Download
1 / 80
800 likes | 926 Vues
DAIDS Regional Training Event, Johannesburg, South Africa, August 2012. Gregory Garecki (Senior Information Technology Security Analyst) John Quarantillo (CRSS (Westat) –Senior Systems Analyst). DIVISION OF AIDS AND NIAID OCICB. Version 3.0. Securing DAIDS clinical
E N D
DAIDS Regional Training Event, Johannesburg, South Africa, August 2012 Gregory Garecki (Senior Information Technology Security Analyst) John Quarantillo (CRSS (Westat) –Senior Systems Analyst) DIVISION OF AIDS AND NIAID OCICB Version 3.0 Securing DAIDS clinical research information
Introduction Gregory Garecki • Background: Over 15 years in Information Technology (IT) and Security • Experience: Securing information resources, detecting and responding to security threats, auditing information systems • Current Role: Senior IT Security Analyst at NIH
Introduction John Quarantillo • Background: 26 years in IT • Experience: Over 10 years in Information Security & Assurance • Industries: Health Studies, Pharmaceutical, Medical Devices • Current Role: Senior Systems Analyst at Westat • IT Manager for the NIAID HIV and Other Infectious Diseases Clinical Research Support Services (CRSS) Contract
Audience Response System (ARS) Respond to Questions Change an Answer Responses are Anonymous Question cue is a on preceding slide • Ensure remote is on by pressing and holding the “On/Off” button Please leave remotes on the tables Choose your answer Send or change your answer
When a virus infects a computer and destroys part of a file, making that file’s data inaccurate, it is an example of: Loss of Confidentiality Loss of Integrity Loss of Availability Audience Response System (ARS) (cont’d) Choose your answer Send or change your answer
The criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords, and financial information by masquerading as a trustworthy entity is called _____. Audience Response System (ARS) (cont’d) Choose your answer Send or change your answer
Objectives Workshop participants will be able to: • Understand clinical research security risks with regard to: Data, Software, Hardware, and Networks • Articulate risk-based information security goals • Secure clinical research information responsibly by raising awareness and learning how to act as a human sensor
Pre-Assessment 1 • The goals of Information Security are to: • Protect research data • Protect confidentiality, integrity, and availability of information to support mission objectives • Prevent criminal activity and theft of sensitive data by hacking into the attackers’ systems • Help clinical site/laboratory managers monitor their staff members’ computer usage and support mission objectives
Pre-Assessment 2 You have been working hard transferring Case Report Forms (CRFs) to the Data Management Center (DMC) when you receive an email from the DMC asking you to provide your system password to verify your identity. What should you do? • Open the email to confirm whether or not it is suspicious and then provide the requested information • Call the number you have for the DMC to verify the request • Forward the email to all of your peers • Read the email and reply to the sender to confirm your email address and receipt of the email
Pre-Assessment 3 Your investigator sends you an urgent email asking you to forward a particular study participant’s CRF, which details an interesting Serious Adverse Event (SAE). What do you do? • Send an email with the CRF attached • Copy the CRF to a CD, USB drive, or other device and mail it to the investigator • Print and fax the requested document to your investigator • None of the above
Pre-Assessment 4 While you are working, a message suddenly pops up stating your system is infected with a virus and provides a link to software for removing this virus. What do you do? • Click on the link to download the software, install, and run it since you are being responsible about security • Do nothing and report this to the clinical site/laboratory managers with a copy of the message if possible • Download the software and share with everyone on the team so they can also remove viruses from their computers • Do nothing; ignore the message and forget about it
Pre-Assessment 5 The person sitting next to you on a flight is overwhelmed and asks you if they can use your laptop to charge their phone so they can call their child who is in the hospital as soon as they land. What should you do? • Say yes so the person can contact their sick child • Say no because you need the laptop's remaining battery power to finish your work • Say no because you do not know what effect this device might have on your computer • Say yes on the condition that you finish your work first
ICE BREAKERDiscuss the most commonIT security issues facing your site
Classic Information Security Confidentiality Data Information Integrity Availability
Examples – Loss of Confidentiality • Using another person’s password to log on to a system • Allowing a co-worker to use a secure system for which he/she should not have access after you have logged on • Unencrypted laptop containing sensitive clinical information about the company and/or personal information is stolen or sold, and the information is accessed • Sharing or copying information without proper authorization (e.g., over the phone or by email)
Examples – Loss of Integrity • When a virus infects a computer, corrupting parts of a file thereby making it inaccurate • Input errors while entering sensitive patient information into a database • An automated process that is not correctly written and/or validated processes bulk updates to the database, possibly altering data • An employee accidentally or with malicious intent deletes important patient clinical information
Examples – Loss of Availability • Failure to back up data on a regular basis combined with loss of integrity or hardware failure • Lack of bandwidth due to excessive media streaming • Equipment failures during normal use • An employee accidentally or with malicious intent deletes important patient clinical information
The Parkerian Hexad • Confidentiality • Possession or control • Integrity • Authenticity • Availability • Utility Source: http://www.mekabay.com/overviews/index.htm
What Constitutes Clinical Data Risk? Email and other Documents Case Report Form Clinical Trial Results Participant Contact Information
A Few Top Exploits • Microsoft Remote Desktop - This is the 2012 Remote Desktop Protocol (RDP) Bug that can allow remote code execution. • Adobe PDF-Embedded Social Engineering - The idea is that you can embed and execute the most popular social engineering-style module. • Java AtomicReferenceArray - This may be the first Java exploit that “just works” against all platforms for the vulnerable versions of Java. • Source: https://community.rapid7.com/community/metasploit/blog/2012/05/22/10-hottest-metasploit-exploit-and-auxiliary-modules-in-april
Impact to Clinical Research • Why does clinical data risk matter? • Research participant privacy and safety • Organizational reputation & integrity • Damage containment and litigation costs
Clinical Risk Mitigation Techniques • Deliver Annual Security Awareness Training to create human clinical risk sensors. • Develop automated tools and technologies that minimize opportunities and detect exploits. • Report security incidents immediately and respond with sound security procedures.
Clinical Risk Mitigation Techniques (cont’d) • Schedule clinical data backups; store the backup data offsite in a secure manner. • Verify that software is secure before and after download and installation. • Apply current software patches when they are made available as quickly as possible.
Risk Mitigation Techniques:Data Backup & Uninterruptible Power Supply (UPS) Usage
Risk Mitigation: Data Backup • Always back up your data/information following a defined method and schedule. • Develop procedures that describe: • Person responsible for backups • What to back up • Time and frequency of backups • Where to back up • How to back up
Risk Mitigation: Data Backup Practices • Good data backup practices • Develop and frequently test backup strategies • Verify successful completion and integrity of backup • Define media rotation scheme • Perform trial restorations • Maintain backup log • Train appropriate personnel • Secure devices and media
Risk Mitigation: UPS Usage • Benefits • Offers protection from power outages/interruptions (brown out/sag, line noise) • Enables clean shutdown • Minimizes data corruption/loss • Minimizes hardware failure • Offers surge/spike protection • Note • Available for minimum length of time • Check regularly (monthly) • Source: Wikipedia (http://www.wikipedia.org/)
What is your Password IQ? Source: SANS Institute Security Newsletter for Computer Users, February 2010
Password iq How often should you change your password? • Every 30 days • Every 60 days • Every 90 days • When IT tells you to
PASSWORD IQ (cont’d) One of your co-workers is working on a critical report this weekend and needs access to some of your files. How should you give her your password? • Send it in an email message • Call her on the phone and tell her the password • Don’t give it to her or anybody else • Write it on a piece of paper, seal it in an envelope, and mail it to her
PASSWORD IQ (cont’d) What is the most common password? • Password • 123456 • Qwerty • abc123 Source: PC Magazine
PASSWORD IQ (cont’d) What characters should you use in a password to make it strong? • Letters (lower and upper case) • Numbers • Special characters (~!@#$%^&*) • All of the above
PASSWORD IQ (cont’d) How long should a strong password be at the minimum? • Five characters • Eight characters • As long as possible • Size doesn’t matter
Create Strong Passwords • Use passphrase passwords that are easy to remember, difficult to guess, yet conform to system constraints. • Use passwords without personally identifiable information (PII) or other sensitive data. • Use different passwords for different purposes to limit the risk of exposing multiple sites when one password is compromised.
Password Entropy Source: http://xkcd.com/936/
Keep Your Passwords Safe • Do not share passwords with ANYONE (including IT support). • Change a password immediately if you suspect it has been compromised, shared with another person, or stolen (even if it was encrypted). • Do not store passwords in easily accessible places or in close proximity to your computer.
Activity Write down examples of passwords you would use for the following: • Personal email • Banking website • Social network account
Source: Defense Intelligence Agency Risk Mitigation Technique:Portable Device Security
Portable Device Security • Examples of Portable Devices • Smart phones • Laptops • Tablets (Apple iPad, Motorola Xoom, etc.) • Storage devices (flash drives, iPod, portable hard drives) • Portable Device Vulnerabilities & Threats • Ease of access to device/data • Loss/Theft • Increasing amounts of sensitive data stored • Increasing capabilities (web browsing, applications) • Blurring lines between personal and business use
Portable Device Security (cont’d) • Use a strong personal identification number (PIN), password, or passphrase to protect the information stored on your device. • Limit browsing to well-known and trusted sites. Use secure sockets layer (SSL) encryption for browsing and webmail whenever possible. • Use encryption for sending sensitive information when using an untrusted network. • Keep operating system/firmware and applications up to date. • Exercise caution with opening links and downloading attachments. • Source: www.securingthehuman.org
Portable Device Security (cont’d) • Encrypt sensitive data stored on devices (e.g., PointSecfor PC and FileVault for Mac). • Install anti-malware (virus, spyware, etc.) software and update definitions frequently. • Update operating system and installed applications as recommended by vendor notifications. • Do not use a privileged account to browse the internet – always use a standard account for nonprivileged tasks. • Use a physical lock, when possible, to secure devices. • Source: www.securingthehuman.org
Portable Device Security (cont’d) • Turn on the auto-lock/screensaver feature for the system to timeout after a period of inactivity. • Require a password when device resumes from screensaver. • Install software that enables retrieval and/or remote wipe of device if lost/stolen. • Disable Wi-Fi and Bluetooth and other optional service when not in use. • Only install applications you need, and only from trustworthy sources. • Do not connect personal devices to employer system unless approved. • Source: www.securingthehuman.org
Portable Device Security (cont’d) • Attach an ID label (with minimal information – e.g., contact number or email) to back of portable device with alternate contact information in case it’s lost. • Back up device regularly. • Erase all confidential information before disposing of portable device. • Ensure portable device is permitted by your employer’s policies and any regulatory guidelines applicable to your industry. • Read documentation and terms of service for each software application before you install it. • Source: www.securingthehuman.org
Exploit Example The next set of slides reviews a popular exploit, its impact, and ways to avoid becoming a victim.
Spear Phishing Exploit Phishing The criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords, and financial information by masquerading as a trustworthy entity. Phishing messages usually appear to come from a large and well-known company or website with a broad membership base.
