Data and Network Security: Guarding Your Data
JEMS EMS Today 2004, Saturday March 6, 2004
William E. Ott, MS, Paramedic, CPCS Technologies, www.cpcstech.com

Today's Data Security Environments Can Be Scary
- "Free" access for employees
- Opportunities for fraud
- IT system crashes
- Outsourcing
- Changing technologies
- Hackers and extremists
- New IT projects
- Viruses and worms
- Loss of competitive advantage
- TRUST
Headlines and statistics:
- Hacker forces Lloyd's of London to close web site – Jan 2001
- Security lapse closes Barclays' online bank – August 2000
- One survey found that 90 percent of sampled businesses had experienced computer breaches in a 12-month period, up from 62 percent in the previous year – March 2001
- On average, 60% of organisations have suffered a security breach in the last two years
- Malicious code attacks had a $13.2 bn economic impact in Jan 2002
- The number of e-mails containing viruses detected by a leading scanning service rose above the one in 400 mark – August 2001

Specific Items to Address
- EMS as information workers
- Information security risks
  – Network
  – Wireless
  – Voice
  – Social engineering
- Information security measures
  – Firewall
  – IDS
  – Antivirus
- Business continuity planning
- Data backup and restoration

EMS Following the FedEx Lead?
EMS is following the IT example of FedEx, which transitioned from a package delivery company with associated information to an information management company whose end result is package delivery. EMS is, and should continue, following this model: from an emergency response and patient care service with associated information to an information management agency whose end result is quality patient care.

EMS as Information Workers: What is involved?
- Electronic patient records
- CAD data pre- and post-response
- GIS data pre- and post-response
- System performance data
- Application of performance data to the continuing education program
- Personnel data
- System / vehicle data
- Facility/event preplan data

Threats to Information Systems
- Malicious abuse
- Denial of service and related attacks
- Virus, worm, and Trojan attacks
- Outside hacker attacks
- Theft of service
- Theft of information
- Poorly trained IT staff
- Not staying current with system patches, antivirus definitions, etc.
- Not performing proper system maintenance
- Poor or no backup and contingency plans

Do You Have an IT Security Plan?
- Harden and secure for known issues
- Prepare with policies and education
- Detect intrusions and threats
- Respond to intrusions and threats
- Improve IT security measures and policies

What Can Happen to My Data?
- Lost or missing data is inaccessible
- Stolen data has been accessed or copied without authorization
- Inaccurate data was entered incorrectly, deliberately or accidentally altered, or not updated

Causes for Concern
- 94%+ of corrupt, compromised, or deleted data is because of user error, mistake, hardware failure, or deliberate misuse
- 78%+ of malicious damage to data is attributed to "trusted" personnel, according to FBI/CERT statistics for 2002

Threats to Productivity
- Spam
  – wastes resources
  – wastes time
  – offensive, dangerous
- Popup ads
  – wastes resources
  – annoying
- Malicious use of resources
  – wastes bandwidth, storage
  – violates law and privacy

Threats to Privacy / Confidentiality
- No security plan
- No security training or awareness
- Smart or meta tags in shared documents
- Social engineering
- Unencrypted network
- Unencrypted e-mail
- No firewall
- No antivirus system
- Rogue wireless PDAs connecting to network and servers

What Is Driving Improved Security?
- Health Insurance Portability and Accountability Act (HIPAA)
- Maturation of existing data systems
- Inexpensive to implement security on new data systems
- It's the right thing to do

Data Security Issues
- Development of user levels
- Education of users
- Proper use policies
- Improper information sent via unsecured e-mail
- Intrusion detection systems / scans
- Antivirus protections

Some Security Options
- Virtual Private Networking (VPN)
- Active antivirus screening
- Stateful packet inspection
- Firewalling
- Proxy servers
- Opt-in e-mail
- Database encryption
- E-mail encryption
- Network / PC security policies
- Two-factor user authentication
- Aggressive audit logging and review

Virtual Private Network
A VPN is defined as a system in which two or more networks are connected through a third, untrusted, network. The two networks are usually a main office and a satellite office, and the third network is usually the Internet.

VPN Diagram

E-mail Security
- E-mail is the most used network application
- Very insecure as the Internet developed
- Security has been a low priority for all but a few
- Phil Zimmermann – Pretty Good Privacy (PGP)
- Digital certificates
- Symmetric or asymmetric encryption
- Think about opt-in or digital certificates to control spam

Ultimate Goal: Information Control
- Easy to use
  – Simple model
  – Native environment
- Dependable security
- Dependable authentication
- Persistent and dynamic control when applicable
- Use control (copy and print)
- Comprehensive auditing
- Supports breadth of content types
- Scalable and deployable

Solutions & Suggestions
- Tie security to ROI: what is the competition doing, positive PR, etc. (at minimum tie it to loss mitigation costs)
- Remind people that the Privacy Rule and statute mandate sound security practices
- Educate, educate, educate
- Use horror stories judiciously

Solutions & Suggestions (continued)
- Present options, accept risk and remain flexible
- Remember brevity with top executives: make your point quickly and avoid fluff
- Cultivate security advocates within and outside the organization
- Incorporate a bottom-up approach (i.e., train end users, periodic security announcements to staff, etc.)

Information Security – A Human Behavioral Problem
What do companies say?
- 66% have information security problems
- 65% were attacked by own employees
- 51% see information security as a priority
- 40% do not investigate security incidents
- 38% have detected attacks that blocked their IT systems
- Only 33% can detect attacks and intrusions
Source: EY Information Security Survey 2001
Causes of Security Incidents – What does the FBI say about companies?
- 91% have detected employee abuse
- 70% indicate the Internet as a frequent attack point
- 64% have suffered financial losses
- 40% have detected attacks from outside
- 36% have reported security incidents
Source: FBI Computer Crime and Security Survey 2001

Information Security – A Dynamic Process
Risk factors: Hot Resources, Data
- Security policies, standards, and procedures
- Risk analysis
- Identification of vulnerabilities
- Employee training, education, and awareness
- Implement strong authentication / encryption
- Use digital signatures & PKI solutions
- Performance indicators
- Intruder detection
- Anti-virus solutions
- Periodic security analyses (especially after the implementation of new IT systems)
- Attack & penetration analyses (ethical hacking)
- Analysis of IT systems' logs
- Threat & vulnerability analysis
- Security infrastructure
- Continuity plans (BCP/DRP)
- Incident response management
Process stages: Prevention, Detection, Correction

Attack & Penetration / Profiling
An ethical hacking and profiling assessment in order to:
– Identify the technical security vulnerabilities and weaknesses
– Develop corrective technical actions
Focused on multiple access verifications as well as technical and administrative controls.
Assessment areas: Internet security, Intranet security, Extranet security, Remote access.
Phases:
- Attack & Penetration: Phase I – Discover/Scan; Phase II – Exploitation
- Threat & Vulnerability: Phase III – Host Vulnerability Assessment
- Security Infrastructure: Phase IV – Administrative Controls Review

What Are Potential Disasters?
- External
  – Storms (hurricanes, tornados, floods, hail…)
  – Accidents (planes, trains, automobiles, hazardous materials)
  – Regional outages (power, communications…)
  – Violence (civil unrest, terrorist acts, bioterrorism…)
- Internal
  – Hardware failures (servers, data stores, cyber attacks…)
  – Accidents (fires, water leaks, electrical…)
  – Violence (disgruntled employee, corporate sabotage…)

What Are the Chances?
- Computing probability of occurrence
  – Trying to construct a probabilistic model by type of exposure reaches diminishing returns very quickly.
  – Should a low probability of occurrence in a given area alter the scope of a BCP plan?
- Responsible BCP planning
  – Assesses the environment and mitigates the obvious risks (e.g., servers in a basement in a flood plain area).
  – Hopes for the best, but must plan for the worst.

Data Disaster Facts
- Disaster Recovery Journal reports two in five companies are not able to reopen after a disaster
- Gartner Group: information loss is more critical than hardware failure or loss
- Ontrack Data research indicates that 80% of its data loss customers regularly back up their data, only to find the backups less than adequate at the critical moment they need to restore
- Despite technological advances in the reliability of magnetic storage media, data loss continues to rise, making data recovery more important than ever

Why Does This Happen?
- Systems becoming more complex
- Focus on backup, not recovery
- Shrinking backup window
- Write-verify function turned off
- Application/data available 24 x 7
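The two slides above say most backups that fail were never verified or test-restored. The Python below is an added example, not code from the presentation or its author: it hashes every file at backup time (the write-verify step) and then proves the archive actually restores in scratch space. The directory layout, record files and archive name are constructed assumptions for the demonstration.

```python
# Added example, not from the presentation or its author. Assumed scenario:
# a nightly backup of a patient-care-record directory. The SHA-256 manifest
# taken at backup time is the write-verify the slide says is often turned
# off; verify_restore() is the test restore that "focus on backup" skips.
import hashlib, tarfile, tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def backup(src: Path, archive: Path) -> dict:
    """Write an uncompressed tar of src and return {relative path: sha256}."""
    manifest = {str(p.relative_to(src)): sha256_file(p)
                for p in sorted(src.rglob("*")) if p.is_file()}
    with tarfile.open(archive, "w") as tar:
        tar.add(src, arcname="data")
    return manifest

def verify_restore(archive: Path, manifest: dict) -> list:
    """Restore into scratch space and compare every file to the manifest;
    an empty list means the backup really restores, not just that it was written."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r") as tar:
                tar.extractall(scratch)
        except tarfile.TarError as e:
            return [f"archive unreadable: {e}"]
        restored = Path(scratch) / "data"
        for rel, digest in manifest.items():
            f = restored / rel
            if not f.is_file():
                problems.append(f"missing: {rel}")
            elif sha256_file(f) != digest:
                problems.append(f"corrupt: {rel}")
    return problems

def demo() -> tuple:
    """Constructed run: the fresh backup verifies clean; a same-length byte change
    inside the archive (simulated media damage) is then caught by the test restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "pcr"
        (src / "2004").mkdir(parents=True)
        (src / "2004" / "run-0001.txt").write_text("PATIENT RECORD 0001\n")
        (src / "2004" / "run-0002.txt").write_text("PATIENT RECORD 0002\n")
        archive = Path(tmp) / "pcr-backup.tar"
        manifest = backup(src, archive)
        clean = verify_restore(archive, manifest)
        damaged = archive.read_bytes().replace(b"RECORD 0002", b"RECORD 9999")
        archive.write_bytes(damaged)
        return clean, verify_restore(archive, manifest)
```

Tar data blocks carry no checksum of their own, so the damaged archive still extracts without error; only the manifest comparison reveals that the record is no longer the one that was backed up.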

Gartner Group: Key Trends
- By year-end 2003, 80 percent of mobile workers will have at least two computing devices, and 40 percent will have three.
- Windows CE (PocketPC) will dominate in the industrial handheld market space.
- Web-enabled phones are widely available; first-generation content was a curiosity, second-generation useful.
- Software complexity will remain the biggest barrier to mobile productivity.
- Widespread embedded Bluetooth is a 2004 phenomenon.
- Mobile network bandwidth will not be a barrier to compelling applications.
- Spending on network capabilities will provide more productivity than spending on processors.

Mobility – PAN, LAN, WAN
- Wide Area Network (WAN): 9.6 Kbit/s to <2 Mbit/s; voice, SMS, web browsing, mCommerce, Internet access, document transfer, low/high quality video, GPS
- Local Area Network (wLAN, 802.11b LAN): <11 Mbit/s; access "hot spots", LAN equivalent, wireless bridge, workgroup switches
- Personal Area Network (PAN): <1 Mbit/s, 10 meters; access, synchronization; Bluetooth

Security's Challenges
- Access
- Authentication
- Secure transactions
- Protect corporate assets
- Secure the pipe (Internet, extranet, intranet)
IT managers are faced with security challenges for internal and external environments.

Friend or Foe?

Technology Introduction – Extensions and Sub-standards
– 802.11a – 5 GHz band, Mbit/sec ("WiFi5")
– 802.11b – 2.4 GHz band, Mbit/sec ("WiFi")
– 802.11c – Bridge operation procedures
– 802.11d – Global harmonization
– 802.11e – MAC enhancements for QoS
– 802.11f – Inter Access Point Protocol (roaming)
– 802.11g – 2.4 GHz band, "20+ Mbit/sec"
– 802.11h – Spectrum-managed 802.11a (European)
– 802.11i – MAC enhancements for enhanced security

Technology Introduction – What is ?
– 802.11b and g interoperate
– There are devices that implement 802.11a and 802.11b/g

Technology Introduction – Security
– WEP – 64- or 128-bit "standard"; Agere – 152-bit; US Robotics – 256-bit
– 802.1x EAP – "just a framework"
– TKIP (Temporal Key Integrity Protocol) – rotating keys; vendor specific at this time
– AES – long-term solution requiring more horsepower

802.11a/b/g Weaknesses
- Rogue AP
- Compromise of encryption key
- Hardware theft is equivalent to key theft
- Packet spoofing, disassociation attack
- Known plain-text attack
- Brute force attack
- Passive monitoring

Hardware Changes – Commercial Products
– Many consumer products are being used in the "commercial" arena

Software Changes
- Consumer side
  – Plug-N-Play
  – Insecure defaults
  – Remain difficult to configure
- WinXP
  – Notifies users of unsafe networking

Attitude Changes – Widespread Acceptance
– Trains, planes, automobiles and phone booths
– McDonalds in San Francisco: $4.95 for 2 hours, or free with food purchase
Public WLAN Hot Spots Worldwide (two columns as on the slide; *Projected):
- Retail outlets: 11,109 | 50,287
- Hotels: 2,274 | 11,687
- Others: 1,369 | 9,105
- Total: 14,752 | 71,079
Source: Dataquest Inc., San Jose

Wireless Security Focus Areas (diagram)
- Devices
- Air transmissions: PAN, LAN, WAN
- Public networks
- Private networks
- Applications
Layers shown: mobility, wireless, traditional security; controls called out: VPN, SSL/TLS.