Data and Network Security issues - Cpcstech

					         JEMS EMS Today 2004
         Saturday March 6, 2004

Data and Network Security:
       Guarding Your Data

          William E. Ott, MS, Paramedic
                   CPCS Technologies
                 www.cpcstech.com
Today’s Data Security Environments Can Be Scary
• Hackers & Extremists
• Loss of Competitive Advantage
• Opportunities for
• Viruses & Worms
• “Free” Access for Employees
• New IT Projects
• IT System Crashes
Specific Items to Address
• EMS as Information Workers
• Information security risks
   – Network
   – Wireless
   – Voice
   – Social engineering
• Information security measures
   – Firewall
   – IDS
   – Antivirus
• Business continuity planning
• Data backup and restoration
 EMS following the FedEx lead?
• EMS is following the IT example of FedEx,
  transitioning from package delivery with
  associated information to an information
  management company with the end result
  of package delivery

• EMS is following, and should follow, this
  model: moving from being an emergency
  response, patient care service with
  associated information to being an
  information management agency with the
  end result being quality patient care.
  EMS as Information Workers
• What is involved?
  – Electronic patient records
  – CAD data pre and post response
  – GIS data pre and post response
  – System performance data
  – Application of performance data to the
    continuing education program
  – Personnel data
  – System / Vehicle data
  – Facility/Event preplan data
    Threats to Information Systems
• Malicious abuse
• Denial of Service and related attacks
• Virus, Worm, and Trojan attacks
• Outside Hacker attacks
• Theft of service
• Theft of information
• Poorly trained IT staff
• Not staying current with system patches,
  antivirus definitions, etc.
• Not performing proper system maintenance
• Poor or no backup and contingency plans
Do you have an IT Security Plan?
• Harden and Secure for known issues

• Prepare with policies and education

• Detect intrusions and threats

• Respond to intrusions and threats

• Improve IT security measures and
 What can happen to my data?

• Lost data or missing data is inaccessible

• Stolen data has been accessed or copied
  without authorization

• Inaccurate data was entered incorrectly,
  deliberately or accidentally altered, or not
        Causes for Concern

• 94%+ of corrupt, compromised, or deleted
  data is caused by user error, mistake,
  hardware failure, or deliberate misuse

• 78%+ of malicious damage to data is
  attributed to ‘trusted’ personnel according
  to FBI/CERT statistics for 2002
    Threats to Productivity
• Spam
  – wastes resources
  – wastes time
  – offensive, dangerous
• Popup ads
  – wastes resources
  – annoying
• Malicious use of resources
  – wastes bandwidth, storage
  – violates law and privacy
    Threats to Privacy / Confidentiality

•   No security plan
•   No security training or awareness
•   Smart or Meta Tags in shared documents
•   Social Engineering
•   Unencrypted network
•   Unencrypted e-mail
•   No firewall
•   No antivirus system
•   Rogue wireless
•   PDAs connecting to network and servers
What is driving improved Security?

• Health Insurance Portability and Accountability
  Act (HIPAA)

• Maturation of existing data systems

• Inexpensive to implement security on new data

• It’s the right thing to do
         Data Security Issues

•   Development of user levels
•   Education of users
•   Proper use policies
•   Improper info via unsecured e-mail
•   Intrusion detection systems / scans
•   Antivirus protections
       Some Security Options

•   Virtual Private Networking (VPN)
•   Active AntiVirus Screening
•   Stateful packet inspection Firewalling
•   Proxy servers
•   Opt-in e-mail
•   Database encryption
•   E-mail encryption
•   Network / PC security policies
•   Two Factor User Authentication
•   Aggressive Audit logging and review
      Virtual Private Network

• A VPN is defined as a system in which two
  or more networks are connected through a
  third, untrusted, network.

• The two networks are usually a main office
  and a satellite office, and the third network
  is usually the Internet.
VPN Diagram
                E-mail Security
•   E-mail is the most used network application
•   Very insecure as Internet developed
•   Security has been a low priority for all but a few
•   Phil Zimmermann – Pretty Good Privacy (PGP)
•   Digital Certificates
•   Symmetric or Asymmetric encryption
•   Think about opt-in or digital certificates to control
 Ultimate Goal: Information Control

• Easy to use
   – Simple model
   – Native environment
• Dependable Security
• Dependable Authentication
• Persistent and Dynamic Control when
• Use control (copy and print)
• Comprehensive Auditing
• Supports breadth of content types
• Scalable and deployable
     Solutions & Suggestions

• Tie security to ROI – what is the competition
  doing, positive PR, etc. (at minimum tie it to loss
  mitigation costs )

• Remind them that the Privacy Rule & statute
  mandate sound security practices

• Educate, educate, educate

• Use horror stories judiciously
      Solutions & Suggestions

• Present options, accept risk and remain flexible

• Remember brevity with top executives – make your point
  quickly and avoid fluff

• Cultivate security advocates within and outside the

• Incorporate a bottom-up approach (i.e., train end users,
  periodic security announcements to staff, etc.)
Information Security – A Human Behavioral Problem

What Do Companies Say:
• 66% have information security problems
• 65% were attacked by own employees
• 51% see information security as a priority
• 40% do not investigate security incidents
• 38% have detected attacks that blocked their IT systems
• Only 33% can detect attacks and intrusions
Source: EY Information Security Survey 2001 - 2002

What Does FBI Say About Companies:
• 91% have detected employee abuse
• 70% indicate the Internet as a frequent attack point
• 64% have suffered financial losses
• 40% have detected attacks from outside
• 36% have reported security incidents.
Source: FBI Computer Crime and Security Survey 2001
Causes of Security Incidents
• Employee Awareness – 56%
• Tools/Security Solutions – 44%
• People Skills – 40%
• Budget – 37%
• Management Support – 26%
• Other Reasons – 8%
Source: EY Information Security Survey 2001
Information Security – A Dynamic Process
 • Intruder Detection
 • Anti-Virus Solutions
 • Periodic Security Analyses (especially after the
   implementation of new IT systems)
 • Attack & Penetration Analyses (Ethical Hacking)
 • Analysis of IT systems’ logs
 • Threat & vulnerability analysis
 • Security infrastructure

 • Security Policies, Standards, and Procedures
 • Risk Analysis
 • Identification of Vulnerabilities
 • Employee Training, Education, and
 • Implement strong authentication / encryption
 • Use digital signatures & PKI solutions
 • Performance Indicators

 • Continuity Plans (BCP/DRP)
 • Incident Response Management
 • Hot Resources

 Diagram label: RISK
Attack & Penetration / Profiling
 • An ethical hacking and profiling assessment in order to:
    – Identify the technical security vulnerabilities and weaknesses
    – Develop corrective technical actions
 • Focused on multiple access verifications as well as technical and administrative controls.

 Assessment areas (diagram columns):
 • Internet Security Assess
 • Intranet Security Assess
 • Extranet Security Assess
 • Remote Access Assess

 Phases (diagram rows):
 • Attack & Penetration
    – PHASE I: Discover/Scan
    – PHASE II
 • Threat & Vulnerability
    – PHASE III: Host Vulnerability Assessment
 • Infrastructure
    – PHASE IV: Controls Review
  What Are Potential Disasters?
 External
   • Storms (hurricanes, tornados, floods, hail…)
   • Accidents (planes, trains, automobiles, hazardous
   • Regional Outages (power, communications…)
   • Violence (civil unrest, terrorist acts, bioterrorism…)

 Internal
  • Hardware Failures (servers, data stores, cyber
  • Accidents (fires, water leaks, electrical…)
  • Violence (disgruntled employee, corp. sabotage…)
    What Are The Chances?
 Computing Probability of Occurrence
  • Trying to construct a probabilistic model by type
    of exposure reaches diminishing returns very
  • Should a low probability of occurrence in a given
    area alter the scope of a BCP Plan?

 Responsible BCP Planning
  • Assesses the environment and mitigates the
    obvious risks (servers in a basement in a flood
    plain area).
  • Hopes for the best, but must plan for the worst.
    Data Disaster Facts

• Disaster Recovery Journal reports two in five
  companies are not able to reopen after a disaster

• Gartner Group: Information loss is more critical than
  hardware failure or loss

• Ontrack Data research indicates that 80% of its data
  loss customers regularly back up their data, only to
  find their backups less than adequate at the critical
  moment they need to restore. Despite technological
  advances in the reliability of magnetic storage
  media, data loss continues to rise, making data
  recovery more important than ever
      Why Does This Happen

•   Systems becoming more complex
•   Focus on Backup Not Recovery
•   Shrinking Backup Window
•   Write-Verify Function Turned Off
•   Application/Data Available 24 x 7
     Gartner Group: Key trends
• By year-end 2003, 80 percent of mobile workers will have
  at least two computing devices, and 40 percent will have
• Windows CE (PocketPC) will dominate in the industrial
  handheld market space.
• Web-enabled phones are widely available; first-generation
  content was a curiosity, second-generation useful
• Software complexity will remain the biggest barrier to
  mobile productivity.
• Widespread embedded Bluetooth is a 2004 phenomenon.
• Mobile network bandwidth will not be a barrier to
  compelling applications.
• Spending on network capabilities will provide more
  productivity than spending on processors.
          Mobility – PAN, LAN, WAN

• Personal Area Network (PAN) – Bluetooth
   – <1Mbs
   – Access
   – 10 Meters
• Local Area Network – wLAN
   – <11Mbs
   – Access
   – “hot spots”
   – LAN equivalent
• Wide Area Network (WAN)
   – 9.6 Kbit/s: Voice, SMS, e-Mail, Web browsing
   – <2Mbs: mCommerce, Internet access, Document transfer, Low/high quality video
• Other diagram labels: LAN Bridge, GPS
        Security’s Challenges
IT Managers are faced with security challenges for internal and
external environments.
• Secure Transactions
• Internet: Secure the pipe
• Access Authentication
• Protect Corporate
Friend or Foe?
   Technology Introduction
– Extensions and sub-standards
   • 802.11a – 5 GHz band, 6 - 54 Mbit/sec
   • 802.11b – 2.4 GHz band, 1 - 11 Mbit/sec
   • 802.11c – Bridge Operation Procedures
   • 802.11d – Global Harmonization
   • 802.11e – MAC Enhancements for QoS
   • 802.11f – Inter Access Point Protocol
   • 802.11g – 2.4 GHz band, “20+ Mbit/sec”
   • 802.11h – Spectrum Managed 802.11a
   • 802.11i - MAC Enhancements for Enhanced
     Technology Introduction
• What is 802.11?

  – 802.11b and

  – There are devices
    that implement
    802.11a and
       Technology Introduction
• Security
   – WEP – 64 or 128 bit “standard”
      • Agere – 152 bit
      • US Robotics – 256 bit
   – 802.1x EAP
      • “Just a framework”

   – TKIP
      • Temporal Key Integrity Protocol – Rotating Keys
      • Vendor specific at this time
   – AES
      • Long-term solution requiring more horsepower
   802.11a/b/g weakness

Rogue AP

Compromise of encryption key

Hardware theft is equivalent to key theft

Packet spoofing, disassociation attack

Known plain-text attack

Brute force attack

Passive monitoring
        Hardware Changes
• Commercial Products

  – Many consumer
    products are being
    used in the
    “commercial” arena
           Software Changes
• Consumer side
  – Plug-N-Play
  – Insecure Defaults
  – Remain difficult to

• WinXP
  – Notifies users of
    unsafe networking
                       Attitude Changes
• Widespread Acceptance
  – Trains, Planes, Automobiles and phone
  – McDonalds in San Francisco
     • $4.95 for 2 hours, or free with food
          Public WLAN Hot Spots Worldwide

                           2002          2003*
      Retail outlets     11,109         50,287
      Hotels              2,274         11,687
      Others              1,369          9,105
      Total              14,752         71,079

      Source: Dataquest Inc., San Jose
       Wireless security focus areas

[Diagram: four numbered focus areas (1–4). Labels: Mobility; Wireless PAN / LAN; VPN; Private Networks; Networks; Applications; Traditional Security]
