Computer security and best practices


Computer Security and what you can do about it…
Vadim Droznin – a geek - not a professional speaker!
[email protected]
Don’t let this happen to you!
Introduction

Discuss best practices for computers and mobile devices to protect you and your office information.

You will be able to make a knowledgeable decision about combating potential threats on the Internet and make better decisions related to IT.

QED Systems, Inc. has been helping companies with IT related issues for over 25 years.
Outline

Best practice to protect your computer
◦ Viruses
◦ Intrusion prevention
◦ Passwords
◦ Backup
◦ Encryption
◦ Cloud
◦ IT outsourcing vs in-house
◦ MASS PI Law – Regulation 201 CMR 17
◦ HIPAA compliance
Danger, Will Robinson, Danger!

Computer Virus – a program that can infect a computer without the permission or knowledge of the user
◦ Spreads over the WWW, network shares, e-mail, social networking, and instant messaging. Will spread to other computers and potentially cause data loss

Malware (malicious software) – a program that infects and damages the computer/mobile device (most rootkits, some viruses, Trojan horses, worms)
Example: Trojan Flame – multi-component malware for targeted attacks. It is able to spy, leak data, and download/execute other components.

Spyware – a program that intercepts and takes partial control over the user's interaction with the computer or mobile device, or captures keystrokes

Adware – a program that displays, downloads, and pops up ads

SPAM – unsolicited e-mail. May be used for phishing or information gathering
Types of Antivirus/Antispyware

Antivirus: Kaspersky, Symantec, IObit, etc.
◦ Avira, Avast and AVG have free basic versions
◦ Ability to update and monitor. Scan the whole computer weekly

Anti-Spyware: Webroot, CounterSpy, etc.
◦ MalwareBytes and SuperAntispyware have free versions
◦ Scan weekly at minimum
Viruses that disguise themselves

“Antivirus 2014/2013/2012/2011” and “Antivirus XP/7/8” (any year) are actually viruses

Never click on a pop-up about your computer being infected when surfing

If infected, press and hold the power button for 5 sec. to shut down, then seek expert help
Anti-SPAM / PHISHING

Use Internet e-mail sites that offer SPAM scanning (Yahoo, Google, MSN, etc.)

A free Anti-SPAM version is included with Outlook, Outlook Express, Apple and other mail clients

PHISHING – when an e-mail or Internet link takes the user to a site that masquerades as a real site (can also be done via a server)

Examples of PHISHING

E-Mails – (screenshots of phishing e-mails, not reproduced in this transcript)

Site – (screenshot of a phishing site, not reproduced in this transcript)
Firewall, Passwords, Wireless, etc.

Never hook your computer up to the Internet without a firewall. It takes less than 20 minutes to get hacked (cracked) or infected

Wireless must have WPA2 enabled with a 14-character-long passphrase. Cisco, Meraki, and others offer real wireless security solutions

Wi-Fi Protected Setup (WPS) is vulnerable and should be disabled

User account passwords on the computer and Internet site passwords must be at least 15 characters long – a combination of capitals, small letters, numbers, and “special” characters

A UPS is recommended for computers in case of power outage
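A small policy checker for the account-password and WPA2-passphrase rules stated on this slide, written here as an added example (not code from the presenter). The 8 to 63 printable-ASCII bound on the passphrase is assumed from the WPA2-PSK standard, not from the slide.

```python
from __future__ import annotations

import string

# Rules from the slide: account passwords are at least 15 characters mixing capitals,
# small letters, numbers and "special" characters; WPA2 passphrases are at least 14.
ACCOUNT_MIN_LEN = 15
WPA2_MIN_LEN = 14
# Assumption from the WPA2-PSK standard (not from the slide): a passphrase is 8-63
# printable ASCII characters, so a longer or non-ASCII one is rejected by the router.
WPA2_MAX_LEN = 63


def account_password_failures(password: str) -> list[str]:
    """Return every account-password rule the candidate breaks (empty list = compliant)."""
    failures = []
    if len(password) < ACCOUNT_MIN_LEN:
        failures.append(f"shorter than {ACCOUNT_MIN_LEN} characters")
    if not any(c.isupper() for c in password):
        failures.append("no capital letter")
    if not any(c.islower() for c in password):
        failures.append("no small letter")
    if not any(c.isdigit() for c in password):
        failures.append("no number")
    if not any(c in string.punctuation for c in password):
        failures.append("no special character")
    return failures


def wpa2_passphrase_failures(passphrase: str) -> list[str]:
    """Return every WPA2 passphrase rule the candidate breaks (empty list = compliant)."""
    failures = []
    if len(passphrase) < WPA2_MIN_LEN:
        failures.append(f"shorter than {WPA2_MIN_LEN} characters")
    if len(passphrase) > WPA2_MAX_LEN:
        failures.append(f"longer than {WPA2_MAX_LEN} characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        failures.append("contains characters outside printable ASCII")
    return failures


if __name__ == "__main__":
    # Constructed sample candidates for a quick demonstration.
    for candidate in ("Correct-Horse-Battery-9", "Short1!", "correcthorsebattery"):
        print(candidate, "->", account_password_failures(candidate) or "OK")
    for candidate in ("office-guest-wifi-2024", "password", "caf\u00e9-guest-network"):
        print(candidate, "->", wpa2_passphrase_failures(candidate) or "OK")
```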
Operating Systems Pros and cons

Windows OS is still the most popular and most widely used.
◦ Windows XP/Vista/7/8 replaced by Windows 8.1 as of 2014.
◦ Windows 7 and 8.1 are more secure: built-in Windows Defender and better security.
◦ All OSs are still prone to “security flaws”

Apple
◦ Can “dual boot” into both Apple and Windows OS.
◦ Still the most secure, but more and more programs are written to “infect” Mac OS.

Linux OS
◦ Used less; more secure than a PC, but may get infected and has flaws.
◦ May be hard to learn for the computer user, and has compatibility issues.
Mobile Devices and Phones

Phones have become more than a phone – mobile computers. Use a password to unlock the phone
◦ Purchase Antivirus (AVG Free) with an Android based phone. In the foreseeable future, be very careful when installing Apps on Android.
◦ iPhone has a much smaller chance of getting infected and downloading a malware/spyware based app.
◦ Blackberry has the best mail encryption, but its future is very questionable.
◦ The Android, iPhone and iPad apps market is continuing to grow.
Encryption

Encryption uses an algorithm to encode devices, files, or information

You should be encrypting any business related information on all devices that are taken outside the office – laptops, mobile devices, thumb drives, etc.

When creating a web site that requires a login, SSL encryption should be implemented
◦ Secure Sockets Layer encrypts the data over the Internet between server and client
Backup

You can never have enough backups

Redundancy is not a backup, but can be used for a quick restore

Backup (cont’d)

What should I NOT be using as a backup media?

Best offsite backups (online backups) provide encryption
◦ Carbonite - $59.95/year, unlimited size, plus plans for businesses
◦ Mozy - $5.95/month, unlimited size
◦ Mozy and others offer 2 Gb free versions
Cloud

Pros
◦ Minimizes IT support. Allows “Pay as you go”
◦ Does not require a dedicated on-site location
◦ 24/7 uptime not tied to your office Internet
◦ Scalable

Cons
◦ Requires a higher level of security (prone to attack)
◦ Some applications cannot be used, e.g. HIPAA compliant ones
◦ If part of the Internet goes down, Cloud servers may not be reachable
Information Technology

Outsourcing
◦ Cost efficient if used “pay as required”
◦ Support 24/7
◦ Some of the support may be remote
◦ No sick/holiday/vacation time, though usually a higher rate during off-hours
◦ Provides a CYA

In-House
◦ Cost efficient if subsidized by grant
◦ A dedicated person that is on site during business hours
◦ Person grows with the office and understands technology needs better
Personal Information

The following information related to any Massachusetts resident is considered to be Personal Information (PI):

Name (first initial/name and last name) and one of the following:
◦ Social Security Number
◦ Driver’s License Number
◦ Financial Account Number (ex. Credit Card, Debit Card)
◦ Other Access Code Related to Person’s Financial Information
MASS Personal Information Law

Standards for the Protection of Personal Information of Residents of the Commonwealth
Effective 3/1/10

Safeguard personal information (PI), both paper and electronic

Ensure security and confidentiality are consistent with industry standards

Protect against anticipated threats

Protect against unauthorized access

Establishes minimum standards to be met in connection with the safeguarding of personal information (PI) contained in both paper and electronic records

Up to $50,000 per improper disposal and a maximum of $5,000 per violation

The above penalties don't include lost business, dealing with irate staff or families, mailing out letters, and other associated costs
Written Information Security Plan (WISP)

A working document that details how your organization will protect the non-public personal information (PI) of both students and staff through administrative, technical, and physical safeguards

WISP must address:
◦ Paper Files
◦ Electronic Information

PI - Paper Files
◦ Do not leave files containing PI out and about
◦ Lock desks and file cabinets containing PI
◦ Store keys to locked desks/cabinets in a safe place
◦ If possible, avoid faxing PI
◦ If faxing is required, double check the # and name of the recipient before sending
PI - Electronic Information

Hardware – Your computer
◦ Any computer or mobile device that is portable cannot contain PI
◦ As extra security, if using a laptop that contains PI, try not to use wireless at a public location – turn off the wireless feature

Software – Daily usage
◦ Any e-mail that may contain PI must be encrypted
◦ Passwords to computers cannot be left out in the open (under the mouse pad, keyboard, etc.)
◦ Passwords have to meet minimum requirements

Data Files – Protection of files with PI
◦ Files containing PI should be password protected and never taken off site
◦ No text, Instant Message, or social networking
◦ If there is a necessity to take files with PI offsite, the files must be on an encrypted laptop or flash drive with secure password protection
Health Insurance Portability and Accountability Act - HIPAA

The HIPAA Privacy Rule provides federal protections for individually identifiable health information held by covered entities and their business associates and gives patients an array of rights with respect to that information.

The Privacy Rule is balanced so that it permits the disclosure of health information needed for patient care and other important purposes.

HIPAA applies to “PHI” (Protected Health Information). This is information that identifies who the health-related information belongs to - names, e-mail addresses, phone numbers, medical record numbers, photos, driver's license numbers, etc. If you have something that can identify a person together with health information of any kind (from an appointment, to a list of prescriptions, to test results, to a list of doctors) you have PHI that needs to be protected per HIPAA. ePHI is merely PHI that is stored or transmitted electronically (i.e. via e-mail, text message, web site, database, online document storage, FAX, etc.).
HIPAA Applies to – Covered Entities and everyone touching PHI

Health plans: With certain exceptions, an individual or group plan that provides or pays the cost of medical care.

Health care clearinghouses: An entity that either processes or facilitates the processing of health information from various organizations, i.e. to reformat or process the data into standard formats.

Health care providers: Care, services, or supplies related to the health of an individual.

The HITECH additions to HIPAA extend HIPAA compliance requirements to all Business Associates of Covered Entities. Further, the Omnibus rule requires that all Business Associates of Business Associates also be compliant - everyone in the chain of companies from the Covered Entities onward needs to be compliant! Even law firms need to comply with HIPAA where they contact PHI.

Note: Individuals (unless they fall into one of the above categories) do not have to be HIPAA compliant. So, for example, it is “OK” for a patient to be noncompliant in communicating with his doctor; however, the doctor must be compliant when communicating back and must be compliant with the patient’s communications once received.
Wrap-up

Virus/Spyware/Malware/Adware
SPAM/Phishing
Firewall
Wireless
Passwords
Windows 8/Apple
Mobile Devices
Encryption/Backup
Cloud Hosting
IT inhouse/outsourced
201 CMR 17
HIPAA - www.hhs.gov/ocr/privacy