Information+security rutgers(final)
  • No deep dive.
  • Social engineering: often used in conjunction with blind and double-blind testing, social engineering is gaining critical or sensitive information through social interaction, typically with the organization’s employees, suppliers, and contractors. Techniques may include posing as a representative of the IT department’s help desk to obtain user account and password information, posing as an employee to gain physical access to restricted areas, intercepting mail, or even dumpster diving to search for sensitive materials. It tests whether the organization’s people contribute to, or prevent, unauthorized access to information and information systems.
  • Security posture is not static. It is dynamic and can change based on the quality of the continued execution of the program elements. It requires active management of the security program to maintain a given security posture.
  • Proprietary is not always more secure. Open source software is often misunderstood as “free” software. With open source software, the source code is available to the user or purchaser, whereas with most software only the executable or object code is available. The security implications are debated, but most believe that the ability of users to examine open source code results in systems with fewer unanticipated vulnerabilities.
  • Record keeping is mandatory. The OSI (Open Systems Interconnection) model was first defined and published as an international standard (ISO/IEC 7498-1) in 1984 and last revised in 1994. Strengths: established, flexible. Weaknesses: complex. Encapsulation is the process of wrapping the data with headers, and sometimes trailers, before sending. Layering separates the function of each layer. The TCP/IP model functions like the OSI model and maps onto it; it is simpler and network-centric, and does not describe the function of the application in enough detail. Does your organization keep records on, or otherwise keep track of, network, data, and system intrusions? How long are they kept? How about insider intrusions? Network security is a cornerstone of business operations because network connectivity provides an easy and consistent venue for an attack. Availability: uptime; here we look for single points of failure. Non-redundant components can be reinforced. Redundancy has to be built into a system at the network, application, and/or process level, including backup networks. Confidentiality: wireless networks are vulnerable to sniffing. Message protection: non-repudiation is the assurance that a specific author did actually send a specific item to specific recipients. Effective non-repudiation is accomplished through the use of digital signatures and encryption. High redundancy. 8) Defense in depth: hurdles.
  • Network attackers: an attacker will take the path of least resistance, and most known issues are known to both the defender and the attacker. It is important to have a documented topology. Single points of failure are to be avoided. Wireless 802.11: wireless local area networks, from the wired network to the station. Both wireless and wired technologies are susceptible to sniffing (the capture of traffic in transit). Cloud computing is the provisioning of IT services over the cloud, the Internet; the term “cloud” is based on the depiction of the Internet as a cloud. Some of the services provided in the cloud are data storage, software, security, communications, etc. Security issues: since the services are provided by a third party, trust is a major concern. Connections: VPN? Sharing of data and cross-border data transfer: where cloud services are provided, it may be challenging to ensure control over cross-border transmission of traffic. Network partitions: firewalls are used to separate trusted from untrusted networks; again, no single points of failure, defense in depth, stateful inspection. A complete firewall solution has the firewall handling traffic and denying or permitting access correctly (the functional requirement), and the logging and monitoring aspect addressing the assurance requirements of the firewall solution by ensuring that the firewall is working properly and providing the expected level of protection in relation to the risks that the firewall was intended to control.
  • There are a number of risk assessment models available: OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation); NIST SP 800-30; SSE-CMM (System Security Engineering Capability Maturity Model); others.
  • Administrative categories to assess: review of policies and procedures, implementation, enforcement, penetration testing, vulnerabilities, demonstration, logs, walkthrough. Technical safeguards: detailed wired/wireless network designs; secure workstation use (documentation of specific guidelines for each class of workstation); procedures for encryption and decryption of EPHI. Physical safeguards: data backup and storage; disposal. Administrative safeguards: risk management methodology; information access management; security awareness and training; privacy policies; business associate agreements. Quantitative: estimate single loss expectancy, annualized rate of occurrence, and annual loss expectancy to estimate potential losses.
  • An organization should take positive, proactive actions. National Institute of Standards and Technology: recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, the President, under the Executive Order “Improving Critical Infrastructure Cybersecurity,” has directed NIST to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure. The Framework will consist of standards, guidelines, and best practices to promote the protection of information and information systems supporting critical infrastructure operations. The prioritized, flexible, repeatable, and cost-effective approach of the framework will help owners and operators of critical infrastructure to manage cybersecurity-related risk while protecting business confidentiality, individual privacy and civil liberties. Vulnerability assessment tools: an audit trail is a record of system activities. More specifically, an audit trail is a chronological record of system activities that makes it possible to reconstruct, review, and examine the sequence of activities, which can then be used to indicate a possible intrusion or to investigate an incident. Data generated by system, network, application, or user activities are recorded. The configuration of an audit trail should include data about network connections, system-level events, application-level events, user-level events (i.e. keystroke activity), and event filtering. It may be necessary to use some type of event filtering or clipping level. Attackers often try to scrub audit logs to cover their attacks. Penetration testing (pen tests, also called ethical hacking) consists of a formal set of steps and procedures similar to the tricks and techniques an intruder would be likely to use. The purpose is to evaluate how well the enterprise can thwart an attack and how it might be compromised by a potential attack.
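The note above asks for an audit trail that records user-level events, applies a clipping level, and survives an attacker's attempt to scrub it. The following is an added example, not code from the presentation, showing one way to get those properties: each record is hash-chained to the previous one so that a removed or altered entry is detectable, and a clipping-level filter only reports a user once a count of events reaches the threshold. The event data, user names and field names are constructed for the example.

```python
"""Added example: a tamper-evident audit trail with a clipping-level filter.
Not part of the presentation; all records below are constructed sample data."""
import hashlib
import json
from collections import Counter

GENESIS = "0" * 64  # 'prev' value for the very first record


def _digest(body):
    # Hash every field except the hash itself, in canonical key order,
    # so the same record always produces the same digest.
    payload = {k: v for k, v in body.items() if k != "hash"}
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


def append_record(chain, record):
    """Append a record whose 'prev' field is the hash of the previous entry."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    body = dict(record, prev=prev_hash)
    body["hash"] = _digest(body)
    chain.append(body)
    return body


def verify_chain(chain):
    """Return the index of the first broken link, or None if the trail is intact.
    A deleted entry breaks the 'prev' link of its successor; an edited entry
    no longer matches its own stored hash."""
    expected_prev = GENESIS
    for i, rec in enumerate(chain):
        if rec.get("prev") != expected_prev or _digest(rec) != rec.get("hash"):
            return i
        expected_prev = rec["hash"]
    return None


def exceeds_clipping_level(chain, event, threshold):
    """Users whose count of `event` meets or exceeds the clipping level.
    Below the threshold the events are kept in the trail but not reported."""
    counts = Counter(r["user"] for r in chain if r["event"] == event)
    return sorted(u for u, n in counts.items() if n >= threshold)


# Constructed sample of user-level events (timestamps and names are made up)
SAMPLE_EVENTS = [
    {"ts": "2013-03-18T08:00:01", "user": "jdoe", "event": "login_ok"},
    {"ts": "2013-03-18T08:01:10", "user": "mallory", "event": "login_fail"},
    {"ts": "2013-03-18T08:01:12", "user": "mallory", "event": "login_fail"},
    {"ts": "2013-03-18T08:01:15", "user": "mallory", "event": "login_fail"},
    {"ts": "2013-03-18T08:02:00", "user": "jdoe", "event": "login_fail"},
    {"ts": "2013-03-18T08:05:30", "user": "mallory", "event": "read_ephi"},
]


def build_sample_chain():
    chain = []
    for ev in SAMPLE_EVENTS:
        append_record(chain, ev)
    return chain


def with_entry_removed(chain, index):
    """Copy of the trail with one record scrubbed, to exercise verify_chain."""
    return chain[:index] + chain[index + 1:]


if __name__ == "__main__":
    trail = build_sample_chain()
    print("intact trail, first broken link:", verify_chain(trail))
    print("scrubbed trail, first broken link:", verify_chain(with_entry_removed(trail, 1)))
    print("users at clipping level (3 failed logins):",
          exceeds_clipping_level(trail, "login_fail", 3))
```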
  • Core Measure 15: regardless of which risk assessment process is selected, there is likely to be a gap or a need for a corrective action plan. Analyze the current state: identify assets, threats, vulnerabilities and business impact; perform a technical risk assessment through appropriate testing; review existing control documentation; interview key personnel to understand concerns. Develop a strategy for improvement or corrective action plan: prioritize identified risk and exposure; perform root cause analysis; develop potential solutions; prepare recommendations for improvements; assess existing versus target process maturity. Communicate and manage risk: consider high-level strategies to facilitate improvement; rate proposed recommendations by impact and success potential; prepare a business case for identified solutions.
  • Risk mitigation: risk appetite; prioritization; approaches to dealing with risk (accept risk, transfer risk, eliminate risk, reduce risk); an evolving process.
  • Best practices: firewalls; physical security systems (electronic access control systems, badging systems, CCTV, etc.); encryption of critical data in transit; role-based access control; intrusion detection systems monitored by a person; information assurance technologies that track access and use of organizational data; automated patch management; intrusion detection systems monitored by automated systems with built-in alarms; two-factor authentication; wireless monitoring; keystroke monitoring of individual users.


  • 2. Amy Walker, MS, RN, CPHQ, FACHE, NEA-BC. Healthcare System Critical Care RN, Certified Nurse Manager; Director of Informatics; CIO Boot Camp (CHIME); Chief Clinical Information Officer (CCIO); Technology Provider: large-scale development, implementation, strategic account management, consulting; DoD Health Affairs; HIPAA, Healthcare Compliance, Security, and Data Exchange; Interim CIO; Entrepreneur; Fellow in the American College of Healthcare Executives; Certified as a Healthcare Quality Professional; Certified as an Advanced Nurse Executive; 2010 President of the National Capital of Healthcare Executives; Nominated Member of the Women’s Business Leaders of the U.S. Healthcare Industry Foundation
  • 3. We Will Discuss Today: IT Security Pillars; How to Appropriately Construct Policies and Procedures; Develop, Implement, Enforce Security Standards and Risk Assessment; Effective Strategies; System Architecture and Design; An Overview of Security Issues and Solutions
  • 4. SWOT Analysis
    • Strengths: Identified Security Officer; Tight Integration Between Roles
    • Weaknesses: Knowledge Deficit; Not Practicing to Standards; Deficient Risk Assessment Process
    • Opportunities: Are Great
    • Threats: Are Great
  • 5. Obama meets with CEOs to push cyber-security legislation. The meeting, in hopes of getting the stalled legislation passed, comes a day after intelligence officials warn of the threat to national security. March 13, 2013 | By Ken Dilanian and Jessica Guynn, Los Angeles Times. "What is absolutely true is that we have seen a steady ramping up of cyber-security threats," President Obama said on ABC's "Good Morning America." "Some are state-sponsored. Some are just sponsored by criminals." (Evan Vucci / Associated Press)
  • 6. Security Problems Hit Close To Home. Dear user: As a follow up to our last email communication about the identified security vulnerability in the XYZ system, the U.S. General Services Administration (GSA) is taking all possible steps to protect and inform xyz users, especially those that use their social security numbers for purposes of doing business with the federal government. Your entity’s data has been identified to be at greater risk for potential identity theft because you used your social security number as your Tax Identification Number to do business with the federal government. This vulnerability enabled government entity administrators and delegated entity registration representatives to potentially gain access to information of any entity’s registration -- enabling visibility of entity management data at all sensitivity levels. As a precaution, GSA is taking proactive steps to protect and inform xyz users. The agency is offering users at higher risk, like you, access to credit monitoring services and will follow up with information about these services. If you wish to take additional steps to protect against possible identity theft, visit www.xyz for specific information. If you would like additional background or have questions, you may call 1-800-FED-INFO (1-800-333-4636), from 8 a.m. to 8 p.m. (ET), Monday-Friday starting Monday, March 18. We recommend that you monitor your bank accounts and notify your financial institution immediately if you see any discrepancies. We apologize for any inconvenience or concern this situation may cause. We believe it is important for you to be fully informed of any potential risk resulting from this incident. The security of your information is a critical priority to us and we will work to ensure the system remains secure. Sincerely,
  • 7. In the News: Forget hackers, the fool next to you is the real threat
  • 8. Statistics on Data Breaches
  • 9. Internet Security Alliance: Larry Clinton, the longtime head of the Internet Security Alliance, delivered the keynote at the March PHI Protection Forum. Mr. Clinton focused on PHI security and privacy; he cited an important study of the state of health care information security, PWC’s 2013 State of Info Security Survey data regarding health care organizations.
  • 10. PWC’s 2013 State of Info Security Survey: Most executives in the HC industry are confident in the effectiveness of their security practices. They believe their strategies are sound and many consider themselves to be leaders in the field. (And yet, only)
    • 42% have a strategy & (are) proactive in executing it
    • Of the 4 key criteria of information security leadership, ONLY 6% RANK AS LEADERS
    • 60% do NOT have a policy for third parties to comply with privacy policies
    • 73% use mal code detection tools; DOWN 16%
    • 48% use tools to find unauthorized devices; DOWN 14%
    • 51% use intrusion detection tools; DOWN 19%
    (PWC’s 2013 State of Info Security Survey, http://www.pwc.com/gx/en/consulting-services/information-security-survey/index.jhtml)
  • 11. (continued)
    • 48% use vulnerability scanning tools; DOWN 15%
    • 31% DON’T KNOW when info sec is part of major projects – ONLY 18% at project inception
    • 90% of HC respondents say protecting employee & customer data is important - few know where the data is stored (43% have an accurate inventory of data)
    • Adopting new technology (is outpacing) security – new technology referring to cloud 28%, mobile 46%, social media 45%, personal devices 51%
    (PWC’s 2013 State of Info Security Survey)
  • 12. The Reasons? As noted by Larry:
    • Lack of funding: 53%
    • 20%: top leadership “is an impediment to improved security.”
    • Only 43% report security breaches
    • Diminished budgets have resulted in degraded security programs; incidents are on the rise; new technologies are being adopted faster than safeguards
    • There are short-term economic incentives to be insecure (VoIP, use of personal devices, the Cloud)
    • HC providers report lower $ loss from incidents, but many do not perform thorough or consistent analysis to appraise those losses, e.g. only 33% consider damage to brand as a financial loss
  • 13. June 26, 2012: Alaska Department of Health and Social Services. A USB hard drive possibly containing ePHI was stolen from the vehicle of a DHHS employee.
    • DHHS did not have adequate safeguard policies and procedures in place.
    • DHHS had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce, implemented device and media controls, or addressed device and media encryption.
    • Pay a $1.7 million fine and take corrective action to ensure compliance with the Security Rule.
    (Staggers, N., Gallagher, L., Goncalves, L., & Nelson, R. (in press). Confidentiality, safety and security. In R. Nelson & N. Staggers, Health Informatics: An Interdisciplinary Approach. St Louis: Elsevier)
  • 14. April 17, 2012: Phoenix Cardiac Surgery. Staff were posting clinical and surgical appointments for patients on an Internet-based calendar that was publicly accessible.
    • PC failed to implement adequate policies and procedures to safeguard patient information.
    • PC failed to document that it trained any employees on policies and procedures.
    • PC failed to identify a security official and conduct a risk analysis.
    • PC failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.
    • Pay a $100,000 fine and develop a corrective action plan to ensure compliance with the Security Rule.
    (Staggers, N., Gallagher, L., Goncalves, L., & Nelson, R. (in press). Confidentiality, safety and security. In R. Nelson & N. Staggers, Health Informatics: An Interdisciplinary Approach. St Louis: Elsevier)
  • 15. March 13, 2012: Blue Cross Blue Shield of Tennessee. Fifty-seven unencrypted computer hard drives were stolen from a leased facility. The drives contained the ePHI of more than 1 million individuals, including member names, Social Security numbers, diagnosis codes, dates of birth, and health plan identification numbers.
    • BCBST failed to implement appropriate administrative safeguards by not performing the required security evaluation.
    • BCBST failed to implement appropriate physical safeguards.
    • Pay a $1.5 million fine and implement a corrective action plan to address gaps in its HIPAA compliance program.
    (Staggers, N., Gallagher, L., Goncalves, L., & Nelson, R. (in press). Confidentiality, safety and security. In R. Nelson & N. Staggers, Health Informatics: An Interdisciplinary Approach. St Louis: Elsevier)
  • 16. The Foundation
  • 17. Security Triangle: Confidentiality, Integrity, Availability
  • 18. 10 Domains of Information Security (International Information Systems Security Certification Consortium, https://www.isc2.org/)
    • Access Control
    • Operations Security
    • Business Continuity and Disaster Recovery Planning
    • Physical (Environment) Security
    • Cryptography
    • Security Architecture and Design
    • Information Security Governance and Risk Management
    • Software Development Security
    • Legal, Regulations, Investigation, and Compliance
    • Telecommunications and Network Security
  • 19. Basic Requirements: Security; Reliability; Transparency; Scalability; Maintainability; Auditability; Integrity; Authentic (International Information Systems Security Certification Consortium, https://www.isc2.org/)
  • 20. Operations security (OPSEC) is a process that identifies critical information to determine if friendly actions can be observed by adversary intelligence systems, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of friendly critical information.
  • 21. Construction of Policies and Procedures
  • 22. Security Enterprise Ecosystem: People, Processes, Core Business, Technology
  • 23.
  • 24. Policy Framework. Overarching management direction: Regulations, Strategy, Standards, Laws. Policies / Directives (“You Shall”). Implementation: Standards, Procedures, Protocols, Guidelines.
  • 25. Policies and Procedures: Acceptable Use; Access Control; Accreditation; Acquisition; Business Continuity; Certification; Change Control Management; Code of Ethics; Confidentiality; Data Classification; Internet Use
  • 26. System Architecture and Design
  • 27. System Architecture Components: Hardware; Firmware; Central Processing Units; Input/Output Devices; Software; Architectural Structures; Storage and Memory. Analyze security risks, limitations, and positive attributes of each.
  • 28. Open Source. A study by the MITRE Corporation, sponsored by the Defense Information Systems Agency, found extensive and diverse use of open software at the DoD, with over 100 open products being used in more than 250 applications. Security applications were most noted as a reason open source should be expanded. Widely used open security tools included SNORT, a lightweight intrusion detection tool used for plugging “network security holes when new attacks emerge,” and SARA, the Security Auditor’s Research Assistant, used for relatively straightforward network security risk analyses. The MITRE report lists more than 100 open source products that have demonstrated superior records of security and reliability.
  • 29. The Abdus Salam International Centre for Theoretical Physics
  • 30. System Security Risk Assessment
  • 31. Risk Management Purpose. The purpose of an organization’s risk management process should be to protect the organization and its ability to perform its mission, including but not limited to its IT assets. Risk is a function of the likelihood of a given threat source’s exercising a particular vulnerability and the resulting impact of that adverse event. (NIST SP 800-30, www.csrc.nist.gov)
  • 32. Risk Analysis: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the organization.
  • 33. Details of a System Security Risk Assessment. Qualitative: scenario oriented; no $$ values; ranking of threats; performed to the goal of reasonableness. Quantitative: assign $$ values; resource intensive; more difficult to determine. Hybrid. (International Information Systems Security Certification Consortium, https://www.isc2.org/)
  • 34. Risk Assessment, SP 800-30
    • Step 1: Characterization
    • Step 2: Threat Identification
    • Step 3: Vulnerability Identification
    • Step 4: Control Analysis
    • Step 5: Likelihood Determination
    • Step 6: Impact Analysis
    • Step 7: Risk Determination
    • Step 8: Control Recommendations
    • Step 9: Results Documentation
    Steps 2, 3, 4, and 6 can be conducted in parallel after Step 1 has been completed.
  • 35. CMS Security Risk Analysis Process: (1) review existing security of protected health information; (2) identify threats and vulnerabilities; (3) assess risks for likelihood and impact; (4) mitigate security risks; (5) monitor results. (CMS, Information Security Overview)
  • 36.
  • 37. 10 Best Practices for the Small Health Care Environment
    • Use Strong Passwords and Change Them Regularly; Passwords and Strong Authentication
    • Install and Maintain Anti-Virus Software
    • Use a Firewall
    • Control Access to Protected Health Information
    • Limit Network Access
    • Plan for the Unexpected
    • Maintain Good Computer Habits; Software Maintenance
    • Protect Mobile Devices
    • Establish a Security Culture
    (CMS, Information Security Overview, http://cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/index.html?redirect=/InformationSecurity/)
  • 38. Security IT Issues and Solutions
  • 39. Overview of Healthcare IT Security Issues and Solutions: Lack of Effective Ecosystem Governance; Lack of Budget; Lack of Appropriate Risk Assessment with CAP; MU Core Objective and Measure 12; Core Objective and Measure 15; HIPAA Privacy and Security; Federal Regulations
  • 40. Overview of Healthcare IT Security Issues and Solutions: Attacks; Vulnerabilities; Complex Systems; Change Control; Doing More with Less; Mobile and Wireless Technologies; Outsourcing
  • 41. HITRUST™. The Health Information Trust Alliance (HITRUST) was born out of the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST, in collaboration with healthcare, business, technology and information security leaders, has established the Common Security Framework (CSF), a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information. The CSF is an information security framework that harmonizes the requirements of existing standards and regulations, including federal (HIPAA, HITECH), third party (PCI, COBIT) and government (NIST, FTC). As a framework, the CSF provides organizations with the needed structure, detail and clarity relating to information security tailored to the healthcare industry. The CSF is available through HITRUST Central.
  • 42. Retain absolute faith that you can and will prevail in the end, regardless of the difficulties, and at the same time confront the most brutal facts of your current reality, whatever they might be. (Jim Collins, Good to Great)
  • 43. Thought Questions: 1. In your own experience, what are your recommendations on the highest IT security priorities? 2. Are there resources related to IT security that you suggest must be given greater visibility? 3. What is your organization’s SWOT analysis telling you?
  • 44. References
    • CMS, Information Security Overview, http://cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/index.html?redirect=/InformationSecurity/
    • HITRUST, http://hitrustalliance.net/
    • International Information Systems Security Certification Consortium, https://www.isc2.org/
    • National Institute of Standards and Technology, http://csrc.nist.gov/publications/PubsSPs.html
    • Office of the National Coordinator, http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf
  • 45. References (continued)
    • PHI Protection Network, LinkedIn Group
    • PWC’s 2013 State of Info Security Survey, http://www.pwc.com/gx/en/consulting-services/information-security-survey/index.jhtml
    • Staggers, N., Gallagher, L., Goncalves, L., & Nelson, R. (in press). Confidentiality, safety and security. In R. Nelson & N. Staggers, Health Informatics: An Interdisciplinary Approach. St Louis: Elsevier
    • The Betterley Report, http://thebetterleyreport.wordpress.com/2013/03/18/larry-clinton-of-the-internet-security-alliance-and-some-startling-statistics-about-privacy-security-in-the-health-care-industry/?goback=%2Egde_4493923_member_223850708
    • The Operations Security Professional’s Association, http://www.opsecprofessionals.org/
  • 46. SWOT Analysis
    • Strengths: Identified Security Officer; Tight Integration Between Roles
    • Weaknesses: Knowledge Deficit; Not Practicing to Standards; Deficient Risk Assessment Process
    • Opportunities
    • Threats
  • 47. Thank You! Contact us at: 4031 University Drive, Suite 100, Fairfax, Virginia 22030. P: 703-283-4678. E: awalker@optimizeitconsulting. www.optimizeitconsulting.com. OptimizeIT Consulting LLC is a proud EDWOSB. Cage Code 6TH50