Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secure Computing Practices Karl Rademacher Director of Security, BSD.

Published byElijah Golden Modified over 8 years ago

Similar presentations

Presentation on theme: "Secure Computing Practices Karl Rademacher Director of Security, BSD."— Presentation transcript:

1 Secure Computing Practices Karl Rademacher Director of Security, BSD

2 Agenda Introduction to Computer Security A Primer on Phishing “Top 10 List” of Good Computing Security Practices How to: – Create a good password – Encrypt sensitive information – Protect your operating system 2

3 Introductions Karl Rademacher Director of Information Security, BSD –2016: Director of Information Security of the Biological Sciences Division –2015: Managed CDIS Information Security, ensuring compliance with NIST 800-53 Cyber Security Framework –2003-2014: Managed Global eDiscovery, Litigation Support, Forensic Analysis, email archival services, and incident response at Aon Corporation.

4 BSD Information Security Office Mission: Enable and protect the BSD research and academic enterprise. Enable Consult, train and support staff by providing cyber security expertise to: compete for research grants advance research empower academics Protect Implement, monitor and manage security solutions to: safeguard information mitigate cyber risks detect adverse cyber attacks

5 BSD Information Security Office - Services ServiceDescription IT Security Incident Response Detect, respond to cyber security events and assist departments in investigating and coordinating appropriate responses for IT security incidents, in collaboration with ITS and CBIS information security offices, General Counsel, and the HIPAA Program Office. Security MonitoringProvide real-time analysis of logs and alerts from security devices, network infrastructure, servers, and other key assets by certified security experts. Security Awareness and Training Provide security awareness educational materials, including printed materials, online learning modules, presentations, and security product demonstrations for faculty, staff, and researchers. IT Policy & StandardsCreate, review, and maintain documentation to support information security policies, standards, and guidelines that align with appropriate regulations and industry best practices. IT Security and Risk Consulting Provide consultation to help BSD units respond to security assessment findings; resolve information technology risks, threats, and vulnerabilities; and implement adequate risk mitigation measures. Risk Management and Compliance Provide guidance and tools for implementing process controls on IT-related activities to meet compliance requirements, including support for internal or external audit inquiries related to BSD IT security controls. Firewall ManagementProvide full lifecycle management and monitoring of firewall appliances, including hardware and software components required to provide firewall services.

6 What is Computer Security and why is it important? Computer Security allows the University to carry out its mission by: Enabling staff and students to carry out their jobs, education, and research Protecting personal and sensitive information Supporting critical business processes Computer Security is the protection of computing systems and the data that users store or access. 6

7 7 Good Computing Security Practices follow the “90 / 10”Rule: 10% of security safeguards are technical 90% of security safeguards rely on the computer user (“YOU”) to adhere to good computing practices Example: The lock on the door is the 10%. You remembering to lock the door, checking to see if it’s closed, ensuring others do not open the door, and keeping control of the key is the 90%. Why do you need to learn about Computer Security?

8 Ignoring Computer Security leads to security breaches and regulatory fines In 2014 more than 1,500 data breaches occurred nationwide, compromising 1 billion personal records. The Office for Civil Rights has been levying HIPAA fines: Nine settlements since June 1, 2013 have totaled more than $10 million. Examples: – $1,725,220 against Concentra Health Services for an unencrypted laptop that had been stolen from one of its facilities. – $250,000 against QCA Health Plan, Inc. after an unencrypted laptop containing personal health information was stolen from an employee's car. 8

9 Phishing is Threat to Privacy and Security Email attacks, commonly known as “phishing attacks,” have become one of the primary attack methods used by cyber- criminals. Phishing attacks use social engineering techniques to trick employees into divulging personal information, clicking on risky links or taking some other ill-advised actions. Phishing attacks are one of the most effective means of instigating a data breach today. Most major security breaches happen not because of super- sophisticated hacker attacks, but because everyday people fall to phishing attacks. In the 2015 Data Breach Investigations report, published by Verizon, more than two-thirds of incidents start with a phishing attack. Every Day, 516 unique phishing attacks. 156 million phishing emails are sent. 15.5 million make it through email filters. 8 million are opened. 800 thousand click on the phishing links. 80 thousand users fall victim.

10 Phishing is Threat to Privacy and Security (cont’d) The average 10,000-employee company spends $3.7 million a year dealing with phishing attacks*. Employees waste 4.16 hours on average a year on phishing scams (47% of the cost). 27 percent of the costs was the risk of having to respond to a data breach caused by a compromised credential. 10 percent was the direct costs of addressing compromised credentials 9 percent was the risk of a data breach caused by malware 7 percent were the direct costs of containing malware. Cost of a breach including regulatory fines and penalties are the biggest threat vectors: The University of Washington Medical Center (UWM) incurred a $750,000 penalty from the Office for Civil Rights (OCR) for a breach that started with a phishing email attack. Phishing EventsTotal per eventCost per employee Cost to contain malware$208,174$22 Cost of malware not contained$338,098$35 Productivity losses from phishing$1,819,923$191 Cost to contain credential compromises$81,920$9 Cost of credential compromises not contained$1,020,705$107 Total extrapolated cost$3,768,820$395 * Source: Ponemon Institute, 2015 State of Endpoint Risk Report.

11 Example – Recent Phishing Attack Email sent to staff last week Employees redirected to fake website Clicking on the link …

12 "Top 10 List" of Good Computing Security Practices everyone can take to protect computers and data. 1.Password protect your computer and portable devices. 2.Choose good passwords and keep them secret and secure 3.Encrypt any ePHI or PII stored on portable devices or media 4.Keep your operating system patched and up-to-date 5.Install anti-virus and keep it up-to-date 6.Turn on your computer firewall 7.Lock up your devices or take them with you 8.Do not respond to anyone asking you for your password 9.Securely delete ePHI and PII when it is no longer needed 10.Back up critical information 12

13 Password protect your computer and portable devices Creating a good password Combine 2 unrelated words -> Mail + phone = m@!lf0n3 A good password has at least 12 characters = m@!lf0n-2015 Use a password or passphrase manager, such as LastPass to help manage multiple passwords/passphrases LastPass is free for students and can be downloaded from LastPass.com. The table below shows how fast your password can be guessed by a hacker: PatternCalculationResultTime to Guess 8 chars: lower case alpha26 8 2x10 11 < 1 second 8 chars: alphanumeric62 8 2x10 14 3.4 min 8 chars: all keyboard95 8 7x10 15 2 hours 12 chars: alphanumeric62 12 3x10 21 96 years 13

14 ePHI = Electronic Protected Health Information (Personal + Health) – Medical record number and/or account number with SSN – Patient demographic data (e.g. address, date of birth, date of death, sex, e-mail, etc.) – Dates of service (e.g. date of admission, discharge, etc.) – Medical records, reports, test results, or appointment dates PII = Personally Identified Information (Personal only) – Individual’s name, SSN, driver’s license number, or credit card account numbers – Health insurance policy number, subscriber ID, application or claims Encrypt any ePHI and PII stored on portable devices or media 14

15 Encryption vs. Passwords Having a password does not necessarily mean something is encrypted. –Passwords by themselves do not scramble the information. If something is only “password protected,” it is not enough protection - someone could bypass the password and read the information. Original Password Protected Encrypted 15

16 The table below shows the time and costs for handling security incidents for lost and stolen devices. 16 Encrypted Device with ePHI/PII Unencrypted Device with ePHI/PII Unencrypted Device without ePHI/PII Incident DescriptionUser’s computer stolen from his/her car. Device had ~400 patient records. User forgot laptop in cab. Device had ~400 patient records. User left tablet on plane. Device had no patient health information. Investigation time (combined hours for incident response team – legal, HR, IT, security, etc.) 1 Hour50 hours35 hours Security Forensics Costs$ 0$ 2,000$ 800 Reputation Damage Costs$ 0Priceless$ 0 Encryption saves the University both time and money

17 Encryption Solutions TypeEncryption SolutionsCost/ImpactPurpose AppleFilevault 2 Free ; native security feature; easy setup; vendor-supported; AES 128 encryption for data protection; can store recover key with Apple; well- documented install guide. Encrypt the contents of your entire drive. Solution will work for personally-owned and BSD-owned laptops. WindowsBitLocker* Free ; native security feature; AES 128-bit and 256-bit; some hardware dependencies. Encrypt the contents of your entire drive. Solution will work for personally-owned and BSD-owned laptops. * To use BitLocker, your laptop must be equipped with a Trusted Platform Module (TPM) chip, and it must be enabled. 17

18 Encryption Solutions (Cont’d) TypeEncryption SolutionsCost/ImpactPurpose Files/ Volumes AxCrypt Free; has native versions for both Windows and Apple; uses strong compliant encryption. Creates secure disk images and files for data sharing via email, cd or cloud External Storage Aegis Secure USB Key $65; unlocks with onboard PIN pad; 256-bit AES hardware-based encryption; PIN activated 7-15 digits -Alphanumeric keypad. Secures the transport of data, documents, and presentations Apple Phone/ Tablet IOS Free; native security feature, enabled by default with the use of passcode; vendor-supported; AES 128 encryption; can store recover key with Apple; well-documented install guide. Encrypts the content of the device; solution will work for personally- owned and BSD-owned devices. Android Phone/ Tablet Android Free; native security feature; easy setup; vendor-supported; AES 128 encryption; well-documented install guide. Encrypts the content of the device; solution will work for personally- owned and BSD-owned devices. 18

19 A firewall acts as a wall between your computer/private network and the internet. A firewall prevents hackers from entering your computer through the internet. Turn on your firewall 1.Open System Preferences. 2.Click the Security or Security & Privacy icon. 3.Select the Firewall tab. 4.Click the lock icon, then enter an administrator name and password. 5.Click the Firewall Options button. 1.Open Windows Firewall by clicking the Start button, and then clicking Control Panel. 2.In the left pane, click Turn Windows Firewall on. 3.Click Turn on Windows Firewall under each network location, and then click OK. 19 HOW TO

20 Vendors regularly issues patches or updates to solve security problems in their software. Computers can be set up to automatically download and install updates. When they are not applied, it leaves your computer vulnerable to hackers. Keeping your operating system patched and up-to-date 1.Open Windows Update. 2.Tap or click Choose how updates get installed. 3.Under Important updates, choose install updates every day. 4.Under Recommended updates, select the Give me recommended updates the same way I receive important updates check box. 1.Choose System Preferences from the Apple menu. 2.Click App Store. 3.Select Automatically check for updates. 20 HOW TO

21 Resources & References BSD Information Security Office – http://security.bsd.uchicago.edu http://security.bsd.uchicago.edu BSD HIPAA Program Office – http://hipaa.bsd.uchicago.edu http://hipaa.bsd.uchicago.edu Apple Encryption – FileVault 2 – http://support.apple.com/kb/ht4790 http://support.apple.com/kb/ht4790 Windows Encryption - BitLocker – http://windows.microsoft.com/en-us/windows-vista/bitlocker-drive- encryption-overview http://windows.microsoft.com/en-us/windows-vista/bitlocker-drive- encryption-overview Files/Volumes Encryption – AxCrypt – http://www.axantum.com/axcrypt/ http://www.axantum.com/axcrypt/ External Storage Encryption – Aegis Secure Storage – http://www.apricorn.com/aegis-secure-key.html http://www.apricorn.com/aegis-secure-key.html 21

Download ppt "Secure Computing Practices Karl Rademacher Director of Security, BSD."

Similar presentations

ANNUAL SECURITY AWARENESS TRAINING – 2011 UMW Information Technology Security Program Annual Security Awareness Training for UMW Faculty and Staff.

ANNUAL SECURITY AWARENESS TRAINING – 2011 UMW Information Technology Security Program Annual Security Awareness Training for UMW Faculty and Staff.
INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
HIPAA Regulations What do you need to know?.

HIPAA Regulations What do you need to know?.
Encryption – First line of defense Plamen Martinov Director of Systems and Security.

Encryption – First line of defense Plamen Martinov Director of Systems and Security.
Invasion of Smart Phones in Clinical Areas Chrissy Kyak Privacy Officer University of Maryland Upper Chesapeake Health.

Invasion of Smart Phones in Clinical Areas Chrissy Kyak Privacy Officer University of Maryland Upper Chesapeake Health.
1 Electronic Information Security – What Researchers Need to Know University of California Office of the President Office of Research May 2005.

1 Electronic Information Security – What Researchers Need to Know University of California Office of the President Office of Research May 2005.
Data Security for Healthcare Facilities Debbie Abbott Health Information Consultant Resolutions (Int) Pty Ltd.

Data Security for Healthcare Facilities Debbie Abbott Health Information Consultant Resolutions (Int) Pty Ltd.
Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.

Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Presented by: Luke Speed Computer Security. Why is computer security important! Intruders hack into computers to steal personal information that the user.

Presented by: Luke Speed Computer Security. Why is computer security important! Intruders hack into computers to steal personal information that the user.
Security Controls – What Works

Security Controls – What Works
DATA SECURITY Social Security Numbers, Credit Card Numbers, Bank Account Numbers, Personal Health Information, Student and/or Staff Personal Information,

DATA SECURITY Social Security Numbers, Credit Card Numbers, Bank Account Numbers, Personal Health Information, Student and/or Staff Personal Information,
Small Business Security By Donatas Sumyla. Content Introduction Tools Symantec Corp. Company Overview Symantec.com Microsoft Company Overview Small Business.

Small Business Security By Donatas Sumyla. Content Introduction Tools Symantec Corp. Company Overview Symantec.com Microsoft Company Overview Small Business.
Security Computing Practices Plamen Martinov Chief Information Security Officer.

Security Computing Practices Plamen Martinov Chief Information Security Officer.
Website Hardening HUIT IT Security | Sep 30 2011.

Website Hardening HUIT IT Security | Sep
Company LOGO Copyright Carrie Kerskie Data Breach & Identity Theft By Carrie Kerskie Kerskie Group, Inc.

Company LOGO Copyright Carrie Kerskie Data Breach & Identity Theft By Carrie Kerskie Kerskie Group, Inc.
External Threats to Healthcare Data Joshua Spencer, CPHIMS, C | EH.

External Threats to Healthcare Data Joshua Spencer, CPHIMS, C | EH.
Protecting Sensitive Information PA Turnpike Commission.

Protecting Sensitive Information PA Turnpike Commission.
Security Squad Keeping your Equipment and Information Safe Security Squad Keeping your Equipment and Information Safe Security Squad Video Series, Part.

Security Squad Keeping your Equipment and Information Safe Security Squad Keeping your Equipment and Information Safe Security Squad Video Series, Part.
1 Managed Security. 2 Managed Security provides a comprehensive suite of security services to manage and protect your network assets –Managed Firewall.

1 Managed Security. 2 Managed Security provides a comprehensive suite of security services to manage and protect your network assets –Managed Firewall.

Similar presentations

Ads by Google