Presentation is loading. Please wait.

Presentation is loading. Please wait.

I NFORMATION T ECHNOLOGY S ECURITY S ERVICES Mobile Device Security Dr. Charles J. Antonelli Information Technology Security Services School of Information.

Similar presentations


Presentation on theme: "I NFORMATION T ECHNOLOGY S ECURITY S ERVICES Mobile Device Security Dr. Charles J. Antonelli Information Technology Security Services School of Information."— Presentation transcript:

1 I NFORMATION T ECHNOLOGY S ECURITY S ERVICES Mobile Device Security Dr. Charles J. Antonelli Information Technology Security Services School of Information The University of Michigan 2008

2 I NFORMATION T ECHNOLOGY S ECURITY S ERVICES Roadmap Introduction: Securing private data Threats to data Securing data Demonstration 2

3 I NFORMATION T ECHNOLOGY S ECURITY S ERVICES Demo participation Laptop  Windows with Admin authority tNative boot, or tVia VMware Server or Player  No network connectivity required Flash drive  Lexar Jump Drive Secure II tMAIS logo optional 3

4 I NFORMATION T ECHNOLOGY S ECURITY S ERVICES Demo prerequisites Required  Basic Windows user skills Nice to have  Windows Power User or better  System administration experience 4

5 I NFORMATION T ECHNOLOGY S ECURITY S ERVICES Meet the instructor Research in distributed systems, file systems, and security At U-M Center for Information Technology Integration since 1989  Faculty in SI & EECS Teaching  ITS 101 Theory and Practice of Campus Computer Security  SI 630 Security in the Digital World, SI 572 Database Applications Programming  EECS 280 C++ Programming, 482 Operating Systems, 489 Computer Networks; ENGR 101 Programming and Algorithms; SI 654 Database Applications Programming  DCE Internals, SHARE UNIX filesystem tours, … Research  Advanced packet vault  SeRIF secure remote invocation framework 5

6 I NFORMATION T ECHNOLOGY S ECURITY S ERVICES Meet the class Name Unit How many GB do you have on mobile devices? How many of those GB are sensitive data? 6

7 I NFORMATION T ECHNOLOGY S ECURITY S ERVICES Introduction

8 I NFORMATION T ECHNOLOGY S ECURITY S ERVICES 8 Motivation Protecting the confidentiality, integrity, and availability of the University information assets is not only good business … … it is required by federal and state laws and by contractual requirements

9 I NFORMATION T ECHNOLOGY S ECURITY S ERVICES Information Security Regulations Family Educational Rights and Privacy Act (FERPA) Gramm-Leach-Bliley Act (GLBA) Health Insurance Portability and Accountability Act (HIPAA) Payment Card Industry Data Security Standard (PCI- DSS) State Notification Laws Sarbanes-Oxley Act (SOX) Federal Information Security Management Act (FISMA) 9

10 I NFORMATION T ECHNOLOGY S ECURITY S ERVICES 10 Private Personal Information What is PPI?  Information that can be used to individually identify, contact, or locate a person, or may enable disclosure of this information  Aggregation may expose PPI – name and home address; SSN and bank account number; unique name and date of birth Requirements relating to PPI  Non-public (“sensitive”) information that can be linked to an individual must be appropriately protected and handled on a “need to know” basis tUnauthorized disclosure of non-public PPI may harm an individual or the University tRegulatory requirement Data Classification Guidelines https://www.itss.umich.edu/umonly/dataClass.php https://www.itss.umich.edu/umonly/dataClass.php

11 I NFORMATION T ECHNOLOGY S ECURITY S ERVICES PPI Examples (GLBA) Social Security Number Credit Card Number Account Numbers Account Balances Any Financial Transactions Tax Return Information Driver’s License Number Date/Location of Birth 11

12 I NFORMATION T ECHNOLOGY S ECURITY S ERVICES PPI Examples (FERPA) Grades / Transcripts Class lists or enrollment information Student Financial Services information Athletics or department recruiting information Credit Card Numbers Bank Account Numbers Wire Transfer information Payment History Financial Aid Grant information / Loans Student Tuition Bills Ethnicity Advising records Disciplinary records 12

13 I NFORMATION T ECHNOLOGY S ECURITY S ERVICES PPI Examples (HIPAA) Patient Names Street Address, City, Country, Zip Code Dates related to individuals Phone Numbers Social Security Number Account Numbers Patient admission date Patient discharge date Medical record number Patient number: Facility assigned Unique patient number: ORS assigned Procedure dates Carrier codes (Insurance/HMO Name) Patient zip ‐ code Health care professional ID Health care facility ID Fax number Health plan beneficiary numbers Email addresses Internet Protocol Address Numbers (IP addresses) Web Universal Resource Locators (URLs) Device identifiers and serial numbers Certificate/License numbers Vehicle identification numbers and serial numbers Full face photographic images and any comparable images Biometric identifiers such as finger and voice prints Any other unique identifying number, characteristic, or code. 13

14 I NFORMATION T ECHNOLOGY S ECURITY S ERVICES Threats to data 14

15 I NFORMATION T ECHNOLOGY S ECURITY S ERVICES Threats Fundamental threats  Loss of data  Compromise of data Basic vulnerabilities  To the data  To the device where the data reside  To the data in transit 15

16 I NFORMATION T ECHNOLOGY S ECURITY S ERVICES Threats to data Type of data  Patient  Administrative  Research  Image Threats  Corruption  Compromise  Online (malware)  Lost encryption key  ITAR/outlawed encryption 16

17 I NFORMATION T ECHNOLOGY S ECURITY S ERVICES Threats to mobile devices Devices  Laptops/tablets  Flash drives  PDAs  Cell phones  Digital cameras Threats  Loss  Coercion  Confiscation  Theft 17

18 I NFORMATION T ECHNOLOGY S ECURITY S ERVICES More motivation Date Made Public NameType# Records Aug 4, 2008 Arapahoe Coll, CO Lost/stolen flash drive 15,000 Aug 5, 2008TSAStolen laptop33,000 Aug 7, 2008 Harris Co Hosp, TX Lost/stolen flash drive 1,200 Aug 28, 2008Reynoldsburg SDStolen laptop4,259 Aug 30,2008RITStolen laptop13,800 Sep 9, 2008PittStolen laptopUnknown Sep 12, 2008TSULost flash drive9,000 Sep 30, 2008New York CityLost tapes3,600 Oct 7, 2008UNDStolen laptop84,000 Oct 7, 2008Charleston, WVStolen laptop535 18 http://www.privacyrights.org/ar/ChronDataBreaches.htm

19 I NFORMATION T ECHNOLOGY S ECURITY S ERVICES Securing Data 19

20 I NFORMATION T ECHNOLOGY S ECURITY S ERVICES Countermeasures Protect data at rest  Encryption Protect data in transit  Encryption Protect the mobile device  Physical security http://safecomputing.umich.edu/MDS/ 20

21 I NFORMATION T ECHNOLOGY S ECURITY S ERVICES Protecting data at rest Data in permanent storage  Disk, tape, flash, optical Standards-based solution:  Strong symmetric encryption tAccept no substitutes Issue: key management  Key distribution  Key escrow 21

22 I NFORMATION T ECHNOLOGY S ECURITY S ERVICES 22 Secret-Key (Symmetric Encryption) P CC P kk sender receiver encryptiondecryption EkEk DkDk Alice Bob

23 I NFORMATION T ECHNOLOGY S ECURITY S ERVICES Protecting data at rest Free & built-in encryption:  Windows tBitlocker tEncrypting File System (EFS)  Mac OS X tEncrypted disk image (Disk Utility) tFileVault  Linux tTrueCrypt (some assembly required) 23

24 I NFORMATION T ECHNOLOGY S ECURITY S ERVICES Protecting data at rest Some suggested third-party products:  Pointsec for PC and Pointsec for Pocket PC: Encryption software for PCs and Pocket PC devices. File, folder and full disk encryption.  SecureDoc and SecureDoc PDA: Encryption software for PCs and Pocket PC devices. File, folder and full disk encryption  DESlock+: File and folder encryption for PCs.  NMS for PC: File, folder and disk encryption for PCs.  PKWARE SecureZIP: File and folder encryption for PCs and Unix/Linux.  SafeBoot: File, folder and disk encryption for PCs.  PGP Desktop: File, folder (and optionally, disk encryption on PCs) encryption for PCs, Macs, and Unix/Linux.  GNU Privacy Guard (http://www.gnupg.org/)http://www.gnupg.org/ http://www.stanford.edu/group/security/securecomputing/mobile_devices.html 24

25 I NFORMATION T ECHNOLOGY S ECURITY S ERVICES Protecting data in transit Free & built-in encryption  VPN tCisco VPN client (ITCom) tMac OS X VPN client  SSH & SCP tSSH Secure Shell (U-M Blue Disk)  Data encryption tSee “protecting data at rest” 25

26 I NFORMATION T ECHNOLOGY S ECURITY S ERVICES Protect the mobile device Secure the device  Lock it up, lock it down, out of sight Secure the data on the device  Password protect a laptop  Remote wiping of data tDataDefense (Iron Mountain)  Data encryption tSee “protecting data at rest” Be aware of travel-related restrictions  Exporting crypto (ITAR)  Inpection & confiscation 26

27 I NFORMATION T ECHNOLOGY S ECURITY S ERVICES Demonstration

28 I NFORMATION T ECHNOLOGY S ECURITY S ERVICES Securing data on Flash Drives Encrypted container on the flash drive Software on flash drive encrypts and decrypts data in the container on the fly User-supplied password Demonstration: Lexar Jump Drive Secure II http://www.safecomputing.umich.edu/tools/download/se curityshorts_encrypt_thumbdrive.pdf

29 I NFORMATION T ECHNOLOGY S ECURITY S ERVICES 29 Questions?


Download ppt "I NFORMATION T ECHNOLOGY S ECURITY S ERVICES Mobile Device Security Dr. Charles J. Antonelli Information Technology Security Services School of Information."

Similar presentations


Ads by Google