Data and Network Security issues


JEMS EMS Today 2004
Saturday March 6, 2004
Data and Network Security:
Guarding Your Data
William E. Ott, MS, Paramedic
CPCS Technologies
www.cpcstech.com
Today’s Data Security Environments Can Be Scary
• Changing Technologies
• Hackers & Extremists
• Loss of Competitive Advantage
• TRUST
• Opportunities for FRAUD
• Viruses & Worms
• “Free” Access for Employees
• New IT Projects
• Outsourcing
• IT System Crashes
Specific Items to Address
• EMS as Information Workers
• Information security risks
– Network
– Wireless
– Voice
– Social engineering
• Information security measures
– Firewall
– IDS
– Antivirus
• Business continuity planning
• Data backup and restoration
EMS following the FedEx lead?
• EMS is following the IT example of FedEx, which transitioned from package delivery with associated information to an information management company with the end result of package delivery
• EMS is following, and should follow, this model: moving from being an emergency response and patient care service with associated information to being an information management agency with the end result being quality patient care.
EMS as Information Workers
• What is involved?
– Electronic patient records
– CAD data pre and post response
– GIS data pre and post response
– System performance data
– Application of performance data to the
continuing education program
– Personnel data
– System / Vehicle data
– Facility/Event preplan data
Threats to Information Systems
• Malicious abuse
• Denial of Service and related attacks
• Virus, Worm, and Trojan attacks
• Outside Hacker attacks
• Theft of service
• Theft of information
• Poorly trained IT staff
• Not staying current with system patches, antivirus definitions, etc.
• Not performing proper system maintenance
• Poor or no backup and contingency plans
Do you have an IT Security Plan?
• Harden and Secure for known issues
• Prepare with policies and education
• Detect intrusions and threats
• Respond to intrusions and threats
• Improve IT security measures and policies
What can happen to my data?
• Lost data or missing data is inaccessible
• Stolen data has been accessed or copied
without authorization
• Inaccurate data was entered incorrectly,
deliberately or accidentally altered, or not
updated
Causes for Concern
• 94%+ of corrupt, compromised, or deleted
data is because of user error, mistake,
hardware failure, or deliberate misuse
• 78%+ of malicious damage to data is
attributed to ‘trusted’ personnel according
to FBI/CERT statistics for 2002
Threats to Productivity
• Spam
– wastes resources
– wastes time
– offensive, dangerous
• Popup ads
– wastes resources
– annoying
• Malicious use of resources
– wastes bandwidth, storage
– violates law and privacy
Threats to Privacy / Confidentiality
• No security plan
• No security training or awareness
• Smart or Meta Tags in shared documents
• Social Engineering
• Unencrypted network
• Unencrypted e-mail
• No firewall
• No antivirus system
• Rogue wireless
• PDAs connecting to network and servers
What is driving improved Security?
• Health Insurance Portability and Accountability
Act (HIPAA)
• Maturation of existing data systems
• Inexpensive to implement security on new data
systems
• It’s the right thing to do
Data Security Issues
• Development of user levels
• Education of users
• Proper use policies
• Improper info via unsecured e-mail
• Intrusion detection systems / scans
• Antivirus protections
Some Security Options
• Virtual Private Networking (VPN)
• Active AntiVirus Screening
• Stateful packet inspection Firewalling
• Proxy servers
• Opt-in e-mail
• Database encryption
• E-mail encryption
• Network / PC security policies
• Two Factor User Authentication
• Aggressive Audit logging and review
Virtual Private Network
• A VPN is defined as a system in which two
or more networks are connected through a
third, untrusted, network.
• The two networks are usually a main office
and a satellite office, and the third network
is usually the Internet.
VPN Diagram
E-mail Security
• E-mail is the most used network application
• Very insecure as Internet developed
• Security has been a low priority for all but a few
• Phil Zimmermann – Pretty Good Privacy (PGP)
• Digital Certificates
• Symmetric or Asymmetric encryption
• Think about opt-in or digital certificates to control spam
Ultimate Goal: Information Control
• Easy to use
– Simple model
– Native environment
• Dependable Security
• Dependable Authentication
• Persistent and Dynamic Control when
applicable
• Use control (copy and print)
• Comprehensive Auditing
• Supports breadth of content types
• Scalable and deployable
Solutions & Suggestions
• Tie security to ROI – what is the competition doing, positive PR, etc. (at minimum tie it to loss mitigation costs)
• Point out that the Privacy Rule & statute mandate sound security practices
• Educate, educate, educate
• Use horror stories judiciously
Solutions & Suggestions
• Present options, accept risk and remain flexible
• Remember brevity with top executives – make your point
quickly and avoid fluff
• Cultivate security advocates within and outside the
organization
• Incorporate a bottom-up approach (i.e., train end users, periodic security announcements to staff, etc.)
Information Security – A Human Behavioral Problem
What Does FBI Say About Companies:
91% have detected employee abuse
70% indicate the Internet as a frequent attack point
64% have suffered financial losses
40% have detected attacks from outside
36% have reported security incidents.
What Do Companies Say:
66% have information security problems
65% were attacked by own employees
51% see information security as a priority
40% do not investigate security incidents
38% have detected attacks that blocked their IT
systems
Only 33% can detect attacks and intrusions
Source: FBI Computer Crime and Security Survey 2001
Source: EY Information Security Survey 2001 - 2002
Causes of Security Incidents
(Bar chart, scale 0% to 60%)
• Employee Awareness – 56%
• Tools/Security Solutions – 44%
• People Skills – 40%
• Budget – 37%
• Management Support – 26%
• Other Reasons – 8%
Source: EY Information Security Survey 2001
Information Security – A Dynamic Process
• Security Policies, Standards, and Procedures
• Risk Analysis
• Identification of Vulnerabilities
• Employee Training, Education, and
Awareness
• Implement strong authentication / encryption
• Use digital signatures & PKI solutions
• Performance Indicators
• Intruder Detection
• Anti-Virus Solutions
• Periodic Security Analyses (especially after the implementation of new IT systems)
• Attack & Penetration Analyses (Ethical Hacking)
• Analysis of IT systems’ logs
• Threat & vulnerability analysis
• Security infrastructure
(Diagram labels: RISK FACTORS; Correction; Data)
• Continuity Plans (BCP/DRP)
• Incident Response Management
• Hot Resources
Attack & Penetration / Profiling
• An ethical hacking and profiling assessment in order to:
– Identify the technical security vulnerabilities and weaknesses
– Develop corrective technical actions
• Focused on multiple access verifications as well as technical and administrative controls.
(Diagram) Assessment areas:
• Internet Security Assess
• Intranet Security Assess
• Extranet Security Assess
• Remote Access Assess
(Diagram) Phases, shown under the labels Attack & Penetration, Threat & Vulnerability, and Security Infrastructure:
• PHASE I – Discover/Scan
• PHASE II – Exploitation
• PHASE III – Host Vulnerability Assessment
• PHASE IV – Administrative Controls Review
What Are Potential Disasters?
• External
– Storms (hurricanes, tornados, floods, hail…)
– Accidents (planes, trains, automobiles, hazardous mat.)
– Regional Outages (power, communications…)
– Violence (civil unrest, terrorist acts, bioterrorism…)
• Internal
– Hardware Failures (servers, data stores, cyber attacks…)
– Accidents (fires, water leaks, electrical…)
– Violence (disgruntled employee, corp. sabotage…)
What Are The Chances?
• Computing Probability of Occurrence
– Trying to construct a probabilistic model by type of exposure reaches diminishing returns very quickly.
– Should a low probability of occurrence in a given area alter the scope of a BCP Plan?
• Responsible BCP Planning
– Assesses the environment and mitigates the obvious risks (e.g., servers in a basement in a flood plain area).
– Hopes for the best, but must plan for the worst.
Data Disaster Facts
• Disaster Recovery Journal reports that two in five companies are not able to reopen after a disaster
• Gartner Group: Information loss is more critical than hardware failure or loss
• Ontrack Data research indicates that 80% of its data loss customers regularly back up their data, only to find those backups less than adequate at the critical moment they need to restore. Despite technological advances in the reliability of magnetic storage media, data loss continues to rise, making data recovery more important than ever
Why Does This Happen
• Systems becoming more complex
• Focus on Backup Not Recovery
• Shrinking Backup Window
• Write-Verify Function Turned Off
• Application/Data Available 24 x 7
Gartner Group: Key trends
• By year-end 2003, 80 percent of mobile workers will have
at least two computing devices, and 40 percent will have
three.
• Windows CE (PocketPC) will dominate in the industrial
handheld market space.
• Web-enabled phones are widely available; first-generation content was a curiosity, second-generation is useful.
• Software complexity will remain the biggest barrier to mobile productivity.
• Widespread embedded Bluetooth is a 2004 phenomenon.
• Mobile network bandwidth will not be a barrier to
compelling applications.
• Spending on network capabilities will provide more
productivity than spending on processors.
Mobility – PAN, LAN, WAN
(Diagram) Three network tiers:
• Personal Area Network (PAN) – Bluetooth
– <1Mbs
– Access
– Synchronization
– 10 Meters
• Local Area Network (LAN) – 802.11b wLAN
– <11Mbs
– Access
– “hot spots”
– LAN equivalent
• Wide Area Network (WAN)
– 9.6 Kbit/s <2Mbs
– mCommerce
– SMS
– Internet access
– e-Mail
– Document transfer
– Web browsing
– Low/high quality video
– Voice
(Other diagram labels: Workgroup Switches; Wireless Bridge; GPS)
Security’s Challenges
IT Managers are faced with security challenges for internal and
external environments.
(Diagram labels)
• Secure Transactions
• Internet, Extranet, Intranet
• Secure the pipe
• Access Authentication
• Protect Corporate Assets
• Friend or Foe?
Technology Introduction
– Extensions and sub-standards
• 802.11a – 5GHz band, 6 - 54Mbit/sec (“WiFi5”)
• 802.11b – 2.4GHz band, 1 - 11Mbit/sec (“WiFi”)
• 802.11c – Bridge Operation Procedures
• 802.11d – Global Harmonization
• 802.11e – MAC Enhancements for QoS
• 802.11f – Inter Access Point Protocol (roaming)
• 802.11g – 2.4GHz band, “20+ Mbit/sec”
• 802.11h – Spectrum Managed 802.11a (European)
• 802.11i – MAC Enhancements for Enhanced Security
Technology Introduction
• What is 802.11?
– 802.11b and 802.11g interoperate
– There are devices that implement 802.11a and 802.11b/g
Technology Introduction
• Security
– WEP – 64 or 128 bit “standard”
• Agere – 152 bit
• US Robotics – 256 bit
– 802.1x EAP
• “Just a framework”
– TKIP
• Temporal Key Integrity Protocol – Rotating Keys
• Vendor specific at this time
– AES
• Long-term solution requiring more horsepower
802.11a/b/g weakness
• Rogue AP
• Compromise of encryption key
• Hardware theft is equivalent to key theft
• Packet spoofing, disassociation attack
• Known plain-text attack
• Brute force attack
• Passive monitoring
Hardware Changes
• Commercial Products
– Many consumer
products are being
used in the
“commercial” arena
Software Changes
• Consumer side
– Plug-N-Play
– Insecure Defaults
– Remain difficult to
configure
• WinXP
– Notifies users of
unsafe networking
Attitude Changes
• Widespread Acceptance
– Trains, Planes, Automobiles and phone
booths
– McDonalds in San Francisco
• $4.95 for 2 hours, or free with food
purchase
Public WLAN Hot Spots Worldwide
                  2002      2003*
Retail outlets    11,109    50,287
Hotels             2,274    11,687
Others             1,369     9,105
Total             14,752    71,079
*Projected
Source: Dataquest Inc., San Jose
Wireless security focus areas
(Diagram with four numbered focus areas; recoverable labels:)
• Devices
• Air Transmissions – PAN, LAN, WAN
• 3 VPN – Private Networks, Public Networks
• 4 Applications – SSL/TLS
• Mobility
• Wireless
• Traditional Security