Security Computing Practices Plamen Martinov Chief Information Security Officer


Page 1: Security Computing Practices Plamen Martinov Chief Information Security Officer

Security Computing Practices

Plamen Martinov Chief Information Security Officer

Page 2:

Agenda

• Introduction to Computer Security
• “Top 10 List” of Good Computing Security Practices
• How to:
  – Create a good password
  – Encrypt sensitive information
  – Protect your operating system

Page 3:

What is Computer Security and why is it important?

Computer Security allows the University to carry out its mission by:

• Enabling staff and students to carry out their jobs, education, and research

• Protecting personal and sensitive information

• Supporting critical business processes

Computer Security is the protection of computing systems and the data that users store or access.

Page 4:

Why do you need to learn about Computer Security?

Good Computing Security Practices follow the “90 / 10” Rule:
• 10% of security safeguards are technical
• 90% of security safeguards rely on the computer user (“YOU”) to adhere to good computing practices

Example:
• The lock on the door is the 10%. You remembering to lock the door, checking to see if it’s closed, ensuring others do not open the door, and keeping control of the key is the 90%.

Page 5:

Ignoring Computer Security leads to security breaches and regulatory fines

• In 2014 more than 1,500 data breaches occurred nationwide, compromising 1 billion personal records.
• The Office for Civil Rights has been levying HIPAA fines:
  • Nine settlements since June 1, 2013 have totaled more than $10 million.
  Examples:
  – $1,725,220 against Concentra Health Services for an unencrypted laptop that had been stolen from one of its facilities.
  – $250,000 against QCA Health Plan, Inc. after an unencrypted laptop containing personal health information was stolen from an employee's car.

Page 6:

"Top 10 List" of Good Computing Security Practices everyone can take to protect computers and data.

1. Password protect your computer and portable devices.
2. Choose good passwords and keep them secret and secure.
3. Encrypt any ePHI or PII stored on portable devices or media.
4. Keep your operating system patched and up-to-date.
5. Install anti-virus and keep it up-to-date.
6. Turn on your computer firewall.
7. Lock up your devices or take them with you.
8. Do not respond to anyone asking you for your password.
9. Securely delete ePHI and PII when it is no longer needed.
10. Back up critical information.

Page 7:

Password protect your computer and portable devices

• Creating a good password
  • Combine 2 unrelated words -> Mail + phone = m@!lf0n3
  • A good password has at least 12 characters = m@!lf0n-2015
  • Use a password or passphrase manager, such as LastPass, to help manage multiple passwords/passphrases
  • LastPass is free for students and can be downloaded from LastPass.com.

The table below shows how fast your password can be guessed by a hacker:

Pattern                     Calculation   Result    Time to Guess
8 chars: lower case alpha   26^8          2x10^11   < 1 second
8 chars: alphanumeric       62^8          2x10^14   3.4 min
8 chars: all keyboard       95^8          7x10^15   2 hours
12 chars: alphanumeric      62^12         3x10^21   96 years
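The table's figures come from a simple model: the number of candidates is (character-set size)^(length), and the time to guess is that count divided by the guesser's rate. The following Python is an added example, not part of the slide deck; it reproduces the table's calculation and estimates the same figure for any password you feed it. The guess rate of about 10^12 per second is an assumption (it is the rate the slide's own numbers imply) and the character-class sizes 26/26/10/33 are the conventional ones. One caveat the model does not capture: it treats every combination as equally likely, so a password built from two dictionary words with letter substitutions is a far smaller search than the table's "12 chars" row suggests, which is why length and a manager-generated random password matter more than clever substitutions.

```python
# Assumption: ~10^12 guesses per second, the offline-cracking rate that the
# slide's figures imply (26^8 in under a second, 62^12 in about a century).
GUESSES_PER_SECOND = 1e12

# Character-class sizes behind the slide's table (US keyboard: 33 printable symbols).
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates a guesser must cover: charset_size ** length."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int,
                       rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return keyspace(charset_size, length) / rate


def human_time(seconds: float) -> str:
    """Render seconds the way the slide does: '< 1 second', '3.6 min', '102.2 years'."""
    if seconds < 1:
        return "< 1 second"
    for unit, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("min", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.0f} seconds"


def charset_of(password: str) -> int:
    """Size of the character-class mix a guesser must cover for this password
    (assumes every character of each class present is equally likely)."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def time_to_guess(password: str) -> str:
    """Estimated worst-case time to guess this password under the model above."""
    return human_time(seconds_to_exhaust(charset_of(password), len(password)))


def table() -> list:
    """Recompute the slide's four rows: (pattern, calculation, result, time)."""
    rows = [("8 chars: lower case alpha", LOWER, 8),
            ("8 chars: alphanumeric", LOWER + UPPER + DIGITS, 8),
            ("8 chars: all keyboard", LOWER + UPPER + DIGITS + SYMBOLS, 8),
            ("12 chars: alphanumeric", LOWER + UPPER + DIGITS, 12)]
    return [(label, f"{n}^{k}", f"{keyspace(n, k):.1e}",
             human_time(seconds_to_exhaust(n, k))) for label, n, k in rows]


if __name__ == "__main__":
    for row in table():
        print("{:<28} {:<8} {:<10} {}".format(*row))
    for pw in ("m@!lf0n3", "m@!lf0n-2015"):      # the slide's two example passwords
        print(pw, "->", time_to_guess(pw))
```

Running the script prints the four rows (the small differences from the slide's "3.4 min" and "96 years" come from the exact guess rate chosen) and then the estimate for the slide's two example passwords, showing that going from 8 to 12 characters is what moves the result from hours to years.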

Page 8:

Encrypt any ePHI and PII stored on portable devices or media

• ePHI = Electronic Protected Health Information (Personal + Health)
  – Medical record number and/or account number with SSN
  – Patient demographic data (e.g. address, date of birth, date of death, sex, e-mail, etc.)
  – Dates of service (e.g. date of admission, discharge, etc.)
  – Medical records, reports, test results, or appointment dates
• PII = Personally Identifiable Information (Personal only)
  – Individual’s name, SSN, driver’s license number, or credit card account numbers
  – Health insurance policy number, subscriber ID, application or claims

Page 9:

Encryption vs. Passwords

• Having a password does not necessarily mean something is encrypted.
  – Passwords by themselves do not scramble the information.
• If something is only “password protected,” it is not enough protection - someone could bypass the password and read the information.

Figure: Original | Password Protected | Encrypted
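To make the distinction concrete, here is an added Python example (not from the slide deck) that builds two versions of the same constructed patient record: one that is merely "password protected" (a password check sits in front of data stored unchanged) and one that is encrypted (the stored bytes depend on a key derived from the password). The check a defender cares about is `plaintext_visible`: whether the sensitive text can be found in the stored bytes without ever entering the password, which is exactly what happens when a stolen disk is read directly. The cipher here (PBKDF2 key derivation, HMAC-SHA256 in counter mode as a keystream, encrypt-then-MAC) is an illustration of the principle only; the assumed iteration count, the sample record and the function names are all constructed for this example, and real devices should use the whole-disk and hardware tools the deck lists, or a vetted library's AES-GCM.

```python
import hashlib
import hmac
import os

# Assumed, illustrative work factor for the password-based key derivation.
PBKDF2_ITERATIONS = 200_000

# Constructed sample record standing in for ePHI on a portable device.
SAMPLE_RECORD = b"MRN 000123 | DOB 1970-01-01 | Dx: hypertension"


def _derive_key(password: str, salt: bytes) -> bytes:
    """Stretch the password into a 32-byte key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


# --- "Password protected" only: a gate in front of data that is stored unchanged ---

def password_protect(data: bytes, password: str) -> bytes:
    """Store a password verifier next to the data. The data itself is not scrambled."""
    salt = os.urandom(16)
    verifier = _derive_key(password, salt)
    return salt + verifier + data


def open_password_protected(blob: bytes, password: str) -> bytes:
    """The application checks the password before showing the data, but the
    check is only in the application: the bytes on disk already hold the data."""
    salt, verifier, data = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(_derive_key(password, salt), verifier):
        raise PermissionError("wrong password")
    return data


# --- Encrypted: the stored bytes are a function of the key, not merely gated by it ---

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a simple stream cipher for illustration."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(password: str, salt: bytes) -> tuple:
    """Separate encryption and MAC keys derived from one master key."""
    master = _derive_key(password, salt)
    enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def encrypt(data: bytes, password: str) -> bytes:
    """Return salt || nonce || ciphertext || tag (encrypt-then-MAC)."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _subkeys(password, salt)
    ciphertext = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt(blob: bytes, password: str) -> bytes:
    """Verify the tag first, then undo the keystream; a wrong password or any
    modification of the stored bytes is rejected before anything is returned."""
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _subkeys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise PermissionError("wrong password or tampered data")
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def decrypts_with(blob: bytes, password: str) -> bool:
    """True if the blob opens with this password, False if it is rejected."""
    try:
        decrypt(blob, password)
        return True
    except PermissionError:
        return False


def plaintext_visible(blob: bytes, marker: bytes) -> bool:
    """Defender's check: can the sensitive text be found in the stored bytes
    without ever entering the password (e.g. by reading the disk directly)?"""
    return marker in blob


if __name__ == "__main__":
    pw = "m@!lf0n-2015"                      # the slide's example password
    gated = password_protect(SAMPLE_RECORD, pw)
    sealed = encrypt(SAMPLE_RECORD, pw)
    print("password-protected blob reveals record:", plaintext_visible(gated, b"MRN 000123"))
    print("encrypted blob reveals record:        ", plaintext_visible(sealed, b"MRN 000123"))
```

The first line printed is True and the second is False: the "password protected" blob still contains the record verbatim, so anyone who copies the file has the data, while the encrypted blob is useless without the password. This is the practical reason the deck distinguishes the two and asks for full-disk or device encryption rather than a login prompt alone.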

Page 10:

• The table below shows the time and costs for handling security incidents for lost and stolen devices.

Encrypted Device with ePHI/PII
– Incident Description: User’s computer stolen from his/her car. Device had ~400 patient records.
– Investigation time (combined hours for incident response team – legal, HR, IT, security, etc.): 1 hour
– Security Forensics Costs: $0
– Reputation Damage Costs: $0

Unencrypted Device with ePHI/PII
– Incident Description: User forgot laptop in cab. Device had ~400 patient records.
– Investigation time (combined hours for incident response team – legal, HR, IT, security, etc.): 50 hours
– Security Forensics Costs: $2,000
– Reputation Damage Costs: Priceless

Unencrypted Device without ePHI/PII
– Incident Description: User left tablet on plane. Device had no patient health information.
– Investigation time (combined hours for incident response team – legal, HR, IT, security, etc.): 35 hours
– Security Forensics Costs: $800
– Reputation Damage Costs: $0

Encryption saves the University both time and money

Page 11:

Encryption Solutions

Type: Apple
Encryption Solution: FileVault 2
Cost/Impact: Free; native security feature; easy setup; vendor-supported; AES 128 encryption for data protection; can store recovery key with Apple; well-documented install guide.
Purpose: Encrypt the contents of your entire drive. Solution will work for personally-owned and BSD-owned laptops.

Type: Windows
Encryption Solution: BitLocker*
Cost/Impact: Free; native security feature; AES 128-bit and 256-bit; some hardware dependencies.
Purpose: Encrypt the contents of your entire drive. Solution will work for personally-owned and BSD-owned laptops.

* To use BitLocker, your laptop must be equipped with a Trusted Platform Module (TPM) chip, and it must be enabled.

Page 12:

Encryption Solutions (Cont’d)

Type: Files/Volumes
Encryption Solution: AxCrypt
Cost/Impact: Free; has native versions for both Windows and Apple; uses strong compliant encryption.
Purpose: Creates secure disk images and files for data sharing via email, CD or cloud.

Type: External Storage
Encryption Solution: Aegis Secure USB Key
Cost/Impact: $65; unlocks with onboard PIN pad; 256-bit AES hardware-based encryption; PIN activated, 7-15 digits, alphanumeric keypad.
Purpose: Secures the transport of data, documents, and presentations.

Type: Apple Phone/Tablet
Encryption Solution: iOS
Cost/Impact: Free; native security feature, enabled by default with the use of a passcode; vendor-supported; AES 128 encryption; can store recovery key with Apple; well-documented install guide.
Purpose: Encrypts the content of the device; solution will work for personally-owned and BSD-owned devices.

Type: Android Phone/Tablet
Encryption Solution: Android
Cost/Impact: Free; native security feature; easy setup; vendor-supported; AES 128 encryption; well-documented install guide.
Purpose: Encrypts the content of the device; solution will work for personally-owned and BSD-owned devices.

Page 13:

Turn on your firewall

• A firewall acts as a wall between your computer/private network and the internet.
• A firewall prevents hackers from entering your computer through the internet.

HOW TO

Mac (System Preferences):
1. Open System Preferences.
2. Click the Security or Security & Privacy icon.
3. Select the Firewall tab.
4. Click the lock icon, then enter an administrator name and password.
5. Click the Firewall Options button.

Windows:
1. Open Windows Firewall by clicking the Start button, and then clicking Control Panel.
2. In the left pane, click Turn Windows Firewall on.
3. Click Turn on Windows Firewall under each network location, and then click OK.

Page 14:

Keeping your operating system patched and up-to-date

• Vendors regularly issue patches or updates to solve security problems in their software. Computers can be set up to automatically download and install updates.
• When updates are not applied, your computer is left vulnerable to hackers.

HOW TO

Windows:
1. Open Windows Update.
2. Tap or click Choose how updates get installed.
3. Under Important updates, choose Install updates every day.
4. Under Recommended updates, select the Give me recommended updates the same way I receive important updates check box.

Mac:
1. Choose System Preferences from the Apple menu.
2. Click App Store.
3. Select Automatically check for updates.

Page 15:

Resources & References

• BSD Information Security Office
  – http://security.bsd.uchicago.edu
• BSD HIPAA Program Office
  – http://hipaa.bsd.uchicago.edu
• Apple Encryption – FileVault 2
  – http://support.apple.com/kb/ht4790
• Windows Encryption – BitLocker
  – http://windows.microsoft.com/en-us/windows-vista/bitlocker-drive-encryption-overview
• Files/Volumes Encryption – AxCrypt
  – http://www.axantum.com/axcrypt/
• External Storage Encryption – Aegis Secure Storage
  – http://www.apricorn.com/aegis-secure-key.html