{"appState":{"pageLoadApiCallsStatus":true},"categoryState":{"relatedCategories":{"headers":{"timestamp":"2023-01-10T08:01:02+00:00"},"categoryId":33537,"data":{"title":"Cybersecurity","slug":"cybersecurity","image":{"src":null,"width":0,"height":0},"breadcrumbs":[{"name":"Technology","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33512"},"slug":"technology","categoryId":33512},{"name":"Cybersecurity","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33537"},"slug":"cybersecurity","categoryId":33537}],"parentCategory":{"categoryId":33512,"title":"Technology","slug":"technology","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33512"}},"childCategories":[],"description":"Batten down the (virtual) hatches with these rock-solid strategies for protecting your privacy and security.","relatedArticles":{"self":"https://dummies-api.dummies.com/v2/articles?category=33537&offset=0&size=5"},"hasArticle":true,"hasBook":true,"articleCount":52,"bookCount":14},"_links":{"self":"https://dummies-api.dummies.com/v2/categories/33537"}},"relatedCategoriesLoadedStatus":"success"},"listState":{"list":{"count":10,"total":52,"items":[{"headers":{"creationTime":"2023-01-09T22:21:25+00:00","modifiedTime":"2023-01-09T22:21:25+00:00","timestamp":"2023-01-10T00:01:03+00:00"},"data":{"breadcrumbs":[{"name":"Technology","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33512"},"slug":"technology","categoryId":33512},{"name":"Cybersecurity","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33537"},"slug":"cybersecurity","categoryId":33537}],"title":"Cybersecurity All-in-One For Dummies Cheat Sheet","strippedTitle":"cybersecurity all-in-one for dummies cheat sheet","slug":"cybersecurity-all-in-one-for-dummies-cheat-sheet","canonicalUrl":"","seo":{"metaDescription":"This Cheat Sheet includes tips for protecting your personal and work data, a list of password-cracking software professionals, and 
more.","noIndex":0,"noFollow":0},"content":"To cyber-protect your personal and business data, make sure everyone at home and at work recognizes that they are a target.\r\n\r\nPeople who believe that hackers want to breach their computers and phones and that cyber criminals want to steal their data act differently than people who do not understand the true nature of the threat. Many businesses use security awareness programs to improve security related behaviors.","description":"To cyber-protect your personal and business data, make sure everyone at home and at work recognizes that they are a target.\r\n\r\nPeople who believe that hackers want to breach their computers and phones and that cyber criminals want to steal their data act differently than people who do not understand the true nature of the threat. Many businesses use security awareness programs to improve security related behaviors.","blurb":"","authors":[{"authorId":33198,"name":"Joseph Steinberg","slug":"joseph-steinberg","description":" <p><b>Joseph Steinberg</b> is a master of cybersecurity. He is one of very few people to hold the suite of security certifications including: CISSP<sup>&#174;</sup>, ISSAP<sup>&#174;</sup>, ISSMP<sup>&#174;</sup>, and CSSLP<sup>&#174;</sup>. Joseph has written several books on cybersecurity, including the previous edition of <i>Cybersecurity For Dummies</i>. He is currently a consultant on information security, and serves as an expert witness in related matters.</p> ","hasArticle":false,"_links":{"self":"https://dummies-api.dummies.com/v2/authors/33198"}},{"authorId":8984,"name":"Kevin Beaver","slug":"kevin-beaver","description":" <p><b>Kevin Beaver </b>is an information security guru and has worked in the industry for more than three decades as a consultant, writer, and speaker. 
He earned his master&#8217;s degree in Management of Technology at Georgia Tech.</p> ","hasArticle":false,"_links":{"self":"https://dummies-api.dummies.com/v2/authors/8984"}},{"authorId":34698,"name":"Ira Winkler","slug":"ira-winkler","description":"","hasArticle":false,"_links":{"self":"https://dummies-api.dummies.com/v2/authors/34698"}},{"authorId":34680,"name":"Ted Coombs","slug":"ted-coombs","description":" <p><b>Ted Coombs</b> is a direct descendant of King Edward of England, a former world record holder for most miles roller skated in a day, and a longtime technology guru and author. He&#8217;s written over a dozen technology books on a wide array of topics ranging from database programming to building an internet site. Along the way he helped create early artificial intelligence tools and served as a cybersecurity professional focused on computer forensics.</p> ","hasArticle":false,"_links":{"self":"https://dummies-api.dummies.com/v2/authors/34680"}}],"primaryCategoryTaxonomy":{"categoryId":33537,"title":"Cybersecurity","slug":"cybersecurity","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33537"}},"secondaryCategoryTaxonomy":{"categoryId":0,"title":null,"slug":null,"_links":null},"tertiaryCategoryTaxonomy":{"categoryId":0,"title":null,"slug":null,"_links":null},"trendingArticles":null,"inThisArticle":[],"relatedArticles":{"fromBook":[],"fromCategory":[{"articleId":291466,"title":"Security Awareness For Dummies Cheat Sheet","slug":"security-awareness-for-dummies-cheat-sheet","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/291466"}},{"articleId":290240,"title":"Cloud Security For Dummies Cheat Sheet","slug":"cloud-security-for-dummies-cheat-sheet","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/290240"}},{"articleId":270968,"title":"How to Perform a Penetration 
Test","slug":"how-to-perform-a-penetration-test","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270968"}},{"articleId":270960,"title":"Penetration Testing with Burp Suite and Wireshark to Uncover Vulnerabilities","slug":"penetration-testing-with-burp-suite-and-wireshark-to-uncover-vulnerabilities","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270960"}},{"articleId":270942,"title":"Building a Penetration Testing Toolkit: Considerations and Popular Pen Test Tools","slug":"building-a-penetration-testing-toolkit-considerations-and-popular-pen-test-tools","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270942"}}]},"hasRelatedBookFromSearch":false,"relatedBook":{"bookId":296574,"slug":"cybersecurity-all-in-one-for-dummies","isbn":"9781394152858","categoryList":["technology","cybersecurity"],"amazon":{"default":"https://www.amazon.com/gp/product/139415285X/ref=as_li_tl?ie=UTF8&tag=wiley01-20","ca":"https://www.amazon.ca/gp/product/139415285X/ref=as_li_tl?ie=UTF8&tag=wiley01-20","indigo_ca":"http://www.tkqlhce.com/click-9208661-13710633?url=https://www.chapters.indigo.ca/en-ca/books/product/139415285X-item.html&cjsku=978111945484","gb":"https://www.amazon.co.uk/gp/product/139415285X/ref=as_li_tl?ie=UTF8&tag=wiley01-20","de":"https://www.amazon.de/gp/product/139415285X/ref=as_li_tl?ie=UTF8&tag=wiley01-20"},"image":{"src":"https://www.dummies.com/wp-content/uploads/cybersecurity-all-in-one-for-dummies-cover-9781394152858-203x255.jpg","width":203,"height":255},"title":"Cybersecurity All-in-One For Dummies","testBankPinActivationLink":"","bookOutOfPrint":true,"authorsInfo":"<p><p><b><b data-author-id=\"33198\">Joseph Steinberg</b></b> is a master of cybersecurity. 
He is one of very few people to hold the suite of security certifications including: CISSP<sup>&#174;</sup>, ISSAP<sup>&#174;</sup>, ISSMP<sup>&#174;</sup>, and CSSLP<sup>&#174;</sup>. Joseph has written several books on cybersecurity, including the previous edition of <i>Cybersecurity For Dummies</i>. He is currently a consultant on information security, and serves as an expert witness in related matters.</p> <p><b><b data-author-id=\"8984\">Kevin Beaver</b> </b>is an information security guru and has worked in the industry for more than three decades as a consultant, writer, and speaker. He earned his master&#8217;s degree in Management of Technology at Georgia Tech.</p> <p><b><b data-author-id=\"34680\">Ted Coombs</b></b> is a direct descendant of King Edward of England, a former world record holder for most miles roller skated in a day, and a longtime technology guru and author. He&#8217;s written over a dozen technology books on a wide array of topics ranging from database programming to building an internet site. Along the way he helped create early artificial intelligence tools and served as a cybersecurity professional focused on computer forensics.</p>","authors":[{"authorId":33198,"name":"Joseph Steinberg","slug":"joseph-steinberg","description":" <p><b>Joseph Steinberg</b> is a master of cybersecurity. He is one of very few people to hold the suite of security certifications including: CISSP<sup>&#174;</sup>, ISSAP<sup>&#174;</sup>, ISSMP<sup>&#174;</sup>, and CSSLP<sup>&#174;</sup>. Joseph has written several books on cybersecurity, including the previous edition of <i>Cybersecurity For Dummies</i>. 
He is currently a consultant on information security, and serves as an expert witness in related matters.</p> ","hasArticle":false,"_links":{"self":"https://dummies-api.dummies.com/v2/authors/33198"}},{"authorId":8984,"name":"Kevin Beaver","slug":"kevin-beaver","description":" <p><b>Kevin Beaver </b>is an information security guru and has worked in the industry for more than three decades as a consultant, writer, and speaker. He earned his master&#8217;s degree in Management of Technology at Georgia Tech.</p> ","hasArticle":false,"_links":{"self":"https://dummies-api.dummies.com/v2/authors/8984"}},{"authorId":34698,"name":"Ira Winkler","slug":"ira-winkler","description":"","hasArticle":false,"_links":{"self":"https://dummies-api.dummies.com/v2/authors/34698"}},{"authorId":34680,"name":"Ted Coombs","slug":"ted-coombs","description":" <p><b>Ted Coombs</b> is a direct descendant of King Edward of England, a former world record holder for most miles roller skated in a day, and a longtime technology guru and author. He&#8217;s written over a dozen technology books on a wide array of topics ranging from database programming to building an internet site. Along the way he helped create early artificial intelligence tools and served as a cybersecurity professional focused on computer forensics.</p> 
","hasArticle":false,"_links":{"self":"https://dummies-api.dummies.com/v2/authors/34680"}}],"_links":{"self":"https://dummies-api.dummies.com/v2/books/"}},"collections":[],"articleAds":{"footerAd":"<div class=\"du-ad-region row\" id=\"article_page_adhesion_ad\"><div class=\"du-ad-unit col-md-12\" data-slot-id=\"article_page_adhesion_ad\" data-refreshed=\"false\" \r\n data-target = \"[{&quot;key&quot;:&quot;cat&quot;,&quot;values&quot;:[&quot;technology&quot;,&quot;cybersecurity&quot;]},{&quot;key&quot;:&quot;isbn&quot;,&quot;values&quot;:[&quot;9781394152858&quot;]}]\" id=\"du-slot-63bcaabfa356c\"></div></div>","rightAd":"<div class=\"du-ad-region row\" id=\"article_page_right_ad\"><div class=\"du-ad-unit col-md-12\" data-slot-id=\"article_page_right_ad\" data-refreshed=\"false\" \r\n data-target = \"[{&quot;key&quot;:&quot;cat&quot;,&quot;values&quot;:[&quot;technology&quot;,&quot;cybersecurity&quot;]},{&quot;key&quot;:&quot;isbn&quot;,&quot;values&quot;:[&quot;9781394152858&quot;]}]\" id=\"du-slot-63bcaabfa46b0\"></div></div>"},"articleType":{"articleType":"Cheat Sheet","articleList":[{"articleId":0,"title":"","slug":null,"categoryList":[],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/"}}],"content":[{"title":"Protecting your data from Internet scams","thumb":null,"image":null,"content":"<p>The following tips help you protect your data and keep yourself and your family safe from Internet scams:</p>\n<ul>\n<li><strong>Protect your devices.</strong> At a minimum, run security software on every device you use to access sensitive information. Configure your devices to auto-lock, and to require a strong password to unlock them. Don’t leave your devices in insecure locations, and install software only from reputable sources, such as official app stores and official vendor and reseller websites.</li>\n<li><strong>Protect data.</strong> Encrypt all sensitive data and back up often. 
If you’re unsure as to whether something should be encrypted, it probably should be. If you’re unsure as to whether you back up frequently enough, you, like most people, probably are not.</li>\n<li><strong>Use safe connections.</strong> Never access sensitive information over free public Wi-Fi, and consider avoiding such Internet access altogether, especially from any device on which you perform sensitive activities or access sensitive information. The connection provided by your cellular service is likely far more secure than any public Wi-Fi, and such connections can usually be shared by multiple devices if you turn on your phone’s “mobile hotspot” feature.</li>\n<li><strong>Use proper authentication and passwords.</strong> Every person accessing an important system should have their own login credentials. Do not share passwords for online banking, email, social media, and so on with your children or significant other. Get everyone their own login. Make sure you use strong, unique passwords for your most sensitive systems.</li>\n<li><strong>Share wisely. </strong>Do not overshare information on social media or using any other platforms. Crooks look for such data and use it to social engineer people. 
Oversharing exposes you and your loved ones to increased risks of being targeted by scammers or of having your identities stolen.</li>\n</ul>\n"},{"title":"Managing cybersecurity in your organization","thumb":null,"image":null,"content":"<p>The following tips can help you communicate effectively about cybersecurity challenges in your organization:</p>\n<ul>\n<li>Treat security awareness and training as a business investment.</li>\n<li>Train users on an ongoing basis to keep security fresh in their minds.</li>\n<li>Include information privacy and security tasks and responsibilities in everyone’s job descriptions.</li>\n<li>Tailor your content to your audience whenever possible.</li>\n<li>Create a social engineering awareness program for your business functions and user roles.</li>\n<li>Keep your messages as nontechnical as possible.</li>\n<li>Develop incentive programs for preventing and reporting incidents.</li>\n<li>Lead by example.</li>\n</ul>\n"},{"title":"Preventing social engineering attacks in the workplace","thumb":null,"image":null,"content":"<p>These tips help prevent social engineering attacks in the workplace:</p>\n<ul>\n<li><strong>Never divulge any information unless you can validate that the people requesting the information need it and are who they say they are.</strong> If a request is made over the telephone, verify the caller’s identity, and call back.</li>\n<li><strong>Never click an email link that supposedly loads a page with information that needs updating.</strong> This is particularly true for unsolicited emails, which can be especially tricky on mobile devices because users often don’t have the benefit of seeing where the link would take them.</li>\n<li><strong>Encourage your users to validate shortened URLs from bit.ly and other URL-shortening services if they’re unsure of their safety or legitimacy.</strong> Websites such as <a href=\"http://www.checkshorturl.com\" target=\"_blank\" rel=\"noopener\">CheckShortURL</a> and <a href=\"http://wheregoes.com\" target=\"_blank\" rel=\"noopener\">WhereGoes</a> offer this service.</li>\n<li><strong>Be careful when sharing sensitive personal information on social networking sites, such as Facebook or LinkedIn.</strong> Also, be on the lookout for people claiming to know you or wanting to be your friend. Their intentions might be malicious.</li>\n<li><strong>Escort all guests within the building.</strong> This may not match your company’s culture or be realistic, but it can certainly help minimize social engineering risks.</li>\n<li><strong>Never open email attachments or other files from strangers, and be very careful even if they come from people you know.</strong> This measure alone could prevent untold security incidents, breaches, and ransomware infections.</li>\n<li><strong>Never give out passwords or other sensitive information.</strong> Even your own colleagues don’t need to know unless there’s an otherwise compelling business reason behind it.</li>\n<li><strong>Never let a stranger connect to one of your Ethernet network ports or internal wireless networks, even for a few seconds.</strong> Someone with ill intent can place a network analyzer, install malware, or set up a backdoor that can be accessed remotely when they leave.</li>\n<li><strong>Develop and enforce media-destruction policies.</strong> These policies (for computer media and documents) help ensure that data is handled carefully and stays where it should be. 
A good source of information on destruction policies is <a href=\"http://www.pdaconsulting.com/datadp.htm\" target=\"_blank\" rel=\"noopener\">PDAconsulting</a>.</li>\n<li><strong>Use cross-cut paper shredders.</strong> Better still, hire a document-shredding company that specializes in confidential document and media destruction.</li>\n</ul>\n"},{"title":"Sample questions for a security awareness interview","thumb":null,"image":null,"content":"<p>Following are some general questions you should ask everyone you interview when creating a security awareness program. You also need to ask questions specific to the person’s job function and to their relationship to, or influence on, the awareness program.</p>\n<ul>\n<li>What are the biggest problems you see?</li>\n<li>What are the security strengths you see?</li>\n<li>Do you have any specific concerns?</li>\n<li>(If someone has been with the organization for a while) What has worked best within the company to change behaviors?</li>\n<li>(If someone is new to the organization) Have you seen anything in your past organizations that you think would work here?</li>\n<li>Which parts of the current awareness program do you like?</li>\n<li>What did you not like?</li>\n<li>Do you see other departments communicating well with employees? 
How do they do that?</li>\n<li>Do you think the organization places importance on security?</li>\n<li>Do you think your line manager expects certain things of you?</li>\n<li>What happens if adhering to security guidelines causes you to take longer to do your job?</li>\n<li>What prevents you from following good awareness practices?</li>\n<li>How do you prefer to receive awareness information?</li>\n<li>What information do you need?</li>\n<li>What information do you want to see?</li>\n<li>Can you offer any guidance to the awareness program?</li>\n</ul>\n"},{"title":"Password-cracking software for security professionals","thumb":null,"image":null,"content":"<p>Password-cracking tools can be used for both legitimate security assessments and malicious attacks. You want to find password weaknesses before the bad guys do.</p>\n<p>You can try to crack your organization’s operating system and application passwords with various password-cracking tools:</p>\n<ul>\n<li><a href=\"https://web.archive.org/web/20190731132754/http:/www.hoobie.net/brutus/\" target=\"_blank\" rel=\"noopener\"><strong>Brutus</strong></a>: Cracks logins for HTTP, FTP, Telnet, and more</li>\n<li><a href=\"https://web.archive.org/web/20160214132154/http://www.oxid.it/cain.html\" target=\"_blank\" rel=\"noopener\"><strong>Cain &amp; Abel</strong></a>: Cracks LM and NT LanManager (NTLM) hashes, Windows RDP passwords, Cisco IOS and PIX hashes, VNC passwords, RADIUS hashes, and lots more. (<em>Hashes</em> are cryptographic representations of passwords.)</li>\n<li><a href=\"https://www.elcomsoft.com/edpr.html\" target=\"_blank\" rel=\"noopener\"><strong>Elcomsoft Distributed Password Recovery</strong></a>: Cracks Windows, Microsoft Office, PGP, Adobe, iTunes, and numerous other passwords in a distributed fashion, using up to 10,000 networked computers at one time. 
This tool uses the same graphics processing unit (GPU) video acceleration as the Elcomsoft Wireless Auditor tool, allowing cracking speeds up to 50 times faster.</li>\n<li><a href=\"https://www.elcomsoft.com/ppa.html\" target=\"_blank\" rel=\"noopener\"><strong>ElcomSoft Proactive Password Auditor</strong></a>: Runs brute-force, dictionary, and rainbow-table cracks against extracted LM and NTLM password hashes.</li>\n<li><a href=\"https://www.elcomsoft.com/pspr.html\" target=\"_blank\" rel=\"noopener\"><strong>ElcomSoft Proactive System Password Recovery</strong></a>: Recovers practically any locally stored Windows passwords, such as login passwords, WEP/WPA passphrases, SYSKEY passwords, and RAS/dial-up/VPN passwords.</li>\n<li><a href=\"https://www.elcomsoft.com/esr.html\" target=\"_blank\" rel=\"noopener\"><strong>ElcomSoft System Recovery</strong></a>: Cracks or resets Windows user passwords, sets administrative rights, and resets password expirations, all from a bootable CD. This tool is great for demonstrating what can happen when laptop computers don’t have full disk encryption.</li>\n<li><a href=\"http://www.openwall.com/john\" target=\"_blank\" rel=\"noopener\"><strong>John the Ripper</strong></a>: Cracks hashed Linux/Unix and Windows passwords.</li>\n<li><a href=\"https://github.com/gentilkiwi/mimikatz\" target=\"_blank\" rel=\"noopener\"><strong>Mimikatz</strong> </a>: For pass-the-hash attacks and extracting passwords from memory on Windows systems.</li>\n<li><a href=\"https://ophcrack.sourceforge.io/\" target=\"_blank\" rel=\"noopener\"><strong>Ophcrack</strong> </a>: Cracks Windows user passwords, using rainbow tables from a bootable CD. 
Rainbow tables are precomputed tables of password hashes that speed up cracking: a captured hash is looked up in the table instead of hashing each candidate password at test time.</li>\n<li><a href=\"https://www.openwall.com/passwords/windows-pwdump\" target=\"_blank\" rel=\"noopener\"><strong>pwdump</strong> </a>: Extracts Windows password hashes from the SAM (Security Accounts Manager) database.</li>\n<li><a href=\"https://project-rainbowcrack.com\" target=\"_blank\" rel=\"noopener\"><strong>RainbowCrack</strong></a>: Cracks LanManager (LM) and MD5 hashes quickly by using rainbow tables.</li>\n<li><a href=\"https://www.kali.org/tools/hydra/\" target=\"_blank\" rel=\"noopener\"><strong>Hydra</strong> </a>: Cracks logins for HTTP, FTP, IMAP, SMTP, VNC, and many more.</li>\n</ul>\n<p class=\"article-tips warning\">When trying to crack passwords, the associated user accounts may be locked out, which could interrupt your users. Be careful if intruder lockout is enabled in your operating systems, databases, or applications. 
If intruder lockout is enabled, you might lock out some or all computer/network accounts, resulting in a denial of service situation for your users.</p>\n"}],"videoInfo":{"videoId":null,"name":null,"accountId":null,"playerId":null,"thumbnailUrl":null,"description":null,"uploadDate":null}},"sponsorship":{"sponsorshipPage":false,"backgroundImage":{"src":null,"width":0,"height":0},"brandingLine":"","brandingLink":"","brandingLogo":{"src":null,"width":0,"height":0},"sponsorAd":"","sponsorEbookTitle":"","sponsorEbookLink":"","sponsorEbookImage":{"src":null,"width":0,"height":0}},"primaryLearningPath":"Advance","lifeExpectancy":"Two years","lifeExpectancySetFrom":"2023-01-09T00:00:00+00:00","dummiesForKids":"no","sponsoredContent":"no","adInfo":"","adPairKey":[]},"status":"publish","visibility":"public","articleId":296631},{"headers":{"creationTime":"2017-05-15T18:08:25+00:00","modifiedTime":"2022-10-19T13:57:48+00:00","timestamp":"2022-10-19T15:01:03+00:00"},"data":{"breadcrumbs":[{"name":"Technology","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33512"},"slug":"technology","categoryId":33512},{"name":"Cybersecurity","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33537"},"slug":"cybersecurity","categoryId":33537}],"title":"What is General Data Protections Regulation (GDPR)?","strippedTitle":"what is general data protections regulation (gdpr)?","slug":"general-data-protections-regulation-gdpr","canonicalUrl":"","seo":{"metaDescription":"How is the EU protecting the data of its citizens? Find out more about the General Data Protections Regulation (GDPR).","noIndex":0,"noFollow":0},"content":"The General Data Protections Regulation (GDPR) is a ruling intended to protect the data of citizens within the European Union (EU). 
The GDPR was a move by The Council of the European Union, European Parliament, and European Commission to provide citizens with a greater level of control over their personal data.\r\n\r\nAfter several years of refining and debating, the regulation was officially approved by European Parliament on April 14, 2016. The EU then allowed a two-year transition period for organizations to reach compliance. As of May 25, 2018, the GDPR's heavy fines kicked in, to be levied against any business not meeting the guidelines.\r\n\r\n<a href=\"https://www.dummies.com/wp-content/uploads/gdpr.png\"><img class=\"aligncenter wp-image-239608 size-full\" src=\"https://www.dummies.com/wp-content/uploads/gdpr.png\" alt=\"gdpr\" width=\"535\" height=\"356\" /></a>\r\n<h2 id=\"tab1\" >Who is affected by the GDPR?</h2>\r\nThe GDPR has far-reaching implications for all citizens of the EU and businesses operating within the EU, regardless of physical location. If businesses hope to offer goods or services to citizens of the EU, they will be subject to the penalties imposed by the GDPR. In addition, any business that holds personal data of EU citizens can be held accountable under the GDPR.\r\n\r\nWhat sort of data falls under the GDPR?\r\n<ul>\r\n \t<li>Name</li>\r\n \t<li>Photo</li>\r\n \t<li>Email address</li>\r\n \t<li>Social media posts</li>\r\n \t<li>Personal medical information</li>\r\n \t<li>IP addresses</li>\r\n \t<li>Bank details</li>\r\n</ul>\r\n<p class=\"article-tips tip\">The GDPR covers any information that can be classified as personal details or that can be used to determine your identity. Parental consent is required to process any data relating to children ages 16 and under.</p>\r\nThe regulation specifies the entities impacted by the GDPR. The wording specifically includes data processors and data controllers. What does this mean? Information that is stored in a “cloud” or in a separate physical location is still subject to penalties. 
Regardless of who has determined how your information will be used and who actually uses it, fines can still be imposed for misuse if it concerns the data of EU citizens.\r\n<h2 id=\"tab2\" >Penalties for not complying with GDPR</h2>\r\nBusinesses that fail to comply with GDPR are subject to fines. This can mean different things for businesses, depending on the level of infraction. On the high end, businesses may be required to pay up to 4 percent of their global turnover, or 20 million euros, whichever is highest. Companies may also be fined 2 percent for not taking appropriate measures to keep records in order. Ultimately, the fine depends on the nature of the infraction.\r\n<h2 id=\"tab3\" >Data breaches and the GDPR</h2>\r\nA data breach is any situation where an outside entity gains access to user data without the permission of the individual. Data breaches often involve the malicious use of data against users.\r\n\r\nIf a data breach should occur, the GDPR specifies that companies must provide adequate notification. The affected company has 72 hours to notify the appropriate data protection agency and must inform affected individuals “without undue delay.”\r\n<h2 id=\"tab4\" >Uncertain politics and the GDPR</h2>\r\nIn an uncertain political climate, many companies and citizens are concerned about how they will be affected by the GDPR given the undetermined nature of <a href=\"https://www.dummies.com/article/academics-the-arts/political-science/british-government/what-is-brexit-220858/\">Brexit</a>. Companies operating in the United Kingdom are encouraged to take measures to comply with the GDPR. 
Although these companies may not be subject to the GDPR, <a href=\"http://EUGDPR.org\" target=\"_blank\" rel=\"noopener\">EUGDPR.org</a> states that “The UK Government has indicated it will implement an equivalent or alternative legal mechanisms.”\r\n<p class=\"article-tips remember\">If you believe you will be operating in the UK but not in other EU countries, you are still encouraged to prepare for the GDPR as the UK is expected to follow suit with similar data protection legislation.</p>","description":"The General Data Protections Regulation (GDPR) is a ruling intended to protect the data of citizens within the European Union (EU). The GDPR was a move by The Council of the European Union, European Parliament, and European Commission to provide citizens with a greater level of control over their personal data.\r\n\r\nAfter several years of refining and debating, the regulation was officially approved by European Parliament on April 14, 2016. The EU then allowed a two-year transition period for organizations to reach compliance. As of May 25, 2018, the GDPR's heavy fines kicked in, to be levied against any business not meeting the guidelines.\r\n\r\n<a href=\"https://www.dummies.com/wp-content/uploads/gdpr.png\"><img class=\"aligncenter wp-image-239608 size-full\" src=\"https://www.dummies.com/wp-content/uploads/gdpr.png\" alt=\"gdpr\" width=\"535\" height=\"356\" /></a>\r\n<h2 id=\"tab1\" >Who is affected by the GDPR?</h2>\r\nThe GDPR has far-reaching implications for all citizens of the EU and businesses operating within the EU, regardless of physical location. If businesses hope to offer goods or services to citizens of the EU, they will be subject to the penalties imposed by the GDPR. 
In addition, any business that holds personal data of EU citizens can be held accountable under the GDPR.\r\n\r\nWhat sort of data falls under the GDPR?\r\n<ul>\r\n \t<li>Name</li>\r\n \t<li>Photo</li>\r\n \t<li>Email address</li>\r\n \t<li>Social media posts</li>\r\n \t<li>Personal medical information</li>\r\n \t<li>IP addresses</li>\r\n \t<li>Bank details</li>\r\n</ul>\r\n<p class=\"article-tips tip\">The GDPR covers any information that can be classified as personal details or that can be used to determine your identity. Parental consent is required to process any data relating to children ages 16 and under.</p>\r\nThe regulation specifies the entities impacted by the GDPR. The wording specifically includes data processors and data controllers. What does this mean? Information that is stored in a “cloud” or in a separate physical location is still subject to penalties. Regardless of who has determined how your information will be used and who actually uses it, fines can still be imposed for misuse if it concerns the data of EU citizens.\r\n<h2 id=\"tab2\" >Penalties for not complying with GDPR</h2>\r\nBusinesses that fail to comply with GDPR are subject to fines. This can mean different things for businesses, depending on the level of infraction. On the high end, businesses may be required to pay up to 4 percent of their global turnover, or 20 million euros, whichever is highest. Companies may also be fined 2 percent for not taking appropriate measures to keep records in order. Ultimately, the fine depends on the nature of the infraction.\r\n<h2 id=\"tab3\" >Data breaches and the GDPR</h2>\r\nA data breach is any situation where an outside entity gains access to user data without the permission of the individual. Data breaches often involve the malicious use of data against users.\r\n\r\nIf a data breach should occur, the GDPR specifies that companies must provide adequate notification. 
The affected company has 72 hours to notify the appropriate data protection agency and must inform affected individuals “without undue delay.”\r\n<h2 id=\"tab4\" >Uncertain politics and the GDPR</h2>\r\nIn an uncertain political climate, many companies and citizens are concerned about how they will be affected by the GDPR given the undetermined nature of <a href=\"https://www.dummies.com/article/academics-the-arts/political-science/british-government/what-is-brexit-220858/\">Brexit</a>. Companies operating in the United Kingdom are encouraged to take measures to comply with the GDPR. Although these companies may not be subject to the GDPR, <a href=\"http://EUGDPR.org\" target=\"_blank\" rel=\"noopener\">EUGDPR.org</a> states that “The UK Government has indicated it will implement an equivalent or alternative legal mechanisms.”\r\n<p class=\"article-tips remember\">If you believe you will be operating in the UK but not in other EU countries, you are still encouraged to prepare for the GDPR as the UK is expected to follow suit with similar data protection legislation.</p>","blurb":"","authors":[{"authorId":8941,"name":"Ashley Watters, Abshier House","slug":"ashley-watters-abshier-house","description":"","hasArticle":false,"_links":{"self":"https://dummies-api.dummies.com/v2/authors/8941"}}],"primaryCategoryTaxonomy":{"categoryId":33537,"title":"Cybersecurity","slug":"cybersecurity","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33537"}},"secondaryCategoryTaxonomy":{"categoryId":0,"title":null,"slug":null,"_links":null},"tertiaryCategoryTaxonomy":{"categoryId":0,"title":null,"slug":null,"_links":null},"trendingArticles":null,"inThisArticle":[{"label":"Who is affected by the GDPR?","target":"#tab1"},{"label":"Penalties for not complying with GDPR","target":"#tab2"},{"label":"Data breaches and the GDPR","target":"#tab3"},{"label":"Uncertain politics and the 
GDPR","target":"#tab4"}],"relatedArticles":{"fromBook":[],"fromCategory":[{"articleId":291466,"title":"Security Awareness For Dummies Cheat Sheet","slug":"security-awareness-for-dummies-cheat-sheet","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/291466"}},{"articleId":290240,"title":"Cloud Security For Dummies Cheat Sheet","slug":"cloud-security-for-dummies-cheat-sheet","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/290240"}},{"articleId":270968,"title":"How to Perform a Penetration Test","slug":"how-to-perform-a-penetration-test","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270968"}},{"articleId":270960,"title":"Penetration Testing with Burp Suite and Wireshark to Uncover Vulnerabilities","slug":"penetration-testing-with-burp-suite-and-wireshark-to-uncover-vulnerabilities","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270960"}},{"articleId":270942,"title":"Building a Penetration Testing Toolkit: Considerations and Popular Pen Test Tools","slug":"building-a-penetration-testing-toolkit-considerations-and-popular-pen-test-tools","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270942"}}]},"hasRelatedBookFromSearch":false,"relatedBook":{"bookId":0,"slug":null,"isbn":null,"categoryList":null,"amazon":null,"image":null,"title":null,"testBankPinActivationLink":null,"bookOutOfPrint":false,"authorsInfo":null,"authors":null,"_links":null},"collections":[],"articleAds":{"footerAd":"<div class=\"du-ad-region row\" id=\"article_page_adhesion_ad\"><div class=\"du-ad-unit col-md-12\" data-slot-id=\"article_page_adhesion_ad\" data-refreshed=\"false\" \r\n data-target = 
\"[{&quot;key&quot;:&quot;cat&quot;,&quot;values&quot;:[&quot;technology&quot;,&quot;cybersecurity&quot;]},{&quot;key&quot;:&quot;isbn&quot;,&quot;values&quot;:[null]}]\" id=\"du-slot-6350112f4bbd1\"></div></div>","rightAd":"<div class=\"du-ad-region row\" id=\"article_page_right_ad\"><div class=\"du-ad-unit col-md-12\" data-slot-id=\"article_page_right_ad\" data-refreshed=\"false\" \r\n data-target = \"[{&quot;key&quot;:&quot;cat&quot;,&quot;values&quot;:[&quot;technology&quot;,&quot;cybersecurity&quot;]},{&quot;key&quot;:&quot;isbn&quot;,&quot;values&quot;:[null]}]\" id=\"du-slot-6350112f4d500\"></div></div>"},"articleType":{"articleType":"Articles","articleList":null,"content":null,"videoInfo":{"videoId":null,"name":null,"accountId":null,"playerId":null,"thumbnailUrl":null,"description":null,"uploadDate":null}},"sponsorship":{"sponsorshipPage":false,"backgroundImage":{"src":null,"width":0,"height":0},"brandingLine":"","brandingLink":"","brandingLogo":{"src":null,"width":0,"height":0},"sponsorAd":"","sponsorEbookTitle":"","sponsorEbookLink":"","sponsorEbookImage":{"src":null,"width":0,"height":0}},"primaryLearningPath":"Explore","lifeExpectancy":"One year","lifeExpectancySetFrom":"2021-12-17T00:00:00+00:00","dummiesForKids":"no","sponsoredContent":"no","adInfo":"","adPairKey":[]},"status":"publish","visibility":"public","articleId":239606},{"headers":{"creationTime":"2019-09-23T20:43:11+00:00","modifiedTime":"2022-10-19T13:55:46+00:00","timestamp":"2022-10-19T15:01:03+00:00"},"data":{"breadcrumbs":[{"name":"Technology","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33512"},"slug":"technology","categoryId":33512},{"name":"Cybersecurity","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33537"},"slug":"cybersecurity","categoryId":33537}],"title":"Cybersecurity For Dummies Cheat Sheet","strippedTitle":"cybersecurity for dummies cheat sheet","slug":"cybersecurity-for-dummies-cheat-sheet","canonicalUrl":"","seo":{"metaDescription":"Learn 
about the common scams that cyber criminals use to target online shoppers and how to cyber-protect yourself and your data.","noIndex":0,"noFollow":0},"content":"<span class=\"TextRun Highlight SCXW223555244 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW223555244 BCX0\">Some scams cyber-criminals use to target online shoppers seem to persist for years. This likely indicates that people are continuously falling prey to the scams, thereby encouraging criminals to keep using the same forms of trickery over and over. </span></span>\r\n\r\n<span class=\"TextRun Highlight SCXW223555244 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW223555244 BCX0\">Look here to discover some</span> <span class=\"NormalTextRun SCXW223555244 BCX0\">straightforward tips on how to keep yourself — and your loved ones — safe when using the i</span><span class=\"NormalTextRun SCXW223555244 BCX0\">nternet to shop,</span><span class=\"NormalTextRun SCXW223555244 BCX0\"> as well as how to avoid </span></span><span class=\"TextRun SCXW223555244 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW223555244 BCX0\">common cybersecurity mistakes</span></span><span class=\"TextRun Highlight SCXW223555244 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW223555244 BCX0\">.</span></span><span class=\"EOP SCXW223555244 BCX0\" data-ccp-props=\"{\"201341983\":1,\"335559685\":1022,\"335559739\":220,\"335559740\":220}\"> </span>\r\n\r\n[caption id=\"attachment_264355\" align=\"alignnone\" width=\"535\"]<img class=\"size-full wp-image-264355\" src=\"https://www.dummies.com/wp-content/uploads/cybersecurity-graphic.jpg\" alt=\"cybersecurity graphic\" width=\"535\" height=\"334\" /> © GoodStudio/Shutterstock.com[/caption]","description":"<span class=\"TextRun Highlight SCXW223555244 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" 
data-contrast=\"auto\"><span class=\"NormalTextRun SCXW223555244 BCX0\">Some scams cyber-criminals use to target online shoppers seem to persist for years. This likely indicates that people are continuously falling prey to the scams, thereby encouraging criminals to keep using the same forms of trickery over and over. </span></span>\r\n\r\n<span class=\"TextRun Highlight SCXW223555244 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW223555244 BCX0\">Look here to discover some</span> <span class=\"NormalTextRun SCXW223555244 BCX0\">straightforward tips on how to keep yourself — and your loved ones — safe when using the i</span><span class=\"NormalTextRun SCXW223555244 BCX0\">nternet to shop,</span><span class=\"NormalTextRun SCXW223555244 BCX0\"> as well as how to avoid </span></span><span class=\"TextRun SCXW223555244 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW223555244 BCX0\">common cybersecurity mistakes</span></span><span class=\"TextRun Highlight SCXW223555244 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW223555244 BCX0\">.</span></span><span class=\"EOP SCXW223555244 BCX0\" data-ccp-props=\"{\"201341983\":1,\"335559685\":1022,\"335559739\":220,\"335559740\":220}\"> </span>\r\n\r\n[caption id=\"attachment_264355\" align=\"alignnone\" width=\"535\"]<img class=\"size-full wp-image-264355\" src=\"https://www.dummies.com/wp-content/uploads/cybersecurity-graphic.jpg\" alt=\"cybersecurity graphic\" width=\"535\" height=\"334\" /> © GoodStudio/Shutterstock.com[/caption]","blurb":"","authors":[{"authorId":33198,"name":"Joseph Steinberg","slug":"joseph-steinberg","description":" <p><b>Joseph Steinberg</b> is a master of cybersecurity. He is one of very few people to hold the suite of security certifications including: CISSP<sup>&#174;</sup>, ISSAP<sup>&#174;</sup>, ISSMP<sup>&#174;</sup>, and CSSLP<sup>&#174;</sup>. 
Joseph has written several books on cybersecurity, including the previous edition of <i>Cybersecurity For Dummies</i>. He is currently a consultant on information security, and serves as an expert witness in related matters.</p> ","hasArticle":false,"_links":{"self":"https://dummies-api.dummies.com/v2/authors/33198"}}],"primaryCategoryTaxonomy":{"categoryId":33537,"title":"Cybersecurity","slug":"cybersecurity","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33537"}},"secondaryCategoryTaxonomy":{"categoryId":0,"title":null,"slug":null,"_links":null},"tertiaryCategoryTaxonomy":{"categoryId":0,"title":null,"slug":null,"_links":null},"trendingArticles":null,"inThisArticle":[],"relatedArticles":{"fromBook":[{"articleId":266359,"title":"User-Specific Cybersecurity Policies","slug":"user-specific-cybersecurity-policies","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/266359"}},{"articleId":266350,"title":"Types of Social Engineering Attacks","slug":"types-of-social-engineering-attacks","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/266350"}},{"articleId":266345,"title":"Types of Malware Cybersecurity Professionals Should Know","slug":"types-of-malware-cybersecurity-professionals-should-know","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/266345"}},{"articleId":266228,"title":"Getting End Users to Comply with Cybersecurity Efforts in Small Businesses","slug":"getting-end-users-to-comply-with-cybersecurity-efforts-in-small-businesses","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/266228"}},{"articleId":266223,"title":"Cybersecurity Job and Career 
Options","slug":"cybersecurity-job-and-career-options","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/266223"}}],"fromCategory":[{"articleId":291466,"title":"Security Awareness For Dummies Cheat Sheet","slug":"security-awareness-for-dummies-cheat-sheet","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/291466"}},{"articleId":290240,"title":"Cloud Security For Dummies Cheat Sheet","slug":"cloud-security-for-dummies-cheat-sheet","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/290240"}},{"articleId":270968,"title":"How to Perform a Penetration Test","slug":"how-to-perform-a-penetration-test","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270968"}},{"articleId":270960,"title":"Penetration Testing with Burp Suite and Wireshark to Uncover Vulnerabilities","slug":"penetration-testing-with-burp-suite-and-wireshark-to-uncover-vulnerabilities","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270960"}},{"articleId":270942,"title":"Building a Penetration Testing Toolkit: Considerations and Popular Pen Test 
Tools","slug":"building-a-penetration-testing-toolkit-considerations-and-popular-pen-test-tools","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270942"}}]},"hasRelatedBookFromSearch":false,"relatedBook":{"bookId":281675,"slug":"cybersecurity-for-dummies","isbn":"9781119867180","categoryList":["technology","cybersecurity"],"amazon":{"default":"https://www.amazon.com/gp/product/1119867185/ref=as_li_tl?ie=UTF8&tag=wiley01-20","ca":"https://www.amazon.ca/gp/product/1119867185/ref=as_li_tl?ie=UTF8&tag=wiley01-20","indigo_ca":"http://www.tkqlhce.com/click-9208661-13710633?url=https://www.chapters.indigo.ca/en-ca/books/product/1119867185-item.html&cjsku=978111945484","gb":"https://www.amazon.co.uk/gp/product/1119867185/ref=as_li_tl?ie=UTF8&tag=wiley01-20","de":"https://www.amazon.de/gp/product/1119867185/ref=as_li_tl?ie=UTF8&tag=wiley01-20"},"image":{"src":"https://www.dummies.com/wp-content/uploads/9781119867180-203x255.jpg","width":203,"height":255},"title":"Cybersecurity For Dummies","testBankPinActivationLink":"","bookOutOfPrint":true,"authorsInfo":"<p><b><b data-author-id=\"33198\">Joseph Steinberg</b></b> is a master of cybersecurity. He is one of very few people to hold the suite of security certifications including: CISSP<sup>&#174;</sup>, ISSAP<sup>&#174;</sup>, ISSMP<sup>&#174;</sup>, and CSSLP<sup>&#174;</sup>. Joseph has written several books on cybersecurity, including the previous edition of <i>Cybersecurity For Dummies</i>. He is currently a consultant on information security, and serves as an expert witness in related matters.</p>","authors":[{"authorId":33198,"name":"Joseph Steinberg","slug":"joseph-steinberg","description":" <p><b>Joseph Steinberg</b> is a master of cybersecurity. He is one of very few people to hold the suite of security certifications including: CISSP<sup>&#174;</sup>, ISSAP<sup>&#174;</sup>, ISSMP<sup>&#174;</sup>, and CSSLP<sup>&#174;</sup>. 
Joseph has written several books on cybersecurity, including the previous edition of <i>Cybersecurity For Dummies</i>. He is currently a consultant on information security, and serves as an expert witness in related matters.</p> ","hasArticle":false,"_links":{"self":"https://dummies-api.dummies.com/v2/authors/33198"}}],"_links":{"self":"https://dummies-api.dummies.com/v2/books/"}},"collections":[],"articleAds":{"footerAd":"<div class=\"du-ad-region row\" id=\"article_page_adhesion_ad\"><div class=\"du-ad-unit col-md-12\" data-slot-id=\"article_page_adhesion_ad\" data-refreshed=\"false\" \r\n data-target = \"[{&quot;key&quot;:&quot;cat&quot;,&quot;values&quot;:[&quot;technology&quot;,&quot;cybersecurity&quot;]},{&quot;key&quot;:&quot;isbn&quot;,&quot;values&quot;:[&quot;9781119867180&quot;]}]\" id=\"du-slot-6350112f41d50\"></div></div>","rightAd":"<div class=\"du-ad-region row\" id=\"article_page_right_ad\"><div class=\"du-ad-unit col-md-12\" data-slot-id=\"article_page_right_ad\" data-refreshed=\"false\" \r\n data-target = \"[{&quot;key&quot;:&quot;cat&quot;,&quot;values&quot;:[&quot;technology&quot;,&quot;cybersecurity&quot;]},{&quot;key&quot;:&quot;isbn&quot;,&quot;values&quot;:[&quot;9781119867180&quot;]}]\" id=\"du-slot-6350112f425a1\"></div></div>"},"articleType":{"articleType":"Cheat Sheet","articleList":[{"articleId":264345,"title":"Cyber-Protect Yourself and Your Family on the Internet","slug":"","categoryList":[],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/264345"}},{"articleId":264348,"title":"Avoid Common Cybersecurity Mistakes","slug":"","categoryList":[],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/264348"}},{"articleId":264351,"title":"Common Cyber Scams Targeting Online Shoppers","slug":"","categoryList":[],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/264351"}}],"content":[{"title":"Cyber-protect yourself and your family on the internet","thumb":null,"image":null,"content":"<p><span 
data-contrast=\"auto\">To cyber-protect yourself and your family, make sure everyone in your family knows that they are a target. People who believe that hackers want to breach their computers and phones and that cyber criminals want to steal their data act differently than people who do not understand the true nature of the threat.</span><span data-ccp-props=\"{&quot;201341983&quot;:1,&quot;335559685&quot;:1022,&quot;335559739&quot;:220,&quot;335559740&quot;:220}\"> </span></p>\n<p><span data-contrast=\"auto\">The following tips help you protect your data and keep yourself and your family safe from Internet scams:</span><span data-ccp-props=\"{&quot;201341983&quot;:1,&quot;335559685&quot;:1022,&quot;335559739&quot;:220,&quot;335559740&quot;:220}\"> </span></p>\n<ul>\n<li><b><span data-contrast=\"auto\">Protect your devices.</span></b><span data-contrast=\"auto\"> At a minimum, run security software on every device you use to access sensitive information. Configure your devices to auto-lock, and to require a strong password to unlock them. Don’t leave your devices in insecure locations, and install software only from reputable sources, such as official app stores and official vendor and reseller websites.</span><span data-ccp-props=\"{&quot;201341983&quot;:1,&quot;335559685&quot;:1440,&quot;335559739&quot;:110,&quot;335559740&quot;:220,&quot;335559991&quot;:1440,&quot;469777462&quot;:[1340,1440],&quot;469777927&quot;:[0,0],&quot;469777928&quot;:[4,1]}\"> </span></li>\n<li><b><span data-contrast=\"auto\">Protect data.</span></b><span data-contrast=\"auto\"> Encrypt all sensitive data and back up often. If you’re unsure as to whether something should be encrypted, it probably should be. 
If you’re unsure as to whether you back up frequently enough — you, like most people, probably are not.</span><span data-ccp-props=\"{&quot;201341983&quot;:1,&quot;335559685&quot;:1440,&quot;335559739&quot;:110,&quot;335559740&quot;:220,&quot;335559991&quot;:1440,&quot;469777462&quot;:[1340,1440],&quot;469777927&quot;:[0,0],&quot;469777928&quot;:[4,1]}\"> </span></li>\n<li><b><span data-contrast=\"auto\">Use safe connections.</span></b><span data-contrast=\"auto\"> Never access sensitive information over free public Wi-Fi and consider avoiding using such Internet access altogether, especially from any device on which you perform sensitive activities or access sensitive information. The connection provided by your cellular service is likely far more secure than any public Wi-Fi, and such connections can usually be shared by multiple devices if you turn on your phone’s “mobile hotspot” feature.</span><span data-ccp-props=\"{&quot;201341983&quot;:1,&quot;335559685&quot;:1440,&quot;335559739&quot;:110,&quot;335559740&quot;:220,&quot;335559991&quot;:1440,&quot;469777462&quot;:[1340,1440],&quot;469777927&quot;:[0,0],&quot;469777928&quot;:[4,1]}\"> </span></li>\n<li><b><span data-contrast=\"auto\">Use proper authentication and passwords.</span></b><span data-contrast=\"auto\"> Every person accessing an important system should have their own login credentials. Do not share passwords for online banking, email, social media, and so on with your children or significant other. Get everyone their own login. Make sure you use strong, unique passwords for your most sensitive systems.</span><span data-ccp-props=\"{&quot;201341983&quot;:1,&quot;335559685&quot;:1440,&quot;335559739&quot;:110,&quot;335559740&quot;:220,&quot;335559991&quot;:1440,&quot;469777462&quot;:[1340,1440],&quot;469777927&quot;:[0,0],&quot;469777928&quot;:[4,1]}\"> </span></li>\n<li><b><span data-contrast=\"auto\">Share wisely. 
</span></b><span data-contrast=\"auto\">Do not overshare information on social media or using any other platforms. Crooks look for such data and use it to social engineer people. Oversharing exposes yourself and your loved ones to increased risks of being targeted by scammers or of having your identities stolen.</span><span data-ccp-props=\"{&quot;201341983&quot;:1,&quot;335559685&quot;:1440,&quot;335559739&quot;:220,&quot;335559740&quot;:220,&quot;335559991&quot;:1440,&quot;469777462&quot;:[1340,1440],&quot;469777927&quot;:[0,0],&quot;469777928&quot;:[4,1]}\"> </span></li>\n</ul>\n"},{"title":"Avoid common cybersecurity mistakes","thumb":null,"image":null,"content":"<p><span data-contrast=\"auto\">Here are some of the common cybersecurity mistakes people make. These mistakes make hacking easier than it should be, and therefore, also help criminals commit cybercrimes.</span><span data-ccp-props=\"{&quot;201341983&quot;:1,&quot;335559685&quot;:1022,&quot;335559739&quot;:220,&quot;335559740&quot;:220}\"> </span></p>\n<ul>\n<li><b><span data-contrast=\"auto\">Thinking it cannot happen to you:</span></b><span data-contrast=\"auto\"> Every person, business, organization, and government entity is a potential target for hackers. 
People who think they do not have anything of value and “why would hackers want to attack me?” often act without proper diligence and learn quite quickly how wrong their perspective is.</span><span data-ccp-props=\"{&quot;201341983&quot;:1,&quot;335559685&quot;:1440,&quot;335559739&quot;:110,&quot;335559740&quot;:220,&quot;335559991&quot;:1440,&quot;469777462&quot;:[1340,1440],&quot;469777927&quot;:[0,0],&quot;469777928&quot;:[4,1]}\"> </span></li>\n<li><b><span data-contrast=\"auto\">Using weak passwords:</span></b><span data-contrast=\"auto\"> Despite ubiquitous warnings not to do so, a large number of people still use </span><a href=\"https://www.dummies.com/article/technology/cybersecurity/4-ways-hackers-crack-passwords-256039/\" target=\"_blank\" rel=\"noopener\"><span data-contrast=\"auto\">weak passwords</span></a><span data-contrast=\"auto\">, such as “123456” or “password” — as evidenced by the lists of compromised passwords publicized on the Internet after various breaches. If you use  the same password on a sensitive site that you used elsewhere, or use another form of weak password on a sensitive site, you dramatically increase the risk to yourself of an account being compromised.</span><span data-ccp-props=\"{&quot;201341983&quot;:1,&quot;335559685&quot;:1440,&quot;335559739&quot;:110,&quot;335559740&quot;:220,&quot;335559991&quot;:1440,&quot;469777462&quot;:[1340,1440],&quot;469777927&quot;:[0,0],&quot;469777928&quot;:[4,1]}\"> </span></li>\n<li><b><span data-contrast=\"auto\">Not using multifactor authentication when it is available:</span></b><span data-contrast=\"auto\"> All major social media platforms, Google, Amazon, and most major financial institutions offer some form of multifactor authentication capabilities. 
Multifactor authentication can, in the case of a password compromise, make all the difference between an account being breached and it remaining secure — yet, even today, many people still refuse to take advantage of the security benefits provided by multifactor authentication even when the features are offered for free.</span><span data-ccp-props=\"{&quot;201341983&quot;:1,&quot;335559685&quot;:1440,&quot;335559739&quot;:110,&quot;335559740&quot;:220,&quot;335559991&quot;:1440,&quot;469777462&quot;:[1340,1440],&quot;469777927&quot;:[0,0],&quot;469777928&quot;:[4,1]}\"> </span></li>\n<li><b><span data-contrast=\"auto\">Not running proper security software:</span></b><span data-contrast=\"auto\"> Modern security software dramatically increases the odds of a person fending off a whole slew of potential cybersecurity problems, including malware, breaches, spam overloads, and others. Yet, many people still do not run such software on each and every one of their computers (including laptops, tablets, and smartphones), while others run software but fail to keep it up to date, thereby undermining the potency of their product to protect against the latest (and, often, the most dangerous) threats.</span><span data-ccp-props=\"{&quot;201341983&quot;:1,&quot;335559685&quot;:1440,&quot;335559739&quot;:110,&quot;335559740&quot;:220,&quot;335559991&quot;:1440,&quot;469777462&quot;:[1340,1440],&quot;469777927&quot;:[0,0],&quot;469777928&quot;:[4,1]}\"> </span></li>\n<li><b><span data-contrast=\"auto\">Not keeping software up to date:</span></b><span data-contrast=\"auto\"> Many operating system and software updates contain fixes for security vulnerabilities discovered by researchers (or hackers) in prior releases. If you do not keep your software up to date, you’re likely to leave your devices vulnerable to attack. 
Worse yet, once a vendor publicly describes a vulnerability that it has fixed, criminals may seek to create exploit scripts to search for, and target, unpatched machines.</span><span data-ccp-props=\"{&quot;201341983&quot;:1,&quot;335559685&quot;:1440,&quot;335559739&quot;:110,&quot;335559740&quot;:220,&quot;335559991&quot;:1440,&quot;469777462&quot;:[1340,1440],&quot;469777927&quot;:[0,0],&quot;469777928&quot;:[4,1]}\"> </span></li>\n<li><b><span data-contrast=\"auto\">Failing to exercise good judgment:</span></b><span data-contrast=\"auto\"> The weakest link in the cybersecurity chain is almost always a human being. Whether it be by clicking a link that should not have been clicked, sending money to a fraudster who sent a bogus email impersonating one’s boss, installing a rogue app, downloading a pirated copy of a movie, or through some other imprudent action, human error often opens a cyber can of worms, and provides criminals with the ability to inflict far more harm than they would have been able to on their own.</span><span data-ccp-props=\"{&quot;201341983&quot;:1,&quot;335559685&quot;:1440,&quot;335559739&quot;:110,&quot;335559740&quot;:220,&quot;335559991&quot;:1440,&quot;469777462&quot;:[1340,1440],&quot;469777927&quot;:[0,0],&quot;469777928&quot;:[4,1]}\"> </span></li>\n<li><b><span data-contrast=\"auto\">Not learning the basics:</span></b><span data-contrast=\"auto\"> People who suffer from a medical condition, or whose loved ones do, typically learn about the condition to ensure that proper treatment is administered and that unnecessary danger does not result. 
When it comes to cybersecurity, however, many folks choose to remain ignorant, thinking that, somehow, if they pretend that there is no danger to them, such will be the reality.</span><span data-ccp-props=\"{&quot;201341983&quot;:1,&quot;335559685&quot;:1440,&quot;335559739&quot;:110,&quot;335559740&quot;:220,&quot;335559991&quot;:1440,&quot;469777462&quot;:[1340,1440],&quot;469777927&quot;:[0,0],&quot;469777928&quot;:[4,1]}\"> </span></li>\n<li><b><span data-contrast=\"auto\">Not hiring a pro:</span></b><span data-contrast=\"auto\"> When serious cybersecurity incidents occur, people (often individuals or small business owners) often try to address them on their own. Doing so is not much different than trying to treat a serious medical condition without going to the doctor or defending yourself in criminal court without a lawyer. Hackers, malware designers, and other cybercriminals are skilled and arm themselves with significant knowledge. If you’re locked in a de facto battle against them, you want a pro on your side, too.</span><span data-ccp-props=\"{&quot;201341983&quot;:1,&quot;335559685&quot;:1440,&quot;335559739&quot;:220,&quot;335559740&quot;:220,&quot;335559991&quot;:1440,&quot;469777462&quot;:[1340,1440],&quot;469777927&quot;:[0,0],&quot;469777928&quot;:[4,1]}\"> </span></li>\n</ul>\n"},{"title":"Common cyber scams targeting online shoppers","thumb":null,"image":null,"content":"<p><span data-contrast=\"auto\">Cyber-criminals use some common scams to target online shoppers, but you can protect yourself from internet scams easily.</span><span data-ccp-props=\"{&quot;201341983&quot;:1,&quot;335559685&quot;:1022,&quot;335559739&quot;:220,&quot;335559740&quot;:220}\"> </span></p>\n<p>One simple technique: If you ever receive any communication from a retailer, shipper, or any other party related to an online shopping order, an amazing deal, or other matter that you want to look into, do not click links in the message or open associated attachments. 
Open a web browser, go to the website of the relevant “sender,” locate its contact information, and contact it directly to ask about the message you received.</p>\n<p>The following are common cyber scams that target online shoppers:</p>\n<ul>\n<li><span data-ccp-props=\"{&quot;201341983&quot;:1,&quot;335559685&quot;:1022,&quot;335559739&quot;:220,&quot;335559740&quot;:220}\"> </span><b><span data-contrast=\"auto\">“There are problems with your order” emails (or text messages):</span></b><span data-contrast=\"auto\"> Criminals often send mass emails that appear to come from an online retailer and that inform recipients that a problem is preventing the store from shipping the order and that the recipient must take action to receive the order. Such emails often contain a link to a bogus website that collects, at a minimum, login information, such as usernames and passwords, for the retailer’s website.<br />\nSuch scam emails aren’t normally targeted — they simply impersonate major retailers. 
Criminals rely on the fact that a large number of people who receive such an email message are likely to have placed an order with the impersonated retailer in the not-so-distant past.</span></li>\n<li><b>“There are problems with your payment method” emails (or text messages):</b> Similar to the preceding scam, criminals send mass emails (or text messages) that appear to come from an online retailer and that inform recipients that a problem occurred with the payment method used to pay for an order — with instructions that the recipient submit new payment information via some web page.<br />\nRecipients who had, in fact, recently placed orders are likely to be caught off guard, and some will likely click through. 
Of course, the page that collects that new payment information — sometimes along with login credentials to the retailer’s site — is simply a tool for stealing credit and debit card numbers, along with potentially other data as well.</li>\n<li><b>Delivery-service problem emails: </b>Criminals send emails that appear to come from a major delivery service and that inform the recipients that an issue of some sort occurred with a delivery, and that the recipient must take action to have delivery reattempted.<br />\nOf course, these messages either deliver malware via attachments or direct users to phishing or malware-spreading websites; they certainly do not help people get any items delivered.</li>\n<li><b>Bogus deal emails, social media posts, or web links: </b>Criminals frequently either send via email or post to social media or deal websites all sorts of “amazing” offers, which often seem too good to be true. A 5-inch Samsung OLED television for $100?! A brand new 13-inch Mac laptop for $200?! While some such deals may be legitimate — and, if they are advertised by a major reseller, you can check on the website of the relevant seller to determine that — the overwhelming majority are not.<br />\nIf the seller is a major reseller and the deal is not legit, the email may link to a bogus site or be spreading malware. 
If the seller is a firm that you have never heard of, the whole store may be a scam — collecting payments, for example, and never shipping the goods for which the payments were made, shipping defective goods, or shipping stolen goods.</li>\n<li><b>Fake invoice emails:</b> Criminals send what appear to be invoices from online stores for purchases costing significant amounts and note that the sale amounts were charged to the recipients’ credit cards.<br />\nThese “invoices” scare people into thinking that they somehow unintentionally placed an order, were charged more than they expected for some item, or were somehow defrauded by someone using their credit card number. This can lead the recipients to contact the seller by clicking links that the sender, of course, conveniently included within the invoice message.<br />\nThese links, however, bring the user to a site that either captures information, installs malware, or both. 
Sometimes the invoices that are sent via email are included as attachments and, you guessed it, contain malware.</li>\n</ul>\n"}],"videoInfo":{"videoId":null,"name":null,"accountId":null,"playerId":null,"thumbnailUrl":null,"description":null,"uploadDate":null}},"sponsorship":{"sponsorshipPage":false,"backgroundImage":{"src":null,"width":0,"height":0},"brandingLine":"","brandingLink":"","brandingLogo":{"src":null,"width":0,"height":0},"sponsorAd":"","sponsorEbookTitle":"","sponsorEbookLink":"","sponsorEbookImage":{"src":null,"width":0,"height":0}},"primaryLearningPath":"Solve","lifeExpectancy":"Six months","lifeExpectancySetFrom":"2021-12-06T00:00:00+00:00","dummiesForKids":"no","sponsoredContent":"no","adInfo":"","adPairKey":[]},"status":"publish","visibility":"public","articleId":264354},{"headers":{"creationTime":"2018-10-10T12:02:16+00:00","modifiedTime":"2022-06-23T14:39:39+00:00","timestamp":"2022-09-14T18:19:44+00:00"},"data":{"breadcrumbs":[{"name":"Technology","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33512"},"slug":"technology","categoryId":33512},{"name":"Cybersecurity","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33537"},"slug":"cybersecurity","categoryId":33537}],"title":"4 Ways Hackers Crack Passwords","strippedTitle":"4 ways hackers crack passwords","slug":"4-ways-hackers-crack-passwords","canonicalUrl":"","seo":{"metaDescription":"Learn the different ways hackers break into passwords and the various tools available to you for protecting your passwords.","noIndex":0,"noFollow":0},"content":"Hackers use a variety of means to gain passwords. 
One of the most common ways for hackers to get access to your passwords is through <a href=\"https://www.dummies.com/computers/pcs/computer-security/the-dangers-of-social-engineering/\" target=\"_blank\" rel=\"noopener\">social engineering</a>, but they don’t stop there. Check out the following tools and vulnerabilities hackers exploit to grab your password.\r\n<h2 id=\"tab1\" >Keystroke logging</h2>\r\nOne of the best techniques for capturing passwords is remote <em>keystroke logging</em> — the use of software or hardware to record keystrokes as they’re typed.\r\n<p class=\"article-tips warning\">Be careful with keystroke logging. Even with good intentions, monitoring employees raises various legal issues if it’s not done correctly. Discuss with your legal counsel what you’ll be doing, ask for her guidance, and get approval from upper management.</p>\r\n\r\n<h3>Logging tools used by hackers</h3>\r\nWith keystroke-logging tools, you can review the tool’s log files to see what passwords people are using:\r\n<ul>\r\n \t<li>Keystroke-logging applications can be installed on the monitored computer. Check out <a href=\"https://www.veriato.com/products/veriato-cerebral-insider-threat-detection-software\" target=\"_blank\" rel=\"noopener\">Veriato's Cerebral</a>, as one example. Dozens of such tools are available online.</li>\r\n \t<li>Hardware-based tools fit between the keyboard and the computer or replace the keyboard.</li>\r\n</ul>\r\n<p class=\"article-tips warning\">A keystroke-logging tool installed on a shared computer can capture the passwords of every user who logs in.</p>\r\n\r\n<h3>Countermeasures against logging tools</h3>\r\nThe best defense against the installation of keystroke-logging software on your systems is to use an antimalware program or a similar endpoint protection software that monitors the local host. It’s not foolproof but can help. 
As with physical keyloggers, you’ll need to inspect each system visually.\r\n<p class=\"article-tips warning\">The potential for hackers to install keystroke-logging software is another reason to ensure that your users aren’t downloading and installing random shareware or opening attachments in unsolicited emails. Consider locking down your desktops by setting the appropriate user rights through local or group security policy in Windows.</p>\r\nAlternatively, you could use a commercial lockdown program, such as <a href=\"http://www.fortresgrand.com/\" target=\"_blank\" rel=\"noopener\">Fortres 101</a> for Windows or <a href=\"http://www.faronics.com/products/deep-freeze/enterprise\" target=\"_blank\" rel=\"noopener\">Deep Freeze Enterprise</a> for Windows, Linux, and macOS. A different technology that still falls into this category is Carbon Black’s “positive security” allow-listing application, called <a href=\"https://www.carbonblack.com/products/cb-protection\" target=\"_blank\" rel=\"noopener\">Cb Protection</a>, which allows you to configure which executables can be run on any given system. It’s intended to fight off advanced malware but could certainly be used in this situation.\r\n<h2 id=\"tab2\" >Weak password storage</h2>\r\nMany legacy and stand-alone applications — such as email, dial-up network connections, and accounting software — store passwords locally, which makes them vulnerable to password hacking. By performing a basic text search, you can find passwords stored in clear text on the local hard drives of machines. You can automate the process even further by using a program called <a href=\"https://www.mythicsoft.com/\" target=\"_blank\" rel=\"noopener\">FileLocator Pro</a>.\r\n<h3>How hackers search for passwords</h3>\r\nYou can try using your favorite text-searching utility — such as the Windows search function, <code>findstr</code>, or <code>grep</code> — to search for <em>password</em> or <em>passwd</em> on your computer's drives. 
You may be shocked to find what’s on your systems. Some programs even write passwords to disk or leave them stored in memory.\r\n<p class=\"article-tips remember\">Weak password storage is a criminal hacker’s dream. Head it off if you can. This doesn’t mean that you should immediately run off and start using a cloud-based password manager, however. As we’ve all seen over the years, those systems get hacked as well!</p>\r\n\r\n<h3>Countermeasures against weak passwords</h3>\r\nThe only reliable way to eliminate weak password storage is to use only applications that store passwords securely. This practice may not be practical, but it’s your only guarantee that your passwords are secure. Another option is to instruct users not to store their passwords when prompted.\r\n\r\nBefore upgrading applications, contact your software vendor to see how it manages passwords, or search for a third-party solution.\r\n<h2 id=\"tab3\" >How hackers use network analyzers to crack passwords</h2>\r\nA network analyzer sniffs the packets traversing the network, which is what the bad guys do if they can gain control of a computer, <a href=\"https://www.dummies.com/programming/certification/network-based-hacker-attacks/\" target=\"_blank\" rel=\"noopener\">tap into your wireless network</a>, or gain physical network access to set up their network analyzer. If they gain physical access, they can look for a network jack on the wall and plug right in.\r\n<h3>Finding password vulnerabilities with network analyzers</h3>\r\nThe image below shows how crystal-clear passwords can be through the eyes of a network analyzer. This shows how Cain & Abel can glean thousands of passwords going across the network in a matter of a couple of hours. As you can see in the left pane, these clear text password vulnerabilities can apply to FTP, web, Telnet, and more. 
(The actual usernames and passwords are blurred to protect them.)\r\n\r\n[caption id=\"attachment_256040\" align=\"aligncenter\" width=\"535\"]<img class=\"wp-image-256040 size-full\" src=\"https://www.dummies.com/wp-content/uploads/cain-abel-ethical-hacking.jpg\" alt=\"\" width=\"535\" height=\"304\" /> Using Cain & Abel to capture passwords going across the network.[/caption]\r\n<p class=\"article-tips remember\">If traffic isn’t tunneled through some form of encrypted link (such as a virtual private network, Secure Shell, or Secure Sockets Layer), it’s vulnerable to attack.</p>\r\nCain & Abel is a password-cracking tool that also has network analysis capabilities. You can also use a regular network analyzer, such as the commercial products <a href=\"https://www.liveaction.com/products/omnipeek-network-protocol-analyzer/\" target=\"_blank\" rel=\"noopener\">Omnipeek</a> and <a href=\"https://www.tamos.com/products/commview\" target=\"_blank\" rel=\"noopener\">CommView</a>, as well as the free open-source program <a href=\"https://www.wireshark.org/\" target=\"_blank\" rel=\"noopener\">Wireshark</a>. With a network analyzer, you can search for password traffic in various ways. To capture POP3 password traffic, for example, you can set up a filter and a trigger to search for the PASS command. When the network analyzer sees the PASS command in the packet, it captures that specific data.\r\n\r\nNetwork analyzers require you to capture data on a hub segment of your network or via a monitor/mirror/span port on a switch. Otherwise, you can’t see anyone else’s data traversing the network — just yours. Check your switch’s user guide to see whether it has a monitor or mirror port and for instructions on how to configure it. You can connect your network analyzer to a hub on the public side of your firewall. 
You’ll capture only those packets that are entering or leaving your network — not internal traffic.\r\n<h3>Countermeasures against network analyzers</h3>\r\nHere are some good defenses against network analyzer attacks:\r\n<ul>\r\n \t<li><strong>Use switches on your network, not hubs.</strong> Ethernet hubs are things of the past, but they are still used occasionally. If you must use hubs on network segments, a program like <a href=\"http://sniffdet.sourceforge.net/\" target=\"_blank\" rel=\"noopener\">sniffdet</a> for Unix/Linux-based systems and <a href=\"https://vidstromlabs.com/freetools/promiscdetect/\" target=\"_blank\" rel=\"noopener\">PromiscDetect</a> for Windows can detect network cards in <em>promiscuous mode</em> (accepting all packets, whether they’re destined for the local machine or not). A network card in promiscuous mode signifies that a network analyzer may be running on the network.</li>\r\n \t<li><strong>Make sure that unsupervised areas, such as an unoccupied lobby or training room, don’t have live network connections.</strong> An Ethernet port is all someone needs to gain access to your internal network.</li>\r\n \t<li><strong>Don’t let anyone without a business need gain physical access to your switches or to the network connection on the public side of your firewall.</strong> With physical access, a hacker can connect to a switch monitor port or tap into the unswitched network segment outside the firewall and then capture packets.</li>\r\n</ul>\r\n<p class=\"article-tips warning\">Switches don’t provide complete security because they’re vulnerable to ARP poisoning attacks.</p>\r\n\r\n<h2 id=\"tab4\" >How hackers break weak BIOS passwords</h2>\r\nMost computer BIOS (basic input/output system) settings allow power-on passwords and/or setup passwords to protect the computer’s hardware settings that are stored in the CMOS chip. 
Here are some ways around these passwords:\r\n<ul>\r\n \t<li>You usually can reset these passwords by unplugging the CMOS battery or by changing a jumper on the motherboard.</li>\r\n \t<li>Password-cracking utilities for BIOS passwords are available on the Internet and from computer manufacturers.</li>\r\n</ul>\r\nIf gaining access to the hard drive is your ultimate goal, you can remove the hard drive from the computer and install it in another one, and you’re good to go. This technique is a great way to prove that BIOS/power-on passwords are <em>not</em> effective countermeasures for lost or stolen laptops.\r\n<p class=\"article-tips tip\">Check <a href=\"https://www.cirt.net/passwords\" target=\"_blank\" rel=\"noopener\">cirt.net</a> for a good list of default system passwords for various vendor equipment.</p>\r\nTons of variables exist for hacking and hacking countermeasures depending on your hardware setup. If you plan to hack your own BIOS passwords, check for information in your user manual, or refer to the <a href=\"http://searchenterprisedesktop.techtarget.com/tutorial/BIOS-password-hacking\" target=\"_blank\" rel=\"noopener\">BIOS password-hacking guide</a>. If protecting the information on your hard drives is your ultimate goal, full-disk (sometimes referred to as <em>whole-disk</em>) encryption is the best way to go.\r\n\r\nThe good news is that newer computers (within the past five years or so) use a new type of BIOS called Unified Extensible Firmware Interface (UEFI), which is much more resilient to boot-level system cracking attempts. Still, a weak password may be all it takes for the system to be exploited.\r\n<h2 id=\"tab5\" >Weak passwords in limbo</h2>\r\nBad guys often exploit user accounts that have just been created or reset by a network administrator or help desk. New accounts may need to be created for new employees or even for security testing purposes. 
Accounts may need to be reset if users forget their passwords or if the accounts have been locked out because of failed attempts.\r\n<h3>Password weaknesses in user accounts</h3>\r\nHere are some reasons why user accounts can be vulnerable:\r\n<ul>\r\n \t<li>When user accounts are reset, they’re often assigned an easily cracked or widely known password (such as the user’s name or the word <em>password</em>). The time between resetting the user account and changing the password is a prime opportunity for a break-in.</li>\r\n \t<li>Many systems have default accounts or unused accounts with weak passwords or no passwords at all. These accounts are prime targets.</li>\r\n</ul>\r\n<h3>Countermeasures against passwords in limbo</h3>\r\nThe best defenses against attacks on passwords in limbo are solid help-desk policies and procedures that prevent weak passwords from being available at any given time during the new-account-generation and password-reset processes. Following are perhaps the best ways to overcome this vulnerability:\r\n<ul>\r\n \t<li>Require users to be on the phone with the help desk or to have a help-desk member perform the reset at the user’s desk.</li>\r\n \t<li>Require that the user immediately log in and change the password.</li>\r\n \t<li>If you need the ultimate in security, implement stronger authentication methods, such as challenge/response questions, smart cards, or digital certificates.</li>\r\n \t<li>Automate password reset functionality via self-service tools on your network so that users can manage most of their password problems without help from others.</li>\r\n</ul>","description":"Hackers use a variety of means to gain passwords. One of the most common ways for hackers to get access to your passwords is through <a href=\"https://www.dummies.com/computers/pcs/computer-security/the-dangers-of-social-engineering/\" target=\"_blank\" rel=\"noopener\">social engineering</a>, but they don’t stop there. Check out the following tools and vulnerabilities hackers exploit to grab your password.","blurb":"","authors":[{"authorId":8984,"name":"Kevin Beaver","slug":"kevin-beaver","description":" <p><b>Kevin Beaver </b>is an information security guru and has worked in the industry for more than three decades as a consultant, writer, and speaker. 
He earned his master&#8217;s degree in Management of Technology at Georgia Tech.</b></p> ","hasArticle":false,"_links":{"self":"https://dummies-api.dummies.com/v2/authors/8984"}}],"primaryCategoryTaxonomy":{"categoryId":33537,"title":"Cybersecurity","slug":"cybersecurity","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33537"}},"secondaryCategoryTaxonomy":{"categoryId":0,"title":null,"slug":null,"_links":null},"tertiaryCategoryTaxonomy":{"categoryId":0,"title":null,"slug":null,"_links":null},"trendingArticles":null,"inThisArticle":[{"label":"Keystroke logging","target":"#tab1"},{"label":"Weak password storage","target":"#tab2"},{"label":"How hackers use network analyzers to crack passwords","target":"#tab3"},{"label":"How hackers break weak BIOS passwords","target":"#tab4"},{"label":"Weak passwords in limbo","target":"#tab5"}],"relatedArticles":{"fromBook":[{"articleId":256048,"title":"Validate Data to Prevent Web Attacks: Input Hacks","slug":"validate-data-to-prevent-web-attacks-input-hacks","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/256048"}},{"articleId":256044,"title":"Best Practices for Minimizing Hacking of Email Systems","slug":"best-practices-for-minimizing-hacking-of-email-systems","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/256044"}},{"articleId":255983,"title":"Ethical Hacking: Improving Cybersecurity in Your Databases","slug":"ethical-hacking-improving-cybersecurity-in-your-databases","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/255983"}},{"articleId":255968,"title":"The Dangers of Social Engineering","slug":"the-dangers-of-social-engineering","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/255968"}},{"articleId":255963,"title":"How to Prevent Hacker Attacks: 4 Ways to Gather Public 
Information","slug":"how-to-prevent-hacker-attacks-4-ways-to-gather-public-information","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/255963"}}],"fromCategory":[{"articleId":291466,"title":"Security Awareness For Dummies Cheat Sheet","slug":"security-awareness-for-dummies-cheat-sheet","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/291466"}},{"articleId":290240,"title":"Cloud Security For Dummies Cheat Sheet","slug":"cloud-security-for-dummies-cheat-sheet","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/290240"}},{"articleId":270968,"title":"How to Perform a Penetration Test","slug":"how-to-perform-a-penetration-test","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270968"}},{"articleId":270960,"title":"Penetration Testing with Burp Suite and Wireshark to Uncover Vulnerabilities","slug":"penetration-testing-with-burp-suite-and-wireshark-to-uncover-vulnerabilities","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270960"}},{"articleId":270942,"title":"Building a Penetration Testing Toolkit: Considerations and Popular Pen Test 
Tools","slug":"building-a-penetration-testing-toolkit-considerations-and-popular-pen-test-tools","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270942"}}]},"hasRelatedBookFromSearch":false,"relatedBook":{"bookId":281732,"slug":"hacking-for-dummies","isbn":"9781119872191","categoryList":["technology","cybersecurity"],"amazon":{"default":"https://www.amazon.com/gp/product/1119872197/ref=as_li_tl?ie=UTF8&tag=wiley01-20","ca":"https://www.amazon.ca/gp/product/1119872197/ref=as_li_tl?ie=UTF8&tag=wiley01-20","indigo_ca":"http://www.tkqlhce.com/click-9208661-13710633?url=https://www.chapters.indigo.ca/en-ca/books/product/1119872197-item.html&cjsku=978111945484","gb":"https://www.amazon.co.uk/gp/product/1119872197/ref=as_li_tl?ie=UTF8&tag=wiley01-20","de":"https://www.amazon.de/gp/product/1119872197/ref=as_li_tl?ie=UTF8&tag=wiley01-20"},"image":{"src":"https://www.dummies.com/wp-content/uploads/9781119872191-203x255.jpg","width":203,"height":255},"title":"Hacking For Dummies","testBankPinActivationLink":"","bookOutOfPrint":true,"authorsInfo":"<p><b><b data-author-id=\"8984\">Kevin Beaver</b> </b>is an information security guru and has worked in the industry for more than three decades as a consultant, writer, and speaker. He earned his master&#8217;s degree in Management of Technology at Georgia Tech.</b></p>","authors":[{"authorId":8984,"name":"Kevin Beaver","slug":"kevin-beaver","description":" <p><b>Kevin Beaver </b>is an information security guru and has worked in the industry for more than three decades as a consultant, writer, and speaker. 
He earned his master&#8217;s degree in Management of Technology at Georgia Tech.</b></p> ","hasArticle":false,"_links":{"self":"https://dummies-api.dummies.com/v2/authors/8984"}}],"_links":{"self":"https://dummies-api.dummies.com/v2/books/"}},"collections":[],"articleAds":{"footerAd":"<div class=\"du-ad-region row\" id=\"article_page_adhesion_ad\"><div class=\"du-ad-unit col-md-12\" data-slot-id=\"article_page_adhesion_ad\" data-refreshed=\"false\" \r\n data-target = \"[{&quot;key&quot;:&quot;cat&quot;,&quot;values&quot;:[&quot;technology&quot;,&quot;cybersecurity&quot;]},{&quot;key&quot;:&quot;isbn&quot;,&quot;values&quot;:[&quot;9781119872191&quot;]}]\" id=\"du-slot-63221b4095614\"></div></div>","rightAd":"<div class=\"du-ad-region row\" id=\"article_page_right_ad\"><div class=\"du-ad-unit col-md-12\" data-slot-id=\"article_page_right_ad\" data-refreshed=\"false\" \r\n data-target = \"[{&quot;key&quot;:&quot;cat&quot;,&quot;values&quot;:[&quot;technology&quot;,&quot;cybersecurity&quot;]},{&quot;key&quot;:&quot;isbn&quot;,&quot;values&quot;:[&quot;9781119872191&quot;]}]\" id=\"du-slot-63221b4095fac\"></div></div>"},"articleType":{"articleType":"Articles","articleList":null,"content":null,"videoInfo":{"videoId":null,"name":null,"accountId":null,"playerId":null,"thumbnailUrl":null,"description":null,"uploadDate":null}},"sponsorship":{"sponsorshipPage":false,"backgroundImage":{"src":null,"width":0,"height":0},"brandingLine":"","brandingLink":"","brandingLogo":{"src":null,"width":0,"height":0},"sponsorAd":"","sponsorEbookTitle":"","sponsorEbookLink":"","sponsorEbookImage":{"src":null,"width":0,"height":0}},"primaryLearningPath":"Advance","lifeExpectancy":"One 
year","lifeExpectancySetFrom":"2021-12-14T00:00:00+00:00","dummiesForKids":"no","sponsoredContent":"no","adInfo":"","adPairKey":[]},"status":"publish","visibility":"public","articleId":256039},{"headers":{"creationTime":"2019-12-22T20:09:51+00:00","modifiedTime":"2022-03-15T20:59:52+00:00","timestamp":"2022-09-14T18:19:27+00:00"},"data":{"breadcrumbs":[{"name":"Technology","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33512"},"slug":"technology","categoryId":33512},{"name":"Cybersecurity","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33537"},"slug":"cybersecurity","categoryId":33537}],"title":"GDPR For Dummies Cheat Sheet","strippedTitle":"gdpr for dummies cheat sheet","slug":"gdpr-for-dummies-cheat-sheet","canonicalUrl":"","seo":{"metaDescription":"This cheat sheet answers some questions about a few major misunderstandings regarding GDPR requirements for non-EU organizations and Article 27.","noIndex":0,"noFollow":0},"content":"The <a href=\"https://www.dummies.com/education/politics-government/general-data-protections-regulation-gdpr/\" target=\"_blank\" rel=\"noopener\">General Data Protection Regulation</a> (GDPR) was designed to streamline data protection laws across Europe as well as provide for some consistency across the European Union (EU). Although it's been in place since May 2018, it still causes a lot of confusion. This cheat sheet answers some questions about a few major misunderstandings: Does the GDPR apply to non-EU organizations? Can non-EU organizations be fined for non-compliance? 
Do you need an Article 27 representative?\r\n\r\n[caption id=\"attachment_266834\" align=\"alignnone\" width=\"556\"]<img class=\"size-full wp-image-266834\" src=\"https://www.dummies.com/wp-content/uploads/gdpr-concept-image.jpg\" alt=\"GDPR concept image\" width=\"556\" height=\"371\" /> © Wright Studio/Shutterstock.com[/caption]","description":"The <a href=\"https://www.dummies.com/education/politics-government/general-data-protections-regulation-gdpr/\" target=\"_blank\" rel=\"noopener\">General Data Protection Regulation</a> (GDPR) was designed to streamline data protection laws across Europe as well as provide for some consistency across the European Union (EU). Although it's been in place since May 2018, it still causes a lot of confusion. This cheat sheet answers some questions about a few major misunderstandings: Does the GDPR apply to non-EU organizations? Can non-EU organizations be fined for non-compliance? Do you need an Article 27 representative?\r\n\r\n[caption id=\"attachment_266834\" align=\"alignnone\" width=\"556\"]<img class=\"size-full wp-image-266834\" src=\"https://www.dummies.com/wp-content/uploads/gdpr-concept-image.jpg\" alt=\"GDPR concept image\" width=\"556\" height=\"371\" /> © Wright Studio/Shutterstock.com[/caption]","blurb":"","authors":[],"primaryCategoryTaxonomy":{"categoryId":33537,"title":"Cybersecurity","slug":"cybersecurity","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33537"}},"secondaryCategoryTaxonomy":{"categoryId":0,"title":null,"slug":null,"_links":null},"tertiaryCategoryTaxonomy":{"categoryId":0,"title":null,"slug":null,"_links":null},"trendingArticles":null,"inThisArticle":[],"relatedArticles":{"fromBook":[{"articleId":267867,"title":"GDPR and Data Security","slug":"gdpr-and-data-security","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/267867"}},{"articleId":267864,"title":"The GDPR and Data Subject Access Rights 
(DSARs)","slug":"the-gdpr-and-data-subject-access-rights-dsars","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/267864"}},{"articleId":267861,"title":"How to Create and Communicate Your Opt-In Wording","slug":"how-to-create-and-communicate-your-opt-in-wording","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/267861"}},{"articleId":267858,"title":"Data Protection: When to Use Opt-In Wording","slug":"data-protection-when-to-use-opt-in-wording","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/267858"}},{"articleId":267854,"title":"How to Create and Communicate Your Cookie Policy","slug":"how-to-create-and-communicate-your-cookie-policy","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/267854"}}],"fromCategory":[{"articleId":291466,"title":"Security Awareness For Dummies Cheat Sheet","slug":"security-awareness-for-dummies-cheat-sheet","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/291466"}},{"articleId":290240,"title":"Cloud Security For Dummies Cheat Sheet","slug":"cloud-security-for-dummies-cheat-sheet","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/290240"}},{"articleId":270968,"title":"How to Perform a Penetration Test","slug":"how-to-perform-a-penetration-test","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270968"}},{"articleId":270960,"title":"Penetration Testing with Burp Suite and Wireshark to Uncover 
Vulnerabilities","slug":"penetration-testing-with-burp-suite-and-wireshark-to-uncover-vulnerabilities","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270960"}},{"articleId":270942,"title":"Building a Penetration Testing Toolkit: Considerations and Popular Pen Test Tools","slug":"building-a-penetration-testing-toolkit-considerations-and-popular-pen-test-tools","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270942"}}]},"hasRelatedBookFromSearch":false,"relatedBook":{"bookId":282224,"slug":"gdpr-for-dummies","isbn":"9781119546092","categoryList":["technology","cybersecurity"],"amazon":{"default":"https://www.amazon.com/gp/product/1119546095/ref=as_li_tl?ie=UTF8&tag=wiley01-20","ca":"https://www.amazon.ca/gp/product/1119546095/ref=as_li_tl?ie=UTF8&tag=wiley01-20","indigo_ca":"http://www.tkqlhce.com/click-9208661-13710633?url=https://www.chapters.indigo.ca/en-ca/books/product/1119546095-item.html&cjsku=978111945484","gb":"https://www.amazon.co.uk/gp/product/1119546095/ref=as_li_tl?ie=UTF8&tag=wiley01-20","de":"https://www.amazon.de/gp/product/1119546095/ref=as_li_tl?ie=UTF8&tag=wiley01-20"},"image":{"src":"https://www.dummies.com/wp-content/uploads/gdpr-for-dummies-cover-9781119546092-203x255.jpg","width":203,"height":255},"title":"GDPR For Dummies","testBankPinActivationLink":"","bookOutOfPrint":true,"authorsInfo":"<p><p><b><b data-author-id=\"33258\">Suzanne Dibble</b></b> is a business lawyer who has advised huge multi&#45;national corporations, private equity&#45;backed enterprises, and household names. Since 2010 she has focused on small businesses, combining her knowledge of large organizations with a deep appreciation for entrepreneurship, especially online businesses, to provide practical, relevant advice. 
See more at suzannedibble.com</p>","authors":[{"authorId":33258,"name":"Suzanne Dibble","slug":"suzanne-dibble","description":" <p><b>Suzanne Dibble</b> is a business lawyer who has advised huge multi&#45;national corporations, private equity&#45;backed enterprises, and household names. Since 2010 she has focused on small businesses, combining her knowledge of large organizations with a deep appreciation for entrepreneurship, especially online businesses, to provide practical, relevant advice. See more at suzannedibble.com ","hasArticle":false,"_links":{"self":"https://dummies-api.dummies.com/v2/authors/33258"}}],"_links":{"self":"https://dummies-api.dummies.com/v2/books/"}},"collections":[],"articleAds":{"footerAd":"<div class=\"du-ad-region row\" id=\"article_page_adhesion_ad\"><div class=\"du-ad-unit col-md-12\" data-slot-id=\"article_page_adhesion_ad\" data-refreshed=\"false\" \r\n data-target = \"[{&quot;key&quot;:&quot;cat&quot;,&quot;values&quot;:[&quot;technology&quot;,&quot;cybersecurity&quot;]},{&quot;key&quot;:&quot;isbn&quot;,&quot;values&quot;:[&quot;9781119546092&quot;]}]\" id=\"du-slot-63221b2fc7367\"></div></div>","rightAd":"<div class=\"du-ad-region row\" id=\"article_page_right_ad\"><div class=\"du-ad-unit col-md-12\" data-slot-id=\"article_page_right_ad\" data-refreshed=\"false\" \r\n data-target = \"[{&quot;key&quot;:&quot;cat&quot;,&quot;values&quot;:[&quot;technology&quot;,&quot;cybersecurity&quot;]},{&quot;key&quot;:&quot;isbn&quot;,&quot;values&quot;:[&quot;9781119546092&quot;]}]\" id=\"du-slot-63221b2fc7dd4\"></div></div>"},"articleType":{"articleType":"Cheat Sheet","articleList":[{"articleId":0,"title":"","slug":null,"categoryList":[],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/"}}],"content":[{"title":"Does the GDPR apply to non-EU organizations?","thumb":null,"image":null,"content":"<p>One of the sources of confusion regarding the GDPR is whether or not non-EU organizations meet GDPR requirements. 
There are two scenarios where the GDPR may apply to you:</p>\n<ul>\n<li>Your business is established within the EU.</li>\n<li>Your business is established outside of the EU but you either:\n<ul>\n<li>Offer goods or services to data subjects who are in the European Union, or</li>\n<li>You monitor the behavior of data subjects, as far as that behavior takes place within the EU.</li>\n</ul>\n</li>\n</ul>\n<p>So, is your business established in the EU?</p>\n<p>This is a straightforward enough question to answer if your business is entirely based in Spain, France or Italy, but what if your main business is located outside of the EU and you have a very small presence in an EU country?</p>\n<p>What does “established” actually mean? We have to look at the “effective and real exercise of activity through stable arrangements” to see what that means.</p>\n<p>The following factors by themselves do not determine establishment within the EU:</p>\n<ul>\n<li>Your organization has a single server in an EU country.</li>\n<li>Your website is accessible by people within the EU.</li>\n<li>You have an Article 27 Representative in the EU.</li>\n<li>You use a data processor within the EU (a service provider who processes personal data on your behalf and under your instruction, in other words).</li>\n<li>Your data subjects (the individuals whose personal data you hold) are based in the EU.</li>\n</ul>\n<p>Equally, the place of incorporation of your business or the fact that you have a branch or subsidiary in certain countries is not the deciding factor in where your business is established.</p>\n<p>Yet, if you have just one sales agent, one employee, or other such representative in an EU country and this constitutes an effective and real exercise of activity through stable arrangements, then you will have an establishment within an EU country.</p>\n<p>You don’t have to be processing personal data within the EU for the GDPR to apply. 
If you are processing personal data “in the context of the activities” of the EU establishment (remember that this may be a single sales rep), then GDPR will apply to you whether the processing takes place within the EU or not.</p>\n<p>Hence, if your business is mainly based outside of the EU and this is where the processing of personal data takes place, but you have an establishment within the EU and the processing carried out is in the context of the activities of the entity based outside of the EU, then the GDPR will apply regardless of the fact that the processing is being carried out outside of the EU.</p>\n<p>For the processing of personal data to be “in the context of the activities of the establishment,” there needs to be an inextricable link between the activities of the establishment based outside the EU (the one carrying out the processing) and the establishment based in the EU. Inextricable means that the two establishments are connected and cannot be separated.</p>\n<p>If processing by a non-EU entity is inextricably linked to the activities of an establishment in the EU, then the GDPR applies to all processing (even of data subjects outside of the EU), even though the EU establishment isn’t carrying out (or taking any part in) the data processing itself.</p>\n<p>If you have decided you definitely don’t have an establishment in the EU, then you need to look at whether you:</p>\n<ul>\n<li>Offer goods or services to data subjects who are in the European Union; or</li>\n<li>Monitor the behavior of data subjects, as far as that behaviour takes place within the EU.</li>\n</ul>\n<p>In terms of offering goods or services, it is irrelevant whether payment is made for these or not.</p>\n<p>When considering whether you’re offering goods or services to data subjects within the EU, you need to look at whether it was actually an active part of your business plan to offer goods or services to data subjects within the EU. 
If you have a few one-off sales in the EU or sign-ups to your newsletter from data subjects in the EU, for example, you may not be subject to the GDPR.</p>\n<p>The following factors are considered in determining whether you are offering goods or services in such a way that the GDPR applies to you:</p>\n<ul>\n<li>Your text is in an EU language.</li>\n<li>You&#8217;re displaying prices in an EU currency.</li>\n<li>You&#8217;ve enabled the ability for people to place orders in EU languages.</li>\n<li>You make references to the country of EU users or customers.</li>\n<li>You have advertisements directed to people within EU member states.</li>\n<li>You display telephone numbers with international codes.</li>\n<li>You&#8217;re using a domain of the European member state (for example, .de or .eu).</li>\n<li>You mention clients or customers in European member states.</li>\n</ul>\n<p>This list isn’t exhaustive and all circumstances need to be considered.</p>\n<p>The data processing must relate to data subjects located in the EU at the moment when the goods or services are offered or when the behavior is monitored. The citizenship, place of residence, or other legal status of the data subject has no relevance.</p>\n<p>One example is that of an app offered by a United States-based start-up that provides city mapping and targeted advertising for tourists from the US visiting European cities such as London, Paris and Rome. These US citizens who are in the EU when the service is offered and their behavior is monitored are “in the EU” and therefore the GDPR applies to this data processing. 
If, however, a US tourist downloads a US news app that targets US residents while on vacation in a country within the EU, this data processing is not subject to the GDPR.</p>\n<p>If you monitor or profile EU individuals’ behavior, where that behavior is occurring within the EU, then the GDPR applies to you.</p>\n<p>Monitoring includes the tracking of individuals online to create profiles, particularly where this is in order to make decisions concerning that individual or for analyzing or predicting the individual’s preferences, behaviors, and attitudes. For example, if you’re using cookies to track an individual’s activity on the Internet and that individual is within the EU, the GDPR applies to you.</p>\n"},{"title":"Can non-EU organizations be fined for non-compliance?","thumb":null,"image":null,"content":"<p>You will no doubt have heard of the headline fines introduced by the GDPR — a maximum of 20 million euros (about $24 million USD) or 4 percent of your worldwide turnover for the previous financial year, whichever is the higher.</p>\n<p>In 2019, British Airways faced a £183 million (about $229.72 million USD) fine and Marriott faced a £99 million (about $124 million USD) fine for security breaches. Google was fined 50 million euros (about $57 million USD) for a failure to follow the principles of the GDPR. Many other serious investigations into GDPR compliance failures are ongoing.</p>\n<p>But if your business is mainly based outside of the EU, you may be thinking, &#8220;Well, why should I bother complying with the GDPR, as surely EU regulators can’t take action against my business?&#8221;</p>\n<p>Such an approach may not be the smartest. 
Let’s look at the reasons why.</p>\n<h3>The regulatory consequences and the huge fines</h3>\n<p>Article 50 of the GDPR anticipates attempts by non-EU organizations to avoid compliance and makes specific provision for the EU’s data protection authorities to establish international cooperation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data.</p>\n<p>As was demonstrated by the United Kingdom’s enforcement notice against a Canadian company with no physical presence in the EU that was not in compliance with the GDPR, EU regulators will not be shy to take action against organizations outside of the EU.</p>\n<h3>Your EU customer and prospects won’t trust you</h3>\n<p>Aside from the regulatory consequences, your customers and prospects are much more informed about the GDPR than they were when it came to the old data protection laws and may not trust you with their personal data if they see examples of non-compliance.</p>\n<p>Supervisory authorities have run public awareness campaigns, so your prospects and customers in the EU will be much more savvy about their rights and how you should be complying with the GDPR. They will know, for example, that you should be providing them with your Privacy Notice and if you don’t do so, they will be suspicious and may decide not to entrust you with their personal data. In many cases, EU customers will vote with their feet and will move to a new supplier who is compliant with the GDPR.</p>\n<h3>Your EU customers will leave you</h3>\n<p>If you are processing personal data on behalf of data controllers within the EU — perhaps because you are an email services provider, a technology company, a marketing company or similar — and the data controllers transfer the personal data to you for to process in some way, then you need to comply with the GDPR. 
If not, the data controller is not legally allowed to hire you as they must only appoint data processors who put measures in place to comply with the GDPR.</p>\n<h3>Your US customers care about data protection</h3>\n<p>According to a 2018 survey by Acxiom, 82 percent of people in the US are concerned about the issue of online privacy. This was the highest percentage out of all ten countries surveyed, including Spain, Canada, Australia, the UK, Singapore, France, Argentina, Germany, and the Netherlands.</p>\n<p>Although organizations established outside of the EU only need to comply with the GDPR in relation to data subjects within the EU, you might want to think about complying with it for all of your data subjects.</p>\n<p>The GDPR is the gold standard of data protection, so if you need to comply for your EU customers and prospects, why not have one tier of data protection rather than a lesser standard for your US data subjects. You can use this to your competitive advantage by advertising the fact that you care about their personal data.</p>\n<h3>It isn’t as onerous to comply as you think</h3>\n<p>You might think that complying with the GDPR is a time consuming and expensive thing to do, but if you have the right resources and your business is relatively straightforward, it need be neither of these things.</p>\n"},{"title":"Do you need an Article 27 representative?","thumb":null,"image":null,"content":"<p>If you do not have an establishment within the EU and the GDPR applies to you, you’re required to appoint a representative in writing.</p>\n<p>A representative can be a person or organization that acts as a liaison between your organization and EU supervisory authorities who investigate and enforce data protection matters.</p>\n<p>You don’t have to appoint a representative if your processing of personal data meets all three of these criteria:</p>\n<ul>\n<li>It’s occasional.</li>\n<li>It doesn’t include processing of special category data or criminal convictions 
data on a large scale.</li>\n<li>It’s unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope, and purposes of the processing.</li>\n</ul>\n<p>Special category data includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation.</p>\n<p>The representative represents your organization with respect to your obligations under the GDPR, with the following two main responsibilities:</p>\n<ul>\n<li>To receive correspondence from supervisory authorities and data subjects on all issues related to the processing of personal data.</li>\n<li>To make available to the supervisory authority, at their request, your Article 30 processing records.</li>\n</ul>\n<p>Article 30 processing records are certain records of processing that you, as a data controller or a data processor, are obliged to keep.</p>\n<p>Representatives are typically law firms or consultants and must be established within an EU member state where your relevant data subjects are. 
For example, if you’re established in the United States and have no data subjects in Ireland, you cannot appoint a representative in Ireland because you speak the same language.</p>\n<p>After the UK leaves the EU, if you have data subjects within the UK, you will also need to appoint a UK Representative.</p>\n"}],"videoInfo":{"videoId":null,"name":null,"accountId":null,"playerId":null,"thumbnailUrl":null,"description":null,"uploadDate":null}},"sponsorship":{"sponsorshipPage":false,"backgroundImage":{"src":null,"width":0,"height":0},"brandingLine":"","brandingLink":"","brandingLogo":{"src":null,"width":0,"height":0},"sponsorAd":"","sponsorEbookTitle":"","sponsorEbookLink":"","sponsorEbookImage":{"src":null,"width":0,"height":0}},"primaryLearningPath":"Solve","lifeExpectancy":"Six months","lifeExpectancySetFrom":"2021-12-07T00:00:00+00:00","dummiesForKids":"no","sponsoredContent":"no","adInfo":"","adPairKey":[]},"status":"publish","visibility":"public","articleId":266833},{"headers":{"creationTime":"2022-03-14T15:16:06+00:00","modifiedTime":"2022-03-14T15:18:42+00:00","timestamp":"2022-09-14T18:19:24+00:00"},"data":{"breadcrumbs":[{"name":"Technology","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33512"},"slug":"technology","categoryId":33512},{"name":"Cybersecurity","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33537"},"slug":"cybersecurity","categoryId":33537}],"title":"Security Awareness For Dummies Cheat Sheet","strippedTitle":"security awareness for dummies cheat sheet","slug":"security-awareness-for-dummies-cheat-sheet","canonicalUrl":"","seo":{"metaDescription":"Here's a summary of the key components to a cybersecurity awareness program, including how to to get buy-in from leaders and colleagues.","noIndex":0,"noFollow":0},"content":"Security awareness is much more complicated than just making users “aware.” Implementing an effective security awareness program means that you aren’t just providing information — rather, you’re 
specifically improving security related behaviors","description":"Security awareness is much more complicated than just making users “aware.” Implementing an effective security awareness program means that you aren’t just providing information — rather, you’re specifically improving security related behaviors","blurb":"","authors":[{"authorId":34698,"name":"Ira Winkler","slug":"ira-winkler","description":"","hasArticle":false,"_links":{"self":"https://dummies-api.dummies.com/v2/authors/34698"}}],"primaryCategoryTaxonomy":{"categoryId":33537,"title":"Cybersecurity","slug":"cybersecurity","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33537"}},"secondaryCategoryTaxonomy":{"categoryId":0,"title":null,"slug":null,"_links":null},"tertiaryCategoryTaxonomy":{"categoryId":0,"title":null,"slug":null,"_links":null},"trendingArticles":null,"inThisArticle":[],"relatedArticles":{"fromBook":[],"fromCategory":[{"articleId":290240,"title":"Cloud Security For Dummies Cheat Sheet","slug":"cloud-security-for-dummies-cheat-sheet","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/290240"}},{"articleId":270968,"title":"How to Perform a Penetration Test","slug":"how-to-perform-a-penetration-test","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270968"}},{"articleId":270960,"title":"Penetration Testing with Burp Suite and Wireshark to Uncover Vulnerabilities","slug":"penetration-testing-with-burp-suite-and-wireshark-to-uncover-vulnerabilities","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270960"}},{"articleId":270942,"title":"Building a Penetration Testing Toolkit: Considerations and Popular Pen Test 
Tools","slug":"building-a-penetration-testing-toolkit-considerations-and-popular-pen-test-tools","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270942"}},{"articleId":270933,"title":"How to Structure a Pen Test Report","slug":"how-to-structure-a-pen-test-report","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270933"}}]},"hasRelatedBookFromSearch":false,"relatedBook":{"bookId":290632,"slug":"security-awareness-for-dummies","isbn":"9781119720928","categoryList":["technology","cybersecurity"],"amazon":{"default":"https://www.amazon.com/gp/product/1119720923/ref=as_li_tl?ie=UTF8&tag=wiley01-20","ca":"https://www.amazon.ca/gp/product/1119720923/ref=as_li_tl?ie=UTF8&tag=wiley01-20","indigo_ca":"http://www.tkqlhce.com/click-9208661-13710633?url=https://www.chapters.indigo.ca/en-ca/books/product/1119720923-item.html&cjsku=978111945484","gb":"https://www.amazon.co.uk/gp/product/1119720923/ref=as_li_tl?ie=UTF8&tag=wiley01-20","de":"https://www.amazon.de/gp/product/1119720923/ref=as_li_tl?ie=UTF8&tag=wiley01-20"},"image":{"src":"https://www.dummies.com/wp-content/uploads/9781119720928-203x255.jpg","width":203,"height":255},"title":"Security Awareness For Dummies","testBankPinActivationLink":"","bookOutOfPrint":true,"authorsInfo":"","authors":[{"authorId":34698,"name":"Ira Winkler","slug":"ira-winkler","description":"","hasArticle":false,"_links":{"self":"https://dummies-api.dummies.com/v2/authors/34698"}}],"_links":{"self":"https://dummies-api.dummies.com/v2/books/"}},"collections":[],"articleAds":{"footerAd":"<div class=\"du-ad-region row\" id=\"article_page_adhesion_ad\"><div class=\"du-ad-unit col-md-12\" data-slot-id=\"article_page_adhesion_ad\" data-refreshed=\"false\" \r\n data-target = 
\"[{&quot;key&quot;:&quot;cat&quot;,&quot;values&quot;:[&quot;technology&quot;,&quot;cybersecurity&quot;]},{&quot;key&quot;:&quot;isbn&quot;,&quot;values&quot;:[&quot;9781119720928&quot;]}]\" id=\"du-slot-63221b2cb5783\"></div></div>","rightAd":"<div class=\"du-ad-region row\" id=\"article_page_right_ad\"><div class=\"du-ad-unit col-md-12\" data-slot-id=\"article_page_right_ad\" data-refreshed=\"false\" \r\n data-target = \"[{&quot;key&quot;:&quot;cat&quot;,&quot;values&quot;:[&quot;technology&quot;,&quot;cybersecurity&quot;]},{&quot;key&quot;:&quot;isbn&quot;,&quot;values&quot;:[&quot;9781119720928&quot;]}]\" id=\"du-slot-63221b2cb6212\"></div></div>"},"articleType":{"articleType":"Cheat Sheet","articleList":[{"articleId":0,"title":"","slug":null,"categoryList":[],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/"}}],"content":[{"title":"Tips for creating effective security awareness programs","thumb":null,"image":null,"content":"<p>The following tips are essential to creating an effective security awareness program:</p>\n<ul>\n<li><strong>Remember that awareness is a cybersecurity function.</strong> The purpose of a security awareness program is to reduce risk by modifying user behaviors. Risk reduction through awareness is just one part of a comprehensive cybersecurity program.</li>\n<li><strong>Avoid claims of perfection and platitudes.</strong> Never claim that you’re creating the human firewall or other forms of perfection. No security countermeasure has delivered perfection, and claims to that effect ruin your credibility — especially when the inevitable happens. You are simply reducing risk.</li>\n<li><strong>Deserve more.</strong> Prove that you’re providing a return on investment and reducing losses while enabling capabilities. You prove the worth of an awareness program by collecting and reporting metrics.</li>\n<li><strong>Consider subcultures.</strong> Many awareness programs are created as a monolith — a single program for everyone. 
Different parts of your organization, such as people from different demographics, might need different communications tools. You determine this need by knowing whether parts of your organization have different communication styles and different business interests.</li>\n</ul>\n"},{"title":"Basic components of a security awareness program","thumb":null,"image":null,"content":"<p>A security awareness program has three basic components:</p>\n<ul>\n<li><strong>Topics</strong> are the specific awareness issues you’re trying to improve — for example, phishing, physical security, and password security.</li>\n<li><strong>Communications tools</strong> are how you deliver messages — for example, posters, phishing simulations, newsletters, and security ambassador programs.</li>\n<li><strong>Metrics</strong> are tools to determine whether and where the awareness program is having success, and they can come in many forms, such as the number of incidents experienced, attendance at events, likeability measures, or phishing messages reported.</li>\n</ul>\n"},{"title":"Metrics that show what's working, and what isn't","thumb":null,"image":null,"content":"<p>Metrics are critical for showing the success of an awareness program, especially when competing for funding and resources. In a mature program, metrics are used to constantly tune a program by showing what’s working and what isn’t.</p>\n<p>Metrics come in these four categories, each one with a different purpose and value:</p>\n<ul>\n<li><strong>Likeability metrics:</strong> Fundamentally, this metric measures how much users like your content. To collect likeability metrics, survey users about how much they like the materials you produce.</li>\n<li><strong>Engagement metrics:</strong> This metric shows how users consume the data provided in a program. How many read the newsletters? How many show up at events? 
How many complete the required or recommended training?</li>\n<li><strong>Behavioral metrics:</strong> This metric demonstrates actual changes of behaviors and the success of awareness efforts. To collect this metric, measure specific behaviors and track improvement over time. How many users report phishing messages? What is the percentage of secured desks at the end of the day? What is the number of links blocked on web content filters?</li>\n<li><strong>Return on investment (ROI):</strong> ROI metrics are the most valuable. These metrics assign a financial value to the savings of improved behaviors. For example, if improved awareness reduced phishing incidents by 10 percent, what is the cost savings for the response and recovery? If improved awareness reduces lost computers and USB drives, what are the savings from the reduced losses?</li>\n</ul>\n"},{"title":"Gamification to reward effective behavior","thumb":null,"image":null,"content":"<p><em>Gamification</em> is a reward system that rewards people for practicing desired behaviors. Frequent flier programs and other loyalty programs are examples of gamification. People buy from an organization and receive rewards for it. This encourages the behaviors.</p>\n<p>Get more from your awareness program by incorporating gamification to reward positive security-related behaviors.</p>\n"},{"title":"Security ambassadors to promote awareness efforts","thumb":null,"image":null,"content":"<p><em>Security ambassadors,</em> frequently called <em>security champions,</em> are other employees who work in parts of the company and serve as representatives for the awareness program and support awareness efforts locally. 
They can organize events, spread awareness program messages, answer questions, and otherwise serve as an extension of the awareness team.</p>\n<p>Security ambassadors can be quite valuable for a security awareness program, so invest first in identifying the right people to fill the role and then training them and providing the appropriate resources to support and communicate with them.</p>\n"},{"title":"Quarterly awareness programs that reinforce knowledge","thumb":null,"image":null,"content":"<p>Most awareness programs have an annual schedule, where an awareness manager generally plans for the year and features one topic per month over the course of the year. This straightforward strategy allows for more than sufficient planning. Instead, plan three months at a time.</p>\n<p>Also, as opposed to focusing one topic per month, distribute information about three topics throughout the three-month period. This serves to reinforce the topics for an extended period. Shorter plans also allow for more versatility, such as updating the topics and tools used.</p>\n"}],"videoInfo":{"videoId":null,"name":null,"accountId":null,"playerId":null,"thumbnailUrl":null,"description":null,"uploadDate":null}},"sponsorship":{"sponsorshipPage":false,"backgroundImage":{"src":null,"width":0,"height":0},"brandingLine":"","brandingLink":"","brandingLogo":{"src":null,"width":0,"height":0},"sponsorAd":"","sponsorEbookTitle":"","sponsorEbookLink":"","sponsorEbookImage":{"src":null,"width":0,"height":0}},"primaryLearningPath":"Advance","lifeExpectancy":"One 
year","lifeExpectancySetFrom":"2022-03-14T00:00:00+00:00","dummiesForKids":"no","sponsoredContent":"no","adInfo":"","adPairKey":[]},"status":"publish","visibility":"public","articleId":291466},{"headers":{"creationTime":"2020-04-07T19:45:07+00:00","modifiedTime":"2022-03-01T21:36:53+00:00","timestamp":"2022-09-14T18:19:19+00:00"},"data":{"breadcrumbs":[{"name":"Technology","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33512"},"slug":"technology","categoryId":33512},{"name":"Cybersecurity","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33537"},"slug":"cybersecurity","categoryId":33537}],"title":"Penetration Testing For Dummies Cheat Sheet","strippedTitle":"penetration testing for dummies cheat sheet","slug":"penetration-testing-for-dummies-cheat-sheet","canonicalUrl":"","seo":{"metaDescription":"Are you sure you're secure? Learn about basic penetration testing terminology, common pen testing tools, and sought-after certifications.","noIndex":0,"noFollow":0},"content":"Penetration (pen) testing is used by many organizations to ensure that the security controls they put in place actually work. Pen testing and security are complicated topics and can be intimidating. This cheat sheet covers basic pen testing terminology you need to know, the most commonly used pen testing tools, and a list of commonly sought-after certifications in the field of pen testing.\r\n\r\n[caption id=\"attachment_269927\" align=\"alignnone\" width=\"556\"]<img class=\"size-full wp-image-269927\" src=\"https://www.dummies.com/wp-content/uploads/penetration-testing.jpg\" alt=\"penetration testing concept\" width=\"556\" height=\"371\" /> © Den Rise/Shutterstock.com[/caption]\r\n\r\n ","description":"Penetration (pen) testing is used by many organizations to ensure that the security controls they put in place actually work. Pen testing and security are complicated topics and can be intimidating. 
This cheat sheet covers basic pen testing terminology you need to know, the most commonly used pen testing tools, and a list of commonly sought-after certifications in the field of pen testing.\r\n\r\n[caption id=\"attachment_269927\" align=\"alignnone\" width=\"556\"]<img class=\"size-full wp-image-269927\" src=\"https://www.dummies.com/wp-content/uploads/penetration-testing.jpg\" alt=\"penetration testing concept\" width=\"556\" height=\"371\" /> © Den Rise/Shutterstock.com[/caption]\r\n\r\n ","blurb":"","authors":[{"authorId":33354,"name":"Robert Shimonski","slug":"robert-shimonski","description":" <p><b>Robert Shimonski</b> is an ethical hacker and a professional IT leader who has led numerous efforts to architect, design, strategize and implement enterprise solutions that must remain secure. Rob has been involved in security and technology operations for over 25 years and has written his books from the trenches of experience. ","hasArticle":false,"_links":{"self":"https://dummies-api.dummies.com/v2/authors/33354"}}],"primaryCategoryTaxonomy":{"categoryId":33537,"title":"Cybersecurity","slug":"cybersecurity","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33537"}},"secondaryCategoryTaxonomy":{"categoryId":0,"title":null,"slug":null,"_links":null},"tertiaryCategoryTaxonomy":{"categoryId":0,"title":null,"slug":null,"_links":null},"trendingArticles":null,"inThisArticle":[],"relatedArticles":{"fromBook":[{"articleId":270968,"title":"How to Perform a Penetration Test","slug":"how-to-perform-a-penetration-test","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270968"}},{"articleId":270960,"title":"Penetration Testing with Burp Suite and Wireshark to Uncover 
Vulnerabilities","slug":"penetration-testing-with-burp-suite-and-wireshark-to-uncover-vulnerabilities","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270960"}},{"articleId":270942,"title":"Building a Penetration Testing Toolkit: Considerations and Popular Pen Test Tools","slug":"building-a-penetration-testing-toolkit-considerations-and-popular-pen-test-tools","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270942"}},{"articleId":270933,"title":"How to Structure a Pen Test Report","slug":"how-to-structure-a-pen-test-report","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270933"}},{"articleId":270923,"title":"Top 10 Myths About Pen Testing","slug":"top-10-myths-about-pen-testing","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270923"}}],"fromCategory":[{"articleId":291466,"title":"Security Awareness For Dummies Cheat Sheet","slug":"security-awareness-for-dummies-cheat-sheet","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/291466"}},{"articleId":290240,"title":"Cloud Security For Dummies Cheat Sheet","slug":"cloud-security-for-dummies-cheat-sheet","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/290240"}},{"articleId":270968,"title":"How to Perform a Penetration Test","slug":"how-to-perform-a-penetration-test","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270968"}},{"articleId":270960,"title":"Penetration Testing with Burp Suite and Wireshark to Uncover 
Vulnerabilities","slug":"penetration-testing-with-burp-suite-and-wireshark-to-uncover-vulnerabilities","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270960"}},{"articleId":270942,"title":"Building a Penetration Testing Toolkit: Considerations and Popular Pen Test Tools","slug":"building-a-penetration-testing-toolkit-considerations-and-popular-pen-test-tools","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270942"}}]},"hasRelatedBookFromSearch":false,"relatedBook":{"bookId":281813,"slug":"penetration-testing-for-dummies","isbn":"9781119577485","categoryList":["technology","cybersecurity"],"amazon":{"default":"https://www.amazon.com/gp/product/1119577489/ref=as_li_tl?ie=UTF8&tag=wiley01-20","ca":"https://www.amazon.ca/gp/product/1119577489/ref=as_li_tl?ie=UTF8&tag=wiley01-20","indigo_ca":"http://www.tkqlhce.com/click-9208661-13710633?url=https://www.chapters.indigo.ca/en-ca/books/product/1119577489-item.html&cjsku=978111945484","gb":"https://www.amazon.co.uk/gp/product/1119577489/ref=as_li_tl?ie=UTF8&tag=wiley01-20","de":"https://www.amazon.de/gp/product/1119577489/ref=as_li_tl?ie=UTF8&tag=wiley01-20"},"image":{"src":"https://www.dummies.com/wp-content/uploads/penetration-testing-for-dummies-cover-9781119577485-203x255.jpg","width":203,"height":255},"title":"Penetration Testing For Dummies","testBankPinActivationLink":"","bookOutOfPrint":true,"authorsInfo":"<p><p><b><b data-author-id=\"33354\">Robert Shimonski</b></b> is an ethical hacker and a professional IT leader who has led numerous efforts to architect, design, strategize and implement enterprise solutions that must remain secure. 
Rob has been involved in security and technology operations for over 25 years and has written his books from the trenches of experience.</p>","authors":[{"authorId":33354,"name":"Robert Shimonski","slug":"robert-shimonski","description":" <p><b>Robert Shimonski</b> is an ethical hacker and a professional IT leader who has led numerous efforts to architect, design, strategize and implement enterprise solutions that must remain secure. Rob has been involved in security and technology operations for over 25 years and has written his books from the trenches of experience. ","hasArticle":false,"_links":{"self":"https://dummies-api.dummies.com/v2/authors/33354"}}],"_links":{"self":"https://dummies-api.dummies.com/v2/books/"}},"collections":[],"articleAds":{"footerAd":"<div class=\"du-ad-region row\" id=\"article_page_adhesion_ad\"><div class=\"du-ad-unit col-md-12\" data-slot-id=\"article_page_adhesion_ad\" data-refreshed=\"false\" \r\n data-target = \"[{&quot;key&quot;:&quot;cat&quot;,&quot;values&quot;:[&quot;technology&quot;,&quot;cybersecurity&quot;]},{&quot;key&quot;:&quot;isbn&quot;,&quot;values&quot;:[&quot;9781119577485&quot;]}]\" id=\"du-slot-63221b2747bbc\"></div></div>","rightAd":"<div class=\"du-ad-region row\" id=\"article_page_right_ad\"><div class=\"du-ad-unit col-md-12\" data-slot-id=\"article_page_right_ad\" data-refreshed=\"false\" \r\n data-target = \"[{&quot;key&quot;:&quot;cat&quot;,&quot;values&quot;:[&quot;technology&quot;,&quot;cybersecurity&quot;]},{&quot;key&quot;:&quot;isbn&quot;,&quot;values&quot;:[&quot;9781119577485&quot;]}]\" id=\"du-slot-63221b274844a\"></div></div>"},"articleType":{"articleType":"Cheat Sheet","articleList":[{"articleId":0,"title":"","slug":null,"categoryList":[],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/"}}],"content":[{"title":"Penetration testing terminology","thumb":null,"image":null,"content":"<p>One of the key factors for being successful in pen testing is knowing the important terms used day to day 
in the field. This is a list of well-known terminology:</p>\n<ul>\n<li><strong>Cybercrime:</strong> Cybercrime is the act of conducting criminal activities such as theft, destruction, and identity theft (for example) using technology such as computer systems and networks. Hackers generally attack systems to exploit them while conducting criminal activity. As an ethical hacker you will legally conduct the same hacking, only ethically for a company’s betterment and defense, not the contrary.</li>\n<li><strong>Penetration testing: </strong>Penetration (pen) testing is the act of conducting a security exploit against a system ethically and legally to identify a weakness once completed. Pen testing is an entire methodology used to conduct security analysis that attempts to circumvent security applied to a system.</li>\n<li><strong>Vulnerability testing and scanning: </strong>To know what exploits, weaknesses, and vulnerabilities exist, you must conduct a scan of a system, network, or infrastructure to identify them. A vulnerability assessment is the analysis of what is identified when a vulnerability test (or scan) is conducted. Usually the tool(s) used are loaded with current vulnerability definitions that allow the system to more readily find current weaknesses in systems.</li>\n<li><strong>Reconnaissance:</strong> Reconnaissance is the covert process of finding a penetration point. By checking out an attack vector, probing a system and identifying a possible entry point, you can conduct a pen test to test real-world and real-time situations that may need to be fixed.</li>\n<li><strong>Infiltration and exfiltration:</strong> Infiltration takes place once a penetration has been established. You have successfully found an opening into a secure system, and entering the system (likely undetected) is the beginning of an advanced persistent threat (APT) type test. 
The theft and unauthorized transfer of information from an information system is exfiltration. Conducting both of these measures is part of an advanced or extended portion of the basic penetration test.</li>\n<li><strong>Incident handling and response:</strong> Incident response is the mobilization of a group of security professionals to handle an unauthorized security event on protected systems. The incident handling portion is what an incident response team does to protect the chain of evidence and mitigate or neutralize the threat. Pen testing allows for incidents to be found prior to having to respond to them, and when they are found, they can be added to a risk register for handling.</li>\n<li><strong>Risk register management: </strong>Risk handling, management, and lowering risk through documentation of known risks in a risk register is part of an overall security program. Pen testing allows for new risks to be identified or allows for known risks to be closed on the register by fixing them and running pen tests to ensure that there is no longer a threat.</li>\n</ul>\n"},{"title":"Commonly used pen testing tools","thumb":null,"image":null,"content":"<p>In the field of pen testing, there are many, many tools you can use. A few are:</p>\n<ul>\n<li><a href=\"http://www.tenable.com/\" target=\"_blank\" rel=\"noopener\">Nessus </a>is the foundation of most pen testers’ toolkits. Its focus is vulnerability scanning and assessment. You can quickly identify weaknesses to exploit in your organization or enterprise. From there, you can choose other functions within Nessus to further test or other tools to pen test and exploit those weaknesses.</li>\n<li><a href=\"http://www.kali.org/\" target=\"_blank\" rel=\"noopener\">Kali Linux</a> is a toolset that’s part of a Debian-based Linux distribution, purpose-made for pen tests, vulnerability scans, and forensics. 
Although you can download and install the toolset natively to Linux, you can also download the Linux distro into a virtual machine (VM) for ease of use. Kali is a set of tools bundled together by type and organized in a way that allows you to access what you need quickly and effectively. Originally called Backtrack (when Offensive Security got their start), this tool has evolved into one of the most used pen test applications of all time.</li>\n<li><a href=\"http://www.wireshark.org/\" target=\"_blank\" rel=\"noopener\">Wireshark</a> is a tool that can look at the data and show an analyst the various communication paths that exist, including those that may not be authorized. The tool is primarily used to capture data from your network so you can analyze it. Wireshark is a tool that requires you to be able to decode information that you capture with it.</li>\n<li><a href=\"https://nmap.org/\" target=\"_blank\" rel=\"noopener\">Nmap</a> is a network mapper or mapping tool that allows you to identify a scope of a network or infrastructure, map it, and then launch a series of exploits against it (or systems on it) as part of a penetration test. You can look at the topology map after you finish mapping the network and it can provide you with places you may want to secure from hackers looking for jump-off points to get around your network and into other areas or secure hosts.</li>\n</ul>\n"},{"title":"Pen testing certifications","thumb":null,"image":null,"content":"<p>Professional organizations and vendors both offer industry standard, generalized and specialized certification programs, as well as those based on specific vendor tools. Some of them mix the two. 
Here are the most popular among the list with details on how to obtain them:</p>\n<ul>\n<li><strong>CompTIA PenTest+: </strong><a href=\"http://www.comptia.org/\" target=\"_blank\" rel=\"noopener\">CompTIA PenTest+</a> is a multiple choice and hands-on test that tests your ability to conduct a penetration test using tools such as Nmap. It also covers other skills required of penetration testers such as the ability to conduct vulnerability tests as well as how to plan, manage, and conduct a targeted assessment and test. According to <a href=\"https://dummies-wp-admin.dummies.com/programming/certification/the-2019-comptia-a-exams/\" target=\"_blank\" rel=\"noopener\">CompTIA</a>, the PenTest+ exam also includes management skills used to plan, scope, and manage weaknesses, not just exploit them.</li>\n<li><strong>EC-Council Certified Ethical Hacker (CEH): </strong>The Certified Ethical Hacker (CEH) exam and certification is brought to you by the <a href=\"https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/\" target=\"_blank\" rel=\"noopener\">EC-Council</a> and builds strength and branding around the ethical hacking profession. 
The test is a vendor neutral exam that covers how to conduct an assessment and find vulnerabilities, conduct exploits or penetration testing of systems, conduct scans to find weaknesses; identify and locate attack vectors; conduct penetrations such as SQL injection, system hacks, packet sniffing and capture, reconnaissance, and cover tracks; use malware for penetration; conduct a variety of web-based attacks such as cross-site scripting, cryptography attacks, and many more.</li>\n<li><strong>SANS GPEN: </strong>The <a href=\"http://www.sans.org/\" target=\"_blank\" rel=\"noopener\">SANS</a> organization’s <a href=\"http://www.giac.org/\" target=\"_blank\" rel=\"noopener\">Global Information Assurance Certification (GIAC)</a> group has a suite of certifications that are very well designed and test your ability to not only know the details of pen testing, but also how to apply it in the real world. The <a href=\"https://www.giac.org/certification/penetration-tester-gpen\" target=\"_blank\" rel=\"noopener\">Global Information Assurance Certification Penetration Tester (GPEN)</a> validates your ability to properly conduct a penetration test, using best practice techniques and methodologies according to GIAC. The certified GPEN will be able to show the requisite knowledge required to conduct exploits, engage in reconnaissance, and conduct a detailed pen test project from the ground up.</li>\n<li><strong>Offensive Security Certified Professional (OSCP): </strong>The <a href=\"https://www.offensive-security.com/pwk-oscp/\" target=\"_blank\" rel=\"noopener\">Offensive Security Certified Professional</a> test is highly focused on the Kali Linux distro. 
Kali and its very deep toolset of ethical hacking tools are the foundation of the OSCP’s fully hands on pen test certification.</li>\n</ul>\n"}],"videoInfo":{"videoId":null,"name":null,"accountId":null,"playerId":null,"thumbnailUrl":null,"description":null,"uploadDate":null}},"sponsorship":{"sponsorshipPage":false,"backgroundImage":{"src":null,"width":0,"height":0},"brandingLine":"","brandingLink":"","brandingLogo":{"src":null,"width":0,"height":0},"sponsorAd":"","sponsorEbookTitle":"","sponsorEbookLink":"","sponsorEbookImage":{"src":null,"width":0,"height":0}},"primaryLearningPath":"Advance","lifeExpectancy":"Six months","lifeExpectancySetFrom":"2021-12-14T00:00:00+00:00","dummiesForKids":"no","sponsoredContent":"no","adInfo":"","adPairKey":[]},"status":"publish","visibility":"public","articleId":269926},{"headers":{"creationTime":"2016-03-27T16:46:48+00:00","modifiedTime":"2022-02-24T18:48:58+00:00","timestamp":"2022-09-14T18:19:13+00:00"},"data":{"breadcrumbs":[{"name":"Technology","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33512"},"slug":"technology","categoryId":33512},{"name":"Cybersecurity","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33537"},"slug":"cybersecurity","categoryId":33537}],"title":"Hacking For Dummies Cheat Sheet","strippedTitle":"hacking for dummies cheat sheet","slug":"hacking-for-dummies-cheat-sheet","canonicalUrl":"","seo":{"metaDescription":"Not all hacking is bad. It reveals security weaknesses or flaws in your computing setups. This Cheat Sheet provides you with quick references to tools and tips ","noIndex":0,"noFollow":0},"content":"Not all hacking is bad. It reveals security weaknesses or flaws in your computing setups. This Cheat Sheet provides you with quick references to tools and tips and alerts you to commonly hacked targets — information you need to make your security testing efforts easier.","description":"Not all hacking is bad. 
It reveals security weaknesses or flaws in your computing setups. This Cheat Sheet provides you with quick references to tools and tips and alerts you to commonly hacked targets — information you need to make your security testing efforts easier.","blurb":"","authors":[{"authorId":8984,"name":"Kevin Beaver","slug":"kevin-beaver","description":" <p><b>Kevin Beaver </b>is an information security guru and has worked in the industry for more than three decades as a consultant, writer, and speaker. He earned his master&#8217;s degree in Management of Technology at Georgia Tech.</b></p> ","hasArticle":false,"_links":{"self":"https://dummies-api.dummies.com/v2/authors/8984"}}],"primaryCategoryTaxonomy":{"categoryId":33537,"title":"Cybersecurity","slug":"cybersecurity","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33537"}},"secondaryCategoryTaxonomy":{"categoryId":0,"title":null,"slug":null,"_links":null},"tertiaryCategoryTaxonomy":{"categoryId":0,"title":null,"slug":null,"_links":null},"trendingArticles":null,"inThisArticle":[],"relatedArticles":{"fromBook":[{"articleId":256048,"title":"Validate Data to Prevent Web Attacks: Input Hacks","slug":"validate-data-to-prevent-web-attacks-input-hacks","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/256048"}},{"articleId":256044,"title":"Best Practices for Minimizing Hacking of Email Systems","slug":"best-practices-for-minimizing-hacking-of-email-systems","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/256044"}},{"articleId":256039,"title":"4 Ways Hackers Crack Passwords","slug":"4-ways-hackers-crack-passwords","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/256039"}},{"articleId":255983,"title":"Ethical Hacking: Improving Cybersecurity in Your 
Databases","slug":"ethical-hacking-improving-cybersecurity-in-your-databases","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/255983"}},{"articleId":255968,"title":"The Dangers of Social Engineering","slug":"the-dangers-of-social-engineering","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/255968"}}],"fromCategory":[{"articleId":291466,"title":"Security Awareness For Dummies Cheat Sheet","slug":"security-awareness-for-dummies-cheat-sheet","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/291466"}},{"articleId":290240,"title":"Cloud Security For Dummies Cheat Sheet","slug":"cloud-security-for-dummies-cheat-sheet","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/290240"}},{"articleId":270968,"title":"How to Perform a Penetration Test","slug":"how-to-perform-a-penetration-test","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270968"}},{"articleId":270960,"title":"Penetration Testing with Burp Suite and Wireshark to Uncover Vulnerabilities","slug":"penetration-testing-with-burp-suite-and-wireshark-to-uncover-vulnerabilities","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270960"}},{"articleId":270942,"title":"Building a Penetration Testing Toolkit: Considerations and Popular Pen Test 
Tools","slug":"building-a-penetration-testing-toolkit-considerations-and-popular-pen-test-tools","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270942"}}]},"hasRelatedBookFromSearch":false,"relatedBook":{"bookId":281732,"slug":"hacking-for-dummies","isbn":"9781119872191","categoryList":["technology","cybersecurity"],"amazon":{"default":"https://www.amazon.com/gp/product/1119872197/ref=as_li_tl?ie=UTF8&tag=wiley01-20","ca":"https://www.amazon.ca/gp/product/1119872197/ref=as_li_tl?ie=UTF8&tag=wiley01-20","indigo_ca":"http://www.tkqlhce.com/click-9208661-13710633?url=https://www.chapters.indigo.ca/en-ca/books/product/1119872197-item.html&cjsku=978111945484","gb":"https://www.amazon.co.uk/gp/product/1119872197/ref=as_li_tl?ie=UTF8&tag=wiley01-20","de":"https://www.amazon.de/gp/product/1119872197/ref=as_li_tl?ie=UTF8&tag=wiley01-20"},"image":{"src":"https://www.dummies.com/wp-content/uploads/9781119872191-203x255.jpg","width":203,"height":255},"title":"Hacking For Dummies","testBankPinActivationLink":"","bookOutOfPrint":true,"authorsInfo":"<p><b><b data-author-id=\"8984\">Kevin Beaver</b> </b>is an information security guru and has worked in the industry for more than three decades as a consultant, writer, and speaker. He earned his master&#8217;s degree in Management of Technology at Georgia Tech.</b></p>","authors":[{"authorId":8984,"name":"Kevin Beaver","slug":"kevin-beaver","description":" <p><b>Kevin Beaver </b>is an information security guru and has worked in the industry for more than three decades as a consultant, writer, and speaker. 
He earned his master&#8217;s degree in Management of Technology at Georgia Tech.</b></p> ","hasArticle":false,"_links":{"self":"https://dummies-api.dummies.com/v2/authors/8984"}}],"_links":{"self":"https://dummies-api.dummies.com/v2/books/"}},"collections":[],"articleAds":{"footerAd":"<div class=\"du-ad-region row\" id=\"article_page_adhesion_ad\"><div class=\"du-ad-unit col-md-12\" data-slot-id=\"article_page_adhesion_ad\" data-refreshed=\"false\" \r\n data-target = \"[{&quot;key&quot;:&quot;cat&quot;,&quot;values&quot;:[&quot;technology&quot;,&quot;cybersecurity&quot;]},{&quot;key&quot;:&quot;isbn&quot;,&quot;values&quot;:[&quot;9781119872191&quot;]}]\" id=\"du-slot-63221b21c8fe8\"></div></div>","rightAd":"<div class=\"du-ad-region row\" id=\"article_page_right_ad\"><div class=\"du-ad-unit col-md-12\" data-slot-id=\"article_page_right_ad\" data-refreshed=\"false\" \r\n data-target = \"[{&quot;key&quot;:&quot;cat&quot;,&quot;values&quot;:[&quot;technology&quot;,&quot;cybersecurity&quot;]},{&quot;key&quot;:&quot;isbn&quot;,&quot;values&quot;:[&quot;9781119872191&quot;]}]\" id=\"du-slot-63221b21c9b59\"></div></div>"},"articleType":{"articleType":"Cheat Sheet","articleList":[{"articleId":139435,"title":"Hacking Tools You Can’t Live Without","slug":"hacking-tools-you-cant-live-without","categoryList":[],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/139435"}},{"articleId":139437,"title":"Common Security Weaknesses that Criminal Hackers Target","slug":"common-security-weaknesses-that-criminal-hackers-target","categoryList":[],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/139437"}},{"articleId":139436,"title":"Commonly Hacked Ports","slug":"commonly-hacked-ports","categoryList":[],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/139436"}},{"articleId":139439,"title":"Tips for Successful IT Security 
Assessments","slug":"tips-for-successful-it-security-assessments","categoryList":[],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/139439"}}],"content":[{"title":"Hacking tools you can’t live without","thumb":null,"image":null,"content":"<p>As an IT information security professional, your toolkit is the most critical item you can possess against hacking — other than hands-on experience and common sense. Your hacking tools should consist of the following (and make sure you’re never on the job without them):</p>\n<ul class=\"level-one\">\n<li>\n<p class=\"first-para\"><b>Password cracking software,</b> such as ophcrack and Proactive Password Auditor</p>\n</li>\n<li>\n<p class=\"first-para\"><b>Network scanning software, </b>such as Nmap and NetScanTools Pro</p>\n</li>\n<li>\n<p class=\"first-para\"><b>Network vulnerability scanning software,</b> such as LanGuard and Nessus</p>\n</li>\n<li>\n<p class=\"first-para\"><b>Network analyzer software, </b>such as Cain &amp; Abel and CommView</p>\n</li>\n<li>\n<p class=\"first-para\"><b>Wireless network analyzer and software</b>, such as Aircrack-ng and CommView for WiFi</p>\n</li>\n<li>\n<p class=\"first-para\"><b>File search software,</b> such as FileLocator Pro</p>\n</li>\n<li>\n<p class=\"first-para\"><b>Web application vulnerability scanning software,</b> such as Acunetix Web Vulnerability Scanner and Probely</p>\n</li>\n<li>\n<p class=\"first-para\"><b>Database security scanning software, </b>such as SQLPing3</p>\n</li>\n<li>\n<p class=\"first-para\"><b>Exploit software, </b>such as Metasploit</p>\n</li>\n</ul>\n"},{"title":"Common security weaknesses that criminal hackers target","thumb":null,"image":null,"content":"<p>Information security professionals should know the common flaws that criminal hackers and malicious users first check for when hacking into computer systems. 
Weaknesses, such as the following, should be on your shortlist when you perform your security tests:</p>\n<ul class=\"level-one\">\n<li>\n<p class=\"first-para\">Gullible and overly-trusting users</p>\n</li>\n<li>\n<p class=\"first-para\">Unsecured building and computer room entrances</p>\n</li>\n<li>\n<p class=\"first-para\">Discarded documents that have not been shredded, computers with drives that have not been wiped, and storage devices that have not been destroyed</p>\n</li>\n<li>\n<p class=\"first-para\">Network perimeters with little to no firewall protection</p>\n</li>\n<li>\n<p class=\"first-para\">Poor, inappropriate, or missing file and share access controls</p>\n</li>\n<li>\n<p class=\"first-para\">Unpatched systems that can be exploited by malware or free tools, such as Metasploit</p>\n</li>\n<li>\n<p class=\"first-para\">Web applications with weak authentication mechanisms and input validation challenges</p>\n</li>\n<li>\n<p class=\"first-para\">Guest wireless networks that allow the public to connect into the production network environment</p>\n</li>\n<li>\n<p class=\"first-para\">Laptop computers with no full disk encryption</p>\n</li>\n<li>\n<p class=\"first-para\">Mobile devices with easy to crack passwords or no passwords at all</p>\n</li>\n<li>\n<p class=\"first-para\">Weak or no application, database, and operating system passwords</p>\n</li>\n<li>\n<p class=\"first-para\">Firewalls, routers, and switches with default or easily guessed passwords</p>\n</li>\n</ul>\n"},{"title":"Commonly hacked ports","thumb":null,"image":null,"content":"<p>Common ports, such as TCP port 443(HTTPS), may be locked down or protected by a web application firewall, but other ports may get overlooked and be vulnerable to hackers. 
In your security tests, be sure to check these commonly hacked TCP and UDP ports:</p>\n<ul class=\"level-one\">\n<li>\n<p class=\"first-para\">TCP port 21 — FTP (File Transfer Protocol)</p>\n</li>\n<li>\n<p class=\"first-para\">TCP port 22 — SSH (Secure Shell)</p>\n</li>\n<li>\n<p class=\"first-para\">TCP port 23 — Telnet</p>\n</li>\n<li>\n<p class=\"first-para\">TCP port 25 — SMTP (Simple Mail Transfer Protocol)</p>\n</li>\n<li>\n<p class=\"first-para\">TCP and UDP port 53 — DNS (Domain Name System)</p>\n</li>\n<li>\n<p class=\"first-para\">TCP port 80 — HTTP (Hypertext Transport Protocol)</p>\n</li>\n<li>\n<p class=\"first-para\">TCP port 110 — POP3 (Post Office Protocol version 3)</p>\n</li>\n<li>\n<p class=\"first-para\">TCP and UDP port 135 — Windows RPC</p>\n</li>\n<li>\n<p class=\"first-para\">TCP and UDP ports 137–139 — Windows NetBIOS over TCP/IP</p>\n</li>\n<li>\n<p class=\"first-para\">TCP port 1433 and UDP port 1434 — Microsoft SQL Server</p>\n</li>\n</ul>\n"},{"title":"Tips for successful IT security assessments","thumb":null,"image":null,"content":"<p>You need successful security assessments to protect your systems from hacking. Whether you’re performing security tests against your own systems or for those of a third party, you must be prudent and pragmatic to succeed. These tips for security assessments will help you succeed in your role as an information security professional:</p>\n<ul class=\"level-one\">\n<li>\n<p class=\"first-para\">Set goals and develop a plan before you get started.</p>\n</li>\n<li>\n<p class=\"first-para\">Get permission to perform your tests.</p>\n</li>\n<li>\n<p class=\"first-para\">Have access to the right tools for the tasks at hand. 
You can use free tools, but you usually get what you pay for!</p>\n</li>\n<li>\n<p class=\"first-para\">Test at a time that’s best for the business.</p>\n</li>\n<li>\n<p class=\"first-para\">Keep the key players in the loop during your testing.</p>\n</li>\n<li>\n<p class=\"first-para\">Understand that it’s not possible to detect <i>every</i> security vulnerability on every system.</p>\n</li>\n<li>\n<p class=\"first-para\">Study criminal behaviors and tactics. The more you know about how the bad guys work, the better you’ll be at testing your systems for security vulnerabilities.</p>\n</li>\n<li>\n<p class=\"first-para\">Don’t overlook nontechnical security issues; they’re often exploited first.</p>\n</li>\n<li>\n<p class=\"first-para\">Make sure that all your testing is above board and approved before getting started.</p>\n</li>\n<li>\n<p class=\"first-para\">Treat other people’s confidential information at least as well as you would treat your own.</p>\n</li>\n<li>\n<p class=\"first-para\">Bring critical vulnerabilities you find to the attention of management and other necessary parties, and implement the appropriate countermeasures as soon as possible.</p>\n</li>\n<li>\n<p class=\"first-para\">Don’t treat every vulnerability discovered in the same manner. Not all weaknesses are bad. Evaluate the context of the issues found before you declare that the sky is falling. It’s almost always a handful of vulnerabilities that creates the majority of risks.</p>\n</li>\n<li>\n<p class=\"first-para\">Show management and customers that security testing is good business and you’re the right professional for the job. 
Vulnerability and penetration testing is an investment to meet business goals; it helps find what really matters and comply with the various laws and regulations that help the organization over the long term.</p>\n</li>\n</ul>\n"}],"videoInfo":{"videoId":null,"name":null,"accountId":null,"playerId":null,"thumbnailUrl":null,"description":null,"uploadDate":null}},"sponsorship":{"sponsorshipPage":false,"backgroundImage":{"src":null,"width":0,"height":0},"brandingLine":"","brandingLink":"","brandingLogo":{"src":null,"width":0,"height":0},"sponsorAd":"","sponsorEbookTitle":"","sponsorEbookLink":"","sponsorEbookImage":{"src":null,"width":0,"height":0}},"primaryLearningPath":"Advance","lifeExpectancy":"One year","lifeExpectancySetFrom":"2022-02-24T00:00:00+00:00","dummiesForKids":"no","sponsoredContent":"no","adInfo":"","adPairKey":[]},"status":"publish","visibility":"public","articleId":207422},{"headers":{"creationTime":"2022-01-10T18:52:05+00:00","modifiedTime":"2022-01-10T18:52:05+00:00","timestamp":"2022-09-14T18:19:01+00:00"},"data":{"breadcrumbs":[{"name":"Technology","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33512"},"slug":"technology","categoryId":33512},{"name":"Cybersecurity","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33537"},"slug":"cybersecurity","categoryId":33537}],"title":"Cloud Security For Dummies Cheat Sheet","strippedTitle":"cloud security for dummies cheat sheet","slug":"cloud-security-for-dummies-cheat-sheet","canonicalUrl":"","seo":{"metaDescription":"This handy cheat sheet summarizes the keys to building security into your network and mitigating the risk of a data breach.","noIndex":0,"noFollow":0},"content":"So many computing resources have migrated to the cloud because of ease of use, accessibility, cost, maintainability, and getting your computing closer to your clients (edge computing). 
With all of these advantages come additional responsibilities.\r\n\r\nCloud service providers do provide some security for your applications and data, but you share responsibility with them. Primarily, those responsibilities include managing access to your cloud resources and maintaining the security of your applications.\r\n\r\nWhile it may seem that having responsibility for two things is not a lot of work, it’s quite a challenge. Following are the essentials of cloud security.","description":"So many computing resources have migrated to the cloud because of ease of use, accessibility, cost, maintainability, and getting your computing closer to your clients (edge computing). With all of these advantages come additional responsibilities.\r\n\r\nCloud service providers do provide some security for your applications and data, but you share responsibility with them. Primarily, those responsibilities include managing access to your cloud resources and maintaining the security of your applications.\r\n\r\nWhile it may seem that having responsibility for two things is not a lot of work, it’s quite a challenge. Following are the essentials of cloud security.","blurb":"","authors":[{"authorId":34680,"name":"Ted Coombs","slug":"ted-coombs","description":" <p><b>Ted Coombs</b> is a direct descendant of King Edward of England, a former world record holder for most miles roller skated in a day, and a longtime technology guru and author. He&#8217;s written over a dozen technology books on a wide array of topics ranging from database programming to building an internet site. Along the way he helped create early artificial intelligence tools and served as cybersecurity professional focused on computer forensics. 
","hasArticle":false,"_links":{"self":"https://dummies-api.dummies.com/v2/authors/34680"}}],"primaryCategoryTaxonomy":{"categoryId":33537,"title":"Cybersecurity","slug":"cybersecurity","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33537"}},"secondaryCategoryTaxonomy":{"categoryId":0,"title":null,"slug":null,"_links":null},"tertiaryCategoryTaxonomy":{"categoryId":0,"title":null,"slug":null,"_links":null},"trendingArticles":null,"inThisArticle":[],"relatedArticles":{"fromBook":[],"fromCategory":[{"articleId":291466,"title":"Security Awareness For Dummies Cheat Sheet","slug":"security-awareness-for-dummies-cheat-sheet","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/291466"}},{"articleId":270968,"title":"How to Perform a Penetration Test","slug":"how-to-perform-a-penetration-test","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270968"}},{"articleId":270960,"title":"Penetration Testing with Burp Suite and Wireshark to Uncover Vulnerabilities","slug":"penetration-testing-with-burp-suite-and-wireshark-to-uncover-vulnerabilities","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270960"}},{"articleId":270942,"title":"Building a Penetration Testing Toolkit: Considerations and Popular Pen Test Tools","slug":"building-a-penetration-testing-toolkit-considerations-and-popular-pen-test-tools","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270942"}},{"articleId":270933,"title":"How to Structure a Pen Test 
Report","slug":"how-to-structure-a-pen-test-report","categoryList":["technology","cybersecurity"],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/270933"}}]},"hasRelatedBookFromSearch":false,"relatedBook":{"bookId":290170,"slug":"cloud-security-for-dummies","isbn":"9781119790464","categoryList":["technology","cybersecurity"],"amazon":{"default":"https://www.amazon.com/gp/product/1119790468/ref=as_li_tl?ie=UTF8&tag=wiley01-20","ca":"https://www.amazon.ca/gp/product/1119790468/ref=as_li_tl?ie=UTF8&tag=wiley01-20","indigo_ca":"http://www.tkqlhce.com/click-9208661-13710633?url=https://www.chapters.indigo.ca/en-ca/books/product/1119790468-item.html&cjsku=978111945484","gb":"https://www.amazon.co.uk/gp/product/1119790468/ref=as_li_tl?ie=UTF8&tag=wiley01-20","de":"https://www.amazon.de/gp/product/1119790468/ref=as_li_tl?ie=UTF8&tag=wiley01-20"},"image":{"src":"https://www.dummies.com/wp-content/uploads/cloud-security-fd-9781119790464-203x255.jpg","width":203,"height":255},"title":"Cloud Security For Dummies","testBankPinActivationLink":"","bookOutOfPrint":true,"authorsInfo":"<p><p><b><b data-author-id=\"34680\">Ted Coombs</b></b> is a direct descendant of King Edward of England, a former world record holder for most miles roller skated in a day, and a longtime technology guru and author. He&#8217;s written over a dozen technology books on a wide array of topics ranging from database programming to building an internet site. Along the way he helped create early artificial intelligence tools and served as cybersecurity professional focused on computer forensics.</p>","authors":[{"authorId":34680,"name":"Ted Coombs","slug":"ted-coombs","description":" <p><b>Ted Coombs</b> is a direct descendant of King Edward of England, a former world record holder for most miles roller skated in a day, and a longtime technology guru and author. 
He&#8217;s written over a dozen technology books on a wide array of topics ranging from database programming to building an internet site. Along the way he helped create early artificial intelligence tools and served as cybersecurity professional focused on computer forensics. ","hasArticle":false,"_links":{"self":"https://dummies-api.dummies.com/v2/authors/34680"}}],"_links":{"self":"https://dummies-api.dummies.com/v2/books/"}},"collections":[],"articleAds":{"footerAd":"<div class=\"du-ad-region row\" id=\"article_page_adhesion_ad\"><div class=\"du-ad-unit col-md-12\" data-slot-id=\"article_page_adhesion_ad\" data-refreshed=\"false\" \r\n data-target = \"[{&quot;key&quot;:&quot;cat&quot;,&quot;values&quot;:[&quot;technology&quot;,&quot;cybersecurity&quot;]},{&quot;key&quot;:&quot;isbn&quot;,&quot;values&quot;:[&quot;9781119790464&quot;]}]\" id=\"du-slot-63221b150a384\"></div></div>","rightAd":"<div class=\"du-ad-region row\" id=\"article_page_right_ad\"><div class=\"du-ad-unit col-md-12\" data-slot-id=\"article_page_right_ad\" data-refreshed=\"false\" \r\n data-target = \"[{&quot;key&quot;:&quot;cat&quot;,&quot;values&quot;:[&quot;technology&quot;,&quot;cybersecurity&quot;]},{&quot;key&quot;:&quot;isbn&quot;,&quot;values&quot;:[&quot;9781119790464&quot;]}]\" id=\"du-slot-63221b150ada1\"></div></div>"},"articleType":{"articleType":"Cheat Sheet","articleList":[{"articleId":0,"title":"","slug":null,"categoryList":[],"_links":{"self":"https://dummies-api.dummies.com/v2/articles/"}}],"content":[{"title":"Managing access to cloud resources","thumb":null,"image":null,"content":"<p>Access to cloud resources involves several types of security precautions:</p>\n<ul>\n<li><strong>Protecting your local devices from malware.</strong> Infected devices can allow hackers to gain access to your local network and consequently to your cloud services. 
Compromised accounts can also reveal login information that can be used to infiltrate your cloud accounts.</li>\n<li><strong>User account control limits who has access to your resources.</strong> There are several strategies for managing who can connect to your applications and data, but the goal should be to trust no one. This concept is known as zero trust, where access is granted only to those who have a legitimate need. This means that a well-managed access system knows the risks from both the users and the resources they access. These systems can even control the time of day that access is allowed to limit access to times when it’s reasonably expected that someone should have access.</li>\n</ul>\n<p>Here are some ways you can get started along the path to better managed cloud access:</p>\n<ul>\n<li><strong>Employ a network discovery tool.</strong> With environments changing by the second as mobile devices, IoT gadgets, desktops, and remote networks connect and disconnect constantly, it’s not possible for people to manually track what is connected. Discovery tools can make this process possible.</li>\n<li><strong>Use a configuration management database (CMDB) to keep track of the devices your discovery system finds.</strong> It will also track where your data resides, users who access your cloud resources, and even create lists of people who are responsible when a resource fails or begins operating outside of its normal parameters.</li>\n<li><strong>Create a risk assessment.</strong> All configuration items (CIs) in your CMDB have a level of risk associated with them. Create risk levels based on how your business would be impacted should one of these items stop working, be stolen, or locked up by ransomware. People also need to have a risk profile. For example, employees might be more trusted than vendors who have access to your cloud resources. 
Risk assessments allow you to automate how applications such as user account management systems control access to your resources.</li>\n<li><strong>Consider employing AIOps, an artificial intelligence system for managing your network operations.</strong> The AI uses data from logs, tracking systems, user account management systems, and more to create and manage alerts. Alert management can be automated to reduce the number of mundane tasks, such as adding disk space when a drive becomes full. Alert management can also intelligently group alerts to avoid overwhelming your network operators with floods of alerts. Instead, they are grouped based on the most likely cause of the alert, and these AIOps systems then recommend solutions based on how similar problems were solved in the past.</li>\n</ul>\n"},{"title":"Maintaining network and application security","thumb":null,"image":null,"content":"<p>Hacking user accounts to break into networks is not the only way hackers exploit your cloud systems. The number one exploit is taking advantage of misconfigured networks. The number of configuration possibilities in a complex cloud environment is staggering. With the virtualized environment of the cloud, where applications run in containers or on virtual machines, each of these environments has its own configuration settings. To manage this complexity, Configuration as Code (CoC) allows you to automate these configuration settings.</p>\n<p class=\"article-tips tip\">Configuration as Code can cause misconfigurations when the settings in the code are incorrect. 
Make sure you test these settings before putting this code into production.</p>\n<p>Beyond misconfigurations, applications running in the cloud can have bugs that hackers exploit to gain control of the data they manage or even to gain control of the network on which the application runs.</p>\n<p>There is a methodology for application development known as DevOps that allows for continuous planning, development, testing, and release of applications in an agile manner. The testing portion of this application development is normally automated, catching bugs and weak code before applications are released. Monitoring after applications are released catches bugs before they are exploited.</p>\n"},{"title":"Where to go for more information","thumb":null,"image":null,"content":"<p>There are hundreds of organizations and groups focused on improving cloud security. Find local groups and get involved giving you support in keeping up with the rapidly changing world of information security and how it impacts the security of your cloud resources. 
Some of the best resources to monitor for the latest security updates are:</p>\n<p><strong><a href=\"https://cloudsecurityalliance.org/\" target=\"_blank\" rel=\"noopener\">Cloud Security Alliance</a>:</strong> This non-profit alliance is dedicated to defining and raising awareness of best practices to ensure a secure cloud computing environment.</p>\n<p><strong><a href=\"https://www.nist.gov/cyberframework\" target=\"_blank\" rel=\"noopener\">National Institute of Standards and Technology</a> (NIST):</strong> This government agency has created a framework for information security, giving you a guide for implementing your own security measures.</p>\n"}],"videoInfo":{"videoId":null,"name":null,"accountId":null,"playerId":null,"thumbnailUrl":null,"description":null,"uploadDate":null}},"sponsorship":{"sponsorshipPage":false,"backgroundImage":{"src":null,"width":0,"height":0},"brandingLine":"","brandingLink":"","brandingLogo":{"src":null,"width":0,"height":0},"sponsorAd":"","sponsorEbookTitle":"","sponsorEbookLink":"","sponsorEbookImage":{"src":null,"width":0,"height":0}},"primaryLearningPath":"Advance","lifeExpectancy":"One year","lifeExpectancySetFrom":"2022-01-10T00:00:00+00:00","dummiesForKids":"no","sponsoredContent":"no","adInfo":"","adPairKey":[]},"status":"publish","visibility":"public","articleId":290240},{"headers":{"creationTime":"2020-01-30T02:31:25+00:00","modifiedTime":"2021-12-29T20:17:29+00:00","timestamp":"2022-09-14T18:18:59+00:00"},"data":{"breadcrumbs":[{"name":"Technology","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33512"},"slug":"technology","categoryId":33512},{"name":"Cybersecurity","_links":{"self":"https://dummies-api.dummies.com/v2/categories/33537"},"slug":"cybersecurity","categoryId":33537}],"title":"The Fundamentals of GDPR and Data Protection","strippedTitle":"the fundamentals of gdpr and data protection","slug":"the-fundamentals-of-gdpr-and-data-protection","canonicalUrl":"","seo":{"metaDescription":"Learn the 
fundamentals of the General Data Protection Regulation and the data protections laws, including the consequences of non-GDPR-compliance.","noIndex":0,"noFollow":0},"content":"One aim of the General Data Protection Regulation (GDPR), which came into effect on May 25, 2018, was to harmonize data protection laws across Europe — so its legal form is a <em>regulation</em> (an order that must be executed) as opposed to a <em>directive</em> (a result to achieve, though the means to achieve aren’t dictated)<strong><em>. </em></strong>\r\n\r\nThe GDPR is the successor to the European Union's (EU) Data Protection Directive 1995 (Directive 95/46/EC). Unlike a directive, when the EU enacts a regulation, it becomes national legislation in each EU member state, with member states having no opportunity to change it via national legislation.\r\n\r\nHowever, EU member states are permitted to make certain <em>derogations</em> (a fancy term for <em>exemptions</em>) from the GDPR (such as in the case of the need to uphold a country’s security), so data protection laws across Europe aren’t quite as harmonized as may have been desired by some of the legislators.\r\n\r\nAlthough EU member states cannot change the GDPR, each member state requires national legislation to accompany the GDPR, for two reasons:\r\n<ul>\r\n \t<li>The GDPR needs to fit into the member state’s legal framework.</li>\r\n \t<li>National legislation is needed to choose from the exemptions permitted by the GDPR.</li>\r\n</ul>\r\nAt the time this article was written, all but three member states had passed national legislation to sit alongside the GDPR. 
So, you need to familiarize yourself with not only the GDPR but also the legislation that was implemented in the EU member state(s) in which your organization is established.\r\n\r\n[caption id=\"attachment_267803\" align=\"alignnone\" width=\"556\"]<img class=\"size-full wp-image-267803\" src=\"https://www.dummies.com/wp-content/uploads/gdpr-compliance.jpg\" alt=\"GDPR compliance concept\" width=\"556\" height=\"366\" /> ©SB_photos/Shutterstock.com[/caption]\r\n<h2 id=\"tab1\" ><a name=\"_Toc19043350\"></a>Data protection laws</h2>\r\nData protection laws exist to balance the rights of individuals to privacy and the ability of organizations to use data for the purposes of their business. Data protection laws provide important rights for data subjects and for the enforcement of such rights.\r\n\r\nThis list describes a handful of additional points about these laws to keep in mind. Data protection laws:\r\n<ul>\r\n \t<li><strong>Protect data subjects: </strong>A <em>data subject</em> is an individual whose personal data is collected, held, and/or processed.</li>\r\n \t<li><strong>Apply to organizations that control the processing of personal data (known as <em>data controllers</em>) and also organizations that process personal data under the instructions of data controllers (known as <em>data processors</em>): </strong>These include companies (both private and public), charities (not-for-profit, political, and so on), and associations (such as churches, sports clubs, and professional leagues, to name only a few).</li>\r\n \t<li><strong>Apply throughout the world: </strong>The concept of privacy originated in the United States in the 1890s. 
Although the EU has been a front-runner in establishing the laws protecting data and sees itself as setting the gold standard of data protections laws, the vast majority of countries around the world have some form of data protection laws.</li>\r\n \t<li><strong>Do not prevent organizations from using personal data: </strong>Organizations can legitimately use personal data to their benefit as long as they comply with applicable data protection laws. Every organization is likely to process some personal data — of its clients, employees, suppliers, prospects, and so on.</li>\r\n \t<li><strong>Prevent common misuses of personal data: </strong>Organizations often fail to (a) put in place appropriate measures to keep personal data secure (b) inform the data subject at the point of data collection about what it is intending to do with the personal data and where necessary to obtain consent and (c) transfer personal data to third parties without the knowledge of the data subject. Data protection laws generally prevent these common misuses.</li>\r\n</ul>\r\nCountries hold to varying degrees of regulation and enforcement and some countries don’t have any data protection laws. 
The following table rates the strength of various countries’ efforts to protect data.\r\n<table><caption><strong>Regulation/Enforcement Strength of Data Protection Laws Worldwide</strong></caption>\r\n<tbody>\r\n<tr>\r\n<td width=\"216\"><strong>Type of Regulation/Enforcement</strong></td>\r\n<td width=\"301\"><strong>Countries</strong></td>\r\n</tr>\r\n<tr>\r\n<td width=\"216\">Tough</td>\r\n<td width=\"301\">Australia, Canada, Hong Kong, South Korea</td>\r\n</tr>\r\n<tr>\r\n<td width=\"216\">Strong</td>\r\n<td width=\"301\">Argentina, China, Estonia, Finland, Iceland, Japan, Latvia, Malaysia, Monaco, Morocco, New Zealand</td>\r\n</tr>\r\n<tr>\r\n<td width=\"216\">Light</td>\r\n<td width=\"301\">Angola, Belarus, Costa Rica, Egypt, Ghana, Lithuania, Mexico, Nigeria, Russia, Saudi Arabia/UAE, South Africa, Turkey, Ukraine</td>\r\n</tr>\r\n<tr>\r\n<td width=\"216\">Limited</td>\r\n<td width=\"301\">Honduras, India, Indonesia, Pakistan, Panama, Thailand, Uruguay</td>\r\n</tr>\r\n</tbody>\r\n</table>\r\n<h2 id=\"tab2\" ><a name=\"_Toc19043351\"></a>The 10 most important obligations of the GDPR</h2>\r\nThe <em>obligations</em> I refer to in this section’s heading are the ten most important actions you need to take to comply with the GDPR; I’ve only summarized these obligations in the following list because I discuss them further throughout this book:\r\n<ul>\r\n \t<li><strong>Prepare a data inventory to map your data flows</strong> so that you can understand exactly what personal data you’re processing and what you’re doing with it.</li>\r\n \t<li><strong>Work out the lawful grounds for processing each type of personal data</strong> for each purpose for which you’re processing it.</li>\r\n \t<li><strong>Ensure that your data security strategy is robust</strong> and that you have implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk of a data breach or other security incident.</li>\r\n \t<li><strong>Ensure 
that an appropriate safeguard is in place</strong> whenever you transfer personal data outside of the European Economic Area (EEA).</li>\r\n \t<li><strong>Update your Privacy Notice</strong> to ensure that you’re being transparent about the means and purposes of your data-processing.</li>\r\n \t<li><strong>Update your Cookie Policy</strong> to ensure that you aren’t relying on implied consent, that browsers of your website are taking affirmative action to consent to non-essential cookies being used, and that the cookies are fired only after consent is obtained.</li>\r\n \t<li><strong>Ensure that your <a href=\"https://www.dummies.com/computers/pcs/computer-security/10-ways-to-train-employees-to-be-good-stewards-of-data/\">staff are appropriately trained</a></strong> in relevant areas of the GDPR.</li>\r\n \t<li><strong>Ensure that you have reviewed the grounds on which you process employee data,</strong> and issue a revised employee privacy notice where necessary.</li>\r\n \t<li><strong>Determine whether you need to appoint a data protection officer (DPO).</strong> If you do, take the necessary steps to hire a suitable candidate.</li>\r\n \t<li><strong>Review all of your processor and subprocessor arrangements</strong> and ensure that appropriate contracts are in place. 
Ensure that the data processors (and subprocessors) are compliant with the GDPR and that they have adequate security in place to protect the personal data.</li>\r\n</ul>\r\n<h2 id=\"tab3\" ><a name=\"_Toc19043352\"></a>The consequences of non-compliance</h2>\r\nThink of this as a description of not only the consequences you face if you aren’t compliant with the GDPR but also the reasons you should care about being compliant.\r\n<h3><a name=\"_Toc19043353\"></a>Increased fines and sanctions</h3>\r\nThe GDPR has introduced significant increases in the maximum fines for breaches of its requirements.\r\n\r\nUnder the GDPR, the fine for certain breaches of the GDPR have been increased to 20 million euros (about $24 million USD) or 4 percent of global turnover for the past financial year, whichever is higher. For “lesser” breaches, the maximum fines have increased to 10 million euros (about $12 million USD) or 2 percent of global turnover for the past financial year, whichever is higher.\r\n\r\nThis significant increase in fines indicates the increasing importance of data protection within the EU as the value of personal data increases and the processing becomes even more sophisticated.\r\n\r\nThis is not to say that you will be fined these amounts for any infringements of the GDPR. You would have to do something that significantly impacts on the rights and freedoms of a large number of data subjects to incur a maximum fine.\r\n<p class=\"article-tips remember\">Supervisory authorities are the regulatory authorities (often known as <em>data protection authorities</em>) within individual EU member states that are responsible for the enforcement of the GDPR.</p>\r\n\r\n<h3><a name=\"_Toc19043354\"></a>Civil claims</h3>\r\nData subjects can now bring civil claims against data controllers for infringements of their data subject rights. 
So, if, for example, you don’t respond appropriately to a data subject right request (namely where the data subject can request details of the personal data you process for that data subject) or if you experience a data breach that affects the data subject’s personal data, you could find yourself on the receiving end of a civil claim.\r\n\r\nAs you may have noticed in recent high-profile data breaches, such as the British Airways data breach in 2019, data protection lawyers are placing advertisements encouraging victims of data breaches to join group actions against the data controller.\r\n\r\nA civil claim against you would not only damage your reputation further but would also cost a significant amount of time and money to defend the claim.\r\n<h3><a name=\"_Toc19043355\"></a>Data subject complaints</h3>\r\nThe general public is much savvier about their data protection rights than they used to be, for these reasons:\r\n<ul>\r\n \t<li>The introduction of the GDPR garnered a lot of publicity due to the increased sanctions.</li>\r\n \t<li>Supervisory authorities ran various awareness campaigns to ensure that data subjects were aware of their rights.</li>\r\n \t<li>Certain high-profile cases, such as the Facebook and Cambridge Analytica cases (where personal data was misused for political profiling), and the British Airways data breach case have received broad coverage in the media.</li>\r\n</ul>\r\nThis savviness has led to an increase in the number of complaints from data subjects whose personal data hasn’t been processed in accordance with the GDPR. Data subjects are lodging complaints both directly to the data controller and to supervisory authorities. 
The two situations require two different responses:\r\n<ul>\r\n \t<li><strong>If the data subject complains directly to you (the data controller):</strong> Although a complaint signals that an element of reputational damage has occurred, you have an opportunity to repair the relationship, which is particularly important if the data subject is a customer or a potential customer.</li>\r\n \t<li><strong>If the data subject complains to the supervisory authority:</strong> Because the supervisory authority is bound to investigate that complaint, you might face more serious consequences. The supervisory authority will review all your data processing activities, policies and procedures in relation to that complaint. If it finds that the complaint is valid, the supervisory authority will use its corrective powers in relation to such complaints.</li>\r\n</ul>\r\nThese corrective powers include the ability to issue fines, to impose a temporary or definitive ban on the processing of personal data or to force you to respond to the data subject’s requests to exercise their rights.\r\n<h3><a name=\"_Toc19043356\"></a>Brand damage</h3>\r\nWhen a data subject brings a claim against you, you risk not only sanctions from the relevant supervisory authority but also brand damage. A report by <a href=\"https://dma.org.uk/uploads/misc/5b0522b113a23-global-data-privacy-report---final-2_5b0522b11396e.pdf\">Acxiom</a> (a consulting firm providing marketers with data and technology assistance) entitled “Global data privacy: what the consumer really thinks” showed that individuals from around the world are, in the vast majority, quite concerned about how their personal data is used and protected. 
If you aren’t compliant with the GDPR, you’re showing your prospects, customers, and employees that you aren’t concerned about the protection of their personal data.\r\n<h3><a name=\"_Toc19043357\"></a>Loss of trust</h3>\r\nIf you don’t comply with the GDPR and, for example, you experience a data breach or don’t respond appropriately to data subject requests, you are likely to lose trust from your customers and prospects. When they don’t trust you, they don’t want to buy from you or otherwise do business with you. Similarly, when your employees don’t trust you, they no longer want to work for you.\r\n\r\nIn unfortunate timing, British Airways sent an email to all of its customers to assure them that they could trust British Airways with their personal data. Just a couple of months later, British Airways suffered a large data breach that compromised the financial details of 185,000 customers, details that were sold on the dark web. As a result of this data breach, the share price of IAG (British Airways’ parent company) decreased by 5.8 percent (equivalent to a loss of £350m).\r\n\r\nIn 2018, <a href=\"http://www.comparitech.com/blog/information-security/data-breach-share-price-2018/\">CompariTech</a> carried out a report finding that, in the long term, organizations that have suffered data breaches financially underperformed.\r\n<h2 id=\"tab4\" ><a name=\"_Toc19043358\"></a>Be a market leader</h2>\r\nBy embracing the GDPR and showing your customers, prospects, and employees that you care about the protection of their personal data, you gain a competitive advantage.\r\n\r\nElizabeth Denham, the United Kingdom information commissioner, summed up this idea nicely:\r\n<blockquote>“Accountability encourages an upfront investment in privacy fundamentals, but it offers a payoff down the line, not just in better legal compliance, but a competitive edge. 
We believe there is a real opportunity for organisations to present themselves on the basis of how they respect the privacy of individuals and over time this can play more of a role in consumer choice.”</blockquote>","description":"One aim of the General Data Protection Regulation (GDPR), which came into effect on May 25, 2018, was to harmonize data protection laws across Europe — so its legal form is a <em>regulation</em> (an order that must be executed) as opposed to a <em>directive</em> (a result to achieve, though the means to achieve aren’t dictated)<strong><em>. </em></strong>\r\n\r\nThe GDPR is the successor to the European Union's (EU) Data Protection Directive 1995 (Directive 95/46/EC). Unlike a directive, when the EU enacts a regulation, it becomes national legislation in each EU member state, with member states having no opportunity to change it via national legislation.\r\n\r\nHowever, EU member states are permitted to make certain <em>derogations</em> (a fancy term for <em>exemptions</em>) from the GDPR (such as in the case of the need to uphold a country’s security), so data protection laws across Europe aren’t quite as harmonized as may have been desired by some of the legislators.\r\n\r\nAlthough EU member states cannot change the GDPR, each member state requires national legislation to accompany the GDPR, for two reasons:\r\n<ul>\r\n \t<li>The GDPR needs to fit into the member state’s legal framework.</li>\r\n \t<li>National legislation is needed to choose from the exemptions permitted by the GDPR.</li>\r\n</ul>\r\nAt the time this article was written, all but three member states had passed national legislation to sit alongside the GDPR. 
So, you need to familiarize yourself with not only the GDPR but also the legislation that was implemented in the EU member state(s) in which your organization is established.

<img src="https://www.dummies.com/wp-content/uploads/gdpr-compliance.jpg" alt="GDPR compliance concept" width="556" height="366" /> ©SB_photos/Shutterstock.com
<h2 id="tab1">Data protection laws</h2>
Data protection laws exist to balance the rights of individuals to privacy against the ability of organizations to use data for the purposes of their business. Data protection laws provide important rights for data subjects and for the enforcement of such rights.

This list describes a handful of additional points about these laws to keep in mind. Data protection laws:
<ul>
 	<li><strong>Protect data subjects: </strong>A <em>data subject</em> is an individual whose personal data is collected, held, and/or processed.</li>
 	<li><strong>Apply to organizations that control the processing of personal data (known as <em>data controllers</em>) and also to organizations that process personal data under the instructions of data controllers (known as <em>data processors</em>): </strong>These include companies (both private and public), charities (not-for-profit, political, and so on), and associations (such as churches, sports clubs, and professional leagues, to name only a few).</li>
 	<li><strong>Apply throughout the world: </strong>The concept of privacy originated in the United States in the 1890s. Although the EU has been a front-runner in establishing laws protecting data and sees itself as setting the gold standard of data protection laws, the vast majority of countries around the world have some form of data protection law.</li>
 	<li><strong>Do not prevent organizations from using personal data: </strong>Organizations can legitimately use personal data to their benefit as long as they comply with applicable data protection laws. Every organization is likely to process some personal data — of its clients, employees, suppliers, prospects, and so on.</li>
 	<li><strong>Prevent common misuses of personal data: </strong>Organizations often fail to (a) put in place appropriate measures to keep personal data secure and (b) inform the data subject at the point of data collection about what they intend to do with the personal data (and, where necessary, obtain consent), and they often (c) transfer personal data to third parties without the knowledge of the data subject. Data protection laws generally prevent these common misuses.</li>
</ul>
Countries hold to varying degrees of regulation and enforcement, and some countries don’t have any data protection laws. The following table rates the strength of various countries’ efforts to protect data.
<table>
<caption><strong>Regulation/Enforcement Strength of Data Protection Laws Worldwide</strong></caption>
<tbody>
<tr>
<th>Type of Regulation/Enforcement</th>
<th>Countries</th>
</tr>
<tr>
<td>Tough</td>
<td>Australia, Canada, Hong Kong, South Korea</td>
</tr>
<tr>
<td>Strong</td>
<td>Argentina, China, Estonia, Finland, Iceland, Japan, Latvia, Malaysia, Monaco, Morocco, New Zealand</td>
</tr>
<tr>
<td>Light</td>
<td>Angola, Belarus, Costa Rica, Egypt, Ghana, Lithuania, Mexico, Nigeria, Russia, Saudi Arabia/UAE, South Africa, Turkey, Ukraine</td>
</tr>
<tr>
<td>Limited</td>
<td>Honduras, India, Indonesia, Pakistan, Panama, Thailand, Uruguay</td>
</tr>
</tbody>
</table>
<h2 id="tab2">The 10 most important obligations of the GDPR</h2>
The <em>obligations</em> I refer to in this section’s heading are the ten most important actions you need to take to comply with the GDPR; I’ve only summarized these obligations in the following list because I discuss them further throughout this book:
<ul>
 	<li><strong>Prepare a data inventory to map your data flows</strong> so that you can understand exactly what personal data you’re processing and what you’re doing with it.</li>
 	<li><strong>Work out the lawful grounds for processing each type of personal data</strong> for each purpose for which you’re processing it.</li>
 	<li><strong>Ensure that your data security strategy is robust</strong> and that you have implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk of a data breach or other security incident.</li>
 	<li><strong>Ensure that an appropriate safeguard is in place</strong> whenever you transfer personal data outside of the European Economic Area (EEA).</li>
 	<li><strong>Update your Privacy Notice</strong> to ensure that you’re being transparent about the means and purposes of your data processing.</li>
 	<li><strong>Update your Cookie Policy</strong> to ensure that you aren’t relying on implied consent, that visitors to your website are taking affirmative action to consent to non-essential cookies being used, and that the cookies are fired only after consent is obtained.</li>
 	<li><strong>Ensure that your <a href="https://www.dummies.com/computers/pcs/computer-security/10-ways-to-train-employees-to-be-good-stewards-of-data/">staff are appropriately trained</a></strong> in relevant areas of the GDPR.</li>
 	<li><strong>Ensure that you have reviewed the grounds on which you process employee data,</strong> and issue a revised employee privacy notice where necessary.</li>
 	<li><strong>Determine whether you need to appoint a data protection officer (DPO).</strong> If you do, take the necessary steps to hire a suitable candidate.</li>
 	<li><strong>Review all of your processor and subprocessor arrangements</strong> and ensure that appropriate contracts are in place. Ensure that the data processors (and subprocessors) are compliant with the GDPR and that they have adequate security in place to protect the personal data.</li>
</ul>
<h2 id="tab3">The consequences of non-compliance</h2>
Think of this as a description of not only the consequences you face if you aren’t compliant with the GDPR but also the reasons you should care about being compliant.
<h3>Increased fines and sanctions</h3>
The GDPR has introduced significant increases in the maximum fines for breaches of its requirements.

Under the GDPR, the maximum fine for certain breaches has been increased to 20 million euros (about US$24 million) or 4 percent of global turnover for the past financial year, whichever is higher. For “lesser” breaches, the maximum fine has increased to 10 million euros (about US$12 million) or 2 percent of global turnover for the past financial year, whichever is higher.

This significant increase in fines indicates the increasing importance of data protection within the EU as the value of personal data increases and the processing becomes even more sophisticated.

This is not to say that you will be fined these amounts for any infringement of the GDPR. You would have to do something that significantly impacts the rights and freedoms of a large number of data subjects to incur a maximum fine.
<p class="article-tips remember">Supervisory authorities are the regulatory authorities (often known as <em>data protection authorities</em>) within individual EU member states that are responsible for the enforcement of the GDPR.</p>

<h3>Civil claims</h3>
Data subjects can now bring civil claims against data controllers for infringements of their data subject rights. So, if, for example, you don’t respond appropriately to a data subject rights request (that is, a request by the data subject for details of the personal data you process about them) or if you experience a data breach that affects the data subject’s personal data, you could find yourself on the receiving end of a civil claim.

As you may have noticed in recent high-profile data breaches, such as the British Airways data breach in 2019, data protection lawyers are placing advertisements encouraging victims of data breaches to join group actions against the data controller.

A civil claim against you would not only damage your reputation further but would also cost a significant amount of time and money to defend.
<h3>Data subject complaints</h3>
The general public is much savvier about their data protection rights than they used to be, for these reasons:
<ul>
 	<li>The introduction of the GDPR garnered a lot of publicity due to the increased sanctions.</li>
 	<li>Supervisory authorities ran various awareness campaigns to ensure that data subjects were aware of their rights.</li>
 	<li>Certain high-profile cases, such as the Facebook and Cambridge Analytica cases (where personal data was misused for political profiling) and the British Airways data breach case, have received broad coverage in the media.</li>
</ul>
This savviness has led to an increase in the number of complaints from data subjects whose personal data hasn’t been processed in accordance with the GDPR. Data subjects are lodging complaints both directly with the data controller and with supervisory authorities. The two situations require two different responses:
<ul>
 	<li><strong>If the data subject complains directly to you (the data controller):</strong> Although a complaint signals that an element of reputational damage has occurred, you have an opportunity to repair the relationship, which is particularly important if the data subject is a customer or a potential customer.</li>
 	<li><strong>If the data subject complains to the supervisory authority:</strong> Because the supervisory authority is bound to investigate that complaint, you might face more serious consequences. The supervisory authority will review all of your data processing activities, policies, and procedures in relation to that complaint. If it finds that the complaint is valid, it will use its corrective powers.</li>
</ul>
These corrective powers include the ability to issue fines, to impose a temporary or definitive ban on the processing of personal data, or to force you to respond to the data subject’s requests to exercise their rights.
<h3>Brand damage</h3>
When a data subject brings a claim against you, you risk not only sanctions from the relevant supervisory authority but also brand damage. A report by <a href="https://dma.org.uk/uploads/misc/5b0522b113a23-global-data-privacy-report---final-2_5b0522b11396e.pdf">Acxiom</a> (a consulting firm providing marketers with data and technology assistance) entitled “Global data privacy: what the consumer really thinks” showed that the vast majority of individuals around the world are quite concerned about how their personal data is used and protected. If you aren’t compliant with the GDPR, you’re showing your prospects, customers, and employees that you aren’t concerned about the protection of their personal data.
<h3>Loss of trust</h3>
If you don’t comply with the GDPR and, for example, you experience a data breach or don’t respond appropriately to data subject requests, you are likely to lose the trust of your customers and prospects. When they don’t trust you, they don’t want to buy from you or otherwise do business with you. Similarly, when your employees don’t trust you, they no longer want to work for you.

In unfortunate timing, British Airways sent an email to all of its customers to assure them that they could trust British Airways with their personal data. Just a couple of months later, British Airways suffered a large data breach that compromised the financial details of 185,000 customers, details that were sold on the dark web. As a result of this data breach, the share price of IAG (British Airways’ parent company) decreased by 5.8 percent (equivalent to a loss of £350m).

In 2018, <a href="http://www.comparitech.com/blog/information-security/data-breach-share-price-2018/">Comparitech</a> published a report finding that, in the long term, organizations that had suffered data breaches underperformed financially.
<h2 id="tab4">Be a market leader</h2>
By embracing the GDPR and showing your customers, prospects, and employees that you care about the protection of their personal data, you gain a competitive advantage.

Elizabeth Denham, the United Kingdom’s Information Commissioner, summed up this idea nicely:
<blockquote>“Accountability encourages an upfront investment in privacy fundamentals, but it offers a payoff down the line, not just in better legal compliance, but a competitive edge. We believe there is a real opportunity for organisations to present themselves on the basis of how they respect the privacy of individuals and over time this can play more of a role in consumer choice.”</blockquote>
Logo
  • Articles Open Article Categories
  • Books Open Book Categories
  • Collections Open Collections list
  • Custom Solutions

Article Categories

Book Categories

Collections

Explore all collections
BYOB (Be Your Own Boss)
Be a Rad Dad
Career Shifting
Contemplating the Cosmos
For Those Seeking Peace of Mind
For the Aspiring Aficionado
For the Budding Cannabis Enthusiast
For the Exam-Season Crammer
For the Hopeless Romantic
For the Spring Term Learner
Log In
  • Home
  • Technology Articles
  • Cybersecurity Articles

Cybersecurity Articles

Batten down the (virtual) hatches with these rock-solid strategies for protecting your privacy and security.

Articles From Cybersecurity

52 results
Cybersecurity All-in-One For Dummies Cheat Sheet

Cheat Sheet / Updated 01-09-2023

To cyber-protect your personal and business data, make sure everyone at home and at work recognizes that they are a target. People who believe that hackers want to breach their computers and phones and that cyber criminals want to steal their data act differently from people who do not understand the true nature of the threat. Many businesses use security awareness programs to improve security-related behaviors.

What Is the General Data Protection Regulation (GDPR)?

Article / Updated 10-19-2022

The General Data Protection Regulation (GDPR) is an EU regulation intended to protect the personal data of people within the European Union (EU). The GDPR was a move by the Council of the European Union, the European Parliament, and the European Commission to give individuals greater control over their personal data. After several years of refining and debating, the regulation was officially approved by the European Parliament on April 14, 2016. The EU then allowed a two-year transition period for organizations to reach compliance. As of May 25, 2018, the GDPR's heavy fines kicked in, to be levied against any business not meeting its requirements.

Who is affected by the GDPR?

The GDPR has far-reaching implications for everyone in the EU and for businesses operating within the EU, regardless of physical location. If a business offers goods or services to people in the EU, or monitors their behavior, it is subject to the GDPR and its penalties. In addition, any business that holds the personal data of people in the EU can be held accountable under the GDPR.

What sort of data falls under the GDPR?
  • Name
  • Photo
  • Email address
  • Social media posts
  • Personal medical information
  • IP addresses
  • Bank details

The GDPR covers any information that can be classified as personal details or that can be used to determine your identity. Where the processing of a child's data for an online service relies on consent, parental consent is required for children under 16 (member states may lower this age to 13).

The regulation specifies the entities it affects; the wording specifically includes data processors and data controllers. What does this mean? Information that is stored in a "cloud" or in a separate physical location is still subject to penalties. Regardless of who decides how your information will be used and who actually uses it, fines can still be imposed for misuse if it concerns the personal data of people in the EU.

Penalties for not complying with GDPR

Businesses that fail to comply with GDPR are subject to fines. What this means for a business depends on the level of infraction. On the high end, businesses may be required to pay up to 4 percent of their annual global turnover or 20 million euros, whichever is higher. The lower tier, which covers failures such as not keeping records in order, is 2 percent of turnover or 10 million euros, again whichever is higher. Ultimately, the fine depends on the nature of the infraction.

Data breaches and the GDPR

The GDPR's definition of a personal data breach is broader than an outside intrusion: it is any breach of security that leads to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data. Data breaches often involve the malicious use of data against the people it describes. If a breach occurs, the GDPR requires adequate notification. The affected company has 72 hours from becoming aware of the breach to notify the appropriate supervisory authority (unless the breach is unlikely to result in a risk to individuals) and, where the risk to individuals is high, must inform them "without undue delay."

Uncertain politics and the GDPR

This section was written while the outcome of Brexit was still undetermined. At the time, companies operating in the United Kingdom were encouraged to take measures to comply with the GDPR; EUGDPR.org stated that "The UK Government has indicated it will implement an equivalent or alternative legal mechanisms." That is what happened: the UK retained the regulation in domestic law as the "UK GDPR," alongside the Data Protection Act 2018, so an organization operating in the UK but not in other EU countries faces substantially the same obligations.

Cybersecurity For Dummies Cheat Sheet

Cheat Sheet / Updated 10-19-2022

Some scams cyber-criminals use to target online shoppers seem to persist for years. This likely indicates that people are continuously falling prey to the scams, thereby encouraging criminals to keep using the same forms of trickery over and over. Look here to discover some straightforward tips on how to keep yourself — and your loved ones — safe when using the internet to shop, as well as how to avoid common cybersecurity mistakes.

4 Ways Hackers Crack Passwords

Article / Updated 06-23-2022

Hackers use a variety of means to gain passwords. One of the most common is social engineering, but they don't stop there. The following tools and vulnerabilities are what hackers exploit to grab your password.

Keystroke logging

One of the best techniques for capturing passwords is remote keystroke logging: the use of software or hardware to record keystrokes as they're typed.

Be careful with keystroke logging. Even with good intentions, monitoring employees raises various legal issues if it's not done correctly. Discuss with your legal counsel what you'll be doing, ask for guidance, and get approval from upper management.

Logging tools used by hackers

With keystroke-logging tools, you can review the logs the tool produces to see what passwords people are using:
  • Keystroke-logging applications can be installed on the monitored computer. Veriato Cerebral is one example; dozens of such tools are available online.
  • Hardware-based tools fit between the keyboard and the computer or replace the keyboard.

A keystroke-logging tool installed on a shared computer captures the passwords of every user who logs in.

Countermeasures against logging tools

The best defense against the installation of keystroke-logging software on your systems is an antimalware program or similar endpoint protection software that monitors the local host. It's not foolproof, but it helps. Software cannot see a hardware keylogger, so you'll need to inspect each system visually. The potential for hackers to install keystroke-logging software is another reason to ensure that your users aren't downloading and installing random shareware or opening attachments in unsolicited emails. Consider locking down your desktops by setting the appropriate user rights through local or group security policy in Windows.
Alternatively, you could use a commercial lockdown program, such as Fortres 101 for Windows or Deep Freeze Enterprise for Windows, Linux, and macOS. A different technology that still falls into this category is application allow listing ("positive security"), such as Carbon Black's Cb Protection (since renamed Carbon Black App Control), which lets you configure which executables can run on any given system. It's intended to fight advanced malware but works just as well here.

Weak password storage

Many legacy and stand-alone applications, such as email clients, dial-up network connections, and accounting software, store passwords locally, which makes them vulnerable to password hacking. A basic text search can find passwords stored in clear text on local hard drives. You can automate the process further with a program such as FileLocator Pro.

How hackers search for passwords

Try your favorite text-searching utility, such as Windows Search, findstr, or grep, to search for password or passwd on your computer's drives. You may be shocked to find what's on your systems. Some programs even write passwords to disk or leave them in memory. Weak password storage is a criminal hacker's dream. Head it off if you can. This doesn't mean that you should immediately run off and start using a cloud-based password manager, however. As we've all seen over the years, those systems get hacked as well (though a manager that encrypts the vault on the client under a strong master password leaves an attacker who breaches the service with only ciphertext).

Countermeasures against weak passwords

The only reliable way to eliminate weak password storage is to use only applications that store passwords securely. This practice may not be practical, but it's your only guarantee. Another option is to instruct users not to store their passwords when prompted. Before upgrading applications, contact your software vendor to see how it manages passwords, or search for a third-party solution.
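The findstr/grep sweep described above, written out as a small scanner. This is an added example and not code from the original article or from any product it names. It walks a directory tree, matches the key=value shapes that legacy configuration files use for passwords, skips obvious template placeholders, and reports the file, line and key name with the value redacted, so the report itself does not become another clear-text copy. The sample files it creates in a temporary directory are constructed for the example; point scan_tree() at user profile and application directories to run it for real. It only finds text; it will not see passwords in proprietary binary stores or in process memory.

```python
"""Scan a directory tree for credentials stored in clear text (added example)."""
import os
import re
import tempfile
from pathlib import Path

# Shapes a sweep usually starts with. Group 1 = key name, group 2 = value.
# Assumption: keys separated from values by ':' or '=', or bare "password x".
PATTERNS = [
    re.compile(r"(?i)\b(passw(?:or)?d|pwd|secret|api[_-]?key|token)\s*[:=]\s*[\"']?([^\s\"']+)"),
    re.compile(r"(?i)\b(password)\s+([^\s]+)"),   # .netrc style: password foo
]
SKIP_DIRS = {".git", "node_modules", "__pycache__"}
MAX_BYTES = 4 * 1024 * 1024      # large files are usually binaries or logs


def redact(value: str) -> str:
    """Keep two characters for triage; never write the full secret to the report."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def looks_like_placeholder(value: str) -> bool:
    """Drop the template values every sweep turns up."""
    v = value.strip().lower()
    if v in {"", "none", "null", "changeme", "<password>", "xxx"}:
        return True
    return v.startswith("${") or v.startswith("{{")


def scan_file(path) -> list:
    """Return one finding dict per line that looks like a stored credential."""
    path = Path(path)
    findings = []
    try:
        if path.stat().st_size > MAX_BYTES:
            return findings
        text = path.read_text(errors="ignore")
    except OSError:
        return findings
    for lineno, line in enumerate(text.splitlines(), 1):
        for pat in PATTERNS:
            m = pat.search(line)
            if m and not looks_like_placeholder(m.group(2)):
                findings.append({"file": str(path), "line": lineno,
                                 "key": m.group(1), "value": redact(m.group(2))})
                break
    return findings


def scan_tree(root) -> list:
    """Walk root, skipping tooling directories, and collect findings."""
    out = []
    for dirpath, dirnames, filenames in os.walk(Path(root)):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            out.extend(scan_file(Path(dirpath) / name))
    return out


def build_sample_tree() -> str:
    """Constructed sample files (not real data) so the scan runs offline."""
    root = tempfile.mkdtemp(prefix="pwscan_")
    files = {
        "mail/accounts.ini": "[pop3]\nuser = alice\npassword = Summer2019!\n",
        "app/config.yml": "db:\n  host: localhost\n  password: \"${DB_PASSWORD}\"\n",
        "dialup/connect.cfg": "PHONE=5550100\nPWD=letmein\n",
        "notes/readme.txt": "No secrets here. Passwords are rotated quarterly.\n",
    }
    for rel, body in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f"{f['file']}:{f['line']}  {f['key']} = {f['value']}")
```

On the constructed tree the scan reports the INI password and the dial-up PWD, ignores the ${DB_PASSWORD} placeholder and the prose in readme.txt, and prints only redacted values. Expect false positives on real systems; the point is a triage list, not a verdict.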
How hackers use network analyzers to crack passwords

A network analyzer sniffs the packets traversing the network, which is what the bad guys do if they can gain control of a computer, tap into your wireless network, or gain physical network access to set up their analyzer. With physical access, they can look for a network jack on the wall and plug right in.

Finding password vulnerabilities with network analyzers

Seen through a network analyzer, passwords can be crystal clear. Cain & Abel can glean thousands of passwords crossing the network in a matter of a couple of hours, and these clear-text password vulnerabilities apply to FTP, web, Telnet, and more. If traffic isn't tunneled through some form of encrypted link (such as a virtual private network, Secure Shell, or TLS, the successor to SSL), it's vulnerable to attack.

Cain & Abel is a password-cracking tool that also has network analysis capabilities. You can also use a regular network analyzer, such as the commercial products Omnipeek and CommView, or the free open-source program Wireshark.

With a network analyzer, you can search for password traffic in various ways. To capture POP3 password traffic, for example, set up a filter and a trigger on the PASS command: when the analyzer sees PASS in a packet, it captures that specific data.

Network analyzers require you to capture data on a hub segment of your network or via a monitor/mirror/SPAN port on a switch. Otherwise, you can't see anyone else's data traversing the network, just your own. Check your switch's user guide to see whether it has a monitor or mirror port and for instructions on how to configure it. You can also connect your network analyzer to a hub on the public side of your firewall.
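The PASS trigger just described, done by hand over a capture file. This is an added example, not code from the original article or from Cain & Abel or Wireshark. It reads classic libpcap bytes (Ethernet/IPv4/TCP, not pcapng), stitches client-to-server payload together per TCP stream in arrival order, and pulls the USER and PASS arguments out of anything sent to port 110. The capture is constructed in build_sample_pcap() so the script runs offline; nothing in it is real traffic, and the addresses and credentials are invented. To run it against your own SPAN-port capture, pass the bytes of a file written by tcpdump or Wireshark; the equivalent Wireshark display filter is pop.request.command == "PASS".

```python
"""Extract POP3 USER/PASS pairs from a classic pcap file (added example)."""
import struct
from collections import defaultdict

POP3_PORT = 110


def _parse_pcap(data: bytes):
    """Yield raw link-layer frames from classic libpcap bytes."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    off = 24                                        # skip the global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def _tcp_payload(frame: bytes):
    """(src, dst, sport, dport, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType IPv4 only
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                                    # protocol 6 = TCP
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[doff:]


def extract_pop3_credentials(pcap_bytes: bytes) -> list:
    """Return [(client_ip, server_ip, user, password), ...] in stream order."""
    streams = defaultdict(bytes)                      # arrival order; no seq reassembly
    for frame in _parse_pcap(pcap_bytes):
        parsed = _tcp_payload(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, payload = parsed
        if dport == POP3_PORT and payload:            # client -> server direction only
            streams[(src, sport, dst)] += payload
    creds = []
    for (src, sport, dst), data in streams.items():
        user = None
        for line in data.split(b"\r\n"):
            cmd, _, arg = line.partition(b" ")
            if cmd.upper() == b"USER":
                user = arg.decode(errors="replace")
            elif cmd.upper() == b"PASS" and user is not None:
                creds.append((src, dst, user, arg.decode(errors="replace")))
                user = None                           # a stream may authenticate again
    return creds


def _frame(src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Build a minimal Ethernet/IPv4/TCP frame; checksums are left at zero."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    to_bytes = lambda a: bytes(int(o) for o in a.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     to_bytes(src_ip), to_bytes(dst_ip))
    return eth + ip + tcp


def build_sample_pcap() -> bytes:
    """Constructed capture: two POP3 logins, a server reply, and unrelated HTTP."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    frames = [
        _frame("10.0.0.5", "10.0.0.10", 50001, POP3_PORT, b"USER alice\r\n"),
        _frame("10.0.0.10", "10.0.0.5", POP3_PORT, 50001, b"+OK\r\n"),
        _frame("10.0.0.5", "10.0.0.10", 50001, POP3_PORT, b"PASS Summer2019!\r\n"),
        _frame("10.0.0.6", "93.184.216.34", 50002, 80, b"GET / HTTP/1.1\r\n\r\n"),
        _frame("10.0.0.7", "10.0.0.10", 50003, POP3_PORT, b"USER bob\r\nPASS hunter2\r\n"),
    ]
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


if __name__ == "__main__":
    for client, server, user, password in extract_pop3_credentials(build_sample_pcap()):
        print(f"{client} -> {server}: USER {user} PASS {password}")
```

Used defensively, this is the quickest way to prove to management whether clear-text POP3 (or, with the port and command names changed, FTP or Telnet) still crosses a segment: capture on the SPAN port for a day and count what comes out.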
You'll capture only those packets that are entering or leaving your network, not internal traffic.

Countermeasures against network analyzers

Here are some good defenses against network analyzer attacks:
  • Use switches on your network, not hubs. Ethernet hubs are things of the past, but they are still used occasionally. If you must use hubs on network segments, a program like sniffdet for Unix/Linux-based systems or PromiscDetect for Windows can detect network cards in promiscuous mode (accepting all packets, whether or not they're destined for the local machine). A network card in promiscuous mode signifies that a network analyzer may be running on the network.
  • Make sure that unsupervised areas, such as an unoccupied lobby or training room, don't have live network connections. An Ethernet port is all someone needs to gain access to your internal network.
  • Don't let anyone without a business need gain physical access to your switches or to the network connection on the public side of your firewall. With physical access, a hacker can connect to a switch monitor port or tap into the unswitched network segment outside the firewall and then capture packets.

Switches don't provide complete security, because they're vulnerable to ARP poisoning attacks, which redirect a victim's traffic through the attacker's machine.

How hackers break weak BIOS passwords

Most computer BIOS (basic input/output system) settings allow power-on passwords and/or setup passwords to protect the computer's hardware settings, which are stored in CMOS. Here are some ways around these passwords:
  • You usually can reset these passwords by removing the CMOS battery or by changing a jumper on the motherboard.
  • Password-cracking utilities for BIOS passwords are available on the Internet and from computer manufacturers.
  • If gaining access to the hard drive is your ultimate goal, you can remove the drive from the computer, install it in another one, and you're good to go.
This technique is a great way to prove that BIOS/power-on passwords are not effective countermeasures for lost or stolen laptops. Check cirt.net for a good list of default system passwords for various vendor equipment. Many variables exist for hacking and hacking countermeasures depending on your hardware setup. If you plan to hack your own BIOS passwords, check your user manual or refer to the BIOS password-hacking guide. If protecting the information on your hard drives is your ultimate goal, full-disk (whole-disk) encryption is the best way to go. The good news is that newer computers (within the past five years or so) use a newer kind of firmware, the Unified Extensible Firmware Interface (UEFI), which together with Secure Boot is much more resilient to boot-level cracking attempts. Still, a weak password may be all it takes for the system to be exploited, and no firmware password protects data on a drive that can be moved to another machine; only encryption does.

Weak passwords in limbo

Bad guys often exploit user accounts that have just been created or reset by a network administrator or help desk. New accounts may need to be created for new employees or even for security testing purposes. Accounts may need to be reset if users forget their passwords or if the accounts have been locked out because of failed attempts.

Password weaknesses in user accounts

Here are some reasons why user accounts can be vulnerable:
  • When user accounts are reset, they're often assigned an easily cracked or widely known password (such as the user's name or the word password). The time between resetting the account and changing the password is a prime opportunity for a break-in.
  • Many systems have default accounts or unused accounts with weak passwords or no passwords at all. These accounts are prime targets.

Countermeasures against passwords in limbo

The best defenses against attacks on passwords in limbo are solid help-desk policies and procedures that prevent weak passwords from being available at any time during the new-account-generation and password-reset processes.
Following are perhaps the best ways to overcome this vulnerability:
  • Require users to be on the phone with the help desk, or have a help-desk member perform the reset at the user's desk, so the temporary password never travels by email or chat.
  • Require that the user immediately log in and change the password, and expire the temporary password if that doesn't happen within a short window.
  • If you need the ultimate in security, implement stronger authentication methods, such as smart cards, digital certificates, or another second factor (challenge/response questions are the weakest of these options).
  • Automate password-reset functionality via self-service tools on your network so that users can manage most of their password problems without help from others.
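The reset procedure above, reduced to the three rules that actually close the limbo window: the temporary password is random rather than the user's name, it expires after a short time, and the only thing it can be used for is setting a new password. This is an added example, not code from the original article. The account store is an in-memory dictionary constructed for the example, the TTL and minimum length are assumed policy values, and a real deployment would back the same flow with the directory service.

```python
"""Help-desk reset flow that leaves no weak password in limbo (added example)."""
import hashlib
import hmac
import secrets

TEMP_PASSWORD_TTL = 15 * 60      # seconds a help-desk password stays valid (assumed policy)
MIN_LENGTH = 12                  # minimum length for the user's own password (assumed policy)
PBKDF2_ROUNDS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AccountStore:
    """Minimal credential store with a limbo-aware reset flow."""

    def __init__(self):
        self._accounts = {}

    def issue_temporary_password(self, user: str, now: float) -> str:
        """Help-desk reset: random value (never the user's name or 'password'),
        short TTL, change forced on first use. The return value is read to the
        user on the phone or typed at their desk, not emailed."""
        temp = secrets.token_urlsafe(12)            # about 96 bits of entropy
        salt = secrets.token_bytes(16)
        self._accounts[user] = {
            "salt": salt, "hash": _hash(temp, salt),
            "temporary": True, "expires": now + TEMP_PASSWORD_TTL, "must_change": True,
        }
        return temp

    def login(self, user: str, password: str, now: float) -> str:
        """Return 'ok', 'change_required' (no session granted), or 'denied'."""
        acct = self._accounts.get(user)
        if acct is None:
            return "denied"
        if acct["temporary"] and now > acct["expires"]:
            return "denied"                         # window closed; the help desk must reissue
        if not hmac.compare_digest(_hash(password, acct["salt"]), acct["hash"]):
            return "denied"
        return "change_required" if acct["must_change"] else "ok"

    def change_password(self, user: str, old: str, new: str, now: float) -> bool:
        """The one action a temporary password is good for; it is consumed here."""
        if self.login(user, old, now) == "denied":
            return False
        if len(new) < MIN_LENGTH or new == old or user.lower() in new.lower():
            return False                            # reject the weak choices the article warns about
        salt = secrets.token_bytes(16)
        self._accounts[user] = {
            "salt": salt, "hash": _hash(new, salt),
            "temporary": False, "expires": None, "must_change": False,
        }
        return True


if __name__ == "__main__":
    store = AccountStore()
    t0 = 1_700_000_000.0                            # constructed clock value
    temp = store.issue_temporary_password("alice", t0)
    print("first login:", store.login("alice", temp, t0 + 60))
    print("changed:", store.change_password("alice", temp, "correct horse battery", t0 + 120))
    print("later login:", store.login("alice", "correct horse battery", t0 + 86_400))
```

Note what the flow refuses: a login with the temporary password after the TTL, a new password that contains the user name, and any use of the temporary password once the change has happened. Those three refusals are the difference between a reset that is safe to perform by phone and one that hands an attacker a known password for fifteen minutes.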

GDPR For Dummies Cheat Sheet

Cheat Sheet / Updated 03-15-2022

The General Data Protection Regulation (GDPR) was designed to streamline data protection laws across Europe as well as provide for some consistency across the European Union (EU). Although it's been in place since May 2018, it still causes a lot of confusion. This cheat sheet answers some questions about a few major misunderstandings: Does the GDPR apply to non-EU organizations? Can non-EU organizations be fined for non-compliance? Do you need an Article 27 representative?

Security Awareness For Dummies Cheat Sheet

Cheat Sheet / Updated 03-14-2022

Security awareness is much more complicated than just making users "aware." Implementing an effective security awareness program means that you aren't just providing information; rather, you're specifically improving security-related behaviors.

Penetration Testing For Dummies Cheat Sheet

Cheat Sheet / Updated 03-01-2022

Penetration (pen) testing is used by many organizations to ensure that the security controls they put in place actually work. Pen testing and security are complicated topics and can be intimidating. This cheat sheet covers basic pen testing terminology you need to know, the most commonly used pen testing tools, and a list of commonly sought-after certifications in the field of pen testing.

Hacking For Dummies Cheat Sheet

Cheat Sheet / Updated 02-24-2022

Not all hacking is bad. It reveals security weaknesses or flaws in your computing setups. This Cheat Sheet provides you with quick references to tools and tips and alerts you to commonly hacked targets — information you need to make your security testing efforts easier.

Cloud Security For Dummies Cheat Sheet

Cheat Sheet / Updated 01-10-2022

So many computing resources have migrated to the cloud because of ease of use, accessibility, cost, maintainability, and getting your computing closer to your clients (edge computing). With all of these advantages come additional responsibilities. Cloud service providers do provide some security for your applications and data, but you share responsibility with them. Primarily, your responsibilities are managing access to your cloud resources and maintaining the security of your applications. While it may seem that having responsibility for two things is not a lot of work, it's quite a challenge. Following are the essentials of cloud security.

The Fundamentals of GDPR and Data Protection

Article / Updated 12-29-2021

One aim of the General Data Protection Regulation (GDPR), which came into effect on May 25, 2018, was to harmonize data protection laws across Europe, so its legal form is a regulation (an order that must be executed) as opposed to a directive (a result to achieve, though the means to achieve it aren't dictated). The GDPR is the successor to the European Union's (EU) Data Protection Directive of 1995 (Directive 95/46/EC). Unlike a directive, when the EU enacts a regulation, it becomes national legislation in each EU member state, with member states having no opportunity to change it via national legislation. However, EU member states are permitted to make certain derogations (a fancy term for exemptions) from the GDPR (such as where a country's security must be upheld), so data protection laws across Europe aren't quite as harmonized as some of the legislators may have desired.

Although EU member states cannot change the GDPR, each member state requires national legislation to accompany it, for two reasons:
  • The GDPR needs to fit into the member state's legal framework.
  • National legislation is needed to choose from the exemptions permitted by the GDPR.

At the time this article was written, all but three member states had passed national legislation to sit alongside the GDPR. So, you need to familiarize yourself not only with the GDPR but also with the legislation implemented in the EU member state(s) in which your organization is established.

Data protection laws

Data protection laws exist to balance the right of individuals to privacy against the ability of organizations to use data for the purposes of their business. They provide important rights for data subjects and for the enforcement of those rights. This list describes a handful of additional points about these laws to keep in mind. Data protection laws:
  • Protect data subjects: A data subject is an individual whose personal data is collected, held, and/or processed.
  • Apply to organizations that control the processing of personal data (known as data controllers) and also to organizations that process personal data under the instructions of data controllers (known as data processors): These include companies (both private and public), charities (not-for-profit, political, and so on), and associations (such as churches, sports clubs, and professional leagues, to name only a few).
  • Apply throughout the world: The modern legal concept of a right to privacy is usually traced to the United States in the 1890s. Although the EU has been a front-runner in establishing laws protecting data and sees itself as setting the gold standard for data protection laws, the vast majority of countries around the world have some form of data protection law.
  • Do not prevent organizations from using personal data: Organizations can legitimately use personal data to their benefit as long as they comply with applicable data protection laws. Every organization is likely to process some personal data, of its clients, employees, suppliers, prospects, and so on.
  • Prevent common misuses of personal data: Organizations often (a) fail to put in place appropriate measures to keep personal data secure, (b) fail to inform the data subject at the point of collection about what they intend to do with the personal data and, where necessary, to obtain consent, and (c) transfer personal data to third parties without the knowledge of the data subject. Data protection laws generally prevent these common misuses.

Countries hold to varying degrees of regulation and enforcement, and some countries don't have any data protection laws. The following table rates the strength of various countries' efforts to protect data.

Strength of Data Protection Laws Worldwide (by type of regulation/enforcement)
  Tough:    Australia, Canada, Hong Kong, South Korea
  Strong:   Argentina, China, Estonia, Finland, Iceland, Japan, Latvia, Malaysia, Monaco, Morocco, New Zealand
  Light:    Angola, Belarus, Costa Rica, Egypt, Ghana, Lithuania, Mexico, Nigeria, Russia, Saudi Arabia/UAE, South Africa, Turkey, Ukraine
  Limited:  Honduras, India, Indonesia, Pakistan, Panama, Thailand, Uruguay

The 10 most important obligations of the GDPR

The obligations I refer to in this section's heading are the ten most important actions you need to take to comply with the GDPR; I've only summarized them in the following list because I discuss them further throughout this book:
  • Prepare a data inventory to map your data flows so that you understand exactly what personal data you're processing and what you're doing with it.
  • Work out the lawful grounds for processing each type of personal data for each purpose for which you process it.
  • Ensure that your data security strategy is robust and that you have implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk of a data breach or other security incident.
  • Ensure that an appropriate safeguard is in place whenever you transfer personal data outside the European Economic Area (EEA).
  • Update your Privacy Notice to ensure that you're being transparent about the means and purposes of your data processing.
  • Update your Cookie Policy to ensure that you aren't relying on implied consent, that visitors to your website take affirmative action to consent to non-essential cookies, and that those cookies are set only after consent is obtained.
  • Ensure that your staff are appropriately trained in the relevant areas of the GDPR.
  • Ensure that you have reviewed the grounds on which you process employee data, and issue a revised employee privacy notice where necessary.
  • Determine whether you need to appoint a data protection officer (DPO). If you do, take the necessary steps to hire a suitable candidate.
  • Review all of your processor and subprocessor arrangements and ensure that appropriate contracts are in place. Ensure that the data processors (and subprocessors) are compliant with the GDPR and have adequate security in place to protect the personal data.

The consequences of non-compliance

Think of this as a description not only of the consequences you face if you aren't compliant with the GDPR but also of the reasons you should care about being compliant.

Increased fines and sanctions

The GDPR introduced significant increases in the maximum fines for breaches of its requirements. Under the GDPR, the fine for certain breaches has been increased to 20 million euros (about $24 million USD) or 4 percent of global turnover for the past financial year, whichever is higher. For "lesser" breaches, the maximum fine has increased to 10 million euros (about $12 million USD) or 2 percent of global turnover for the past financial year, whichever is higher. This significant increase in fines indicates the increasing importance of data protection within the EU as the value of personal data increases and processing becomes even more sophisticated. This is not to say that you will be fined these amounts for any infringement of the GDPR. You would have to do something that significantly impacts the rights and freedoms of a large number of data subjects to incur a maximum fine. Supervisory authorities are the regulatory authorities (often known as data protection authorities) within individual EU member states that are responsible for enforcing the GDPR.

Civil claims

Data subjects can now bring civil claims against data controllers for infringements of their data subject rights. So, if, for example, you don't respond appropriately to a data subject access request (where the data subject asks for details of the personal data you process about them) or if you experience a data breach that affects the data subject's personal data, you could find yourself on the receiving end of a civil claim. As you may have noticed in recent high-profile data breaches, such as the 2018 British Airways data breach, data protection lawyers place advertisements encouraging victims of data breaches to join group actions against the data controller. A civil claim against you would not only damage your reputation further but would also cost a significant amount of time and money to defend.

Data subject complaints

The general public is much savvier about their data protection rights than they used to be, for these reasons:
  • The introduction of the GDPR garnered a lot of publicity because of the increased sanctions.
  • Supervisory authorities ran various awareness campaigns to ensure that data subjects were aware of their rights.
  • Certain high-profile cases, such as the Facebook and Cambridge Analytica cases (where personal data was misused for political profiling) and the British Airways data breach, received broad coverage in the media.

This savviness has led to an increase in the number of complaints from data subjects whose personal data hasn't been processed in accordance with the GDPR. Data subjects lodge complaints both directly with the data controller and with supervisory authorities. The two situations require two different responses:
  • If the data subject complains directly to you (the data controller): Although a complaint signals that some reputational damage has occurred, you have an opportunity to repair the relationship, which is particularly important if the data subject is a customer or a potential customer.
  • If the data subject complains to the supervisory authority: Because the supervisory authority is bound to investigate that complaint, you might face more serious consequences. The supervisory authority will review all your data processing activities, policies, and procedures in relation to that complaint. If it finds that the complaint is valid, it will use its corrective powers, which include the ability to issue fines, to impose a temporary or definitive ban on the processing of personal data, or to force you to respond to the data subject's requests to exercise their rights.

Brand damage

When a data subject brings a claim against you, you risk not only sanctions from the relevant supervisory authority but also brand damage. A report by Acxiom (a firm providing marketers with data and technology assistance) entitled "Global data privacy: what the consumer really thinks" showed that the vast majority of individuals around the world are quite concerned about how their personal data is used and protected. If you aren't compliant with the GDPR, you're showing your prospects, customers, and employees that you aren't concerned about the protection of their personal data.

Loss of trust

If you don't comply with the GDPR and, for example, you experience a data breach or don't respond appropriately to data subject requests, you are likely to lose the trust of your customers and prospects. When they don't trust you, they don't want to buy from you or otherwise do business with you. Similarly, when your employees don't trust you, they no longer want to work for you. In unfortunate timing, British Airways sent an email to all of its customers to assure them that they could trust British Airways with their personal data. Just a couple of months later, British Airways suffered a large data breach that compromised the financial details of 185,000 customers, details that were sold on the dark web. As a result of this data breach, the share price of IAG (British Airways' parent company) decreased by 5.8 percent (equivalent to a loss of £350m). In 2018, Comparitech published a report finding that, in the long term, organizations that have suffered data breaches financially underperformed.

Be a market leader

By embracing the GDPR and showing your customers, prospects, and employees that you care about the protection of their personal data, you gain a competitive advantage. Elizabeth Denham, then the United Kingdom's Information Commissioner, summed up this idea nicely: "Accountability encourages an upfront investment in privacy fundamentals, but it offers a payoff down the line, not just in better legal compliance, but a competitive edge. We believe there is a real opportunity for organisations to present themselves on the basis of how they respect the privacy of individuals and over time this can play more of a role in consumer choice."
