Securing the World-Wide-Web
P.R. Smith
Academic Computing
NYU School of Medicine
P.R. Smith, September 1997.
NYU Medical Center
Definition
Secure: safe against attack, impregnable, reliable, certain not to fail or give way.
Definition
WWW:
- Transport of information: http, the HyperText Transfer Protocol.
- Information on all the servers connected to the Internet.
Primary Message of this Talk
Success of a WWW site depends on
the integrity of that site, on whether
it is viewed as reliable and secure.
Why do I want a web site?
• Everybody is doing it.
• Impress the CEO.
• I’m not busy enough: I need a hobby.
• My organization has important information to communicate that will improve its ability to do business.
Planning
Who do I want reading my site?
What services will I offer?
How will they be managed?
Who do I want reading my site?
Careful inventory of the site’s potential
readership.
Identify the needs of the groups and the kinds of
information services they will require.
To be successful, a site needs ‘regular’ readers.
What Services will I offer?
What information resources are available
here?
What is available now?
What new materials will need to be developed?
What materials will be available from other locations on the
net? How long will they last?
Management Environment
WWW is an institutional resource
To be successful, the WWW effort needs
support from the highest level.
Mobilize resources.
Senior management can mandate change in the
environment. You probably can’t.
Management
Manage Access
Manage Services
Policy Issues
Control of Physical Access
To machine rooms, lab equipment, stand-alone servers.
Control of Logical Access
SAF, Access via network, Audit trails, Access to Communications.
Data Integrity Control
Separation of duties and function, Verification of data & equipment.
Ethical Issues
Private vs Corporate use, Criminal Activities
Preventive Measures
Backup, Archiving, Encryption, Disaster Recovery.
Security Model
Data Steward
Owns, or is responsible for the Data
Data Custodian
Stores/processes the data
Data User
Internal, External
Data Assessment & Classification
Public; Internal; Restricted; Confidential
Security Monitoring and Audits
Exceptions, Emergencies, Violations, Punishment
Security Policies
Mandated at the Highest Level
Necessary, since they implement the Institution’s vision.
Clearly Stated
As far as possible, written in terms all understand.
Known to All
Establish a single security-conscious culture for ALL data users.
Security Acknowledgement Form
Ubiquitous
Policies apply to all individuals, internal, external
Enforced Consistently
Common process, CEO, faculty, staff, contractors.
pursuit of the defenseless
impeachment of the irreproachable
punishment of the innocent
exculpation of the guilty
promotion of the incompetent
General Principles of Data Security
Collected
appropriately
with accuracy
Protected during Transport and Storage
against damage
against loss
Accessed
only with authorization
Archived
so as to be recoverable
Deleted
so that no trace remains
Audited
so that activity can be traced
Authentication
Identifies individuals uniquely. Allows you to be sure that “Bob” really is “Bob” and not “Joe”. Schemes include simple passwords, one-time passwords, Secure-ID, ‘Kerberos’, fingerprints, retinal scans.
Authorization
Establishes what individuals may do. If you are authenticated as “Bob” you may look at Outpatient Lab billing data, but not the lab results. If you are “Dr. Joe” you may see both.
Audit
Audit logs track creation, modification and access of data and services.
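The Bob / Dr. Joe example above, worked through as an added demonstration (not code from the original talk): authentication against a salted password hash, a role-based authorization table, and an audit log entry for every attempt, granted or denied. The usernames, sample passwords and resource names are constructed for the example.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Constructed user store: each account has a role and a salted PBKDF2 hash of its
# password. The passwords are sample values for this demonstration only.
def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _make_user(role: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"role": role, "salt": salt, "hash": _hash_pw(password, salt)}

USERS = {
    "bob": _make_user("billing_clerk", "bob-sample-pw"),
    "dr_joe": _make_user("physician", "joe-sample-pw"),
}

# Authorization table from the slide: Bob (billing) sees Outpatient Lab billing
# data only; Dr. Joe (physician) sees the billing data and the lab results.
PERMISSIONS = {
    "billing_clerk": {"outpatient_lab_billing"},
    "physician": {"outpatient_lab_billing", "lab_results"},
}

# Audit trail: every access attempt, granted or not, is recorded here.
AUDIT_LOG: list[tuple[str, str, str, str]] = []

def authenticate(user: str, password: str) -> bool:
    """Authentication: is the caller really 'Bob'? Constant-time hash compare."""
    rec = USERS.get(user)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], _hash_pw(password, rec["salt"]))

def authorize(user: str, resource: str) -> bool:
    """Authorization: may this (already authenticated) identity read the resource?"""
    return resource in PERMISSIONS.get(USERS[user]["role"], set())

def access(user: str, password: str, resource: str) -> str:
    """Authenticate, then authorize, and audit the outcome either way."""
    if not authenticate(user, password):
        outcome = "DENIED:authentication"
    elif not authorize(user, resource):
        outcome = "DENIED:authorization"
    else:
        outcome = "GRANTED"
    AUDIT_LOG.append((datetime.now(timezone.utc).isoformat(), user, resource, outcome))
    return outcome
```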
What is “Security” in Relation to the WWW?
• Services offered on the Web are diverse.
• “Security” needs are service-specific.
What “Services” can be offered on the WWW?
• Document Services
Static information. Anonymous client selects links or search parameters.
• Interactive Services
Identifiable information is elicited from the client: registration forms, credit-card payments, on-line examinations, clinical lab results, purchase of movie tickets...
Interactive Services
Professional Advice: Second opinions, treatment options.
Medical Data / Patient Records: Records from other sites
Payment for Services: Pay hospital, doctor, therapist, HMO ....
Services: Some Basic Issues
Who owns them?
Individual? Department? Third Party?
Where are they hosted?
Institutional Server? Department Server? Student Dorm?
Who gets to see them?
Everybody? Just this site? A limited group? Nobody?
Who decides?
Me? My boss? The web committee? The lawyer?
How do you resolve CONFLICT?
Shoot them all?
Management Team
Institution-specific
Oversight Committee
Webmaster
Web Technician / Associate Webmaster
Graphic Designer
Programmer
Systems Manager
WWW Security Issues
Accuracy of the information
Integrity of the server
Secure CGI programs
Secure Java/Script applets
Secure transport to client
Bug-free browser
Selective management of ‘cookies’
Sensible, honest, user.
Document Security
Document/Information Accuracy
Who may create a document?
What are update policies? Does a document expire?
How does a reader know to trust the information?
Signed documents.
Disclaimers.
Access control (by location, password)
Integrity of the Server
Access to the server is tightly controlled:
only authorized individuals can make document changes.
Rigorous password policies. NFS access.
Secure CGI and Java/Script
Careful design and testing to detect security defects.
Secure Transport to Client
Are Networks Safe?
Yes. And no. There are no absolutely clear answers.
Decision requires a risk assessment by the Institution.
Result depends on the perceived risks and the
tools available to manage them.
Is the Internet Safe for Medical Data?
Yes. And no.
Review tools that enhance secure data transport.
SSL, https
Phone system. School Buses.
Secure Client
Is your Browser Secure?
Yes. For the most part, browsers (Netscape / Explorer) are
secure. However, there are known bugs in some versions.
Few people are diligent in obtaining the latest fixes.
What about ‘Cookies’?
‘Cookies’ are data left by a server to allow ‘you’ to be identified next time you connect.
Users
Users are dishonest. They steal. They lie. They take your
‘stuff’ and pretend it is their own. They treat confidences as
gossip. They are the root of all evil.
Risk Assessment
Evaluate Current Practices. What are people actually doing? Who actually reads records? Do they need to? Does it matter?
Distinguish Policy and Actual Practice. Sure, you have a policy that medical records not leave the floor: so why is the attending walking down the street with those files? How are you to deal with that?
Consistent Policy. You can’t protect one area and leave another wide open. This is a significant problem with electronic records. It is useless to have triple passwords on the computer and allow anyone to walk into the records room.
The ‘Mediæval’ Security Model
[Diagram labels: Small Walled Town, Highway, Cross-Roads, Homestead, Walled City, City Gate, Hamlet. Highway Robbers - outside; Footpads/Pickpockets - inside.]
‘Firewalls’ and ‘Proxys’
Firewall: Stands between two networks and limits connections between the
‘inside’ and the ‘outside’. Usually, between your net and the Internet, but
sometimes between different parts of a single corporate net.
Proxy: Allows web users to access the Internet without having direct access.
The proxy server passes requests out and redirects packets that return.
[Diagram: Firewall/Proxy standing between the local network and the Internet]
Security Assumption
Inside my ‘Walled City’ I’m Safe
In principle, I should have more control over users, network access
and desktops. In fact, this may not be true.
Outside, I’m Vulnerable.
There is a concern that network traffic outside is vulnerable to theft.
In fact data ‘on the Internet’ is probably much safer.
Vulnerability arises again as soon as packets enter someone else’s
local network.
Packet ‘Sniffers’
‘Sniffer’ sees all packets on the local Ethernet segment.
[Diagram: a sniffer and three nodes on one shared Ethernet segment]

A Switched Network Defeats ‘Sniffers’
The switch sends data to each node separately. Nodes don’t see each other’s data.
[Diagram: a switch connecting the sniffer and three nodes, each on its own port]

Defeat ‘Sniffers’ with Encrypted Traffic
‘Sniffer’ sees all packets, but can’t read any of them.
[Diagram: a sniffer and three nodes on one shared Ethernet segment carrying encrypted traffic]

Encryption
Encryption protects data by scrambling it in a recoverable way. ‘Strong’ encryption is hard (maybe impossible) to ‘crack’ with a computer. ‘Weak’ encryption is easier.
Private Key Encryption. A single key (string of characters) is used to encrypt and to decrypt a message. To be secure, the private key has to be a secret shared by the people who share the encrypted information.
Public Key Encryption. Keys are used in pairs: one is used to encrypt a message, the other to decrypt it. One key is called the ‘public’ key and is distributed freely. The ‘private’ key is kept secret, known to a single individual.
Key length. Lengths are counted in ‘bits’. Messages encrypted with long keys (>56 bits) are hard to crack.
Public Key Encryption: Establishing Trust
Public Key Certificate - associates a given public key with an individual (or a role) through the signature of a trusted authority.
PGP: “Web of trust”. I trust this key because I trust Joe and Fred who signed the key. Good for e-mail, but scales poorly.
X.509: A trusted certifying authority signs keys (Verisign, AT&T). Used for the Web, scales well, but many certificates are worthless.
E-Mail
Used widely for message exchange.
Plain-text E-mail messages are not secure. SMTP transfers mail in multiple ‘hops’ to destination. Mail can be viewed at each one. Postmasters get ‘bounced’ messages.
[Diagram: message path from Origin to Destination through several hops]
Solution: Mail packages that allow end-to-end encryption of messages and attachments.
Management issue: Postmaster must be an Institutionally trusted individual.
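An added example, not part of the original talk, that makes the hop exposure above visible: it parses the Received: headers of a constructed message to list the relays that handled it (each of which could read a plain-text body) and reports zero readable hops when the body is end-to-end encrypted (PGP/MIME content types). Host names, addresses and message ids are made up for the example.

```python
import email
import re
from email import policy

# Constructed sample message. Each relay that accepted the message prepended a
# 'Received:' header, so the newest hop is on top. Hosts are made up for this example.
SAMPLE_MESSAGE = """\
Received: from relay2.example.org (relay2.example.org [192.0.2.20])
    by mail.destination.example with ESMTP id C3D4E5;
    Tue, 16 Sep 1997 10:03:12 -0400
Received: from relay1.example.net (relay1.example.net [192.0.2.10])
    by relay2.example.org with SMTP id B2C3D4;
    Tue, 16 Sep 1997 10:02:58 -0400
Received: from origin.example.com (origin.example.com [192.0.2.5])
    by relay1.example.net with SMTP id A1B2C3;
    Tue, 16 Sep 1997 10:02:41 -0400
From: sender@origin.example.com
To: recipient@destination.example
Subject: Lab results
Content-Type: text/plain

This body is readable at every hop listed above.
"""

# Content types that mean the body is encrypted end to end (PGP/MIME).
ENCRYPTED_TYPES = {"multipart/encrypted", "application/pgp-encrypted"}

def relay_hops(raw_message: str) -> list[str]:
    """Hosts that accepted the message, in transmission order (origin side first)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = []
    for received in msg.get_all("Received", []):
        text = " ".join(str(received).split())     # unfold the header
        match = re.search(r"\bby\s+(\S+)", text)   # the relay names itself after 'by'
        if match:
            hops.append(match.group(1))
    return hops[::-1]                              # headers are newest first

def exposure_report(raw_message: str) -> dict:
    """How many hops could read the body? All of them unless it is end-to-end encrypted."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = relay_hops(raw_message)
    encrypted = msg.get_content_type() in ENCRYPTED_TYPES
    return {"hops": hops, "end_to_end_encrypted": encrypted,
            "hops_that_can_read_body": 0 if encrypted else len(hops)}
```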
Who Owns Patient Records?
Professional Records are owned by the professional who collects
them, either personally or as an agent of an institution.
Who can Access Patient Records?
The Patient: can always get access, albeit with difficulty in some cases.
Payor: as a part of an audit has access to establish quality of care.
Many non-professionals have anecdotal access as a part of their
job functions (unit clerks, finance clerks, phlebotomists, ...)
Who Doesn’t have Access?
Just about everyone else: e.g. Hospitals require consent to
transfer records between institutions.
Medical Data Repository
Database that holds Consolidated Medical Data from many patients
Benefits:
• Facilitates communication between in- and out-patient caregivers
• Facilitates longitudinal care for patients
• Provides key information in an emergency situation
• Provides data to help establish the ‘state-of-the-art’
• A resource to compare quality of care, care-giver by care-giver.
Risks:
• Many, poorly authenticated or erroneously authorized accesses
• Catastrophic loss of the repository can be a disaster for patient care.
• Data may be missed due to physician reluctance to key-in the data.
Why do some people find a Computerized Medical Record Really Scary?
A large-scale attack with the loss of large amounts of
data can be hard to detect on a compromised computer,
and it will take place really QUICKLY. In the worst
case, it can be mounted from anywhere in the world.
A similar attack to seize paper records on the same
scale may require a truck. You should be able to spot
the truck.
What is ‘Dangerous’ Information
‘Dangerous’ is defined by the individual
> Broad consensus on many items: House keys, SSN, ATM PIN.
> Disagreement on other items: Gay? HIV+? Marriages? Abortions? Cholesterol? BP? Mental illness? Substance abuse history? Genetic profile?
> People want to choose
How do you lose control?
> ‘Publication’. You tell someone. A really good friend.
> Inference. You’re sick and are seen visiting a physician who
specializes in HIV. You visit your probation officer.
> Observation. You take Prozac (Anxiety), Atenolol (HTN)....
> Someone gets hold of personal records.
Risks to Privacy
> Friends and family
> Colleagues
> Employers
> Insurance Companies
> Landlords
> Coop Boards
How do I protect myself and my Patients?
Simple Security Measures can make a Significant Difference
Users need unique, robust passwords
Shared passwords, stupid passwords and passwords that get guessed
have been the source of all the MC’s break-ins (that we’ve detected).
Users must subscribe to your security goals
Protect their passwords, change them regularly, never share,
disconnect from authorized services when finished, and report
issues that suggest a security violation.
Education / Training
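An added example (not from the original talk) that turns the password rules above into a checker: it flags short, common, username-derived or single-class passwords, passwords already in use by another account (the ‘shared’ case), and passwords overdue for a change. The common-password list, the account store with its sample passwords, and the 90-day period are assumptions.

```python
import hashlib
import os
import re

# Constructed list of 'stupid' passwords; a real deployment would use a large
# dictionary. MAX_AGE_DAYS is an assumed rotation period (the slide gives none).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}
MAX_AGE_DAYS = 90

def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _stored(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _hash_pw(password, salt)

# Constructed account store: username -> (salt, hash). Sample passwords only.
ACCOUNTS = {"alice": _stored("Crocus-Fence-88!"), "carol": _stored("Summer1997")}

def shared_with(password: str, accounts: dict) -> list[str]:
    """Accounts in the store already using this password (a 'shared' password)."""
    return sorted(u for u, (salt, h) in accounts.items() if _hash_pw(password, salt) == h)

def password_problems(username: str, password: str, age_days: int = 0,
                      accounts: dict = ACCOUNTS) -> list[str]:
    """Policy rules the password breaks; an empty list means it passes."""
    problems = []
    lowered = password.lower()
    if len(password) < 10:
        problems.append("too short")
    if lowered in COMMON_PASSWORDS:
        problems.append("common password")
    if username.lower() in lowered:
        problems.append("contains username")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]"))
    if classes < 3:
        problems.append("too few character classes")
    others = {u: v for u, v in accounts.items() if u != username}  # skip own account
    if shared_with(password, others):
        problems.append("shared with another account")
    if age_days > MAX_AGE_DAYS:
        problems.append("not changed in the last 90 days")
    return problems
```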
Greatest Exposure from Individuals in Positions of Trust.
Network Manager, Systems Manager,
Webmaster, Programmers, Secretary
Ask for HELP!
Central site
Colleagues at other Institutions
Read the Literature
Employ a Consultant
Summary
Supportive Administration
Realistic policies for security and the Web
Create a culture that supports security
Motivated, technically competent staff
A commitment to development & change
Acknowledgements
Bob Holzman, Loren Buhle, Bruce Kraus, Carey Ramos, Marty Nachbar,
Mark Selby, Anton Saarimaki, Stuart Brown, Suzy Gottesman, Frieda Pavel,
Roy Smith, Marc Waldman, Libby Flanagan
Art
Lucas Cranach the Elder, The Martyrdom of St. Barbara, oil on wood,
Metropolitan Museum of Art, New York.
http://www.yawp.com/cjackson/cranach1/p-cran1-12.htm
Hieronymus Bosch, The Last Judgment (left and right panels), oil on panel
(triptych); Akademie der Bildenden Künste, Vienna.
http://watt.emf.net/wm/paint/auth/bosch/judge/
Support
Provided by the NSF, and the NIH through NYU’s GCRC grant.