Christopher Williams says
An interesting point I took away from the readings is how replay attacks can be effectively prevented using both HMAC and a trusted PKI. Both methods work similarly by ensuring data integrity and verifying identity. HMAC secures the data, making sure any intercepted information can’t be reused without detection, while PKI confirms that the data comes from a trusted source. Replay attacks are a key concern in my current field of work, so this topic stood out to me, and learning more about these defenses helped me recognize the connection.
Cyrena Haynes says
You’ve highlighted a critical point about the roles HMAC and PKI play in preventing replay attacks. HMAC provides a way to ensure data integrity, making it nearly impossible for intercepted information to be reused without detection. Meanwhile, PKI’s role in authenticating the data source adds another layer of defense, helping to establish trust and prevent unauthorized access. These strategies are indeed powerful together, as they address both identity verification and data security.
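The exchange above says an HMAC makes intercepted data unusable without detection. On its own, a correct tag only proves the message was not altered; a verbatim copy still carries a valid tag. The usual defense is to put a nonce and a timestamp under the tag and have the receiver reject stale timestamps and repeated nonces. The Go program below is an added example (not code from the original thread or its readings) that does exactly that: the wire format, the shared key, the message body and the fixed clock value are all constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// Message is a constructed wire format for this example: the HMAC tag covers
// the nonce and timestamp as well as the body, so a tag is bound to one use.
type Message struct {
	Nonce     string
	Timestamp int64 // Unix seconds
	Body      string
	Tag       string // hex(HMAC-SHA256)
}

// sharedKey is a constructed sample secret known to sender and receiver.
var sharedKey = []byte("constructed-shared-secret-for-demo-only")

// tagInput fixes the exact bytes the tag covers. The separators keep fields
// from running into each other (nonce "ab"+ts "1" vs nonce "a"+ts "b1").
func tagInput(nonce string, ts int64, body string) []byte {
	return []byte(nonce + "|" + strconv.FormatInt(ts, 10) + "|" + body)
}

// Seal computes the tag a sender attaches to a message.
func Seal(key []byte, nonce string, ts int64, body string) Message {
	mac := hmac.New(sha256.New, key)
	mac.Write(tagInput(nonce, ts, body))
	return Message{Nonce: nonce, Timestamp: ts, Body: body,
		Tag: hex.EncodeToString(mac.Sum(nil))}
}

var (
	ErrBadTag = errors.New("tag mismatch: altered in transit or wrong key")
	ErrStale  = errors.New("timestamp outside the freshness window")
	ErrReplay = errors.New("nonce already seen inside the window: replay")
)

// Receiver verifies tags and remembers nonces seen within the window.
type Receiver struct {
	key    []byte
	window time.Duration
	seen   map[string]int64 // nonce -> timestamp, pruned as entries age out
}

func NewReceiver(key []byte, window time.Duration) *Receiver {
	return &Receiver{key: key, window: window, seen: map[string]int64{}}
}

// Accept returns nil only for a message whose tag verifies, whose timestamp
// is fresh, and whose nonce has not been used. The tag is checked first so a
// sender without the key learns nothing about the nonce set or clock policy.
func (r *Receiver) Accept(m Message, now time.Time) error {
	mac := hmac.New(sha256.New, r.key)
	mac.Write(tagInput(m.Nonce, m.Timestamp, m.Body))
	got, err := hex.DecodeString(m.Tag)
	if err != nil || !hmac.Equal(mac.Sum(nil), got) { // constant-time compare
		return ErrBadTag
	}
	age := now.Sub(time.Unix(m.Timestamp, 0))
	if age > r.window || age < -r.window {
		return ErrStale
	}
	// Forget nonces older than the window; they can no longer pass the check above.
	for n, ts := range r.seen {
		if now.Sub(time.Unix(ts, 0)) > r.window {
			delete(r.seen, n)
		}
	}
	if _, dup := r.seen[m.Nonce]; dup {
		return ErrReplay
	}
	r.seen[m.Nonce] = m.Timestamp
	return nil
}

// ReplayDemo returns the verdicts for: first delivery, immediate replay,
// replay after the window, and a copy whose body was altered but tag kept.
func ReplayDemo() []error {
	now := time.Unix(1700000000, 0) // fixed clock so the run is repeatable
	rx := NewReceiver(sharedKey, 30*time.Second)
	m := Seal(sharedKey, "nonce-0001", now.Unix(), "transfer 100 to account 42")
	tampered := m
	tampered.Body = "transfer 900 to account 42"
	return []error{
		rx.Accept(m, now),
		rx.Accept(m, now.Add(5*time.Second)),
		rx.Accept(m, now.Add(90*time.Second)),
		rx.Accept(tampered, now),
	}
}

func main() {
	for i, err := range ReplayDemo() {
		fmt.Printf("case %d: %v\n", i+1, err)
	}
}
```

The order of the checks matters: the tag is verified before the timestamp and nonce so that an unauthenticated sender cannot probe the receiver's state, and the freshness window bounds how long nonces have to be remembered. A shared HMAC key still cannot say which of the two key holders sent a message, which is the gap the PKI signature side of the discussion fills.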
Ericberto Mariscal says
I found the origins of privacy as a concept interesting. It provided me with a different perspective into how the concept of privacy has evolved over centuries. Philosophically it was viewed between private and public places and began to take shape into what we know as “The Right to Privacy”. Today, privacy has become a critical issue due to the vast amount of personal data collected and shared online. We have been learning about today’s modern concept, but it made me think as to how the concept of privacy has evolved over time.
Tache Johnson says
Hi Ericberto, I like how privacy has evolved from a philosophical notion to a digital need. I chose a similar topic from chapter 74. There is so much personal information being gathered these days that it seems like we are always changing what privacy means and how to keep it safe. Do you think that this rise in privacy knowledge will finally lead to stricter rules all over the world?
Ericberto Mariscal says
Hi Tache,
I do believe that the rise in privacy knowledge is likely to influence more comprehensive privacy regulations. As more people become aware of the importance of protecting their personal information, there will be an increased pressure on organizations to enforce stricter privacy measures.
Nelson Ezeatuegwu says
The interesting point I learned from the reading was the similarities and differences between SSO (single sign-on) and federated identity management. SSO allows users access to multiple applications and systems in a single organization using one set of credentials, while federated identity management allows users access to applications and resources across multiple organizations using a single set of credentials. Federated identity management extends single sign-on to multiple domains. The architecture of federated identity management gives the user the illusion that there is a single identifier authority, even though the user has many identifiers. One identifier is enough to have access to all services in the federated domain. Both SSO and FIM help organizations to secure data, minimize password-related risks and improve user experiences. It is interesting to me because my organization uses both SSO and FIM. I understand how SSO works but wondered how we could have access to resources from an outside domain with a single set of credentials; now I know FIM is the answer.
Neel Patel says
Hi Nelson! I like how you pointed out SSO. I also thought this was interesting because I incorporated it in a project demo. SSO does help maintain security, which is why I believe Temple has incorporated it in many of their applications (like Kronos, the Registration Portal, etc.).
Vincenzo Macolino says
I was interested in learning about identity theft and what aspects of a phishing email make it so deceptive to people. One example of a solid phishing email that was given was for Chase Bank and how a hacker used their recent acquisition of another bank to take advantage of their customers. Instead of the usual urgent message in the email, they described the bank acquisition and stated that sometime in the future they would need to verify a four-digit PIN. This specific phishing email had success because it used current topics and it also didn’t display an urgent message like most phishing emails would.
James Nyamokoh says
Hi Vince,
I agree with your observation that this phishing email was effective because it avoided the typical urgent tone and instead relied on a realistic scenario. Using recent news, like the acquisition, made the email feel authentic and relevant, which lowered readers’ guard. This shows how phishing tactics are evolving to exploit current events and appear more legitimate, making it harder for people to detect them. Another perspective to consider is that phishing attacks are becoming more personalized, sometimes using information from social media or data breaches to make emails even more convincing. Great post.
Dawn Foreman says
Hi Vincenzo,
I also found this interesting since I work at Chase. We receive random phishing emails as a test from our cybersecurity team. I failed the first one because it was very specific to the company, my role, and there were no typos. I think this example and my own experience opened my eyes that phishing emails are becoming more sophisticated and we need to pay more attention to detail.
Vincenzo Macolino says
Hey Dawn, I appreciate you sharing that with me. I personally think that phishing emails are a staple in cyber attacks; they have existed forever and are still used by so many attackers because they work. You mentioned that at Chase you get phishing emails from your cybersecurity team; to me this shows that large organizations are on high alert when it comes to phishing attacks, and like you said they can look very real. It’s crazy to think that for how long phishing emails have been a problem, cybersecurity teams are still trying to find a solid solution and these attacks are only getting more advanced.
James Nyamokoh says
One of the most interesting insights from this week’s readings is how Public Key Infrastructure (PKI) works to secure digital interactions. PKI uses two keys: a public key that anyone can see and a private key kept secret by the owner. This pairing creates a powerful tool that allows us not only to encrypt information (so only the intended recipient can read it) but also to digitally sign data, providing proof of the sender’s identity and making it nearly impossible for them to deny sending it. I found this fascinating because it’s a single system that covers both security and trust, which are crucial in everything from secure emails to online transactions.
Nelson Ezeatuegwu says
Hi James,
It is also interesting to me how PKI works to secure data confidentiality and integrity: when a sender encrypts with a public key, it protects the confidentiality of the data; if the sender encrypts with a private key, the integrity of the data is protected. The most interesting part is that PKI prevents parties to a transaction from denying their participation (non-repudiation).
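The two posts above describe the two uses of a key pair: encrypting to someone's public key for confidentiality, and signing with one's own private key for integrity and non-repudiation. The Go program below is an added example, not code from the thread or its readings, that runs both operations with RSA-OAEP and RSA-PSS from Go's standard library. The party names, the message and the altered message are constructed for the demo, and the example assumes the public keys have already been tied to their owners (the job a PKI certificate does), so it skips certificate validation.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Party is one participant with an RSA key pair. Keys are generated fresh
// here; in a PKI the public half would be bound to the party's identity by a
// CA-issued certificate, which this example assumes has already been checked.
type Party struct {
	Name string
	priv *rsa.PrivateKey
}

// NewParty generates a 2048-bit key pair; failure to do so is fatal for a demo.
func NewParty(name string) *Party {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return &Party{Name: name, priv: k}
}

// Public returns the half of the pair that may be shared with anyone.
func (p *Party) Public() *rsa.PublicKey { return &p.priv.PublicKey }

// EncryptFor seals a message to a recipient's public key (confidentiality):
// only the holder of the matching private key can recover it.
func EncryptFor(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Decrypt recovers a message sealed to this party's public key.
func (p *Party) Decrypt(ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, ct, nil)
}

// Sign uses the private key (integrity and origin): the signature is over a
// SHA-256 digest, and only this party's key could have produced it.
func (p *Party) Sign(msg []byte) ([]byte, error) {
	d := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, p.priv, crypto.SHA256, d[:], nil)
}

// Verify checks a signature against the claimed signer's public key.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	d := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, d[:], sig, nil) == nil
}

// Outcome collects what the demo observed.
type Outcome struct {
	Recovered        string // what Bob decrypted
	GenuineVerifies  bool   // Alice's signature on the original message
	TamperedVerifies bool   // same signature, message altered
	ForgedVerifies   bool   // Mallory's signature checked against Alice's key
}

// PKIDemo: Alice sends Bob a confidential message and signs it; Mallory tries
// to pass off her own signature as Alice's.
func PKIDemo() (Outcome, error) {
	alice, bob, mallory := NewParty("alice"), NewParty("bob"), NewParty("mallory")
	msg := []byte("constructed sample: pay invoice 7 by Friday")

	// Confidentiality: encrypt to Bob's public key; only Bob can decrypt.
	ct, err := EncryptFor(bob.Public(), msg)
	if err != nil {
		return Outcome{}, err
	}
	pt, err := bob.Decrypt(ct)
	if err != nil {
		return Outcome{}, err
	}

	// Integrity and non-repudiation: Alice signs; anyone verifies with her public key.
	sig, err := alice.Sign(msg)
	if err != nil {
		return Outcome{}, err
	}
	forged, err := mallory.Sign(msg)
	if err != nil {
		return Outcome{}, err
	}
	altered := []byte("constructed sample: pay invoice 9 by Friday")

	return Outcome{
		Recovered:        string(pt),
		GenuineVerifies:  Verify(alice.Public(), msg, sig),
		TamperedVerifies: Verify(alice.Public(), altered, sig),
		ForgedVerifies:   Verify(alice.Public(), msg, forged),
	}, nil
}

func main() {
	o, err := PKIDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

The non-repudiation property comes from the last two checks: a signature that verifies under Alice's public key could only have been made with her private key, so a one-character change to the message or a signature from anyone else's key fails. What the program does not show is the step that makes this meaningful in practice, namely verifying that the public key really belongs to Alice, which is where a certificate chain to a trusted CA comes in.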
Tache Johnson says
This week’s reading provided a deeper understanding of anonymity, unobservability, and unlinkability when being online, by showing how privacy-enhancing technologies (PETs) are advancing to secure online identities and decrease identity theft. Even while sharing or processing personal data, PETs employ data reduction, encryption, and anonymization. This was interesting to me because as digital interactions rise, so does the need for new privacy protection without sacrificing usefulness or, overall, becoming overbearing. PETs demonstrate a change in security thinking from ensuring access to protecting personal data from illegal or unneeded exposure, which is crucial in today’s internet environment.
Christopher Williams says
It’s fascinating to see how PETs are shifting the focus from just controlling access to actually safeguarding personal data. The balance between privacy and usability is tricky, but it’s clear that these technologies are helping us protect identities without getting in the way of online interactions. It’s a great example of how cybersecurity is evolving to meet the demands of today’s digital world.
Benjamin Rooks says
The most interesting part of the week’s readings was the discussion of the real differences between access and identity management. Because I have only operated in modern security settings, I never really considered those two to be separate concepts. In my mind they have always been so thoroughly linked together that I didn’t even think about how difficult security management would have been in the days of authentication through access, where gaining access to a single machine with high access could grant access to an entire organization.
Aisha Ings says
Yeah, I totally get what you’re saying! It’s wild to think about how different things used to be when identity and access management weren’t so closely linked. Like, it’s hard to imagine a time when just getting access to one high-level computer could let you roam free through an entire organization’s systems. Nowadays, everything is so interconnected, and it makes sense to see identity and access as one cohesive thing.
Actually, that reminds me of when I was a Help Desk supervisor back in 2007. One of my agents had been given administrative rights in Outlook, and it turned out he could read the VP of Information Technology’s emails. I had no clue until he brought it to my attention, since it never even crossed my mind to look at someone else’s messages. I immediately contacted the system administrators to have those permissions revoked. The whole situation led to a bunch of meetings and policy changes to make sure something like that wouldn’t happen again!
Benjamin Rooks says
That is incredible that those sorts of security oversights used to be an issue. At this point the default seems to be locked down as much as physically possible, with the only exceptions being the compromises that the business needs to keep functioning.
Andrea Baum says
A key takeaway from this week’s reading is the important role of social engineering in identity theft. Attackers often focus on building trust with their victims, showing that even strong technical defenses can be bypassed if they manipulate people’s trust. This highlights the need to teach users about the psychological tricks used in phishing and similar scams, which can be just as effective as technical methods.
Aisha Ings says
Hi Andrea,
I agree. The examples that were provided in our readings were surprisingly hard to tell apart from legitimate emails. The graphics and wording were so convincing and professional looking, and it felt really personal. I couldn’t even spot any obvious misspellings or errors, which made it even trickier to identify as a phishing attempt. It definitely shows how important it is to be aware of these psychological tactics and stay cautious.
Dawn Foreman says
I found the example of Chase Bank being susceptible to a phishing email interesting because it really speaks to how sophisticated phishing is becoming. Typically you learn in security awareness about typos, urgency, etc., but more sophisticated attacks are detailed and not as easily spotted. I work at Chase and we receive phishing emails as tests. I actually failed the first one because it was not as easily spotted.
Neel Patel says
Hi Dawn! Thanks for your response! I think this was a great takeaway and example. Phishing attacks have become more sophisticated, and especially with new tactics of social engineering, they will become even harder to spot. I was researching some Adobe products and a lot of their Cloud Experience Software can help protect employees and executives from phishing attacks. I think many companies could implement their services to be protected.
Neel Patel says
I found SSOs very interesting from this week’s reading. SSO grants access to multiple applications within one organization using one login, while federated identity management extends access across multiple organizations with the same credentials. A group of friends and I are participating in an Online Software Challenge where we are pitching an application, Lunchie, that focuses on achieving the UN’s Sustainable Goal of Zero Hunger. The application allows users access to discounted foods that local restaurants would otherwise throw away or dispose of. In our Figma demo, we included SSO for sign-in in our application as it is geared toward college students. Students affiliated with the organization that is partnered with Lunchie will have access. It was cool to learn more about SSO while actually using it within our demonstration!
Dawn Foreman says
Hi Neel,
It has been interesting for me as well to learn about certain topics while actually using what is being discussed. For example, SSO: I used to find it a bit frustrating since I am constantly switching between Temple’s domain and my work domain for Zoom and Outlook. However, the readings and lectures have opened my eyes to the necessity and complexity of SSO as a security measure.
Cyrena Haynes says
I found SSO very interesting as it is something I use for work daily as a remote worker, and my organization leverages a cloud environment. I’ve always thought about how it impacts my productivity since I only need to sign in once to access multiple applications and systems to complete my tasks, and I don’t have to remember multiple passwords. What I found particularly interesting is that SSO can improve response time to compromised accounts, as any unusual activity on a single login is easier to identify. Additionally, from a security standpoint, it reduces the number of password-related incidents fielded by the help desk, freeing up IT resources and enhancing overall security. SSO also makes onboarding and offboarding employees much more efficient, as access can be granted or revoked centrally, saving time and reducing potential security gaps.
Andrea Baum says
I agree that SSO significantly boosts both productivity and security, especially for remote teams using cloud environments. It not only simplifies access and enhances monitoring for suspicious activity but also reduces password issues and streamlines employee onboarding and offboarding.
Aisha Ings says
While reading the chapter about online privacy, I was surprised to learn that health data collected by mobile apps is not subject to HIPAA regulations. Having worked in the health field as an IT professional for over 15 years, I always thought that any health-related information, especially PHI, was protected under HIPAA.
Ericberto Mariscal says
Hi Aisha,
This comes as a surprise to me as well; I currently work in pharma, and we utilize devices to capture patient data. Do you think there should be more comprehensive regulations to protect health data collected by mobile apps?
Aisha Ings says
Hi Ericberto,
I absolutely think there should be more comprehensive regulations! It seems pretty wild that health data collected by mobile apps isn’t protected under HIPAA. I mean, it’s still really sensitive information, so you’d think it would have the same level of protection. With so much personal health data being collected and shared through mobile apps, it definitely makes sense to have stricter rules to keep that information safe. Since you work in pharma, you probably see the importance of this even more, and it’s kind of alarming to think about the gaps in protection.
Gbolahan Afolabi says
I’ve heard about this issue and I think it is because it is included in the user policies that all information entered may be sold or shared with third parties.
Gbolahan Afolabi says
******Was originally posted in question 2 by mistake *******
One thing I found interesting from reading Chapter 53: Privacy-Enhancing Technologies was that some of the agenda items for PETs are that they must protect individuals from the producers and retailers of the technologies. It was interesting to me because we have discussed how important it is to maintain the CIA triad against threat actors and insiders, but it is equally important to protect the Confidentiality, Integrity, and Availability of information from the makers and sellers of certain security tools. It reminded me that it is important to understand the level of unchecked access vendors may have to the instances of tools within an organization and, subsequently, their visibility into an organization’s network. It was similar to an article I wrote about, which explained the SolarWinds exploit.