Transcript Cybersecurity and Information Assurance PPT

Introduction to Cybersecurity &
Information Assurance for FQHCs
April 13, 2011
Amelia Muccio
Director of Emergency Management
[email protected]
Objectives
•
•
•
•
•
•
•
•
Cybersecurity
Information assurance
FQHCs as target
Cyber threats/risks
Vulnerabilities
Countermeasures
Safeguarding
Promoting a culture of
security
.
Serious Threat
• Richard Clarke was famously heard to say, "If
you spend more on coffee than on IT security,
then you will be hacked. What's more, you
deserve to be hacked.”
• The growing number of attacks on our cyber
networks has become, in President Obama’s
words, “one of the most serious economic and
national security threats our nation faces.”
Who & What is At Risk?
•
•
•
•
•
•
•
•
•
Economy
.
Defense
Transportation
Medical
Government
Telecommunications
Energy Sector
Critical Infrastructure
Computers/Cable
TV/Phones/MP3/Games
Fundamental Concepts of Information Assurance
•
•
•
•
Confidentiality (privacy)
Integrity (quality, accuracy, relevance)
Availability (accessibility)
CIA triad
Internet
• In 1995, 16 million users (0.4%)
• In 2010, 1.6 billion users (23.5%)
• Unable to treat physical and cyber security
separately, they are intertwined.
How Does an Attack Happen?
•
•
•
•
Identify the target
Gather information
Plan/Prepare the attack
Attack
Information Gathering
.
.
Attack Trends
•
•
•
•
•
Increasing sophistication
Decreasing costs
Increasing attack frequency
Difficulties in patching systems
Increasing network connections,
dependencies, and trust relationships
What Threatens Information?
•
•
•
•
•
•
•
•
•
Misuse
Disasters
Data interception
Computer theft
Identify/Password theft
Malicious software
Data theft/corruption
Vandalism
Human error
Threats
• A threat is any potential danger to
information and systems
• 3 levels of cyber threats
• Unstructured
• Structured
• Highly structured
Unstructured Threats
• Individual/small group with little or no
organization or funding
• Easily detectable information gathering
• Exploitations based upon documented
flaws
• Targets of opportunity
• Gain control of machines
• Motivated by bragging rights, thrills, access
to resources
Structured Threats
• Well organized, planned and funded
• Specific targets and extensive information
gathering to choose avenue and means of
attack
• Goal-data stored on machines or machines
themselves
• Exploitation may rely on insider help of
unknown flaw
• Target drives attack
• Organized crime/black hat hackers
Highly Structured Threats
• Extensive organization, funding and
planning over an extended time, with goal
of having an effect beyond the data or
machine being attacked
• Stealthy information gathering
• Multiple attacks exploiting unknown flaws
or insider help
• Coordinated efforts from multiple groups
• “Cyber warfare”
Web as Weapon
•
•
•
•
•
•
•
•
•
Infrastructure run by computers
Government SCADA system
Overflow dam, disrupt oil supply
Sewage plant in Australia overflowed due to
black hat hackers
Cyberterrorism (Bin Laden and Aum Shinrikyo)
Combined attack
Cause power outage and biological attack
EMS disruption and nuclear emergency
Next war fought with code & computers
Hackers and Crackers
• White hat hacker-curious, explore our own
vulnerabilities, bragging rights/just did it.
• Black hat hacker/cracker-malicious intent,
exploit vulnerabilities for monetary profit or gain
or perpetrate a crime, organized crime.
• Gray hat hacker-helpful or ethical hacker,
motivated by a sense of good. Cowboys.
• GHHs find vulnerabilities, notify company of
them so they can be fixed and resolved.
Gray Hats
• Adrian Lamo
• Find vulnerabilities, inform company
• WorldCom, Google, NYTimes, Bank of America,
NASA
• NYTimes used SSN # as passwords
• Edited Yahoo Story
• Robert Lyttle
• DoD, Pentagon
• Both got into trouble!
Early Days…Phone Phreaking
•
•
•
•
•
2600 Hz Tone
Captain Crunch Whistle & 4th E above Middle C
Long whistle reset line, then dial w/whistle
Tricked phone companies/tone dialing
Free long distance and international calls
Risk
• Threat + Vulnerability
• Likelihood of an undesirable event
occurring combined with the magnitude of
its impact?
• Natural
• Manmade
• Accidental or Intentional
• People are the weakest link
Risk Management
• Identifying and assessing risk, reducing it
to an acceptable level and implementing
mechanisms to maintain that level
• Protect against:
• Physical damage
• Human error
• Hardware failure
• Program error
• Cyber attack
Risk Handling Discussion
•
•
•
•
•
Risk reduction (countermeasures, HVA)
Risk transference (insurance)
Risk acceptance (may happen)
Risk rejection (do nothing)
Security assessments are an important part
of risk management
• Penetration testing
• Identify all vulnerabilities and threats to
information, systems and networks
Contingency Planning Components
•
•
•
•
How to handle disruption?
Business continuity
Disaster recovery
Incident response
Recovery Strategy
• A recovery strategy provides direction to
restore IT operations quickly and
effectively
• Backup methods
• Alternate sites
• Equipment replacement
• Roles and responsibilities
• Cost considerations
BCP
• A comprehensive written plan to maintain
or resume business operations in the event
of a disruption
• Continue critical business operations
• Jeopardize normal operations
• Most critical operations
• May require alternate sites (hot, warm,
cold)
• What do we need to KEEP going?
DRP
• A comprehensive written plan to return
business operations to the pre-disruption
state following a disruption
• Restore IT functions (prep and restore)
• Jeopardize the normal operations
• Includes all operations
• RETURN TO NORMAL BUSINESS
OPERATIONS
• WHAT DO WE NEED TO DO IN CASE
OF A DISASTER?
Plan Testing, Training and Exercising
• Testing is a critical to ensure a viable
contingency capability
• Conduct plan exercises
• TTXs are useful
Policies and Procedures
• Establish security culture
• Establish best security practices
• Define goals and structure of security
program
• Educate personnel
• Maintain compliance with any regulations
• Ex: email policy, Internet usage, physical
security
Physical Security Countermeasures
•
•
•
•
•
Property protection (door, locks, lightening)
Structural hardening (construction)
Physical access control (authorized users)
Intrusion detection (guards, monitoring)
Physical security procedures (escort visitors,
logs)
• Contingency plans (generators, off site storage)
• Physical security awareness training (training for
suspicious activities)
Personal Security
• Practices established
.
to ensure the safety
and security of
personnel and other
organizational assets
• It’s ALL about people
• People are the weakest
link
• Reduce vulnerability
to personnel based
threats
Personal Security Threat Categories
• Insider threats-most common, difficult to
recognize
• Includes sabotage and unauthorized
disclosure of information
• Social engineering-multiple techniques are
used to gain information from authorized
employees and using that info in
conjunction with an attack
• Not aware of the value of information
Social Engineering
• Being fooled into giving someone access
when the person has no business having the
information.
Dumpster Diving and Phishing
• DD-rummaging through company’s
garbage for discarded documents
• Phishing-usually takes place through
fraudulent emails requesting users to
disclose personal or financial information
• Email appear to come from a legitimate
organization (PayPal)
P&P
• Acceptable use policy-what actions users
may perform while using computers
• Personnel controls-need to know,
separation of duties
• Hiring and termination practicesbackground checks, orientation, exit
interview, escorting procedure
Private Branch Exchange (PBX) Systems
•
•
•
•
•
Toll fraud
Disclosure of information
Unauthorized access
Traffic analysis
Denial of Service (DoS)
PBX Threat Countermeasures
•
•
•
•
•
Implement physical security
Inhibit maintenance of port access
Enable alarm/audit trails
Remove all default passwords
Review the configuration of your PBX
against known hacking techniques
Data Networks
• For computers to communicate
• Less expensive to use same network
• Modems designed to leverage this asset
Modem Threats
• Unauthorized and misconfigured modems
• Authorized but misconfigured modems
Wardialing
• Hackers use a program that calls a range of
telephone numbers until it connects to an
unsecured modem and allows them dialup
access
• Identify potential targets
Modem Threat Countermeasures
•
•
•
•
•
•
Policy
Scanning
Administrative action
Passwords
Elimination of modem connections
Use a device to protect telephony-based
attacks and abuses
Voice Over Internet Protocol (VoIP)
• VoIP is a technology that allows someone
to make voice calls using a broadband
Internet connection instead of a regular
(analog) phone line
VoIP Benefits and Threats
•
•
•
•
•
•
•
Less expensive
Increased functionality
Flexibility and mobility
Service theft
Eavesdropping
Vishing
Call tampering
VoIP Threat Countermeasures
•
•
•
•
Physical control
Authentication and encryption
Develop appropriate network architecture
Employ VoIP firewall and security devices
Data Networks
•
•
•
•
Computers linked together
Hosts (computers, servers)
Switches and hubs
Routers
Common Network Terms
• Local Area Network (LAN)-network
grouped in one geographic location
• Wide Area Network (WAN)-network that
spreads over a larger geographic area
• Wireless LAN (WLAN)-is a LAN with
wireless connections
Data Network Protocols
• Transmission Control Protocol (TCP)-moves data
across networks with a connection oriented
approach
• User Datagram Protocol (UDP)-moves info
across networks with a connectionless oriented
approach
• Internet Control Message Protocol (ICMP)-OS to
send error messages across networks
• Hypertext Transfer Protocol (HTTP)-transfers
web pages, hypermedia
Data Network Threats
•
•
•
•
•
Information gathering
Denial of Service (DoS)
Disinformation
Man-in-the-middle
Session hijacking
Information Gathering Threats/Network
Scanning
• What target is available?
• Reduces time on wasted effort (attacker)
• One of the most common pre-attack identification
techniques is called scanning
• Scanning uses ICMP service “PING”
• PING SWEEP-echo request to range of addresses
(provides list of potential targets)
• Are you there? Yes, I am there.
• Firewall should protect against
Sniffing
• A sniffer is a program that monitors and
analyzes network traffic and is used
legitimately or illegitimately to capture data
transmitted on a network
Denial of Service (DoS)
• Degrade and prevent
operations/functionality
• Distributed denial of service (DDoS) attack
uses multiple attack machines
simultaneously
• Vast number of ICMP echo request packets
are sent to the target, overwhelming its
capability to process all other traffic
Ping Flood/Ping of Death
• Ping flood-too much ping traffic drowns
out all other communication
• Ping of Death-oversized or malformed
ICMP packets cause target to reboot or
crash
• Host cannot cope with ping packets
• Ping of Death relies on a vulnerability of
buffer overflow
• Buffer overflow-size of input exceeds the
size of storage intended to be received
Smurf Attack (Ping Flood)
• Large stream of spoofed Ping packets sent to a
broadcast address
• Source address listed as the target’s IP address
(spoofed)
• Broadcast host relays request to all hosts on
network
• Hosts reply to victim with Ping responses
• If multiple requests sent to broadcast host, target
gets overloaded with replies
DDOS with Zombies/Botnet
• Zombies-infected computers
• Botnet-bunch of infected computers (same time)massive traffic
• DDoS attack where a multitude of compromised
systems attack a single target
• Flood of incoming messages to target system and
force a shut down
• Google was target
Man-In-The-Middle Attacks
• Instead of shutting down target networks,
attackers may want access
• Access information between authorizes
parties and observes it
• Uses a sniffer and gains information
• Digital wiretapping
• Types of attacks
• Eavesdropping
• Session hijacking
Network Attack Countermeasures
•
•
•
•
•
•
Countering the threats
Scans/Sniffing/Ping sweeps
DoS/DDoS
Smurf attack
Session hijacking
Eavesdropping
Ways to Recognize Scanning
•
•
•
•
System log file analysis
Network traffic
Firewall and router logs
Intrusion Detection Systems (IDSs)
– NIDS “Snort” or HIDS “OSSEC”
• Recognize as soon as possible
• Perform regular monitoring
Defending Against Scanning-Use More than 1
•
•
•
•
•
Block ports at routers and firewalls
Block ICMP, including echo
Segment your network properly
Hide private, internal IP addresses
Change default account settings and
remove or disable unnecessary services
• Restrict permissions
• Keep applications and operating systems
patched
Sniffing Countermeasures
•
•
•
•
Strong physical security
Proper network segmentation
Communication encryption
To guard against sniffing, make sure
attacker cannot access a legitimate
communication stream
DoS and DDoS Countermeasures
•
•
•
•
•
•
•
•
Stop the attack before it happens
Block “marching orders”
Patch systems
Implement IDS
Harden TCP/IP
Avoid putting “all eggs in 1 basket”
Adjust state limits
Keep us from being targeted and lock down
assets
Snort (Network IDS)
• Snort’s open source network-based intrusion
detection system has the ability to perform realtime traffic analysis and packet logging on
Internet Protocol (IP) networks.
• Snort performs protocol analysis, content
searching, and content matching.
• The program can also be used to detect probes or
attacks, including, but not limited to, operating
system fingerprinting attempts, common gateway
interface, buffer overflows, server message block
probes, and stealth port scans.
• FREE
Other Countermeasures
• Encrypted session negotiation (ensure
handshake process)
• Repeating credential verification during the
session (kick out hijackers)
• Partitions
• User training (all personnel can understand
security)
Defense-In-Depth
• Defense-in-depth is an information
assurance (IA) strategy in which multiple
layers of defense are placed throughout an
information technology (IT) system.
• It addresses security vulnerabilities in
personnel, technology and operations for
the duration of the system's life cycle.
Perimeter Defense Countermeasures
•
•
•
•
•
•
•
•
Router security
Demilitarized Zone
Bastion host
Firewalls
Intrusion Detection Systems
Intrusion Prevention Systems
Virtual Private Network
(Defensive technologies)
Routers
• First line of perimeter defense
• Connects external environment to internal
network
• Securely configured
• Audit regularly
• Keep patched and updated
DMZ
• Machine or machines accessible by the
Internet, but not located on the internal
network or the Internet
• Web server
• Email server
• Should not contain much valuable data
• IDS sensor to detect malicious traffic
Bastion Host “Harden/Locked Down”
•
•
•
•
•
•
•
•
•
Highly exposed to attacks in DMZ
Web server
Email server
Locked down/hardened system
Unnecessary services disabled
No unnecessary applications
Fully patched
Unnecessary ports closed
Unnecessary accounts disabled
Firewalls
• Control connections from one network (or portion
of network) to another (restrict Internet access)
• Enforce security policy
• Hardware or software
• Firewalls DO NOT monitor connections not
passing directly through it—not a magic bullet
• Even perfectly configured is still vulnerable
• Packet filtering
• Proxies
• Stateful inspection
Intrusion Detection System (IDS)
• Detects suspicious activity
• Alerts upon discovery of possible compromise
attempts
• Compromised of several components
• Sensors
• Analyzers
• Administrator interfaces
• IDS can search for attacks, terminate connections,
send real time alerts, protect system files, expose
hacking techniques, illustrate vulnerabilities and
even assist in tracking down hackers
Common Types of IDS
• Host based-mail server, web server or
individual PC
• Network based-network itself,
Virtual Private Networks (VPN)
• A secure, private data connection through a
non-secure public network
• Often through the Internet
• Uses encryption and tunneling protocols
Wireless Technology
• Allows
communication
between multiple
systems/devices
without physical
connection
• Much less expensive
than wired solutions
• WLAN
.
Wireless Threats and Countermeasures
•
•
•
•
•
•
•
Access point mapping
Service Set Identifier (SSID) broadcasting
Default SSID
Radio frequency management
Default settings
Authentication
Bluetooth security
Access Point Mapping
• WLAN version of
.
wardialing
• An AP is a device
connecting a wired
network to wireless
devices using radio
frequency
• Software (net stumbler,
air snort, void11)
• Warchalking (available
access points)
Service Set Identifier (SSID) Broadcasting
• “Beaconing”-this is the continuous
announcement by a Wi-Fi access point that
it is available.
• SSID is name assigned to the wireless
connection
• Default SSIDs poses a security risk even if
the AP is not broadcasting b/c default
names are widely known
Radio Frequency Management
• The signal should die out before it reaches
the physical boundaries of the property
• This helps unauthorized users from driving
by and intercepting confidential wireless
signals
Default Settings
• Many access points arrive with no security
mechanism in place
• Changing the default settings before
deployment should be a matter of
organizational practice
Authentication Issues
• Open system-SSID, subject to sniffing
• Shared key-SSID plus WEP encrypted key
required, subject to man-in-the middle
attacks
• Many wireless networks do not contain
adequate authentication mechanisms
• Both Open and Shared are considered weak
Authentication Issues
• WEP standard proven
insufficient
• Replaced with Wi-Fi
Protected Access
(WPA)
• WPA demonstrates its
own weaknesses
• Replaced by WPA2
which is viewed as
more secure
.
Bluetooth Security
• Popular short-range technology
• Used for many personal electronic devices
including phones, music players, etc.
Threats
• Bluejacking-sending unsolicited messages to
Bluetooth devices
• Bluesnarfing-unauthorized access of information
from a wireless device through a Bluetooth
connection
• Bluebugging-unauthorized control of Bluetooth
assets
Operating System
• A program that acts as an intermediary between a
computer user and the computer hardware
• “GUI” Graphical User Interface
• Process management
• Main memory management
• File management
• I/O system management
• Secondary storage management
• Network management
• Protection system management
• User interface management
Operating System Security
• Confidentiality: only let authorized entities
access computer and information
• Integrity: only allow authorized changes to
information
• Availability: manage resources to permit
access to information and system at all
required times
Authorization and Authentication
• WHO IS AUTHORIZED?
• Authorized by policy of organization and
operational requirements
• HOW DO WE KNOW?
• Accounts (identification)
• Known systems
• Passwords
• Secure communication channel
Access Control
• Verifying the identity of entities before
granting access and restricting access
• Controls how users and systems
communicate and interact with other
systems and resources
• First line of defense
• Authenticate before allowing access to
authorized resources
• Policies, locks, passwords
• Social media policies??
Auditing
• A trail to follow
• Creation of logs
• A log is a record of
events or activities
that occur
• Detectable events
• Collect and save in
secure information
• Analyze results
.
Threats to OS
• The basic problem with OS and computers
is that a system allows unauthorized users
to compromise the system to gain
unauthorized access to system resources
• Weak/Broken identification
• Weak internal security structures
• Programming errors in operating system
Once Identified, Authorize
• User accounts are the mechanism used to
identify and authorize people
• Access control is based on identification
• Most common authentication is a password
• Password and account policies help
improve security
Implementing Policies
• The whole access control process is driven
by policies and procedures
• One part of the implementation is policies
is to implement a password policy that
makes it less likely that an attacker can
break into computer systems by
compromising a password
Password Policy
• What makes a good
.
password policy?
• New password
• Reuse of old passwords
• Length of validity
• When can it be changed
• Minimum length of
password
• Complexity requirements
• Should password be stored
Specific OS Attacks
• Dos: attack on availability, consume resources
• Hack: exploit a vulnerability to gain unauthorized
access to the system
• Backdoor: An access method that bypasses the
normal security of the system
• Memory issues: Memory is not erased before
given to another program
• Escalation of privileges: user exploits
vulnerability to gain unauthorized access
• Default settings: most OS ship with simplest
configuration, security disabled
Securing Systems
• Perform system hardening
• Find out what vulnerabilities are still
present
• Fix them
Countermeasures: DoS
• Set network and host firewall filters for
known bad traffic
• Apply OS patches for know vulnerabilities
• Limit time and resources to processes
• Monitor for threat activity on the network
and host using IDS
• “Detect and block”
Countermeasures: Hack the System
• Use account and password policies
• Change default accounts, settings,
passwords
• Use restricted accounts for services
• Apply OS patches for known vulnerabilities
• Turn off unnecessary services
• Watch for social engineering
Countermeasures: Backdoor
•
•
•
•
•
Backdoors are installed by the developer
Disable any unnecessary default accounts
Apply OS patches for known vulnerabilities
Scan system periodically
Monitor system
Countermeasures: Memory Issues
• Memory management is an issues that has a
severe impact on performance
• Apply OS patches for known vulnerabilities
• Turn on security features
• Reclaim memory on process termination
Countermeasures: Escalation of Privileges
• Apply OS patches for known vulnerabilities
• Monitor system
• Establish restricted accounts for services
(don’t run everything as administrator)
Countermeasures: Default Settings
•
•
•
•
Disable unnecessary accounts and services
Apply OS patches for known vulnerabilities
Follow lockdown procedures when possible
Monitor the system
Common Application Security Threats
• Unauthorized access to applications: first line of
defense is access control
• Cross-Site Scripting: browser allows code
injection
• SQL injection: inserts independent queries into a
database
• Buffer flow: input from a user exceeds the length
or other characteristics of an expected input
• Arbitrary code execution: one of the common
methods used by attackers to execute commands
to take over or crash the targeted machine
Unauthorized Access Countermeasures
• Determines what object can access application
• Can be implemented based on users, permissions,
and folder structures
• UserID and password
• Honeypot is a trap set to detect, deflect, or in
some manner counteract attempts at unauthorized
use of information systems.
XSS Countermeasures
•
•
•
•
•
•
•
•
•
Vulnerability in web applications
Web server owner should:
Keep web server updated
Scan for XSS vulnerabilities
Configure applications and servers properly
User should:
Keep web browser updated
Practice safe web surfing
Attend awareness training
SQL Injection Countermeasures
• Database vulnerability (credit card info/patient
information)
• Input validation
• Manual code review
• Least privilege
• When not required, disable privileges to stored
procedures, tables, etc.
• Limit execution privileges to SELECT,
UPDATE, DELETE and user-stored procedures
Buffer Overflow Countermeasures
• Software vulnerability and programming (C and
C++)
• Stack buffer overflow “Morris Worm”
• Write secure code
• Use compiler tools to detect unsafe instruction
sets in application
• Have a limited number of processes running
• Keep your application updated with latest patches
from software vendor
• Control privilege
Arbitrary Code Execution Countermeasures
•
•
•
•
•
Software bug
Install latest updates and Service Packs
Disable scripting and ActiveX (Drive by)
Configure application securely
Use alternate, safer applications
Drive by Download
• Drive by Download is an unintended download of
computer software from the Internet:
1. Downloads which a person authorized but
without understanding the consequences (e.g.
downloads which install an unknown or
counterfeit executable program, ActiveX
component, or Java applet).
2. Any download that happens without a person's
knowledge.
3. Download of spyware, a computer virus or any
kind of malware that happens without a person's
knowledge.
Personal Information Threats
• Unauthorized access to personal
information
• Loss of personal information
• Unauthorized disclosure of personal
information
• Spoofing
• Malicious software (Malware)
Unauthorized Access to Personal Information
• Commonly done by cracking user
passwords
• Recovering passwords from data that has
been stored in or transmitted by a computer
system
• Password cracking methods
• Dictionary
• Hybrid
• Brute force (every password WILL be
cracked)
Password Cracking (1-11)
•
•
•
•
•
•
•
•
•
•
•
andy
helen2008
Computer
Jonas_Puente
marykay
htimsnosaj
b1@nc@&l33
cold*beer
020973
n1h0nj1n
*pdbmc12
Loss of Personal Information
•
•
•
•
•
•
Human error, 32%
Software corruption, 25%
Virus attack (malware), 22%
Hardware failure, 13%
Sabotage, 6%
Natural disasters, 2%
Spoofing
• A situation in which a person/program
successfully masquerades as another by
presenting false information.
Malicious Software (Malware)
• Designed to damage/disrupt a system
without the owner’s consent.
• Software that gets installed on your system
and performs unwanted tasks.
• Pop ups to virus deployment.
Virus
• Individual programs
that propagate by first
infecting executable
files or the system and
then makes copies of
itself.
• Can operate without
your knowledge (visit
website, you open
attachment).
• WE OPEN IT
Worm
• Designed to replicate and spread from
computer to computer (attach to file and
run on their own)
• WE DON’T HAVE TO OPEN IT
Trojan Horse
• Designed and written like normal programs
but have hidden code that can compromise
your system from remote user/computer.
Logic/Time Bomb
• Program that lies dormant until it is
activated by something (date, message).
Spyware
• Computer software that gathers information
about a computer user and transmits it
without your knowledge (benign or
malignant, websites or credit card
information).
Adware
• Advertising supported software in which
advertisements are displayed while the
program is running.
Malware Goals
• Malicious code threatens three primary security goals:
• Confidentiality: Programs like spyware can capture
sensitive data while it is being created and pass it on to an
outside source.
• Availability: Many viruses are designed to modify
operating system and program files, leading to computer
crashes. Internet worms have spread so widely and so
quickly that they have overloaded Internet connections
and email systems, leading to effective denial-of-service
attacks.
• Integrity: Protecting information from unauthorized or
inadvertent modification. For example, without integrity,
your account information could be changed by someone
else.
Personal Information Security Countermeasures
•
•
•
•
•
Password policies
Backup
Cryptography
Spoofing countermeasures
Malware detection and prevention
Password Policies
• History- 10 passwords
•
• Max age- 120 days
• Min age- 5 days or 0 for shoulder
surfing
•
• Min length- 15 characters (at
least 8)
• Complexity- enabled
• Combo of upper & lower case &
special character & number
• La2!xxxx
• No dictionary words/patterns
• No easily obtainable information
No birthdays, pet names,
fictional character, proper
noun, etc
Use of mnemonics
Backup
• Copying files to a second medium for later
retrieval as a precaution in case the first medium
fails
• Perform frequently
• Keep in a separate location
• 93% of companies that lost their data center for
10 days or more due to a disaster filed for
bankruptcy within one year of the disaster
• 50% of businesses that found themselves without
data management for this same period filed for
bankruptcy immediately
Spoofing Countermeasures
• Practice safe email usage and web surfing
• Attend security awareness training
Malware Countermeasures
• Only run software you can trust
• Install antivirus software
• Scan file attachments with antivirus
software before opening
• Verify critical file integrity
• BACKUP
Electronic Health/Medical Records
• An electronic health record (EHR) is an evolving concept
defined as a systematic collection of electronic health
information about individual patients or populations
• It is a record in digital format that is capable of being
shared across different health care settings, by being
embedded in network-connected enterprise-wide
information systems
• Such records may include a whole range of data in
comprehensive or summary form, including
demographics, medical history, medication and allergies,
immunization status, laboratory test results, radiology
images, vital signs, personal stats like age and weight, and
billing information
Health Insurance Portability and Accountability
Act of 1996 (HIPAA)
• The Office for Civil Rights enforces the HIPAA
Privacy Rule, which protects the privacy of
individually identifiable health information; the
HIPAA Security Rule, which sets national
standards for the security of electronic protected
health information; and the confidentiality
provisions of the Patient Safety Rule, which
protect identifiable information being used to
analyze patient safety events and improve patient
safety.
EHR
• Advantages
• Reduction of cost
• Improve quality of
care
• Promote evidencebased medicine
• Record keeping and
mobility
• Disadvantages
• Costs
• Time
.
Are EHRs Vulnerable? YES!
• Vulnerabilities discovered, reported to
eHealth vendor and then patched
• Patches take A LOT of time to fix
• 2,211 days (vendor) vs. 284 days
(Microsoft)
• No one eHealth vendor in charge
Possible Issues
• Unauthorized users can compromise
integrity and confidentiality
• Unauthorized access to computer networks
• Password protection (hacks and policies)
• Subversive software (malware)
• Disaster
Privacy and Security Issues
•
•
•
•
Data breaches
Theft
Lost devices
Social networking
Personally Identifiable Information (PII)
• Information that permits the identity of an individual to be
inferred directly or indirectly
• PII includes any information that is linked or linkable to
that individual, regardless of whether the individual is a
U.S. citizen, a legal permanent resident, or a visitor to the
United States
• Apply the "need to know" principle before disclosing PII
to other personnel
• Challenge the need for the requested PII before sharing
• Consider PII materials for official use only
• Limit the collection of PII for authorized purposes only
Examples of PII
•
•
•
•
•
•
•
•
•
Name
Date of birth
Biometrics
Mailing address
Phone #
Email address
Zip code
Account numbers
License information
•
•
•
•
Social Security #
Place of birth
License plate
Photos
Sensitive Data
•
•
•
•
•
•
•
Confidentiality of patient records
Mental health
Sexual health
Drug/alcohol
Minors
Intimate partner violence/sexual violence
Genetic information
Privacy and Security of EHR
• Security program components and
regulatory requirements (HITECH, HIPAA,
Breach Notification Laws, State Laws)
• Risk assessment and mitigation plans
• Security program evaluation
• Privacy and security awareness training for
all staff
• Disclosure logs
Privacy and Security
• Security audit programs will be under the
purview of the OCR (Office of Civil
Rights) which is expected to begin with
existing programs in 2011.
• CIA Triad
Data Segmentation
•
•
•
•
•
•
Structured data fields
Common data definitions
Data entry
Locating data
Technology and codes
Building intelligence
Safeguarding PII
• Store sensitive information in a room or area that has
access control measures to prevent unauthorized access by
visitors or members of the public (e.g., locked desk
drawers, offices, and file cabinets)
• Never email sensitive information to unauthorized
individuals.
• Never leave sensitive information on community printers
• Take precautions to avoid the loss or theft of computer
devices and removable storage media
• Destroy all sensitive information by appropriate methods
(paper shredder) when it is no longer needed
• Notify your immediate supervisor if you suspect or
confirm that a privacy incident has occurred
Security Vulnerabilities and Countermeasures
• Safeguard data
• Monitor control on key systems and check
inadequate logging
• Protect access control
• Data encryption
• Privacy awareness training
• Create strong vendor management
• Develop business continuity and incident
response plans
Security and Assurance Program
• Protective measures to address potential cyber security
threats include:
• Firewalls and virus protection systems
• Password procedures
• Information encryption software
• Computer access control systems
• Computer security staff background checks (at initial hire
and periodically)
• Computer security staff training & 24/7 on-call technical
support
• Computer system recovery and restoration plans
• Intrusion detection systems
• Redundant & backup systems, & offsite backup data
storage
In Summary…
•
•
•
•
•
•
•
Identify vulnerabilities
Human error is biggest threat
Fix vulnerabilities (patches, etc.)
Have policies and procedures
Computer maintenance program
Educate staff
Stay informed of latest and greatest
References
• Voice & Data Security: An Introduction to
Information Assurance (FEMA/DHS)
• IS 906: Workplace Security Awareness
(FEMA)
• EHR PPT, Nina Robinson, NJPCA