OFFICE OF CYBER INFRASTRUCTURE AND COMPUTATIONAL BIOLOGY This project has been funded in whole or in part with Federal funds from the Division of AIDS.

Slide 1: Securing DAIDS Clinical Research Information
Office of Cyber Infrastructure and Computational Biology (OCICB), Division of AIDS and NIAID. Version 3.0.
DAIDS Regional Training Event, Johannesburg, South Africa, August 2012.
Presenters: Gregory Garecki (Senior Information Technology Security Analyst); John Quarantillo (CRSS (Westat), Senior Systems Analyst).
Funding: This project has been funded in whole or in part with Federal funds from the Division of AIDS (DAIDS), National Institute of Allergy and Infectious Diseases, National Institutes of Health, Department of Health and Human Services, under contract No. HHSN272201200009C, entitled NIAID HIV and Other Infectious Diseases Clinical Research Support Services (CRSS).

Slide 2: Introduction: Gregory Garecki
- Background: Over 15 years in Information Technology (IT) and Security
- Experience: Securing information resources, detecting and responding to security threats, auditing information systems
- Current Role: Senior IT Security Analyst at NIH

Slide 3: Introduction: John Quarantillo
- Background: 26 years in IT
- Experience: Over 10 years in Information Security & Assurance
- Industries: Health Studies, Pharmaceutical, Medical Devices
- Current Role: Senior Systems Analyst at Westat; IT Manager for the NIAID HIV and Other Infectious Diseases Clinical Research Support Services (CRSS) Contract

Slide 4: Audience Response System (ARS)
- Respond to questions
- Change an answer
- Responses are anonymous
- The question cue is on the preceding slide
- Ensure the remote is on by pressing and holding the "On/Off" button
- Please leave remotes on the tables
(Remote labels: "Choose your answer"; "Send or change your answer")

Slide 5: Audience Response System (ARS) (cont'd)
When a virus infects a computer and destroys part of a file, making that file's data inaccurate, it is an example of:
A. Loss of Confidentiality
B. Loss of Integrity
C. Loss of Availability

Slide 6: Audience Response System (ARS) (cont'd)
The criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords, and financial information by masquerading as a trustworthy entity is called _____.

Slide 7: Objectives
Workshop participants will be able to:
- Understand clinical research security risks with regard to data, software, hardware, and networks
- Articulate risk-based information security goals
- Secure clinical research information responsibly by raising awareness and learning how to act as a human sensor

Slide 8: Pre-Assessment

Slide 9: Pre-Assessment 1
The goals of Information Security are to:
A. Protect research data
B. Protect confidentiality, integrity, and availability of information to support mission objectives
C. Prevent criminal activity and theft of sensitive data by hacking into the attackers' systems
D. Help clinical site/laboratory managers monitor their staff members' computer usage and support mission objectives

Slide 10: Pre-Assessment 2
You have been working hard transferring Case Report Forms (CRFs) to the Data Management Center (DMC) when you receive an email from the DMC asking you to provide your system password to verify your identity. What should you do?
A. Open the email to confirm whether or not it is suspicious and then provide the requested information
B. Call the number you have for the DMC to verify the request
C. Forward the email to all of your peers
D. Read the email and reply to the sender to confirm your email address and receipt of the email

Slide 11: Pre-Assessment 3
Your investigator sends you an urgent email asking you to forward a particular study participant's CRF, which details an interesting Serious Adverse Event (SAE). What do you do?
A. Send an email with the CRF attached
B. Copy the CRF to a CD, USB drive, or other device and mail it to the investigator
C. Print and fax the requested document to your investigator
D. None of the above

Slide 12: Pre-Assessment 4
While you are working, a message suddenly pops up stating your system is infected with a virus and provides a link to software for removing this virus. What do you do?
A. Click on the link to download the software, install, and run it since you are being responsible about security
B. Do nothing and report this to the clinical site/laboratory managers with a copy of the message if possible
C. Download the software and share with everyone on the team so they can also remove viruses from their computers
D. Do nothing; ignore the message and forget about it

Slide 13: Pre-Assessment 5
The person sitting next to you on a flight is overwhelmed and asks you if they can use your laptop to charge their phone so they can call their child who is in the hospital as soon as they land. What should you do?
A. Say yes so the person can contact their sick child
B. Say no because you need the laptop's remaining battery power to finish your work
C. Say no because you do not know what effect this device might have on your computer
D. Say yes on the condition that you finish your work first

Slide 14: Ice Breaker
Discuss the most common IT security issues facing your site.

Slide 15: Classic Information Security
Diagram: the three goals Confidentiality, Integrity, and Availability surrounding Data/Information.

Slide 16: Examples: Loss of Confidentiality
- Using another person's password to log on to a system
- Allowing a co-worker to use a secure system to which he/she should not have access after you have logged on
- An unencrypted laptop containing sensitive clinical information about the company and/or personal information is stolen or sold, and the information is accessed
- Sharing or copying information without proper authorization (e.g., over the phone or by email)

Slide 17: Examples: Loss of Integrity
- A virus infects a computer, corrupting parts of a file and thereby making it inaccurate
- Input errors while entering sensitive patient information into a database
- An automated process that is not correctly written and/or validated processes bulk updates to the database, possibly altering data
- An employee accidentally or with malicious intent deletes important patient clinical information

Slide 18: Examples: Loss of Availability
- Failure to back up data on a regular basis, combined with loss of integrity or hardware failure
- Lack of bandwidth due to excessive media streaming
- Equipment failures during normal use
- An employee accidentally or with malicious intent deletes important patient clinical information

Slide 19: The Parkerian Hexad
- Confidentiality
- Possession or control
- Integrity
- Authenticity
- Availability
- Utility
Source: http://www.mekabay.com/overviews/index.htm

Slide 20: What Constitutes Clinical Data Risk?
Diagram: Clinical Data Risk arises from Vulnerability, Opportunity, and Exploit. Clinical data at risk: email and other documents, participant contact information, clinical trial results, and Case Report Forms.

Slide 21: A Few Top Exploits
- Microsoft Remote Desktop: the 2012 Remote Desktop Protocol (RDP) bug that can allow remote code execution.
- Adobe PDF-Embedded Social Engineering: the idea is that you can embed and execute the most popular social engineering-style module.
- Java AtomicReferenceArray: this may be the first Java exploit that "just works" against all platforms for the vulnerable versions of Java.
Source: https://community.rapid7.com/community/metasploit/blog/2012/05/22/10-hottest-metasploit-exploit-and-auxiliary-modules-in-april

Slide 22: Impact to Clinical Research
Why does clinical data risk matter?
- Research participant privacy and safety
- Organizational reputation and integrity
- Damage containment and litigation costs

Slide 23: Let's take a break!

Slide 24: Clinical Risk Mitigation Techniques
- Deliver annual security awareness training to create human clinical risk sensors.
- Develop automated tools and technologies that minimize opportunities and detect exploits.
- Report security incidents immediately and respond with sound security procedures.

Slide 25: Clinical Risk Mitigation Techniques (cont'd)
- Schedule clinical data backups; store the backup data offsite in a secure manner.
- Verify that software is secure before and after download and installation.
- Apply current software patches as quickly as possible when they are made available.

Slide 26: Risk Mitigation Techniques: Data Backup and Uninterruptible Power Supply (UPS) Usage

Slide 27: Risk Mitigation: Data Backup
Always back up your data/information following a defined method and schedule. Develop procedures that describe:
- Person responsible for backups
- What to back up
- Time and frequency of backups
- Where to back up
- How to back up

Slide 28: Risk Mitigation: Data Backup (cont'd)
Comparison grid (cell values not reproduced in the transcript) of backup options, Network-Attached Storage (NAS), Online Storage, and Removable Storage, against: ease of access to files, managing accounts, secure file storage/transfer, file restore, and automation.

Slide 29: Risk Mitigation: Data Backup Practices
Good data backup practices:
- Develop and frequently test backup strategies
- Verify successful completion and integrity of backups
- Define a media rotation scheme
- Perform trial restorations
- Maintain a backup log
- Train appropriate personnel
- Secure devices and media
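Several of the practices on slides 25 and 29 (verify software before installing it, verify that a backup completed intact, perform trial restorations, maintain a backup log) can be made mechanical with file hashes. The Python script below is an added example and not part of the DAIDS deck or of any tool it names; the directory layout, file names and file contents are constructed sample data, and the JSON-lines backup log format is an assumption.

```python
"""Added example (not from the DAIDS slides): build a SHA-256 manifest of a
backup set, verify a copy against it, check a download against a published
checksum, and keep a backup log. All file names and contents are constructed."""
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 64 * 1024  # stream files in 64 KiB pieces so large archives fit in memory


def sha256_of_file(path):
    """Hex SHA-256 digest of one file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (path relative to root, '/' separated) to its digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of_file(full)
    return manifest


def verify_backup(root, manifest):
    """Compare a backup copy against the manifest taken from the source.
    Returns lists of missing, modified and unexpected files; all empty means the
    copy is complete and intact (the 'trial restoration' check of slide 29)."""
    current = build_manifest(root)
    missing = sorted(p for p in manifest if p not in current)
    unexpected = sorted(p for p in current if p not in manifest)
    modified = sorted(p for p in manifest
                      if p in current and not hmac.compare_digest(current[p], manifest[p]))
    return {"missing": missing, "modified": modified, "unexpected": unexpected}


def verify_download(path, published_sha256):
    """Slide 25: check a downloaded installer against the checksum the vendor
    publishes. Only meaningful if the published value came from a trusted channel."""
    return hmac.compare_digest(sha256_of_file(path), published_sha256.lower())


def append_backup_log(log_path, source, result):
    """Append one JSON line per run: when, what was backed up, and whether it verified."""
    entry = {"time": datetime.now(timezone.utc).isoformat(), "source": source,
             "ok": not any(result.values()), **result}
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def demo():
    """Constructed scenario: back up two files, corrupt one copy, verify both states."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = os.path.join(tmp, "crf_data"), os.path.join(tmp, "backup")
        os.makedirs(os.path.join(src, "site01"))
        os.makedirs(os.path.join(dst, "site01"))
        files = {"site01/crf_0001.csv": b"pid,visit\n1001,baseline\n",
                 "readme.txt": b"constructed sample backup set\n"}
        for rel, data in files.items():          # identical source and backup copies
            for base in (src, dst):
                with open(os.path.join(base, rel), "wb") as f:
                    f.write(data)
        manifest = build_manifest(src)
        clean = verify_backup(dst, manifest)
        download_ok = verify_download(os.path.join(dst, "readme.txt"), manifest["readme.txt"])
        # Simulate silent corruption of the backup copy: a loss of integrity.
        with open(os.path.join(dst, "site01/crf_0001.csv"), "ab") as f:
            f.write(b"1002,corrupt\n")
        corrupted = verify_backup(dst, manifest)
        append_backup_log(os.path.join(tmp, "backup.log"), src, corrupted)
        return clean, corrupted, download_ok


if __name__ == "__main__":
    print(demo())
```

Running the script prints the clean result, then the result after the simulated corruption, which names the altered file. A hash comparison detects accidental or malicious modification of the copy but says nothing about the source being correct when the manifest was taken, so the manifest should be written at backup time and stored with the backup log, not regenerated from the copy being checked.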

Slide 30: Risk Mitigation: UPS Usage
Benefits:
- Offers protection from power outages/interruptions (brownout/sag, line noise)
- Enables clean shutdown
- Minimizes data corruption/loss
- Minimizes hardware failure
- Offers surge/spike protection
Note:
- Battery power is available only for a minimum length of time
- Check regularly (monthly)
Source: Wikipedia (http://www.wikipedia.org/)

Slide 31: Risk Mitigation Technique: Password Management

Slide 32: What is your Password IQ?
Source: SANS Institute Security Newsletter for Computer Users, February 2010

Slide 33: Password IQ
How often should you change your password?
A. Every 30 days
B. Every 60 days
C. Every 90 days
D. When IT tells you to

Slide 34: Password IQ (cont'd)
One of your co-workers is working on a critical report this weekend and needs access to some of your files. How should you give her your password?
A. Send it in an email message
B. Call her on the phone and tell her the password
C. Don't give it to her or anybody else
D. Write it on a piece of paper, seal it in an envelope, and mail it to her

Slide 35: Password IQ (cont'd)
What is the most common password?
A. Password
B. 123456
C. Qwerty
D. abc123
Source: PC Magazine

Slide 36: Password IQ (cont'd)
What characters should you use in a password to make it strong?
A. Letters (lower and upper case)
B. Numbers
C. Special characters (~!@#$%^&*)
D. All of the above

Slide 37: Password IQ (cont'd)
How long should a strong password be at the minimum?
A. Five characters
B. Eight characters
C. As long as possible
D. Size doesn't matter

Slide 38: Create Strong Passwords
- Use passphrase passwords that are easy to remember and difficult to guess, yet conform to system constraints.
- Use passwords without personally identifiable information (PII) or other sensitive data.
- Use different passwords for different purposes to limit the risk of exposing multiple sites when one password is compromised.

Slide 39: Password Entropy
Source: http://xkcd.com/936/
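Slide 39 cites xkcd 936, whose point is that four common words chosen at random (about 44 bits of entropy from a 2048-word list) are both easier to remember and harder to guess than a short password with symbol substitutions. The Python below is an added example, not from the slides: it computes the entropy ceiling of a character password from the character classes it uses, the entropy of a passphrase drawn uniformly from a word list, and the time needed to exhaust that space at the comic's assumed rate of 1,000 guesses per second. The eight-word list is a constructed placeholder; the 2048-word list size and the guess rate are assumptions taken from the comic.

```python
"""Added example (not from the slides): password versus passphrase entropy in
the style of xkcd 936, plus a CSPRNG-based passphrase generator (slide 38)."""
import math
import secrets
import string

# Constructed miniature word list for illustration only; a real generator would
# draw from a published list of several thousand words (e.g. the 7776-word
# Diceware list), since entropy per word is log2(list size).
WORDLIST = ["correct", "horse", "battery", "staple", "lamp", "river", "orange", "quiet"]

CHARSETS = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32
}


def alphabet_size(password):
    """Size of the combined character pool covering every class the password uses."""
    return sum(len(chars) for chars in CHARSETS.values()
               if any(c in chars for c in password))


def password_entropy_bits(password):
    """Upper bound for a character password: length * log2(alphabet size).
    A human-chosen password such as 'Tr0ub4dor&3' has far less real entropy,
    because the base word is in a dictionary and the substitutions are
    predictable; this value is the ceiling a truly random string would reach."""
    n = alphabet_size(password)
    return len(password) * math.log2(n) if n else 0.0


def passphrase_entropy_bits(n_words, wordlist_size):
    """Entropy of n_words picked uniformly and independently from a list."""
    return n_words * math.log2(wordlist_size)


def generate_passphrase(n_words=4, words=WORDLIST, sep=" "):
    """Pick words with the secrets module (a CSPRNG), never random.choice."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def years_to_exhaust(bits, guesses_per_second=1000.0):
    """Years to try every candidate at a given online guess rate
    (1000/s is the rate xkcd 936 assumes for a remote web service)."""
    return (2 ** bits) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ["Tr0ub4dor&3", "password", "correct horse battery staple"]:
        print(f"{pw!r}: ceiling {password_entropy_bits(pw):.1f} bits")
    bits = passphrase_entropy_bits(4, 2048)
    print(f"4 random words from 2048: {bits:.0f} bits, "
          f"about {years_to_exhaust(bits):.0f} years at 1000 guesses/s")
    print("sample passphrase:", generate_passphrase())
```

The character-class ceiling is deliberately generous: it is what a system enforcing "all of the above" character rules (slide 36) could achieve only if every character were random. The passphrase figure is exact for words chosen by the generator, which is why the slide 38 advice favours memorable passphrases over short complex strings.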

Slide 40: Keep Your Passwords Safe
- Do not share passwords with ANYONE (including IT support).
- Change a password immediately if you suspect it has been compromised, shared with another person, or stolen (even if it was encrypted).
- Do not store passwords in easily accessible places or in close proximity to your computer.

Slide 41: Remember...

Slide 42: Activity
Write down examples of passwords you would use for the following:
- Personal email
- Banking website
- Social network account

Slide 43: Risk Mitigation Technique: Portable Device Security
Source: Defense Intelligence Agency

Slide 44: Portable Device Security
Examples of portable devices:
- Smart phones
- Laptops
- Tablets (Apple iPad, Motorola Xoom, etc.)
- Storage devices (flash drives, iPod, portable hard drives)
Portable device vulnerabilities and threats:
- Ease of access to device/data
- Loss/theft
- Increasing amounts of sensitive data stored
- Increasing capabilities (web browsing, applications)
- Blurring lines between personal and business use

Slide 45: Portable Device Security (cont'd)
- Use a strong personal identification number (PIN), password, or passphrase to protect the information stored on your device.
- Limit browsing to well-known and trusted sites. Use secure sockets layer (SSL) encryption for browsing and webmail whenever possible.
- Use encryption for sending sensitive information when using an untrusted network.
- Keep operating system/firmware and applications up to date.
- Exercise caution when opening links and downloading attachments.
Source: www.securingthehuman.org

Slide 46: Portable Device Security (cont'd)
- Encrypt sensitive data stored on devices (e.g., PointSec for PC and FileVault for Mac).
- Install anti-malware (virus, spyware, etc.) software and update definitions frequently.
- Update the operating system and installed applications as recommended by vendor notifications.
- Do not use a privileged account to browse the internet; always use a standard account for non-privileged tasks.
- Use a physical lock, when possible, to secure devices.
Source: www.securingthehuman.org

Slide 47: Portable Device Security (cont'd)
- Turn on the auto-lock/screensaver feature so the system times out after a period of inactivity.
- Require a password when the device resumes from the screensaver.
- Install software that enables retrieval and/or remote wipe of the device if it is lost or stolen.
- Disable Wi-Fi, Bluetooth, and other optional services when not in use.
- Only install applications you need, and only from trustworthy sources.
- Do not connect personal devices to employer systems unless approved.
Source: www.securingthehuman.org

Slide 48: Portable Device Security (cont'd)
- Attach an ID label (with minimal information, e.g., contact number or email) to the back of the portable device with alternate contact information in case it is lost.
- Back up the device regularly.
- Erase all confidential information before disposing of a portable device.
- Ensure the portable device is permitted by your employer's policies and any regulatory guidelines applicable to your industry.
- Read the documentation and terms of service for each software application before you install it.
Source: www.securingthehuman.org

Slide 49: Exploit Example
The next set of slides reviews a popular exploit, its impact, and ways to avoid becoming a victim.

Slide 50: Spear Phishing Exploit
Phishing: the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords, and financial information by masquerading as a trustworthy entity. Phishing messages usually appear to come from a large and well-known company or website with a broad membership base.

Slide 51: Spear Phishing Exploit (cont'd)
Spear phishing: spear phishing targets a specific organization, seeking unauthorized access to confidential data, and appears to come from a trusted source. In the case of spear phishing, the apparent source of the email is likely to be an individual within the recipient's own company, and generally someone in a position of authority.

Slide 52: Spear Phishing Exploit (cont'd)
How many of you have ever:
- Received an email asking for your username and password, or linking you to a site where you are to log in?
- Responded with the requested information?
- Questioned the legitimacy of the email and reported it to someone?
- Created user accounts similar to those used for your research systems?

Slide 53: Exploit Walkthrough: Spear Phishing Exploit
- Register a domain similar to a trusted source
- Obtain targets:
  - List of course attendees (insider information)
  - Research information about the training to tailor the email message
  - Access sample email from hacking into an attendee's email
- Create email survey and send to attendees

Slide 54: Phishing Awareness
Source: www.mindfulsecurity.com
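The walkthrough on slide 53 starts with registering a domain similar to a trusted source, so one concrete awareness check a site can automate is to compare the sender domain of incoming mail against the short list of domains it actually trusts (its DMC, its network's IT group) and flag near misses for a human to verify by phone, as slide 10 recommends. The Python below is an added example, not from the slides or from any product; the trusted domains, the sample From: headers, and the lookalike domains are constructed, and the edit-distance threshold of 2 is an assumption.

```python
"""Added example (not from the slides): flag sender domains that resemble, but
are not, a trusted domain. Trusted domains and sample messages are constructed."""
import re

TRUSTED_DOMAINS = {"dmc-example.org", "niaid-example.gov"}  # constructed placeholders


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header):
    """Domain of the address in a From: header, with or without angle brackets."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    return addr.rsplit("@", 1)[-1].lower()


def classify_domain(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return 'trusted', 'lookalike' or 'other'.

    Trusted: the domain itself or a subdomain of it (mail.dmc-example.org).
    Lookalike: a trusted domain embedded in an unrelated one
    (dmc-example.org.untrusted-example.net) or within max_distance edits of one
    (dmc-exarnple.org, where 'rn' imitates 'm')."""
    if domain in trusted:
        return "trusted"
    for t in trusted:
        if domain.endswith("." + t):
            return "trusted"
    for t in trusted:
        if t in domain or levenshtein(domain, t) <= max_distance:
            return "lookalike"
    return "other"


# Constructed sample messages: one genuine, two lookalikes, one unrelated.
SAMPLE_MESSAGES = [
    {"from": "Data Management Center <support@dmc-example.org>", "subject": "CRF batch received"},
    {"from": "DMC Helpdesk <verify@dmc-exarnple.org>", "subject": "Verify your password"},
    {"from": "DMC Survey <survey@dmc-example.org.untrusted-example.net>", "subject": "Training survey"},
    {"from": "newsletter@unrelated-example.com", "subject": "Weekly digest"},
]


def triage(messages):
    """(subject, sender domain, verdict) for every message whose sender is not trusted."""
    flagged = []
    for msg in messages:
        domain = sender_domain(msg["from"])
        verdict = classify_domain(domain)
        if verdict != "trusted":
            flagged.append((msg["subject"], domain, verdict))
    return flagged


if __name__ == "__main__":
    for subject, domain, verdict in triage(SAMPLE_MESSAGES):
        print(f"{verdict:9s} {domain:40s} {subject}")
```

A lookalike verdict is a triage signal, not proof: the substring and edit-distance rules will also catch harmless coincidences, and they say nothing about a message sent from a genuinely compromised trusted account. Both cases end the same way the slides prescribe, with the human sensor verifying the request out of band rather than replying to the email.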

Slide 55: Phishing Awareness (cont'd)
Table: how each browser displays a Not Secure versus a Secure connection (columns: Browser, Not Secure, Secure; the cells were address-bar screenshots and are not reproduced in the transcript).
- Chrome (Version 21)
- Firefox (Version 14)
- Internet Explorer (Version 8)

Slide 56: Activity
- List five things you can do to protect sensitive clinical research data.
- List five things you should avoid that may impact data security.

Slide 57: Let's take a break!

Slide 58: Scenarios
The next set of slides reviews six scenarios and the question sets that go along with each scenario. Read and discuss each scenario and its associated questions with the members of your table or the people sitting near you. Be prepared to discuss with the larger group suggestions for reducing the chance of each scenario happening at your site. The text for each scenario is in your handout.

Slide 59: Scenario 1: Laboratory Information Management System (LIMS) Server Upgrades
While upgrading the LIMS server, an unvalidated source was used to obtain the updates since there was no full-time technical staff member to provide the required software. During the upgrade, a window popped up stating that the system's antivirus software was out of date and to use the displayed link to update the system. The name on the window matched the antivirus software in use, so the laboratory manager went ahead and clicked on the link to update the system. A few days after completing the upgrade, several users complained about their systems being slow and crashing sporadically. A week later, the LIMS server and several other systems crashed.

Slide 60: Scenario 1 Discussion Questions
1. What is wrong? What are some possible causes?
2. Which Information Security Goal is compromised?
3. What could be done to resolve these problems?
4. What could have been done differently to prevent these problems from happening?

Slide 61: Scenario 2: Researcher Loses Clinical Research Data
A scientist relies on his USB drive as his primary data storage. He often backs up data to another system but believes in having the most recent files on the USB drive in case he needs them. As a result of this, and also because he does not want to deal with the hassle of remembering to back up the data, he lets a period of time go by before he backs up the data. A visiting researcher wants to share study results, and the scientist loans the researcher his USB drive. Afterwards, the scientist connects the USB drive back to his system to view the files, but his system crashes, and when he powers back on he realizes he has lost all the data on the computer and the USB drive.

Slide 62: Scenario 2 Discussion Questions
1. What happened?
2. Which Information Security Goal is compromised?
3. What is the potential impact and cost of such a loss?
4. What could have been done to prevent this from happening?

Slide 63: Scenario 3: Data Managers Sharing USB Drives
Several data managers within a site were sharing a single USB drive for transferring CRFs. At some point, a virus was introduced to the USB drive and spread to the other systems, including the shared network storage drive, overwriting data files and their extensions (e.g., all documents were changed to .exe, a file type that is used to run a program/application).

Slide 64: Scenario 3 Discussion Questions
1. Why did this happen?
2. Which Information Security Goal is compromised?
3. What are some potential impacts?
4. How can this be avoided in the future?

Slide 65: Scenario 4: Inappropriate Use of Resources
The Champions League is on during the time you are in the laboratory. At first you are disappointed that you will have to miss it, but then your friend sends you a link to a website that streams the game and bypasses the website access restrictions. You send this link to several colleagues who you know also share your passion for the game. During the tournament, you and the others you shared the link with are watching the game and using a significant amount of network resources. At some point, several researchers begin complaining about how slow the network is and how it is impacting their online research and email access.

Slide 66: Scenario 4 Discussion Questions
1. What is happening here?
2. Which Information Security Goal is compromised?
3. Who is responsible, and what is the impact?
4. How can this be avoided in the future?

Slide 67: Scenario 5: Use of Authorized and Unauthorized Software and/or Devices
After a year of hard work, a researcher was finally approved for funding for IT system purchases. She went to the local computer shop and unknowingly purchased several laptops with a home edition operating system and pirated applications. Excited, she distributed the laptops to her staff. One of her more technical staff practiced good security and immediately tried to update the versions of the installed software applications. However, he received an error from the vendor indicating the application could not be updated. Furthermore, since it was a home edition operating system, they later discovered the laptops could not be connected to the enterprise network domain.

Slide 68: Scenario 5 Discussion Questions
1. What is the problem here?
2. Which Information Security Goal is compromised?
3. What are some potential impacts of using unlicensed and pirated software in the workplace?
4. How could a similar situation be avoided in the future?

Slide 69: Scenario 6: Compromised Passwords
Johnson has been out of the office all week attending a regional training event. One of Johnson's colleagues needs to access files on his computer in order to complete a project that is due. Johnson knows he will not be able to return to the office before the deadline, so to help his colleague retrieve the file he emails his password credentials to his colleague.

Slide 70: Scenario 6 Discussion Questions
1. What could happen because of this?
2. Which Information Security Goal is compromised?
3. What is the potential impact?
4. How can this be avoided in the future?

Slide 71: Site-Specific Information Security Questions

Slide 72: Conclusion
Workshop participants should now be able to:
- Understand clinical research security risks with regard to data, software, hardware, and networks
- Articulate risk-based information security goals
- Secure clinical research information responsibly by raising awareness and learning how to act as a human sensor

Slide 73: Post-Assessment

Slide 74: Post-Assessment 1
The goals of Information Security are to:
A. Protect research data
B. Protect confidentiality, integrity, and availability of information to support mission objectives
C. Prevent criminal activity and theft of sensitive data by hacking into the attackers' systems
D. Help clinical site/laboratory managers monitor their staff members' computer usage and support mission objectives

Slide 75: Post-Assessment 2
You have been working hard transferring CRFs to the DMC when you receive an email from the DMC asking you to provide your system password to verify your identity. What should you do?
A. Open the email to confirm whether or not it is suspicious and then provide the requested information
B. Call the number you have for the DMC to verify the request
C. Forward the email to all of your peers
D. Read the email and reply to the sender to confirm your email address and receipt of the email

Slide 76: Post-Assessment 3
Your investigator sends you an urgent email asking you to forward a particular study participant's CRF, which details an interesting SAE. What do you do?
A. Send an email with the CRF attached
B. Copy the CRF to a CD, USB drive, or other device and mail it to the investigator
C. Print and fax the requested document to your investigator
D. None of the above

Slide 77: Post-Assessment 4
While you are working, a message suddenly pops up stating your system is infected with a virus and provides a link to software for removing this virus. What do you do?
A. Click on the link to download the software, install, and run it since you are being responsible about security
B. Do nothing and report this to the clinical site/laboratory managers with a copy of the message if possible
C. Download the software and share with everyone on the team so they can also remove viruses from their computers
D. Do nothing; ignore the message and forget about it

Slide 78: Post-Assessment 5
The person sitting next to you on a flight is overwhelmed and asks you if they can use your laptop to charge their phone so they can call their child who is in the hospital as soon as they land. What should you do?
A. Say yes so the person can contact their sick child
B. Say no because you need the laptop's remaining battery power to finish your work
C. Say no because you do not know what effect this device might have on your computer
D. Say yes on the condition that you finish your work first

Slide 79: Appendix A: Information Security and Assurance Action Plan
Instructions: Use the template on the next slide as a tool to help generate an action plan for your network. Go through the handout for references that may help you in completing this template. A few questions to consider while developing the plan:
- What are your biggest vulnerabilities?
- What/who are your biggest threats?
- What can you change today that will improve your security?
- How do you think you can influence your colleagues, and who would be the best person to contact?

Slide 80: Appendix A (cont'd)
Action plan template grid: columns Products, Personnel, Policies & Procedures; rows Plan, Do, Check, Act.
Note: This Action Plan Template is only a tool and not a requirement mandated by DAIDS.

