1 / 44

Data and Network Security: Guarding Your Data

Data and Network Security: Guarding Your Data. William E. Ott, MS, Paramedic CPCS Technologies www . cpcstech . com. JEMS EMS Today 2004 Saturday March 6, 2004. Today’s Data Security Environments Can Be Scary. Changing Technologies.

richardkbrown
Télécharger la présentation

Data and Network Security: Guarding Your Data

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Data and Network Security:Guarding Your Data William E. Ott, MS, Paramedic CPCS Technologies www . cpcstech . com JEMS EMS Today 2004 Saturday March 6, 2004

  2. Today’s Data Security Environments Can Be Scary Changing Technologies Hacker forces Lloyd’s of London to close web site – Jan 2001 Hackers & Extremists Loss of Competitive Advantage TRUST On average, 60% of organisations have suffered a security breach in the last two years - 2001 Security lapse closes Barclays’ online bank – August 2000 One survey found that 90 percent of sampled businesses had experienced computer breaches in a 12 month period – up from 62 per cent in the previous year - March 2001 Opportunities for FRAUD Viruses & Worms “Free” Access for Employees New IT Projects Outsourcing The number of emails containing viruses detected by a leading scanning service rose above the one in 400 mark - August 2001 IT System Crashes Malicious code attacks had $13.2 bn. economic impact in 2001 - Jan 2002

  3. Specific Items to Address • EMS as Information Workers • Information security risks • Network • Wireless • Voice • Social engineering • Information security measures • Firewall • IDS • Antivirus • Business continuity planning • Data backup and restoration

  4. EMS following the FedEx lead? • EMS is following the IT example of FedEx, transitioning from package delivery with associated information to an information management company with the end result of package delivery • EMS is, and should follow this model, from being a emergency response, patient care service with associated information to one of being an information management agency with the end result being quality patient care.

  5. EMS as Information Workers • What is involved? • Electronic patient records • CAD data pre and post response • GIS data pre and post response • System performance data • Application of performance data to the continuing education program • Personnel data • System / Vehicle data • Facility/Event preplan data

  6. Threats to Information Systems • Malicious abuse • Denial of Service and related attacks • Virus, Worm, and Trojan attacks • Outside Hacker attacks • Theft of service • Theft of information • Poorly trained IT staff • Not staying current with system patches, antivirus definitions, etc.. • Not performing proper system maintenance • Poor or no backup and contingency plans

  7. Do you have an IT Security Plan? • Harden and Secure for known issues • Prepare with policies and education • Detect intrusions and threats • Respond to intrusions and threats • Improve IT security measures and policies

  8. What can happen to my data? • Lost data or missing data is inaccessible • Stolen data has been accessed or copied without authorization • Inaccurate data was entered incorrectly, deliberately or accidentally altered, or not updated

  9. Causes for Concern • 94%+ of corrupt, compromised, or deleted data is because of user error, mistake, hardware failure, or deliberate misuse • 78%+ of malicious damage to data is attributed to ‘trusted’ personnel according to FBI/CERT statistics for 2002

  10. Threats to Productivity • Spam • wastes resources • wastes time • offensive, dangerous • Popup ads • wastes resources • annoying • Malicious use of resources • wastes bandwidth, storage • violates law and privacy

  11. Threats to Privacy / Confidentiality • No security plan • No security training or awareness • Smart or Meta Tags in shared documents • Social Engineering • Unencrypted network • Unencrypted e-mail • No firewall • No antivirus system • Rogue wireless • PDAs connecting to network and servers

  12. What is driving improved Security? • Health Insurance Portability and Accountability Act (HIPAA) • Maturation of existing data systems • Inexpensive to implement security on new data systems • It’s the right thing to do

  13. Data Security Issues • Development of user levels • Education of users • Proper use policies • Improper info via unsecured e-mail • Intrusion detection systems / scans • Antivirus protections

  14. Some Security Options • Virtual Private Networking (VPN) • Active AntiVirus Screening • Stateful packet inspection Firewalling • Proxy servers • Opt-in e-mail • Database encryption • E-mail encryption • Network / PC security policies • Two Factor User Authentication • Aggressive Audit logging and review

  15. Virtual Private Network • A VPN is defined as a system in which two or more networks are connected through a third, untrusted, network. • The two networks are usually a main office and a satellite office, and the third network is usually the Internet.

  16. VPN Diagram

  17. E-mail Security • E-mail is the most used network application • Very insecure as Internet developed • Security has been a low priority for all but a few • Phil Zimmerman – Pretty Good Privacy (PGP) • Digital Certificates • Symmetric or Asymmetric encryption • Think about opt-in or digital certificates to control spam

  18. Ultimate Goal: Information Control • Easy to use • Simple model • Native environment • Dependable Security • Dependable Authentication • Persistent and Dynamic Control when applicable • Use control (copy and print) • Comprehensive Auditing • Supports breadth of content types • Scalable and deployable

  19. Solutions & Suggestions • Tie security to ROI – what is the competition doing, positive PR, etc. (at minimum tie it to loss mitigation costs ) • Remind Privacy Rule & statute mandate sound security practices • Educate, educate, educate • Use horror stories judiciously

  20. Solutions & Suggestions • Present options, accept risk and remain flexible • Remember brevity with top executives – make your point quickly and avoid fluff • Cultivate security advocates within and outside the organization • Incorporate a bottom up approach (I.e., train end users, period security announcements to staff, etc.)

  21. Information Security – A Human Behavioral Problem What Does FBI Say About Companies: 91% have detected employee abuse 70% indicate the Internet as a frequent attack point 64% have suffered financial losses 40% have detected attacks from outside 36% have reported security incidents. Source: FBI Computer Crime and Security Survey 2001 What Do Companies Say: 66% have information security problems 65% were attacked by own employees 51% see information security as a priority 40% do not investigate security incidents 38% have detected attacks that blocked their IT systems Only 33% can detect attacks and intrusions Source: EY Information Security Survey 2001 - 2002 Causes of Security Incidents Source: EY Information Security Survey 2001

  22. Prevention Detection RISK FACTORS Application Security Correction Data Logical Security Physical Security Information Security – A Dynamic Process • Security Policies, Standards, and Procedures • Risk Analysis • Identification of Vulnerabilities • Employee Training, Education, and Awareness • Implement strong authentication / encryption • Use digital signatures & PKI solutions • Performance Indicators • Intruder Detection • Anti-Virus Solutions • Periodic Security Analyses (especially after the implementation of new IT systems) • Attack & Penetration Analyses (Ethical Hacking) • Analysis of IT systems’ logs • Threat & vulnerability analysis • Security infrastructure • Continuity Plans (BCP/DRP) • Incident Response Management • Hot Resources

  23. Internet Security Assess Intranet Security Assess Extranet Security Assess Remote Access Assess Attack & Penetration PHASE I Discover/Scan PHASE II Exploitation Threat & Vulnerability PHASE III Host Vulnerability Assessment Security Infrastructure PHASE IV Administrative Controls Review Attack & Penetration / Profiling • An ethical hacking and profiling assessment in order to: • Identify the technical security vulnerabilities and weaknesses • Develop corrective technical actions • Focused on multiple access verifications as well as technical and administrative controls.

  24. What Are Potential Disasters? • External • Storms (hurricanes, tornados, floods, hail…) • Accidents (planes, trains, automobiles, hazardous mat.) • Regional Outages (power, communications…) • Violence (civil unrest, terrorist acts, bioterrorism…) • Internal • Hardware Failures (servers, data stores, cyber attacks..) • Accidents (fires, water leaks, electrical…) • Violence (disgruntled employee, corp. sabotage…)

  25. What Are The Chances? • Computing Probability of Occurrence • Trying to construct a probabilistic model by type of exposure reaches diminishing returns very quickly. • Should a low probability of occurrence in a given area alter the scope of a BCP Plan? • Responsible BCP Planning • Assesses the environment and mitigates the obvious risks. (servers in a basement in a flood plane area) • Hopes for the best, but must plan for the worst.

  26. Data Disaster Facts • Disaster Recovery Journal reportstwo in five companies are not able to reopen after a disaster • Gartner Group Information loss is more critical than hardware failure or loss • Ontrack Dataresearch indicates that 80% of its data loss customers regularly back up their data, only to find them less than adequate at the critical moment they need to restore. Despite technological advances in the reliability of magnetic storage media, data loss continues to rise, making data recovery more important than ever

  27. Why Does This Happen • Systems becoming more complex • Focus on Backup Not Recovery • Shrinking Backup Window • Write-Verify Function Turned Off • Application/Data Available 24 x 7

  28. Gartner Group: Key trends • By year-end 2003, 80 percent of mobile workers will have at least two computing devices, and 40 percent will have three. • Windows CE (PocketPC) will dominate in the industrial handheld market space. • Web-enabled phones are widely available; first-generation content was a curiosity, second-generation useful • Software complexity will remain the biggest barrier to mobile productivity. • Widespread embedded Bluetooth is 2004 phenomenon. • Mobile network bandwidth will not be a barrier to compelling applications. • Spending on network capabilities will provide more productivity than spending on processors.

  29. Mobility – PAN, LAN, WAN 802.11b Local Area Network wLAN Bluetooth Personal Area Network (PAN) Wide Area Network (WAN) WirelessBridge LAN GPS <1Mbs • Access • Synchronization • 10 Meters WorkgroupSwitches <11Mbs 9.6 Kbit/s <2Mbs • Access • “hot spots” • LAN equivalent • Voice • SMS • e-Mail • Web browsing • mCommerce • Internet access • Document transfer • Low/high quality video

  30. Security’s Challenges IT Managers are faced with security challenges for internal and external environments. Secure Transactions Secure the pipe Internet Extranet Intranet Access Authentication Protect Corporate Assets

  31. Friend or Foe?

  32. Technology Introduction • Extensions and sub-standards • 802.11a – 5Ghz band, 6 - 54Mbit/sec (“WiFi5”) • 802.11b – 2.4Ghz band, 1 - 11Mbit/sec (“WiFi”) • 802.11c – Bridge Operation Procedures • 802.11d – Global Harmonization • 802.11e – MAC Enhancements for QoS • 802.11f – Inter Access Point Protocol (roaming) • 802.11g – 2.4Ghz band, “20+ Mbit/sec” • 802.11h – Spectrum Managed 802.11a (European) • 802.11i - MAC Enhancements for Enhanced Security

  33. Technology Introduction • What is 802.11? • 802.11b and 802.11g interoperate • There are devices that implement 802.11a and 802.11b/g

  34. Technology Introduction • Security • WEP – 64 or 128 bit “standard” • Agere – 152 bit • US Robotics – 256 bit • 802.1x EAP • “Just a framework” • TKIP • Temporal Key Integrity Protocol – Rotating Keys • Vendor specific at this time • AES • Long-term solution requiring more horsepower

  35. 802.11a/b/g weakness Rogue AP Compromise of encryption key Hardware theft is equivalent to key theft Packet spoofing, disassociation attack Known plain-text attack Brute force attack Passive monitoring

  36. Hardware Changes • Commercial Products • Many consumer products are being used in the “commercial” arena

  37. Software Changes • Consumer side • Plug-N-Play • Insecure Defaults • Remain difficult to configure • WinXP • Notifies users of unsafe networking

  38. Attitude Changes • Widespread Acceptance • Trains, Planes, Automobiles and phone booths • McDonalds in San Francisco • $4.95 for 2 hours, or free with food purchase Public WLAN Hot Spots Worldwide *ProjectedSource: Dataquest Inc., San Jose

  39. Wireless security focus areas 1 2 3 VPN 4 SSL/TLS Devices AirTransmissionsPANLAN WAN PublicNetworks Private Networks Applications Mobility Wireless Traditional Security

More Related