Data Security issues


EMS Management Today
Washington, DC - June 29, 2003
EMS Security Secrets
William E. Ott, MS, Paramedic
CPCS Technologies
www.cpcstech.com
Today’s Data Security Environments Can Be Scary
• Changing Technologies
• Hackers & Extremists
• Loss of Competitive Advantage
• TRUST
• Opportunities for FRAUD
• Viruses & Worms
• “Free” Access for Employees
• New IT Projects
• Outsourcing
• IT System Crashes
Specific Items to Address
• EMS workers as Information Workers
• Public Safety is one of the 13 official Critical
Infrastructures
• OPSec as a way of life and business operation
• Information security risks
– Networks
– Wireless network components
– Voice systems
– Social engineering
• Information security measures
– Firewalls
– IDS (Intrusion Detection Systems)
– Antivirus
• Business continuity planning
• Data backup and restoration
Bombs to Bytes
• Our enemies are using our own things
against us:
– Planes
– Mail
– Media
– Computers / Networks
Enemies are on the attack
• Attacks for disruption, damage, theft, industrial
espionage, theft of service
– China
– Russia
– North Korea
– France
– Terror Cells
– Professional hackers, mostly for pride or
recognition, sometimes for pay
– ‘script kiddies’
– Warez crowd
Threats to Information Systems
• Malicious abuse
• Denial of Service and related attacks
• Virus, Worm, and Trojan attacks
• Outside Hacker attacks
• Theft of service
• Theft of information
• Poorly trained IT staff
• Not staying current with system patches,
antivirus definitions, etc.
• Not performing proper system maintenance
• Poor or no backup and contingency plans
EMS following the FedEx lead?
• EMS will follow the IT example of FedEx,
transitioning from package delivery with
associated information to an information
management company with the end result
of package delivery
• EMS can, is, and should follow this model,
from being an emergency response, patient
care service with associated information to
being an information management agency
with the end result being quality patient care.
EMS Personnel as Information Workers
• What is involved?
– Electronic patient records
– CAD data pre and post response
– GIS data pre and post response
– System performance data
– Application of performance data to the
continuing education program
– Personnel data
– System / Vehicle data
– Facility/Event preplan data
Do you have an IT Security Plan?
• Harden and Secure for known issues
• Prepare with policies and education
• Detect intrusions and threats
• Respond to intrusions and threats
• Improve IT security measures and policies
What can happen to my data?
• Lost data or missing data is inaccessible
• Stolen data has been accessed or copied
without authorization
• Inaccurate data was entered incorrectly,
deliberately or accidentally altered, or not
updated
Threats to Productivity
• Spam
– wastes resources
– wastes time
– offensive, dangerous
• Popup ads
– wastes resources
– annoying
• Malicious use of resources
– wastes bandwidth, storage
– violates law and privacy
– WAREZ activity
Threats to Privacy / Confidentiality
• No security plan
• No security training or awareness
• Smart or Meta Tags in shared documents
• Social Engineering
• Unencrypted network, especially wireless
• Unencrypted e-mail
• No firewall
• No antivirus system
• Rogue wireless
• PDAs connecting to network and servers
Friend or Foe?
Attack & Penetration / Profiling
• An ethical hacking and profiling assessment in order to:
– Identify the technical security vulnerabilities and weaknesses
– Develop corrective technical actions
• Focused on multiple access verifications as well as technical and administrative controls.
Diagram: the assessment covers Internet, Intranet, Extranet and Remote Access security in four phases:
PHASE I – Discover/Scan (Attack & Penetration)
PHASE II – Exploitation (Threat & Vulnerability)
PHASE III – Host Vulnerability Assessment (Security Infrastructure)
PHASE IV – Administrative Controls Review
What is driving improved Security?
• Homeland security
• Health Insurance Portability and Accountability Act
(HIPAA)
• Maturation of existing data systems
• Inexpensive to implement security on new data systems
• It’s the right thing to do
Data Security Issues
• Development of user levels or ‘roles’
• Education of users
• Proper use policies
• Improper info via unsecured e-mail
• Intrusion detection systems / scans
• Antivirus protections
The “Security Chain”
Diagram: the controls are drawn as links of one chain running from the FRONT end through TRANSPORT and BUSINESS LOGIC to the DB and the Perimeter. Links shown: Applications, Tokens, SSL, Authentication, Browser Security, Intrusion Detection, Smart Card, Biometrics, Anti-Virus, Proxies, VPN, VLAN, Firewall, Authorization, Auditing, DMZ, Mail Servers, Scanners, Policy Servers, Risk Analysis, IPSEC, Security Agents, Backups, Content Filtering, Desktop Security, PKCS, PKI, LDAP.
Vulnerable links: the weakest link.
Some Security Options
• Virtual Private Networking (VPN)
• Active AntiVirus Screening
• Stateful packet inspection Firewalling
• Proxy servers
• Opt-in e-mail
• Database encryption
• E-mail encryption
• Network / PC security policies
• Two Factor User Authentication
• Aggressive Audit logging and review
Virtual Private Network
• A VPN is defined as a system in which two
or more networks are connected through a
third, untrusted, network.
• The two networks are usually a main office
and a satellite office, and the third network
is usually the Internet.
VPN Diagram
E-mail Security
• E-mail is the most used network application
• Very insecure as the Internet developed
• Security has been a low priority for all but a few
• Phil Zimmermann – Pretty Good Privacy (PGP)
• Digital Certificates
• Symmetric or Asymmetric encryption
• Think about opt-in or digital certificates to control
spam
Ultimate Goal: Information Control
• Easy to use
– Simple model
– Native environment
• Dependable Security
• Dependable Authentication
• Persistent and Dynamic Control when
applicable
• Use control (copy and print)
• Comprehensive Auditing
• Supports breadth of content types
• Scalable and deployable
Solutions & Suggestions
• Tie security to ROI – what is the competition
doing, positive PR, etc. (at minimum tie it to loss
mitigation costs )
• Remind them that the Privacy Rule and statute mandate
sound security practices
• Educate, educate, educate
• Use horror stories judiciously
Solutions & Suggestions
• Present options, accept risk and remain flexible
• Remember brevity with top executives – make your point
quickly and avoid fluff
• Cultivate security advocates within and outside the
organization
• Incorporate a bottom up approach (i.e., train end users,
periodic security announcements to staff, etc.)
Solutions & Suggestions
• Focus on culture, business process
versus technology – change the belief
“this is only an IT issue”
• Partner with regulatory, compliance,
clinical – generally deep concern felt for
privacy of patient/member
• Patience & a sense of humor a must!
Culture Change Needed!
Real Examples
Security principle: Passwords must be hard to
guess & kept secret
– Clinton signs the e-sign bill using
password “Buddy,” a radiologist picks
password “RAD”
– Passwords stuck on computer screens,
under mouse pads, on keyboards, on
stethoscopes
– Boss says, “Tell me your password
‘cause I don’t have time to submit the
form and go through training to get my
own.”
Culture Change Needed!
Real Examples
Security principle: Everyone is personally
responsible for ensuring good security
through their own behavior and through
reporting incidents
– “The computer people handle that [i.e.,
it’s not my job].”
– “I’m not gonna rat on my friend! [and
what’s the big deal about looking up his
girlfriend’s lab test results anyway?]”
Culture Change Needed!
Real Examples
Security principle: Avoid confidential
conversations where they can be
overheard
– “We’ve asked him to lower his voice
when he’s discussing patients in the ER,
but I guess he just has a naturally loud
voice.”
– “We’re so busy that we need to catch up
on cases whenever we bump into each
other [such as in the elevator, walking
down the hall, in the cafeteria].”
Culture Change Needed!
Real Examples
Security principle: Destroy media (shred
paper, chip disks, etc.) containing
confidential data when no longer needed:
– “But it’s only a phone message slip with
the patient’s name and number on it.”
– “But it’s just a floppy disk and I’m using it
at home now for other files.”
Information Security – A Human Behavioral Problem
What Do Companies Say:
66% have information security problems
65% were attacked by own employees
51% see information security as a priority
40% do not investigate security incidents
38% have detected attacks that blocked their IT
systems
Only 33% can detect attacks and intrusions
What Does FBI Say About Companies:
91% have detected employee abuse
70% indicate the Internet as a frequent attack point
64% have suffered financial losses
40% have detected attacks from outside
36% have reported security incidents.
Source: FBI Computer Crime and Security Survey 2001
Source: EY Information Security Survey 2001 - 2002
Causes of Security Incidents
Source: EY Information Security Survey 2001
Information Security – A Dynamic Process
• Security Policies, Standards, and Procedures
• Risk Analysis
• Identification of Vulnerabilities
• Employee Training, Education, and
Awareness
• Implement strong authentication / encryption
• Use digital signatures & PKI solutions
• Performance Indicators
• Intruder Detection
• Anti-Virus Solutions
• Periodic Security Analyses (especially after the
implementation of new IT systems)
• Attack & Penetration Analyses (Ethical Hacking)
• Analysis of IT systems’ logs
• Threat & vulnerability analysis
• Security infrastructure
(Diagram labels: RISK FACTORS, Correction, Data)
• Continuity Plans (BCP/DRP)
• Incident Response Management
• Hot Resources
Management of Security Risks
Risk analysis is the starting point of all initiatives related to
information security, because the depth of the analysis determines
the level of detail we should take into consideration.
EXAMPLE RISK MAP
(rows = Impact, columns = Probability)

Impact       Low      Medium   High
High         A        B        E
Medium       C        F        D
Low          –        –        –

A = Earthquake
B = Communication Breakdown
C = Internal Attacks
D = Attacks on the Web Server
E = Inability to Detect New Attacks
F = Breakdown of Critical Application

Major steps in performing risk management
• Identify the risks (including security risks)
• Evaluate and prioritize the risks (in a Cartesian field)
• Elaborate the impact analyses and mitigating
strategies
• Select the mitigating solutions (cost-benefit
analysis)
• Define and implement the Action Plan
• Monitor continuously the new risk factors
• Elaborate the mitigating recommendations or
identify new mitigating solutions for new/existing
risks.
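The risk map and the steps above, worked as an added Python example (not code from the presentation): the six risks are placed on the slide's impact/probability grid, scored, and ordered for mitigation. The grid positions are read from the slide figure; the score thresholds in action() are an assumption.

```python
"""Risk map from the 'Example Risk Map' slide: place risks on the impact/probability
grid, score them and order them for mitigation. Added example, not from the presentation."""
from dataclasses import dataclass

LEVELS = ["Low", "Medium", "High"]                 # axis labels used on the slide
RANK = {name: i + 1 for i, name in enumerate(LEVELS)}

@dataclass(frozen=True)
class Risk:
    key: str
    name: str
    impact: str        # "Low" | "Medium" | "High"
    probability: str   # "Low" | "Medium" | "High"

    def __post_init__(self):
        if self.impact not in RANK or self.probability not in RANK:
            raise ValueError(f"unknown level on risk {self.key}")

    @property
    def score(self) -> int:
        # ordinal product (1..9); any monotone combination ranks the same way
        return RANK[self.impact] * RANK[self.probability]

# Positions read from the slide's grid (assumption: rows are impact, columns probability)
RISKS = [
    Risk("A", "Earthquake", "High", "Low"),
    Risk("B", "Communication Breakdown", "High", "Medium"),
    Risk("E", "Inability to Detect New Attacks", "High", "High"),
    Risk("C", "Internal Attacks", "Medium", "Low"),
    Risk("F", "Breakdown of Critical Application", "Medium", "Medium"),
    Risk("D", "Attacks on the Web Server", "Medium", "High"),
]

def risk_map(risks):
    """grid[impact][probability] -> risk keys: the slide's Cartesian field."""
    grid = {i: {p: [] for p in LEVELS} for i in LEVELS}
    for r in risks:
        grid[r.impact][r.probability].append(r.key)
    return grid

def prioritize(risks):
    """Highest score first; ties go to the higher-impact risk, then to the key."""
    return sorted(risks, key=lambda r: (-r.score, -RANK[r.impact], r.key))

def action(risk, mitigate_at=6, plan_at=3):
    """Turn a score into the next risk-management step (thresholds are an assumption)."""
    if risk.score >= mitigate_at:
        return "select mitigating solution now"
    if risk.score >= plan_at:
        return "elaborate impact analysis and mitigation strategy"
    return "monitor as a risk factor"

if __name__ == "__main__":
    for imp in reversed(LEVELS):                    # print High impact first, as on the slide
        print(f"{imp:<7}", [risk_map(RISKS)[imp][p] for p in LEVELS])
    for r in prioritize(RISKS):
        print(f"{r.key} {r.name:<34} score={r.score} -> {action(r)}")
```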
Continuity & Availability of Business Processes
After September 11, 2001, the mitigation approach for risk groups has changed in order to
include all risks that can affect the continuation of business processes:
Diagram: Managing Business Risk covers People, Physical, Operational, Security (Data Security) and Financial risks, with BCP spanning all of them.
What Do Companies Say:
70% are planning major BCP revisions
Only 53% have implemented a BCP
Source: EY Global Information Security Survey 2002
Responsibility of ensuring business continuity lies with top
management through Corporate Governance processes. It is NOT the
job of IT !!!
Business Continuity Planning
• Focused on function and not on technology
• A systematic approach in order to:
– Prepare for unforeseen/unexpected disasters and/or interruptions
– Reduction of the impact of such unforeseen events
– Rebuilding operational capabilities, starting with mission critical processes
• A pre-planned sequence of events that allows for the continuation/recovery of business functions, IT
processing capabilities, network, and facilities.
• Education of employees in responding effectively to crises, within a defined corporate structure
• Plan is tested practically and periodically updated.
Phases of BCP Formulation:
1. Evaluation of current state
2. Determination of the impact to the business by risk
factors
3. Definition of continuity strategies
4. Development of continuity plan (BCP)
5. Implementation, testing, and updating of the BCP
Data Disaster Facts
• Disaster Recovery Journal reports that two in five
companies are not able to reopen after a disaster
• Gartner Group: information loss is more critical than
hardware failure or loss
• Ontrack Data research indicates that 80% of its data
loss customers regularly back up their data, only to
find the backups less than adequate at the critical
moment they need to restore. Despite technological
advances in the reliability of magnetic storage
media, data loss continues to rise, making data
recovery more important than ever
What Are Potential Disasters?
• External
– Storms (hurricanes, tornados, floods, hail…)
– Accidents (planes, trains, automobiles, hazardous
materials)
– Regional Outages (power, communications…)
– Violence (civil unrest, terrorist acts, bioterrorism…)
• Internal
– Hardware Failures (servers, data stores, cyber
attacks…)
– Accidents (fires, water leaks, electrical…)
– Violence (disgruntled employee, corp. sabotage…)
What Are The Chances?
• Computing Probability of Data Disaster
– Trying to construct a probabilistic model by type
of exposure reaches diminishing returns very
quickly.
– Should a low probability of occurrence in a given
area alter the scope of a BCP Plan?
• Responsible BCP Planning
– Assesses the environment and mitigates the
obvious risks (e.g., servers in a basement in a flood
plain area)
– Hopes for the best, but must plan for the worst.
BCP Is Really Insurance
• What are the critical business functions?
• What are the exposures?
– Financial
– Legal
– Supply chain management
– Customer commitments
• What are the “Recovery Time
Objectives?”
Offsite Backup Tapes
Error Prone
• Media failure and human error
• Which tape is in which box?
• Where is the box?
Slow
• Up to 30 hours before data leaves
building
• 2+ hours to begin restore
• Testing is awkward and difficult
Good backup to your backup
At least use a professional
records management company!
Distributed Data Center
Diagram: the Corporate Data Center (Primary; End User; IBM Storage Area Network) ships database log files and backup files to a Remote Data Center (Backup).
Immediate Business Continuity
Testing is easy
Productive use of investment
- Management Systems
- Report Generation
- Ad Hoc Queries
Electronic Vaulting
• Involves the scheduled movement of “point-in-time” snapshots of data volumes across a
network to a remote location.
• Enables recovery of prior “point-in-time” data
volumes across a network from a remote
location.
• Recoveries could consist of portions of data
volumes (i.e. files or folders) or entire data
volumes.
Current Protection Strategy Model
Diagram: recovery time runs from Instant Recovery (Fault-Tolerance) through Minutes and Hours to Days (Offline/Offsite Data Backup); the Minutes-to-Hours range is the Recovery Gap, and that is where the pressure is.
New Protection Strategy Model
Diagram: the same axis, with eVaulting (warm server, cold server) filling the Minutes-to-Hours range and Tape/Disk covering Days.
Control, Flexibility, Capability
Diagram: an eVault Server in the Data Center serves the Main Office (Corp LAN, Users, Administrator), Remote Offices, Hosted Applications and Redundant Servers (Warm, Cold; NAS) over WAN and Internet links.
E-Vaulting Addresses Restores
Exceeds majority of user restore requirements
Restores begin immediately
Most restores are less than 1GB (80%+ are simple file or folder restore). As a result, the majority of restores can be performed via E-Vaulting over a T1 line in <1 hour.
Chart: cumulative restores annually (hundreds to millions) against size of restore (10MB, 100MB, 1GB, 10GB, 100GB). Restores to the left of the red line can be serviced online immediately by E-Vaulting and regularly take place in < 1 hour over a T1 line across the Internet.
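To check the restore-time claim above, an added Python example (not part of the presentation) computes transfer time over a T1 at line rate and the largest restore that fits a one-hour Recovery Time Objective; the link efficiency parameter and the restore-size sample are constructed assumptions.

```python
"""Check the E-Vaulting slide's claim that most restores complete over a T1 in under an hour.
Added example; the restore sizes below are constructed, not from the presentation."""

T1_BPS = 1_544_000            # T1 line rate, bit/s
MB, GB = 10**6, 10**9
HOUR = 3600

def restore_seconds(size_bytes, link_bps=T1_BPS, efficiency=1.0):
    """Seconds to move size_bytes over a link delivering efficiency * link_bps
    (efficiency < 1 models protocol/encryption overhead; the value is an assumption)."""
    if size_bytes < 0 or link_bps <= 0 or not 0 < efficiency <= 1:
        raise ValueError("invalid restore parameters")
    return size_bytes * 8 / (link_bps * efficiency)

def max_size_within(rto_seconds, link_bps=T1_BPS, efficiency=1.0):
    """Largest restore (bytes) that finishes inside the RTO: the chart's 'red line'."""
    return int(rto_seconds * link_bps * efficiency / 8)

def share_within_rto(sizes, rto_seconds, link_bps=T1_BPS, efficiency=1.0):
    """Fraction of a restore-size sample that e-vaulting can serve inside the RTO."""
    if not sizes:
        raise ValueError("empty sample")
    ok = sum(1 for s in sizes if restore_seconds(s, link_bps, efficiency) <= rto_seconds)
    return ok / len(sizes)

# Constructed sample: mostly single files/folders, a few volume-sized restores
SAMPLE_RESTORES = [5*MB, 20*MB, 50*MB, 120*MB, 300*MB, 450*MB, 600*MB, 2*GB, 10*GB, 100*GB]

if __name__ == "__main__":
    for size in (10*MB, 100*MB, 1*GB, 10*GB, 100*GB):   # the chart's x-axis
        print(f"{size/MB:>8.0f} MB -> {restore_seconds(size)/HOUR:6.2f} h at T1 line rate")
    print("largest restore within 1 h:", max_size_within(HOUR) / MB, "MB")
    print("share of sample within 1 h:", share_within_rto(SAMPLE_RESTORES, HOUR))
```

At T1 line rate a full 1 GB restore needs about 86 minutes, so the one-hour line on the chart falls near 700 MB, and any protocol overhead moves it lower.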
Gartner Group: Key trends
• By year-end 2003, 80 percent of mobile workers will have
at least two computing devices, and 40 percent will have
three.
• Windows CE (PocketPC) will dominate in the industrial
handheld market space.
• Web-enabled phones are widely available; first-generation
content was a curiosity, second-generation useful
• Software complexity will remain the biggest barrier to
mobile productivity.
• Widespread embedded Bluetooth is a 2004 phenomenon.
• Mobile network bandwidth will not be a barrier to
compelling applications.
• Spending on network capabilities will provide more
productivity than spending on processors.
Mobility – PAN, LAN, WAN
Diagram: three wireless tiers.
Personal Area Network (PAN): Bluetooth, <1 Mbit/s, about 10 meters; used for access and synchronization.
Local Area Network (LAN): 802.11b wLAN, <11 Mbit/s, workgroup switches and wireless bridge; used for access, “hot spots”, LAN equivalent.
Wide Area Network (WAN): 9.6 kbit/s to <2 Mbit/s, GPS; used for mCommerce, SMS, Internet access, e-Mail, document transfer, web browsing, low/high quality video, voice.
Security’s Challenges
IT Managers are faced with security challenges for internal and
external environments.
Diagram: Internet (secure the pipe, secure transactions), Extranet, and Intranet (access authentication, protect assets). How large is the backdoor?
Larger picture… the Corporate Network is reached from the Mobile Network, PSTN (RAS Server), PAN, Internet and WLAN (VPN Server); risks shown:
• Repudiation
• Virus and malicious attack risks
• Interception and eavesdropping of channel
• Disturbing or misusing network services
• Unauthorized access to services
• Corruption of data
• Unauthorized access
• Unauthorized manipulation of sensitive data
• Privacy issues
• Spoofing of identity
• Loss of data or injection of unwanted data
Mobile Device Security Issues
• Devices get lost or stolen easily
– Biometrics – fingerprint?
– PC card – smart card?
– Power up Password – can be
bypassed?
– Device based encryption?
• Unique application requirements
– PKI – no WinCE, Palm OS
client yet?
– Limited encryption capability
• Shoulder Surfing
802.11b Wireless Weakness
• Rogue AP
• Compromise of encryption key
• Hardware theft is equivalent to key theft
• Packet spoofing, disassociation attack
• Known plain-text attack
• Brute force attack
• Passive monitoring
Wireless security focus areas
Diagram: four focus areas along the path from devices to applications:
1 – Air transmissions and devices
2 – Mobility across PAN, LAN and WAN (wireless private networks and public networks)
3 – VPN
4 – SSL and applications (traditional security)
Secure Wireless LANs
Diagram: the W-LAN connects to the Corporate Network through a VPN Server.
• WEP
• 802.1x
• WEP2
Secure Wireless WANs
Diagram: the Mobile Network, Internet and PSTN reach the Corporate Network through a RAS Server and a VPN Server.
Device Security
Encrypted File Systems
Authentication
Power-On Password
Fingerprint ID Device
Smart Card Technology
Virus / Malicious Code Scanners
Secure Operating Systems
Physical and Logical Security
Case Locks, Security Screws, Cable
Locks, Drive Locks
Procedural Security
Caution against Shoulder-surfing
Password protection
Specific Security Steps
• Use software firewalls on all PCs such as
Zonealarm, BlackICE, Norton, etc.
• Invest in a physical firewall appliance for all
xDSL ~ cable modem connections
• Participate in DShield firewall log analysis
• Constantly survey your networks / PC with
vulnerability scanners like ShieldsUP
• Have a workable and verified backup and
continuity plan
• Apply OPSec principles to your work and
personal activities
Resource Links
• www.infragard.net
• www.nipc.gov
• www.cert.org
• www.sarc.com
• www.grc.com
• www.dshield.org
• www.trendmicro.com
• www.microsoft.com/security
Join Infragard
• One of the best things you can do to stay
current on security issues and be in the
loop with many professionals from many
industries is to join Infragard
• www.infragard.net
William E. Ott
• Email - [email protected]
• Phone - 919-363-3132
• Web - www.cpcstech.com