the plugin runs in the background, executing hundreds of random searches automatically. Meanwhile, your actual activities are buried in all that extraneous junk data.
CISSPs learn about the concept of manual obfuscation in Domain 8, where secure methods of developing software are discussed. Burying your real data in clutter is related to this idea, though obfuscation usually relates to source code. If a programmer wants to keep information secret or conceal an application’s purpose, he or she can deliberately jumble the code or bury critical instructions in chaotic, redundant ones. In theory, this makes it more difficult for a human or machine reading the code to work out which information is valuable and which is not.
So, while your computer is scrolling through every web page on Wikipedia, ISPs won’t notice your midnight Amazon bingeing — at least, in theory.
The Jury is Still Out
It remains to be seen how this law will ultimately affect companies and individuals, but we do know for sure that CISSPs will continue to be in high demand. The questions on the CISSP exam will test your technical knowledge and decision-making skills. Fortunately, the questions are also based on practical scenarios. Whether you’re a CISSP or a CISSP in training, you can test your knowledge of CISSP content just by checking the daily headlines. Just remember that your browsing history may be sold, so browse those headlines carefully.