IT Security for Healthcare Professionals



On Tuesday, November 13th, at 11:00 AM, I will be giving this presentation to faculty and staff at the University of Wisconsin-Madison, School of Medicine and Public Health, at the Health Sciences Learning Center (HSLC), next to UW Hospital. IT Security and Healthcare go together like chocolate and peanut butter!

  • 1. The Wild, Wild Web: Social Engineering, Malware and Security Awareness. Nicholas Davis, MBA, CISA, CISSP, DoIT Security, November 13, 2012
  • 2. Introduction
    • Background
    • Thank you for the invitation
    • Today's topic: malware, social engineering and overall security awareness
    • Importance to the healthcare field
    • Pretexting
    • Phishing
    • QR code danger
    • Social networks
    • Passwords
    • Malware
    • Baiting
    • Identity theft: how it happens, avoiding it, responding to it
    • Physical security
    • Sharing information with the public
  • 3. Technology Is Not The Answer. Strong computer security has two components:
    • The technology: passwords, encryption, endpoint protection such as anti-virus
    • The people: you, your customers, your business partners
    • Today we will talk about both components
  • 4. Social Engineering: the art of manipulating people into performing actions or divulging confidential information. It is typically trickery or deception for the purpose of information gathering, fraud, or computer system access.
  • 5. Most Popular Type of Social Engineering: Pretexting. An individual lies to obtain privileged data; a pretext is a false motive. Pretexting is a fancy term for impersonation. It led to the resignation of HP's board chairwoman in the 2006 HP pretexting scandal, and brings new meaning to HP's logo "Invent".
  • 6. Let's Think of an HSLC Pretexting Example: "This is the Epic upload site for the UW-Madison School of Medicine diabetes study test-subject data. Click here to submit your patient data." Just because it says so does not make it true! Ask yourself:
    • Is the website address correct?
    • Is the interface consistent with the real site?
    • Is there an SSL lock, and is the certificate for the address you expected?
    • Does the request seem reasonable?
    • Have you double-checked with others?
  • 7. Phishing: deception, but not just in person
    • Email
    • Websites
    • Facebook status updates
    • Tweets
    • Phishing in the context of the healthcare working environment is extremely dangerous
  • 8. Phishing History
    • Phreaking: the 1970s term for making phone calls for free
    • Fishing: using bait to lure a target
    • Phreaking + fishing = phishing
  • 9. Phishing, 1995
    • Target: AOL users
    • Account passwords = free online time
    • Threat level: low
    • Techniques: similar (look-alike) names, such as for …
  • 10. Phishing, 2001
    • Target: eBay and major banks
    • Credit card numbers and account numbers = money
    • Threat level: medium
    • Techniques: the same as in 1995, plus keyloggers
  • 11. Keyloggers: tracking (or logging) the keys struck on a keyboard, typically covertly, so that the person using the keyboard is unaware that their actions are being monitored. Software or hardware based.
  • 12. Phishing, 2007
    • Targets: PayPal, banks, eBay
    • Purpose: to take over bank accounts
    • Threat level: high
    • Techniques: browser vulnerabilities, link obfuscation
  • 13. Don't Touch That QR Code
    • Scanning one is just as bad as clicking on an unknown link: the code is nothing more than an encoded URL (or other text) that anyone can print
    • Looks fancy and official, but is easy to create
    • Use a scanner that shows the decoded address before opening it
  • 14. Phishing in 2013: trends for the coming year
    • Identity information
    • Personal harm
    • Blackmail
  • 15. Example: Mitt Romney. Hackers claimed to have his tax returns and threatened to release them. What could the ramifications have been for him and his accountants?
  • 16. Looking In the Mirror
    • Which types of sensitive information do you have access to?
    • What about others who share the computer network with you?
    • Think about the implications of that data being stolen and exploited!
  • 17. What Phishing Looks Like: as scam artists become more sophisticated, so do their phishing e-mail messages and pop-up windows. They often include official-looking logos from real organizations and other identifying information taken directly from legitimate web sites.
  • 18. Techniques for Phishing
    • Employ visual elements from the target site
    • DNS tricks
    • Unicode attacks (look-alike characters in the domain name)
    • JavaScript attacks
    • Spoofed SSL lock and certificates: phishers can acquire certificates for domains they own, and certificate authorities make mistakes
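The DNS and Unicode tricks on slide 18 (a trusted name used as a subdomain of an attacker's domain, userinfo before an "@", bare IP hosts, Cyrillic or digit look-alike letters, punycode "xn--" labels) can be checked mechanically before anyone clicks. The Python below is an added example, not material from the presentation: the TRUSTED_HOSTS list, the look-alike tables and the sample URLs are assumptions made for illustration, and registrable() is a deliberately naive two-label stand-in for a real public-suffix lookup.

```python
import ipaddress
import unicodedata
from urllib.parse import urlsplit

# Hosts the reader is expected to trust; a hypothetical list for this example.
TRUSTED_HOSTS = {"paypal.com", "ebay.com", "uwhealth.org"}

# Cyrillic letters that render like the Latin a, e, o, p, c, x, y, i.
CYRILLIC_LOOKALIKES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
})
# Digit-for-letter swaps used in ASCII cousin domains (paypa1, g00gle).
DIGIT_LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def skeleton(host):
    """Fold IDN (xn--) labels and look-alike letters to plain lower-case ASCII."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            try:  # punycode label: recover the Unicode it encodes
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass
        label = unicodedata.normalize("NFKD", label.translate(CYRILLIC_LOOKALIKES))
        labels.append("".join(c for c in label if ord(c) < 128))
    return ".".join(labels)


def registrable(host):
    """Naive eTLD+1 (last two labels); enough for the .com/.org examples here."""
    return ".".join(host.split(".")[-2:])


def analyze_url(url):
    """Return the look-alike tricks found in url's host; [] means none found."""
    findings = []
    parts = urlsplit(url)
    if "@" in parts.netloc:
        findings.append("text before '@' is userinfo, not the host")
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return ["no host in URL"]
    try:
        ipaddress.ip_address(host)
        return findings + ["host is a bare IP address"]
    except ValueError:
        pass
    if any(ord(c) > 127 for c in host) or "xn--" in host:
        findings.append("host uses non-ASCII (IDN) characters")
    skel = skeleton(host)
    reg = registrable(skel)
    if reg in TRUSTED_HOSTS:
        # Same registrable domain after folding: either genuine, or a Unicode twin.
        if skel != host.lower():
            findings.append(f"host is a Unicode look-alike of {reg}")
        return findings
    for trusted in sorted(TRUSTED_HOSTS):
        brand = trusted.split(".")[0]
        if ("." + trusted + ".") in ("." + skel):
            findings.append(f"{trusted} is only a subdomain of {reg}")
        elif brand in reg.translate(DIGIT_LOOKALIKES).replace("-", ""):
            findings.append(f"{reg} imitates {brand}")
    return findings


if __name__ == "__main__":
    # Constructed sample URLs, one per trick on the slide.
    for u in ("https://www.paypal.com/signin", "http://paypal.com.evil.example/login",
              "http://paypal.com@evil.example/", "http://192.168.1.20/login",
              "https://paypa1.com/", "http://p\u0430ypal.com/login"):
        print(u, "->", analyze_url(u) or "looks genuine")
```

The folding step is the important design choice: comparing the skeleton rather than the raw host is what lets one rule catch both the visible Cyrillic spelling and its punycode form, which is how the address actually travels in DNS.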
  • 19. Social Engineering Techniques, often employed in phishing to lower your guard:
    1. Threats: do this or else!
    2. Authority: I have the authority to ask this
    3. Promises: if you do this, you will get money
    4. Praise: you deserve this
  • 20. Phishing Techniques
    • Socially aware attacks: mine social relationships from public data so that the phishing email appears to arrive from someone known to the victim
    • Use the spoofed identity of a trusted organization to gain trust
    • Urge victims to update or validate their account
    • Threaten to terminate the account if the victim does not reply
    • Use a gift or bonus as bait
    • Security promises
  • 21. Let's Talk About Facebook (so important, it gets its own slide!)
    • Essentially unauthenticated (discussion)
    • Three friends and you're out! (discussion)
    • Privacy settings mean nothing (discussion)
    • Treasure trove of identity information
    • Games as information harvesters
  • 22. Socially Aware (image)
  • 23. Context Aware: "Your bid on eBay has won!" "The books on your Amazon wishlist are on sale!"
  • 24. Seems Suspicious (image)
  • 25. 419 Nigerian Email Scam (image)
  • 26. Too Good to be True, Even When It Is Signed (image)
  • 27. Detecting Fraudulent Email
    • The information requested is inappropriate for the channel of communication: "Verify your account." Nobody should ask you to send passwords, login names, Social Security numbers, or other personal information through e-mail.
    • Urgency and a potential penalty or loss are implied: "If you don't respond within 48 hours, your account will be closed."
  • 28. Detecting Fraudulent Email: "Dear Valued Customer." Phishing e-mail messages are usually sent out in bulk and often do not contain your first or last name.
  • 29. Detecting Fraudulent Email: "Click the link below to gain access to your account." This is an example of URL masking (hiding the real web address behind the link's visible text); hover over the link to see where it actually goes before deciding.
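The four tells on slides 27 to 29 (a request for credentials by e-mail, implied urgency or penalty, a generic greeting, and link text that names one address while the href goes to another) are simple enough to score automatically, which is how a mail gateway or a user-reported-phish triage script does it. The Python below is an added example, not code from the presentation: the regular expressions, the scoring and both sample messages are constructed for illustration, and "evil.example" is a placeholder domain.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Wording cues from the slides, as regular expressions over subject + body text.
RULES = [
    ("asks for credentials or personal data by e-mail",
     re.compile(r"\b(password|login name|social security|ssn|verify your account)\b", re.I)),
    ("urgency or a penalty is implied",
     re.compile(r"\b(within \d+ hours|immediately|account will be (closed|suspended|terminated))\b", re.I)),
    ("generic greeting",
     re.compile(r"^\s*dear\s+(valued\s+)?(customer|user|member|client)\b", re.I | re.M)),
]
# Visible link text that looks like a web address (with or without a scheme).
LOOKS_LIKE_URL = re.compile(r"^(https?://)?([a-z0-9-]+\.)+[a-z]{2,}(/\S*)?$", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from the <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def masked_links(html):
    """Links whose visible text names one host while the href goes to another."""
    parser = LinkExtractor()
    parser.feed(html)
    masked = []
    for href, text in parser.links:
        if not LOOKS_LIKE_URL.match(text):
            continue  # "click here" style text: nothing to compare against
        shown = urlsplit(text if "://" in text else "http://" + text).hostname or ""
        real = urlsplit(href).hostname or ""
        # Allow "uwhealth.org" text to point at "www.uwhealth.org"; flag anything else.
        if shown and real and shown != real and not real.endswith("." + shown):
            masked.append((text, href))
    return masked


def score_email(subject, html_body):
    """Return (score, reasons); each matching cue adds one point."""
    plain = re.sub(r"<[^>]+>", " ", html_body)
    reasons = [name for name, rx in RULES if rx.search(subject + "\n" + plain)]
    for text, href in masked_links(html_body):
        reasons.append(f"link text '{text}' actually points to {href}")
    return len(reasons), reasons


# Constructed sample messages (not real mail) for demonstration.
PHISH = ("Action required: verify your account",
         "<p>Dear Valued Customer,</p>"
         "<p>We detected unusual activity. If you don't respond within 48 hours, "
         "your account will be closed. Confirm your password at "
         '<a href="http://login.evil.example/verify">www.uwhealth.org/verify</a>.</p>')
LEGIT = ("Your March statement is available",
         "<p>Hi Nick,</p><p>Your statement is ready. Sign in at "
         '<a href="https://www.uwhealth.org/">www.uwhealth.org</a> to view it.</p>')

if __name__ == "__main__":
    for subject, body in (PHISH, LEGIT):
        print(subject, "->", score_email(subject, body))
```

A score like this is a triage aid, not a verdict: a genuine password-reset mail will trip the first rule, and a spear-phish written in your name trips none of the wording rules, which is why the masked-link check, which does not depend on wording, carries the most weight in practice.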
  • 30. How to Defend Against Phishing Attacks
    • Never respond to an email asking for personal information
    • Check that the site is secure (SSL lock), but remember that the lock only proves the connection is encrypted to the address shown in the browser; it does not prove that address is the site you meant to visit
    • Look for misspellings or errors in grammar
    • Never click on the link in the email; enter the web address manually
    • Keep your browser updated
    • Keep antivirus definitions updated
    • Use a firewall
    • When in doubt, ask your network administrator for their opinion
  • 31. A Note on Spear Phishing
    • Designed especially for you
    • Includes your name
    • May reference an environment or issue you are aware of and familiar with
    • Asks for special treatment, with a justification for the request
  • 32. Other Techniques: an ocean of phishing techniques
    • Clone phishing (discussion)
    • Whaling (discussion)
    • Filter evasion (discussion)
    • Phone phishing (discussion)
    • Tabnabbing (discussion)
    • Evil twins (discussion)
  • 33. Passwords: your password is your electronic key to valuable resources; treat it like your house key!
    • Sharing (discussion)
    • Theft (discussion)
    • Password rotation (discussion)
  • 34. Creating a Strong Password: the following two rules are the bare minimum to follow when creating a password.
    • Rule 1, password length: stick with passwords that are at least 8 characters long. The more characters the better, since an attacker needs longer to crack the password; 10 characters or longer is better still.
    • Rule 2, password complexity: at least 4 characters in your password should be one of each of the following:
  • 35. Creating a Strong Password
    1. Lower case letters
    2. Upper case letters
    3. Numbers
    4. Special characters
    Use the "8 4 rule": 8 = 8 characters minimum length; 4 = 1 lower case + 1 upper case + 1 number + 1 special character.
    Do not use a password strength checking website! Any ideas why this is a bad idea?
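The "8 4 rule" from slides 34 and 35 is easy to check without a website, and checking it locally is the answer to the slide's closing question: a strength-checking site receives the very password it is rating. The Python below is an added example, not code from the presentation. It applies the rule, adds the two checks the rule alone cannot make (a dictionary word with digits and symbols tacked on, and too little variety), and reports the brute-force search space in bits to show why Rule 1 says longer beats more complex. COMMON_PASSWORDS is a tiny constructed stand-in for a real breached-password list.

```python
import math
import string

# Tiny stand-in for a breached-password list; constructed for this example.
COMMON_PASSWORDS = {"password", "welcome", "letmein", "qwerty", "monkey", "football"}

CLASSES = {
    "lower case": set(string.ascii_lowercase),
    "upper case": set(string.ascii_uppercase),
    "number": set(string.digits),
    "special": set(string.punctuation),
}


def check_8_4(password):
    """The slide's '8 4 rule'. Returns (passes, list of rule violations)."""
    failures = []
    if len(password) < 8:
        failures.append("shorter than 8 characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in password):
            failures.append(f"no {name} character")
    return not failures, failures


def search_space_bits(password):
    """log2 of the brute-force search space for the classes the password uses.

    Every extra character multiplies the attacker's work by the pool size,
    while adding a character class only widens the pool: hence Rule 1.
    """
    pool = sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def assess(password):
    """8-4 rule plus the two checks it cannot make on its own."""
    passes, failures = check_8_4(password)
    # "Password1!" satisfies all four classes yet is a dictionary word with decoration.
    stem = password.lower().rstrip(string.digits + string.punctuation)
    if password.lower() in COMMON_PASSWORDS or stem in COMMON_PASSWORDS:
        failures.append("a common password with digits/symbols tacked on")
    if len(set(password)) <= 3:
        failures.append("too few distinct characters")
    return {"ok": not failures, "failures": failures, "bits": round(search_space_bits(password), 1)}


if __name__ == "__main__":
    # Constructed sample passwords; none of these should be used for real.
    for pw in ("abc123", "Password1!", "Tr0ub4dor&3", "correct-Horse7battery"):
        print(f"{pw!r:26} {assess(pw)}")
```

Run it on the samples and the point of the slide shows up in the numbers: "Password1!" passes the 8-4 rule and is still rejected, while the 21-character passphrase scores roughly twice the bits of an 11-character one that uses the same four classes.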
  • 36. Adware, Malware, Spyware
    • Adware: unwanted advertising software, which you notice
    • Malware: unwanted software that potentially causes harm (strictly, the general term for malicious software, of which adware and spyware are kinds)
    • Spyware: unwanted software that goes unnoticed and harvests your personal information
    • Use endpoint protection!
  • 37. Adware, Malware, Spyware: how these get on your computer
    • Email
    • Web pages
    • Downloaded software
    • CD or USB flash drive
    • Sometimes, out of the box
  • 38. Trojan Malware (image)
  • 39. Baiting: "Hey, look! A free USB drive!" "I wonder what is on this confidential CD I found in the bathroom?" These are vectors for malware! They play on your curiosity or your desire to get something for nothing. Don't be a piggy!
  • 40. Social Engineering Methods: using the out-of-office responder in a responsible manner. An automatic reply tells whoever wrote to you, including a stranger, that you are away, until when, and who is covering for you, which is exactly the material a pretext is built from.
  • 41. Medical Identity Theft
    • Using another person's name, sometimes with other identifying information such as a medical bracelet or insurance details
    • To obtain medical services or make false claims
    • Causes erroneous information to be put into the victim's medical records
    • May lead to inappropriate and life-threatening treatment decisions
  • 42. Synthetic Identity Theft: a variation of identity theft which has recently become more common, in which identities are completely or partially fabricated. The most common technique combines a real Social Security number with a name and birth date other than the ones associated with that number.
  • 43. How Does Identity Theft Happen? Let's talk through the attached paper handout, entitled "Techniques for obtaining and exploiting personal information for identity theft". Look through the list and ask yourself "Could this apply to me?" If so, think about taking steps to avoid it.
  • 44. Tips To Avoid Identity Theft
    1. Only make purchases on trusted sites
    2. Order your credit report
    3. Know how to spot phishing
    4. Secure your network
    5. Can the spam
    6. Don't store sensitive information on non-secure web sites
    7. Set banking alerts
    8. Don't reuse passwords
    9. Use optional security questions
    10. Don't put private information on public computers
  • 45. If Your Identity Is Stolen (see the paper handout from the FTC)
    1. Place a fraud alert on your credit reports, and review your reports.
    2. Close the accounts that you know, or believe, have been tampered with or opened fraudulently.
    3. File a report with your local police or the police in the community where the identity theft took place.
    4. File a complaint with the Federal Trade Commission.
  • 46. Physical Security
    • The UW is a fairly open and shared physical environment
    • Seeing strangers is normal; we won't know whether they are here as friend or foe
    • Lock your office, lock your desk, lock your computer, even if you are only gone for a moment: criminals are opportunistic
    • Report suspicious activity to your administration and UW Police
    • If you have an IT-related concern, contact the Office of Campus Information Security
  • 47. Sharing Information With The Public
    • The University of Wisconsin is an open environment
    • However, on occasion this open nature can be exploited by people with nefarious intent
    • Don't volunteer sensitive information
    • Only disclose what is necessary
    • Follow records retention policies
    • When in doubt, ask for proof; honest people will understand, dishonest people will become frustrated
  • 48. We Have So Much More To Talk About
    • Security awareness matters not just to you, but to the University of Wisconsin as a whole
    • Security awareness is an important facet of everyone's work
    • My actions impact you; your actions impact me
    • Security awareness is an ever-changing and evolving area, which requires constant attention
    • DoIT is here as a resource for you; let us know how we can help
    • Let me know if I can help
    • Don't be afraid to ask questions
    • Better safe than sorry
  • 49. A Picture Is Worth 1000 Words (image)
  • 50. Questions and Discussion. Nicholas Davis