brett miller, medical school chief it security officer irbmed seminar series april 28, 2015 data...
TRANSCRIPT
Brett Miller, Medical School Chief IT Security Officer
IRBMED Seminar Series
April 28, 2015
Data Security
Problems with Data
• We’re accountable for real/possible exposures
• Data integrity important to research• There are people who want to steal data• If systems are compromised data exposure
or corruption can be collateral damage• Data gets everywhere…
Data Gets Everywhere
Example Data Leaks
• Thumb drives get lost• Laptops are stolen• NAS devices are put on the Internet• Collaboration tool permissions too broad• Misdirected emails• Malware steals data• Servers/databases are compromised
Personal Devices
• Hard to remove all traces of data from systems and backups
• Destruction of devices sometimes necessary• Personal systems usually not secure or
compliant• Personal cloud backup, email, or
collaboration tools probably not compliant
Configuration Challenges
• Too many devices to keep track of• Settings can unexpectedly change• Knowing details of settings can be a full
time job• It’s too easy to have your data end up in the
cloud without realizing it
The Hacker Threat
• “Attacker” is more accurate• Authorized “White Hat” or “Ethical
Hackers” test and improve security• So what about the bad hackers?
Attacker Motivation
• Money - information can be sold or held for ransom
• Ideology - hacktivism & nation states• Borrowing your system (maybe for resale)
–Used to launch attacks–Bitcoin mining or other computation
• For fun or bragging rights
Attacker Techniques
Staggering number of ways:• Compromising web or other servers• Malware• Social engineering • Network attacks• Cryptographic attacks• Attacks on physical security
Tools
• Encryption• Antivirus• System patching• Data destruction• Managed systems
Encryption – Basic Idea
Encryption Types
• Data in Transit On a wire/through the air HTTPS, SSL
• Data at Rest In a file/on a disk Credant, FileVault, BitLocker
FIPS 140-2 Encryption
• FIPS 140-2 is a government standard• Third-party testing labs certify products as
being 140-2 validated• FISMA requires it• Some projects/grants require it• HHS refers to the same standards for PHI• Encryption key must be separate
Encryption Misconceptions
• MS Office encryption is fine–Depends on the version
• Zip file encryption is OK–Need to use WinZip 18.5 or later in FIPS
140-2 mode.• If my system is encrypted, I’m safe.
–An infected system can leak data
More Misconceptions
• It’s safe to click through certificate warnings–Someone could be intercepting your data
• If it says FIPS 140-2 compatible it’s OK–It needs to be FIPS 140-2
certified/validated. NIST has lists of vendor products
Yet More Misconceptions
• I can use the same password everywhere if it’s strong–Attackers get one password and try it
everywhere• If I have a password set on my laptop, it’s
encrypted–See demo later
Antivirus
• Not 100%, but can catch common malware• A dedicated attacker won’t be deterred• Average attackers won’t go to this trouble• Not all antivirus products are equal. Watch
for updated recommendations from Security & Compliance
System Patching
• Serious vulnerabilities found every week• May only have a few hours to patch• We’ve seen systems compromised in 4-5
hours of announcements• Automatic updates are best
Data Destruction
• It can be hard to erase data• Traditional (non-SSD) hard drives require
several passes of wiping• SSD or flash memory devices may or may
not be capable of being sanitized• Physical destruction is only sure way• Best if device is encrypted before use
Managed Systems
• On managed systems, you don’t have to worry about the system itself
• Example managed systems–AirWatch–MiHarbor/MCIT Core
• Thumb drives, external drives, NASs, and personal equipment still an concern
Demo & Questions