
Q. What are the challenges and shortcomings in the method of using data
encryption for data protection?

Ans:
Encryption helps deal with two common data protection vulnerabilities in
today’s global economy: a workforce that is constantly on the move, and the
rise of remote work assignments as companies become more globalized. It
prevents data from being stolen if a device gets into the wrong hands,
because the data is encrypted.
However, as a technology it has its own challenges, shortcomings and
boundaries, which we can examine as follows:
1) Lack of technological awareness: Simply put, if the user is not
technically proficient in how to access the device or retrieve encrypted
data, encryption is pointless. Consumers also appear to lack a
foundation of knowledge about how their data is being used, and appear
unaware of the tools available to them to protect their data.

2) Law enforcement agencies don’t like a lot of encryption. For example,
the instance of the FBI being unable to hack into the iPhone of an
international suspect drew a lot of controversy, with voices both for and
against it.

3) Data encryption incurs more cost and requires more resources than
other methods of data protection. Organizations cannot run
ad-hoc/discovery-based queries with this methodology. This increases the
total cost of ownership and distracts the organization from more
important and strategic initiatives.

4) Although encrypted email is technically possible, it requires significant
effort on both sides, including managing digital certificates and using
specialized software.

5) Data encryption is obviously a great way to protect your sensitive
data. But sometimes it gets hard to recover your own data due to
overprotective data access mechanisms. For example, the more
encryption keys you have for a particular data source, the more difficult
it is to gain access to your data.
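
Point 3's claim that ad-hoc queries stop working on encrypted data can be seen in a short added example (not part of the original answer). It assumes a hypothetical `guests` table with constructed rows and a constructed key, and uses an HMAC-SHA256 counter-mode keystream from the Python standard library as a stand-in for a real cipher such as AES-GCM.

```python
import hashlib, hmac, os, sqlite3

KEY = os.urandom(32)  # constructed demo key; a real system keeps this in a KMS/HSM

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode: stdlib stand-in for AES-GCM (demo only,
    # no authentication tag, not for production use).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key, plaintext):
    nonce = os.urandom(16)  # fresh nonce: same plaintext, different ciphertext
    data = plaintext.encode()
    ks = _keystream(key, nonce, len(data))
    return nonce + bytes(a ^ b for a, b in zip(data, ks))

def decrypt(key, blob):
    nonce, ct = blob[:16], blob[16:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks)).decode()

def build_db(key):
    # Hypothetical table; the three rows are constructed sample data.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE guests (id INTEGER PRIMARY KEY, email BLOB)")
    for e in ["ana@example.com", "bob@example.com", "ana@example.com"]:
        db.execute("INSERT INTO guests (email) VALUES (?)", (encrypt(key, e),))
    return db

def sql_lookup(db, key, email):
    # What an analyst would try: an equality predicate on the stored column.
    # The probe is a new ciphertext, so it never equals a stored one.
    probe = encrypt(key, email)
    return db.execute("SELECT id FROM guests WHERE email = ?", (probe,)).fetchall()

def scan_lookup(db, key, email):
    # What actually works: fetch every row, decrypt in the application, filter.
    return [i for i, blob in db.execute("SELECT id, email FROM guests")
            if decrypt(key, blob) == email]

if __name__ == "__main__":
    db = build_db(KEY)
    print("SQL equality match:", sql_lookup(db, KEY, "ana@example.com"))
    print("Decrypt-and-scan  :", scan_lookup(db, KEY, "ana@example.com"))
```

The database can no longer use an index or a `WHERE` clause on the protected column, so every query becomes a full read plus decryption in the application, which is where the extra cost in point 3 comes from.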

Q. What is physical security?


Physical security is the protection of personnel, hardware, software, networks
and data from physical actions and events that could cause serious loss or
damage to an enterprise, agency or institution. This includes protection from
fire, flood, natural disasters, burglary, theft, vandalism and terrorism.

Q. What are the different types of physical security? Give examples.


The three main types of physical security are:
1. Physical access control: It consists of the systems and techniques used
to restrict access to a security perimeter. This establishes a physical
barrier to certain areas and prevents trespassing and unauthorized entry
into the perimeter guarded by the barrier.
Examples of physical access control include: fencing, mantraps,
security guards, guard dogs, locks and biometric access control.
2. Technical control: It includes the use of technology and/or equipment
for monitoring purposes, thus preventing theft and unauthorized
access to the company’s systems.
Examples of technical control include: surveillance cameras, alarms,
intrusion detection sensors, heat sensors, etc.
3. Administrative control: It includes the use of restricted access, limited
access, hierarchy and logs within an organization to ensure that only
authorized personnel can access certain areas, as well as to track and
record usage of devices/systems.
Examples of administrative control include: restricted areas, access
logs, emergency procedures, pre- and post-employment procedures.
4. Security related to the Internet of Things: The Internet of Things (IoT)
brings new challenges in terms of physical security, as smart devices
connected to business systems via the internet may be located outside
of established secure perimeters. Hence, these smart devices cannot be
dealt with using any of the other methods described above. Device
location will play a key role in keeping equipment safe.
Examples of safety for IoT include: motion sensors, tracking signals,
tamper-proof locks.

Q. Describe the Marriott data breach case.

Between 2014 and September 2018, hackers had access to a database
containing the personal data of "500 million customers who made a
reservation" in one of Starwood's hotels.
The Marriott hotel group bought Starwood in the autumn of 2016, making it
the world's largest hotel group.
The attack is believed to have taken place in 2014 on Marriott’s
Starwood reservation system, but it was only on November 30 that Marriott
announced that its entire hotel chain was affected by the massive cyber
security breach. The group had been unaware of the attack in progress for
the past four years. The data breach was not discovered until September 2018,
when one of the security measures on its server alerted IT staff to
unauthorized access to the database.
Much of the stolen data poses a potential threat to victims, including the risk
of financial fraud or identity theft. Marriott has confirmed the specific types
of data retrieved from its servers: names, addresses, phone numbers, emails,
account information, passport information, date of birth, gender and
encrypted credit card information.
Marriott has also hinted that there could be a chance that hackers also seized
the keys to the credit card information, which means that the attackers are
carrying out transactions without notifying the victims. All data can be used
either against Marriott International or against the customers themselves.
The information stolen from the Starwood guest database can be sold to or
acquired by other hotel chains and tech companies, and used for many things,
for example to create targeted advertisements adapted to age, relationship,
birthday, etc.
Of the victims, 7 million were UK residents and 30 million were EU
residents. Therefore, data protection authorities in EU Member States can
refer to the GDPR to determine the sanction to be applied.

Marriott International was fined £100 million for this “mega-breach”, thus
impacting the group’s turnover for several years.
To this date, this cyber-attack on a customer database is the largest ever
recorded, and its repercussions reach far beyond the £100m fine for the hotel
chain.
