Introduction to Cybersecurity & Information Assurance for FQHCs April 13, 2011
Presentation Transcript

  1. Introduction to Cybersecurity & Information Assurance for FQHCs April 13, 2011 Amelia Muccio Director of Emergency Management amuccio@njpca.org

  2. Objectives • Cybersecurity • Information assurance • FQHCs as target • Cyber threats/risks • Vulnerabilities • Countermeasures • Safeguarding • Promoting a culture of security

  3. Serious Threat • Richard Clarke was famously heard to say, "If you spend more on coffee than on IT security, then you will be hacked. What's more, you deserve to be hacked.” • The growing number of attacks on our cyber networks has become, in President Obama’s words, “one of the most serious economic and national security threats our nation faces.”

  4. Who & What is At Risk? • Economy • Defense • Transportation • Medical • Government • Telecommunications • Energy Sector • Critical Infrastructure • Computers/Cable TV/Phones/MP3/Games

  5. Fundamental Concepts of Information Assurance • Confidentiality (privacy) • Integrity (quality, accuracy, relevance) • Availability (accessibility) • CIA triad

  6. Internet • In 1995, 16 million users (0.4% of the world population) • In 2010, 1.6 billion users (23.5%) • Physical and cyber security cannot be treated separately; they are intertwined.

  7. How Does an Attack Happen? • Identify the target • Gather information • Plan/Prepare the attack • Attack

  8. Information Gathering

  9. Attack Trends • Increasing sophistication • Decreasing costs • Increasing attack frequency • Difficulties in patching systems • Increasing network connections, dependencies, and trust relationships

  10. What Threatens Information? • Misuse • Disasters • Data interception • Computer theft • Identity/password theft • Malicious software • Data theft/corruption • Vandalism • Human error

  11. Threats • A threat is any potential danger to information and systems • 3 levels of cyber threats • Unstructured • Structured • Highly structured

  12. Unstructured Threats • Individual or small group with little or no organization or funding • Easily detectable information gathering • Exploits based on documented flaws • Targets of opportunity • Gain control of machines • Motivated by bragging rights, thrills, access to resources

  13. Structured Threats • Well organized, planned and funded • Specific targets and extensive information gathering to choose the avenue and means of attack • Goal: data stored on machines, or the machines themselves • Exploitation may rely on insider help or an unknown flaw • The target drives the attack • Organized crime/black hat hackers

  14. Highly Structured Threats • Extensive organization, funding and planning over an extended time, with goal of having an effect beyond the data or machine being attacked • Stealthy information gathering • Multiple attacks exploiting unknown flaws or insider help • Coordinated efforts from multiple groups • “Cyber warfare”

  15. Web as Weapon • Infrastructure run by computers • Government SCADA system • Overflow dam, disrupt oil supply • Sewage plant in Australia overflowed due to black hat hackers • Cyberterrorism (Bin Laden and Aum Shinrikyo) • Combined attack • Cause power outage and biological attack • EMS disruption and nuclear emergency • Next war fought with code & computers

  16. Hackers and Crackers • White hat hacker: curious, explores our own vulnerabilities, motivated by bragging rights or "just did it". • Black hat hacker/cracker: malicious intent, exploits vulnerabilities for monetary profit or gain or to perpetrate a crime; organized crime. • Gray hat hacker: helpful or ethical hacker, motivated by a sense of good. Cowboys. • Gray hats find vulnerabilities and notify the company so they can be fixed and resolved.

  17. Gray Hats • Adrian Lamo • Found vulnerabilities, informed the company • WorldCom, Google, NYTimes, Bank of America, NASA • NYTimes used SSNs as passwords • Edited a Yahoo story • Robert Lyttle • DoD, Pentagon • Both got into trouble!

  18. Early Days…Phone Phreaking • 2600 Hz Tone • Captain Crunch Whistle & 4th E above Middle C • Long whistle reset line, then dial w/whistle • Tricked phone companies/tone dialing • Free long distance and international calls

  19. Risk • Threat + Vulnerability • Likelihood of an undesirable event occurring combined with the magnitude of its impact • Natural • Manmade • Accidental or intentional • People are the weakest link

  20. Risk Management • Identifying and assessing risk, reducing it to an acceptable level and implementing mechanisms to maintain that level • Protect against: • Physical damage • Human error • Hardware failure • Program error • Cyber attack

  21. Risk Handling Discussion • Risk reduction (countermeasures, HVA) • Risk transference (insurance) • Risk acceptance (may happen) • Risk rejection (do nothing) • Security assessments are an important part of risk management • Penetration testing • Identify all vulnerabilities and threats to information, systems and networks

  22. Contingency Planning Components • How to handle disruption? • Business continuity • Disaster recovery • Incident response

  23. Recovery Strategy • A recovery strategy provides direction to restore IT operations quickly and effectively • Backup methods • Alternate sites • Equipment replacement • Roles and responsibilities • Cost considerations

  24. BCP • A comprehensive written plan to maintain or resume business operations in the event of a disruption • Continue critical business operations • Triggered by events that jeopardize normal operations • Covers the most critical operations • May require alternate sites (hot, warm, cold) • What do we need to KEEP going?

  25. DRP • A comprehensive written plan to return business operations to the pre-disruption state following a disruption • Restore IT functions (prepare and restore) • Triggered by events that jeopardize normal operations • Includes all operations • RETURN TO NORMAL BUSINESS OPERATIONS • WHAT DO WE NEED TO DO IN CASE OF A DISASTER?

  26. Plan Testing, Training and Exercising • Testing is critical to ensuring a viable contingency capability • Conduct plan exercises • Tabletop exercises (TTXs) are useful

  27. Policies and Procedures • Establish security culture • Establish best security practices • Define goals and structure of security program • Educate personnel • Maintain compliance with any regulations • Ex: email policy, Internet usage, physical security

  28. Physical Security Countermeasures • Property protection (doors, locks, lighting) • Structural hardening (construction) • Physical access control (authorized users only) • Intrusion detection (guards, monitoring) • Physical security procedures (escort visitors, logs) • Contingency plans (generators, off-site storage) • Physical security awareness training (recognizing suspicious activity)

  29. Personnel Security • Practices established to ensure the safety and security of personnel and other organizational assets • It's ALL about people • People are the weakest link • Reduce vulnerability to personnel-based threats

  30. Personnel Security Threat Categories • Insider threats: most common, difficult to recognize • Includes sabotage and unauthorized disclosure of information • Social engineering: multiple techniques are used to extract information from authorized employees, and that information is then used in conjunction with an attack • Employees are often not aware of the value of the information they hold

  31. Social Engineering • Being fooled into giving someone access when the person has no business having the information.

  32. Dumpster Diving and Phishing • Dumpster diving: rummaging through a company's garbage for discarded documents • Phishing: usually takes place through fraudulent emails requesting that users disclose personal or financial information • Emails appear to come from a legitimate organization (e.g., PayPal)
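The fraudulent-email pattern on this slide (a message that claims to be from a legitimate organization but is not) leaves checkable traces in the headers and links. The following is an added example, not material from the presentation: it applies three such checks to a constructed phishing message and a constructed legitimate message. The sender domains, the `BRAND_DOMAINS` table, and both messages are illustrative assumptions; `paypal.com` appears only because the slide names PayPal as the impersonated brand.

```python
"""Added example (not from the slides): header and link checks that catch the
fraudulent-email pattern described above. Both messages and all domains below
are constructed for illustration; nothing is read from a real mailbox."""
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brand names a spoofer puts in the display name, mapped to the domain that
# legitimately sends for that brand. Illustrative assumption, not a maintained list.
BRAND_DOMAINS = {"paypal": "paypal.com"}

# Anchor text that is itself a URL or hostname (so a display/href mismatch is meaningful).
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


def registered_domain(host):
    """Crude last-two-labels domain; adequate for the .com / .example hosts used here."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw_message):
    """Return human-readable indicators for one RFC 822 message; empty means none fired."""
    msg = email.message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = registered_domain(addr.split("@")[-1]) if "@" in addr else ""
    findings = []

    # 1. Display name invokes a brand whose real sending domain does not match.
    for brand, real_domain in BRAND_DOMAINS.items():
        if brand in display.lower() and from_domain != real_domain:
            findings.append(f"display name claims {brand!r} but sender domain is {from_domain}")

    # 2. Replies are steered to a domain other than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply:
        reply_domain = registered_domain(reply.split("@")[-1])
        if reply_domain != from_domain:
            findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 3. Anchor text shows one host while the href points at another.
    body = msg.get_payload(decode=True) or b""
    collector = LinkCollector()
    collector.feed(body.decode(msg.get_content_charset() or "utf-8"))
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        text_host = ""
        if URL_LIKE.match(text):
            text_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if text_host and registered_domain(text_host) != registered_domain(href_host):
            findings.append(f"link text shows {text_host} but points to {href_host}")
    return findings


# Constructed sample: the brand-impersonation message the slide describes.
SAMPLE_PHISH = """\
From: "PayPal Service" <security@paypa1-accounts.example>
Reply-To: collect@mailer.example
To: clinic-admin@fqhc.example
Subject: Your account has been limited
Content-Type: text/html; charset="utf-8"

<p>We noticed unusual activity. Please visit
<a href="http://paypa1-accounts.example/login">https://www.paypal.com/signin</a>
within 24 hours to restore access.</p>
"""

# Constructed sample: an internal notice that should raise nothing.
SAMPLE_LEGIT = """\
From: "Clinic IT" <it-help@fqhc.example>
To: clinic-admin@fqhc.example
Subject: Maintenance window Saturday
Content-Type: text/html; charset="utf-8"

<p>Details are on <a href="https://intranet.fqhc.example/maintenance">intranet.fqhc.example</a>.</p>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(sample) or ["no indicators"])
```

None of the three checks proves fraud on its own (a marketing vendor legitimately sets a foreign Reply-To, for example); they are the cues to surface to a user or a mail gateway rule, and a brand table like `BRAND_DOMAINS` has to be maintained against the organizations your staff actually deal with.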

  33. P & P • Acceptable use policy-what actions users may perform while using computers • Personnel controls-need to know, separation of duties • Hiring and termination practices-background checks, orientation, exit interview, escorting procedure

  34. Private Branch Exchange (PBX) Systems • Toll fraud • Disclosure of information • Unauthorized access • Traffic analysis • Denial of Service (DoS)

  35. PBX Threat Countermeasures • Implement physical security • Restrict access to maintenance ports • Enable alarms/audit trails • Remove all default passwords • Review the configuration of your PBX against known hacking techniques

  36. Data Networks • For computers to communicate • Less expensive to reuse the existing telephone network than to build a separate one • Modems were designed to leverage this asset

  37. Modem Threats • Unauthorized and misconfigured modems • Authorized but misconfigured modems

  38. Wardialing • Hackers use a program that calls a range of telephone numbers until it connects to an unsecured modem and allows them dialup access • Identify potential targets

  39. Modem Threat Countermeasures • Policy • Scanning • Administrative action • Passwords • Elimination of modem connections • Use a device to protect against telephony-based attacks and abuses

  40. Voice Over Internet Protocol (VoIP) • VoIP is a technology that allows someone to make voice calls using a broadband Internet connection instead of a regular (analog) phone line

  41. VoIP Benefits and Threats • Less expensive • Increased functionality • Flexibility and mobility • Service theft • Eavesdropping • Vishing • Call tampering

  42. VoIP Threat Countermeasures • Physical control • Authentication and encryption • Develop appropriate network architecture • Employ VoIP firewall and security devices

  43. Data Networks • Computers linked together • Hosts (computers, servers) • Switches and hubs • Routers

  44. Common Network Terms • Local Area Network (LAN)-network grouped in one geographic location • Wide Area Network (WAN)-network that spreads over a larger geographic area • Wireless LAN (WLAN)-is a LAN with wireless connections

  45. Data Network Protocols • Transmission Control Protocol (TCP): moves data across networks with a connection-oriented approach • User Datagram Protocol (UDP): moves information across networks with a connectionless approach • Internet Control Message Protocol (ICMP): used by operating systems to send error and diagnostic messages across networks • Hypertext Transfer Protocol (HTTP): transfers web pages and hypermedia

  46. Data Network Threats • Information gathering • Denial of Service (DoS) • Disinformation • Man-in-the-middle • Session hijacking

  47. Information Gathering Threats/Network Scanning • What targets are available? • Reduces the attacker's wasted effort • One of the most common pre-attack identification techniques is called scanning • Scanning uses the ICMP service "PING" • PING SWEEP: echo request to a range of addresses (provides a list of potential targets) • Are you there? Yes, I am there. • A firewall should block or rate-limit inbound echo requests

  48. Sniffing • A sniffer is a program that monitors and analyzes network traffic and is used legitimately or illegitimately to capture data transmitted on a network

  49. Denial of Service (DoS) • Degrade or prevent operations/functionality • A distributed denial of service (DDoS) attack uses multiple attack machines simultaneously • Example: a vast number of ICMP echo request packets are sent to the target, overwhelming its capacity to process all other traffic

  50. Ping Flood/Ping of Death • Ping flood: too much ping traffic drowns out all other communication • Ping of Death: oversized or malformed ICMP packets cause the target to reboot or crash • The host cannot cope with the ping packets • Ping of Death relies on a buffer overflow: IP fragments that reassemble to more than the 65,535-byte IPv4 maximum overrun the reassembly buffer • Buffer overflow: the size of the input exceeds the size of the storage intended to receive it, so adjacent memory is overwritten
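Slides 47 through 50 describe what a sniffer sees on the wire and three ICMP abuses a defender should recognize: a ping sweep (one source probing many hosts), a ping flood (one source hammering one host) and the Ping of Death (fragments that would reassemble past the IPv4 length limit). The following is an added example, not code from the presentation: it decodes raw IPv4 packets the way a sniffer does and applies those three checks to a constructed capture. All packets are built in the script with `struct.pack`; the addresses, thresholds and the `detect_icmp_abuse` function are illustrative assumptions, and checksums are left zero because the detector never reads them.

```python
"""Added example (not from the slides): parse raw IPv4 packets as a sniffer
would, then flag ping sweeps, ping floods and Ping-of-Death fragments.
Every packet here is constructed with struct.pack; nothing is captured live."""
import struct
from collections import defaultdict

IPPROTO_ICMP = 1
ICMP_ECHO_REQUEST = 8
MAX_IPV4_LEN = 65535  # total length is a 16-bit field; reassembly past it is invalid


def ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_ipv4(src, dst, proto, data, frag_offset=0, more_fragments=False):
    """Construct an IPv4 packet (checksum left zero; the detector ignores it).
    frag_offset is in 8-byte units, exactly as carried on the wire."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(data), 0x1234, flags_frag,
                         64, proto, 0, ip_bytes(src), ip_bytes(dst))
    return header + data


def echo_request(src, dst, payload=b"\x00" * 56):
    """An ICMP echo request ("Are you there?") as sent by ping."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 1, 1) + payload
    return build_ipv4(src, dst, IPPROTO_ICMP, icmp)


def parse_ipv4(packet):
    """Decode the header fields a detector needs from one raw IPv4 packet."""
    (ver_ihl, _tos, total_len, _ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    frag_offset = (flags_frag & 0x1FFF) * 8  # byte offset within the reassembled datagram
    # Only the first fragment carries the ICMP header, so only it has a type.
    icmp_type = packet[ihl] if proto == IPPROTO_ICMP and frag_offset == 0 else None
    return {
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "proto": proto,
        "icmp_type": icmp_type,
        "frag_offset": frag_offset,
        "data_len": total_len - ihl,
    }


def detect_icmp_abuse(packets, sweep_hosts=8, flood_requests=100):
    """Run three checks over one capture window of raw packets.

    sweep:         one source sends echo requests to >= sweep_hosts distinct hosts
    flood:         one source sends >= flood_requests echo requests to one host
    ping_of_death: an ICMP fragment that would reassemble past 65,535 bytes
    Thresholds are illustrative; tune them to the network's baseline."""
    targets = defaultdict(set)
    requests = defaultdict(int)
    ping_of_death = set()
    for raw in packets:
        p = parse_ipv4(raw)
        if p["proto"] != IPPROTO_ICMP:
            continue
        if p["frag_offset"] + p["data_len"] > MAX_IPV4_LEN:
            ping_of_death.add(p["src"])
        if p["icmp_type"] == ICMP_ECHO_REQUEST:
            targets[p["src"]].add(p["dst"])
            requests[(p["src"], p["dst"])] += 1
    return {
        "sweep": sorted(s for s, d in targets.items() if len(d) >= sweep_hosts),
        "flood": sorted(k for k, n in requests.items() if n >= flood_requests),
        "ping_of_death": sorted(ping_of_death),
    }


def sample_capture():
    """Constructed traffic: two normal pings, a 12-host sweep, a 150-packet flood,
    and one Ping-of-Death fragment (offset 65,472 + 64 data bytes = 65,536)."""
    pkts = [echo_request("10.0.0.5", "10.0.1.1"), echo_request("10.0.0.5", "10.0.1.1")]
    pkts += [echo_request("10.0.0.99", f"10.0.1.{n}") for n in range(1, 13)]
    pkts += [echo_request("198.51.100.7", "10.0.1.5") for _ in range(150)]
    pkts.append(build_ipv4("203.0.113.9", "10.0.1.5", IPPROTO_ICMP,
                           b"\x00" * 64, frag_offset=8184))
    return pkts


if __name__ == "__main__":
    for kind, hits in detect_icmp_abuse(sample_capture()).items():
        print(f"{kind}: {hits}")
```

The Ping-of-Death check is the same arithmetic the reassembly code should have done: fragment offset plus fragment data length must never exceed 65,535, and a stack that copies such a fragment into a fixed 65,535-byte buffer without that check is exactly the buffer overflow the slide names. On a live network the `packets` iterable would come from a raw socket or a pcap reader, and the sweep and flood thresholds would be set from an observed baseline rather than the round numbers used here.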