1D Culp Shannon Presentation

What Is Information Security? – Security Basics 101
Shannon M. Culp, Manager Information Security – Information Security Officer (CISO)

Transcript of 1D Culp Shannon Presentation

Page 1: 1D Culp Shannon Presentation

What Is Information Security? – Security Basics 101

Shannon M. Culp, Manager Information Security – Information Security Officer (CISO)

Page 2: 1D Culp Shannon Presentation

What is Information Security?

Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction.

The terms information security, computer security and information assurance are frequently, and incorrectly, used interchangeably. These fields are often interrelated and share the common goals of protecting the Confidentiality, Integrity and Availability of information; however, there are some subtle differences between them.

From Wikipedia on the internet

Page 3: 1D Culp Shannon Presentation

Information Security in Business

Governments, military, corporations, financial institutions, hospitals, and private businesses amass a great deal of confidential information about their employees, customers, products, research, and financial status. Most of this information is now collected, processed and stored on electronic computers and transmitted across networks to other computers.

Should confidential information about a business' customers, finances or new product line fall into the hands of a competitor, such a breach of security could lead to lost business, lawsuits or even bankruptcy of the business. Protecting confidential information is a business requirement, and in many cases also an ethical and legal requirement.

From Wikipedia on the internet

Page 4: 1D Culp Shannon Presentation

Regulatory Requirements

- FTC Act
- Gramm Leach Bliley Act
- HIPAA + HITECH Act
- EU Data Privacy Directive
- Sarbanes Oxley
- Bank Secrecy Act
- General Negligence Law
- Downstream Liability
- PCI DSS (electronic payments)
- California Data Privacy Law
- Feinstein Data Privacy Reporting Proposal
- OFAC – OCC Rules
- State Security Breach
- USA Patriot I and II
- Fair Credit Reporting Act
- SEC Regulations 10(b)(5)
- Minnesota Plastic Card Security Act
- Ohio Privacy Law

Page 5: 1D Culp Shannon Presentation

Why?

- To steal information – “Netspionage Costs Firms Millions”
- For financial gain or theft – “Flaw Causes Credit Card Chaos”
- To make a statement – “Most do it for profit but there are those that don’t”
- Because they can! – “Teen hacker intended to disable 10,000 sites”
- For revenge! – “Due to the Economy - Layoffs lead to revenge hacking by X-Employees”

Page 6: 1D Culp Shannon Presentation

Why Do I Need Security?

CSI Computer Crime Survey, December 2009 – 443 Respondents

- 57.1% of respondents require HIPAA compliance
- 18.1% HITECH Act Compliance
- 42.9% Payment Card Industry (PCI)

Types of attacks experienced by respondents:
- 64.3% - Malware infection
- 42.2% - Laptop / mobile device theft
- 30% - Insider abuse of Net access or email
- 29.2% - Denial of service
- 19.5% - Financial Fraud
- 15% - Unauthorized access or privilege escalation by insider
- 17.3% - Password sniffing
- 8% - Exploit of wireless network

2009 CSI Computer Crime and Security Survey

Page 7: 1D Culp Shannon Presentation

Why Do I Need Security?

Same respondents that reported breaches:
- 99.1% had Anti-virus software
- 97.9% had a Firewall
- 89.9% had Anti-spyware
- 85.7% used Virtual Private Networks (VPN)
- 75.3% Encrypted data in transit
- 72.6% utilized an Intrusion Detection System
- 65.9% had Vulnerability / Patch Management
- 62.2% Encrypted data at rest
- 60.4% Utilized Web / URL Filtering
- 40.9% had Data Loss Protection / Content Monitoring

2009 CSI Computer Crime and Security Survey

Page 8: 1D Culp Shannon Presentation

Why?

INFORMATION IS MONEY!!!!!!


Page 9: 1D Culp Shannon Presentation

What Information?

- Personal Health Information
- Social Security Number
- Account password
- Bank Account Number
- Bank Routing (Transit Number)
- Credit Card Number/Primary Access Number
- Credit Card Verification Code
- Date of Birth
- Drivers License Number
- Loan Number

Page 10: 1D Culp Shannon Presentation

What is Information Worth?

Your full identity goes for $10 - $150. That includes name, DOB, address and social security number. Surprisingly, your social security number will fetch a paltry $5 - $7. They are more valuable when attached to the rest of your personal info.

Identity theft continues to be the fastest growing crime in the world.

It’s now bringing in more money than drug trafficking. From a thief’s point of view, online identity theft is a safe and profitable business. Don’t look for it to slow down any time in the near future. Protect yourself with Identity Theft Solutions.


Page 11: 1D Culp Shannon Presentation

What is Information Worth?

Credit card numbers are the most popular items for sale. Even though they bring considerably less money than bank numbers, they are the easiest to steal. Their value is anywhere from $.50 to $5.

The next most valuable piece of info is your email password. It can bring from $1 - $150 depending on whether your account has been used for spamming previously. Email passwords allow access to an email account and are typically used for sending spam. They can also be used to recover a user’s passwords from various Web sites that will email password-reset information to the user’s email account.  Here’s another kick - email accounts with usernames in standard English are generally higher priced. Kinda makes you want to change your name to "Qwerty".

Medical Information and Social Security Numbers are not as easy to come by but go much further.


Page 12: 1D Culp Shannon Presentation

Where Do I Start With Information Security?

The overall goal is to ensure that Information Security and resources are protected and used according to the following:
- Consistent with your company’s mission and security standards
- Compliance with state and federal law, the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Safeguard the confidentiality, integrity and availability of Electronic Protected Health Information (EPHI) as required by HIPAA

Page 13: 1D Culp Shannon Presentation

Accountability and Ownership

Security must be incorporated into a “program” and built into every employee’s everyday activity – Security is EVERYONE’S job!

For a Security Program to be successful:
- Not one-time or situational
- Must have senior management support and leadership buy-in
- Accountability must be assigned to individuals
- Policies must be designed to be enforced
- Auditing and reviews must occur frequently

Page 14: 1D Culp Shannon Presentation

Accountability and Ownership

Implement user security policies and procedures to ensure that information accessed via electronic resources is protected.

EVERY person who performs work for your organization through employment, contract, residency, or as a student, vendor, or volunteer, etc., must be accountable for protecting electronic information, especially protected health information (PHI).


Page 15: 1D Culp Shannon Presentation

Accountability and Ownership

The accountabilities discussed in your program include:
- accessing and storing electronic information
- email use and all communications
- internet usage
- printing, faxing, transporting and disposing of information

Everyone in your organization should:
- use good security practices
- know how to identify potential security risks
- report anything unusual or suspicious

Page 16: 1D Culp Shannon Presentation

Simple Security Program Guidance

Policies must enforce, and the organization’s technology and infrastructure must support:
- Prohibiting sharing of passwords
- All users should be accountable for any activity performed under their ID
- Never write passwords down!
- Regular random audits as well as on-demand audits for HIPAA complaints
- Security Awareness – education is KEY!

Page 17: 1D Culp Shannon Presentation

Simple Security Program Guidance

- Make sure mobile devices are protected: PDA’s, Smart Phones, iPads, Blackberries, iPhones, Windows Mobile, etc.
- Force a PIN, device security wipe, remote wipe on demand
- Encrypt Laptops = “safe harbor”
- Encrypt Patient data and credit card data
- Make sure credit card numbers are handled according to PCI DSS (Payment Card Industry Data Security Standards)

Page 18: 1D Culp Shannon Presentation

Simple Security Program Guidance

- Never store confidential or patient data on workstations or mobile devices
- Make sure monitors and screens are positioned so that “shoulder surfers” can’t see things they aren’t supposed to
- Implement “need to know” policy
- Make sure internet browsing is filtered and controlled for business purposes and protection of PHI (Protected Health Information)

Page 19: 1D Culp Shannon Presentation

Simple Security Program Guidance

- Remind staff that it is “not okay” to discuss patient activities on Facebook, MySpace, and other blogs or post pictures
  - Opens door for HIPAA complaints, investigations and fines
  - Even if a name is not mentioned – still PHI
- Use good security practices when opening emails and attachments
- Make sure education includes shredding of documentation and secure faxing

Page 20: 1D Culp Shannon Presentation

Simple Security Program Guidance

- Don’t allow employees to use personal email accounts for business (e.g. Yahoo, Hotmail, etc.)
- Put policy, tools and processes in place to track and monitor email messages and internet activity
- Put policy, tools and processes in place to ensure secure handling of paper documents containing PHI or confidential information

Page 21: 1D Culp Shannon Presentation

Simple Security Program Guidance

Use “strong” passwords – protecting your password helps to protect our organization’s information. Here are some tips for selecting strong passwords (Remember some systems may have password limitations – do your best to make these system passwords strong):
- Do not use your name or personal information
- Create passwords that are at least 6 or more characters
- Use upper and lower case letters
- Use a combination of letters and numbers
- Use special characters (like %, $, @) in your password
- Use misspelled words
- Use phrases

Page 22: 1D Culp Shannon Presentation

Vanity Plate – compound words
- Too late again = 2L8aga1n
- Music is for me = MusikS4m3
- Day after today = dayFter2day
- 15 dogs jumped over the house = 15djoth!
- Seashore = Se@shor
- Deadbolt = Ded&bowlt8
- Easy money = Ea$ymon3y
- Blackboard = blaK4borD

Substitute letters for numbers in your phrases:
- 5 or $ = S
- 1 = L or I
- 3 = E
- 0 = O

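The password tips on the two preceding slides can be turned into a checklist a help desk or onboarding script could run. The block below is an added example, not code from the presentation or from TriHealth: it encodes each tip as a separate check (at least 6 characters, upper and lower case, letters plus numbers, special characters, no personal information), reports which tips a candidate misses, and runs the slides' own vanity-plate examples through the same checks. The UserInfo record, the example user and the set of characters counted as "special" are assumptions made for the demonstration.

```python
"""Checklist for the slides' "strong password" tips (added example, not part
of the original presentation).  Each tip becomes one boolean check; a
password is reported together with the tips it misses."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: the slides only name %, $ and @ as examples of special
# characters, so this wider set is our own choice.
SPECIALS = set("!@#$%^&*()-_=+[]{};:'\",.<>?/\\|`~")

# The slides' own vanity-plate examples, used to demonstrate the checker.
SLIDE_EXAMPLES = [
    "2L8aga1n", "MusikS4m3", "dayFter2day", "15djoth!",
    "Se@shor", "Ded&bowlt8", "Ea$ymon3y", "blaK4borD",
]


@dataclass
class UserInfo:
    """Hypothetical user attributes for the 'no personal information' tip."""
    first_name: str
    last_name: str
    username: str
    birth_year: int

    def tokens(self) -> List[str]:
        """Lower-case fragments that must not appear inside the password.
        Fragments shorter than 3 characters are skipped to avoid false hits."""
        raw = [self.first_name, self.last_name, self.username, str(self.birth_year)]
        return [t.lower() for t in raw if len(t) >= 3]


def check_password(pw: str, info: Optional[UserInfo] = None) -> Dict[str, bool]:
    """One boolean per slide tip; True means the tip is satisfied."""
    lowered = pw.lower()
    return {
        "at_least_6_chars": len(pw) >= 6,
        "upper_and_lower": any(c.isupper() for c in pw) and any(c.islower() for c in pw),
        "letters_and_numbers": any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw),
        "special_characters": any(c in SPECIALS for c in pw),
        # Without a user record the personal-information tip cannot be tested,
        # so it is treated as satisfied.
        "no_personal_info": info is None or not any(t in lowered for t in info.tokens()),
    }


def missed_tips(pw: str, info: Optional[UserInfo] = None) -> List[str]:
    """Names of the tips a password fails, in slide order."""
    return [tip for tip, ok in check_password(pw, info).items() if not ok]


def strength_label(pw: str, info: Optional[UserInfo] = None) -> str:
    """'strong' when every tip holds, 'acceptable' with one miss, else 'weak'."""
    missed = len(missed_tips(pw, info))
    if missed == 0:
        return "strong"
    if missed == 1:
        return "acceptable"
    return "weak"


def evaluate_slide_examples() -> Dict[str, List[str]]:
    """Run the slides' own examples through the checker: example -> missed tips."""
    return {pw: missed_tips(pw) for pw in SLIDE_EXAMPLES}


if __name__ == "__main__":
    # Constructed user record, not a real person.
    user = UserInfo("Jane", "Doe", "jdoe", 1985)
    for candidate in ["janedoe1", "Summer1985!", "Ded&bowlt8"]:
        print(f"{candidate:12} {strength_label(candidate, user):10} missed={missed_tips(candidate, user)}")
    for pw, missed in evaluate_slide_examples().items():
        print(f"{pw:12} {strength_label(pw):10} missed={missed}")
```

Running the slides' examples through the checklist is instructive: only Ded&bowlt8 and Ea$ymon3y satisfy all five tips, five of the others lack a special character and 15djoth! has no upper-case letter, which is why a checker should report the individual missed tips rather than a single pass/fail. Mechanical letter-for-number substitutions are well known to password-guessing tools, so the length of the underlying phrase does more for strength than the substitutions do.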

Page 23: 1D Culp Shannon Presentation

Simple Security Program Guidance

Make sure your data is available when you need it.

Business continuity planning (BCP) is the creation and validation of a practiced logistical plan for how an organization will recover and restore partially or completely interrupted critical (urgent) functions within a predetermined time after a disaster or extended disruption. The logistical plan is called a business continuity plan.

In plain language, BCP is working out how to stay in business in the event of disaster. Incidents include local incidents like building fires, regional incidents like earthquakes, or national incidents like pandemic illnesses.

Page 24: 1D Culp Shannon Presentation

Simple Security Program Guidance

Remember the three keys of Security:
- Confidentiality – “need to know”
- Integrity – information is not modified and maintains original properties
- Availability – information is always available when needed

Page 25: 1D Culp Shannon Presentation

Helpful Links

- National Institute Standards and Technology – www.NIST.org
  - Special Publication 800-66 – HIPAA security rule
  - FIPS 200 and NIST SP 800-53 – security controls
- Computer Security Institute – www.gocsi.com
- HITECH Act – http://www.hipaasurvivalguide.com/hitech-act-text.php
- Security Awareness Materials – http://www.infosecuritylab.com/ and http://www.sans.org/security_awareness.php

Page 26: 1D Culp Shannon Presentation

Good Luck!

What questions do you have?

My contact information: Shannon M. Culp, TriHealth, [email protected]