IT Security For Healthcare
 

I will be giving this presentation on IT Security, for healthcare professionals, at the Health Sciences Learning Center, University of Wisconsin-Madison, School of Medicine and Public Health, tomorrow morning, at 11:00 CST. It will be held in room #1325 and is open to the public. I hope to see you there.

    Presentation Transcript

    • The Wild, Wild Web: Social Engineering, Malware and Security Awareness
      Nicholas Davis, MBA, CISA, CISSP, DoIT Security, November 13, 2012

    • Introduction
      • Background
      • Thank you for the invitation
      • Today's topic: malware, social engineering and overall security awareness
      • Importance to the healthcare field
      • Pretexting
      • Phishing
      • QR code danger
      • Social networks
      • Passwords
      • Malware
      • Baiting
      • Identity theft: how it happens, avoiding it, responding to it
      • Physical security
      • Sharing of information with the public

    • Technology Is Not The Answer
      Strong computer security has two components:
      • The technology: passwords, encryption, endpoint protection such as anti-virus
      • The people: you, your customers, your business partners
      Today, we will talk about both components.

    • Social Engineering
      The art of manipulating people into performing actions or divulging confidential information. It is typically trickery or deception for the purpose of information gathering, fraud, or computer system access.

    • Most Popular Type of Social Engineering
      Pretexting: an individual lies to obtain privileged data. A pretext is a false motive. Pretexting is a fancy term for impersonation. It is a big problem for computer Help Desks in all organizations.
      Example: some steps the UW-Madison Help Desk takes to avoid pretexting.

    • Let's Think of an HSLC Pretexting Example
      "Dear Windows User, It has come to our attention that your Microsoft windows Installation records are out of date. Every Windows installation has to be tied to an email account for daily update. This requires you to verify the Email Account. Failure to verify your records will result in account suspension. Click on the Verify button below and enter your login information on the following page to Confirm your records. Thank you, Microsoft Windows Team."

    • Phishing
      Deception, but not just in person:
      • Email
      • Websites
      • Facebook status updates
      • Tweets
      Phishing, in the context of the healthcare working environment, is extremely dangerous.

    • Phishing History
      • Phreaking: the term for making phone calls for free, back in the 1970s
      • Fishing is the use of bait to lure a target
      • Phreaking + Fishing = Phishing

    • Phishing 1995
      • Target: AOL users
      • Account passwords = free online time
      • Threat level: low
      • Techniques: similar names, such as www.ao1.com for www.aol.com

    • Phishing 2001
      • Target: eBay and major banks
      • Credit card numbers and account numbers = money
      • Threat level: medium
      • Techniques: the same as in 1995, as well as keyloggers

    • Keyloggers
      • Tracking (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored
      • Software or hardware based

    • Phishing 2007
      • Targets: PayPal, banks, eBay
      • Purpose: to steal bank accounts
      • Threat level: high
      • Techniques: browser vulnerabilities, link obfuscation

    • Don't Touch That QR Code
      • Just as bad as clicking on an unknown link
      • Looks fancy and official, but is easy to create

    • Phishing in 2013
      Trends for the coming year:
      • Identity information
      • Personal harm
      • Blackmail

    • Looking In the Mirror
      • Which types of sensitive information do you have access to?
      • What about others who share the computer network with you?
      • Think about the implications associated with that data being stolen and exploited!

    • What Phishing Looks Like
      • As scam artists become more sophisticated, so do their phishing e-mail messages and pop-up windows.
      • They often include official-looking logos from real organizations and other identifying information taken directly from legitimate Web sites.

    • Techniques For Phishing
      • Employ visual elements from the target site
      • DNS tricks:
        • www.ebay.com.kr
        • www.ebay.com@192.168.0.5
        • www.gooogle.com
      • Unicode attacks
      • JavaScript attacks
      • Spoofed SSL lock / certificates:
        • Phishers can acquire certificates for domains they own
        • Certificate authorities make mistakes
    • Social Engineering Techniques
      Often employed in phishing to lower your guard:
      1. Threats – Do this or else!
      2. Authority – I have the authority to ask this
      3. Promises – If you do this, you will get money
      4. Praise – You deserve this

    • Phishing Techniques
      • Socially aware attacks
      • Mine social relationships from public data
      • Phishing email appears to arrive from someone known to the victim
      • Use the spoofed identity of a trusted organization to gain trust
      • Urge victims to update or validate their account
      • Threaten to terminate the account if the victims do not reply
      • Use a gift or bonus as bait
      • Security promises

    • Let's Talk About Facebook
      • So important, it gets its own slide!
      • Essentially unauthenticated – discussion
      • Three friends and you're out! – discussion
      • Privacy settings mean nothing – discussion
      • Treasure trove of identity information
      • Games as information harvesters

    • Socially Aware

    • Context Aware
      "Your bid on eBay has won!"
      "The books on your Amazon wishlist are on sale!"

    • Seems Suspicious

    • 419 Nigerian Email Scam

    • Too Good to be True, Even When It Is Signed

    • Detecting Fraudulent Email
      Information requested is inappropriate for the channel of communication: "Verify your account." Nobody should ask you to send passwords, login names, Social Security numbers, or other personal information through e-mail.
      Urgency and potential penalty or loss are implied: "If you don't respond within 48 hours, your account will be closed."

    • Detecting Fraudulent Email
      "Dear Valued Customer." Phishing e-mail messages are usually sent out in bulk and often do not contain your first or last name.

    • Detecting Fraudulent Email
      "Click the link below to gain access to your account." This is an example of URL masking (hiding the web address).
      URL alteration:
      • www.micosoft.com
      • www.mircosoft.com
      • www.verify-microsoft.com
    • How to Defend Against Phishing Attacks
      • Never respond to an email asking for personal information
      • Always check the site to see if it is secure (SSL lock)
      • Look for misspellings or errors in grammar
      • Never click on the link in the email. Enter the web address manually
      • Keep your browser updated
      • Keep antivirus definitions updated
      • Use a firewall
      • When in doubt, ask your Network Administrator for their opinion

    • A Note on Spear Phishing
      • Designed especially for you
      • Includes your name
      • May reference an environment or issue you are aware of and familiar with
      • Asks for special treatment, with justification for the request

    • Other Techniques
      An ocean of phishing techniques:
      • Clone phishing – discussion
      • Whaling – discussion
      • Filter evasion – discussion
      • Phone phishing – discussion
      • Tabnabbing – discussion
      • Evil twins – discussion

    • Passwords
      Your password is your electronic key to valuable resources; treat it like your house key!
      • Sharing – discussion
      • Theft – discussion
      • Password rotation – discussion

    • Creating a Strong Password
      The following two rules are the bare minimum you should follow when creating a password.
      Rule 1 – Password length: stick with passwords that are at least 8 characters in length. The more characters in the password, the better, as the time taken by an attacker to crack the password will be longer. 10 characters or longer is better.
      Rule 2 – Password complexity: at least 4 characters in your password should be, one each, from the following groups:

    • Creating a Strong Password
      1. Lower case letters
      2. Upper case letters
      3. Numbers
      4. Special characters
      Use the "8 4 Rule":
      8 = 8 characters minimum length
      4 = 1 lower case + 1 upper case + 1 number + 1 special character
      Do not use a password strength checking website! Any ideas why this is a bad idea?
    • Adware, Malware, Spyware
      • Adware – unwanted ad software which is noticed
      • Malware – unwanted software which is noticed and potentially causes harm
      • Spyware – unwanted software which goes unnoticed and harvests your personal information
      Use endpoint protection!

    • CIO.WISC.EDU/SECURITY

    • Adware, Malware, Spyware
      How these get on your computer:
      • Email
      • Web pages
      • Downloaded software
      • CD, USB flash drive
      • Sometimes, out of the box

    • Trojan Malware

    • Baiting
      "Hey, look! A free USB drive!"
      "I wonder what is on this confidential CD which I found in the bathroom?"
      These are vectors for malware! They play on your curiosity or desire to get something for nothing.
      Don't be a piggy!

    • Social Engineering Methods
      Using the Out of Office responder in a responsible manner

    • Medical Identity Theft
      • Use another person's name
      • Sometimes other identifying information, such as a medical bracelet or insurance information
      • Obtain medical services
      • Make false claims
      • Causes erroneous information to be put into medical records
      • May lead to inappropriate and life-threatening situations

    • Synthetic Identity Theft
      A variation of identity theft which has recently become more common is synthetic identity theft, in which identities are completely or partially fabricated. The most common technique involves combining a real Social Security number with a name and birthdate other than the ones associated with the number.

    • How Does Identity Theft Happen
      Let's talk through the attached paper handout, entitled "Techniques for obtaining and exploiting personal information for identity theft". Look through the list and think to yourself, "Could this apply to me?" If so, think about taking steps to avoid it.

    • Tips To Avoid Identity Theft
      1. Only make purchases on trusted sites
      2. Order your credit report
      3. Know how to spot phishing
      4. Secure your network
      5. Can the spam
      6. Don't store sensitive information on non-secure web sites
      7. Set banking alerts
      8. Don't reuse passwords
      9. Use optional security questions
      10. Don't put private information on public computers

    • If Your Identity Is Stolen (WORK)
      1. Contact your supervisor immediately
      2. Report the incident to the Office of Campus Information Security (OCIS): http://www.cio.wisc.edu/security-report.aspx
      3. Contact the DoIT Help Desk
      4. Contact UW Police, depending on the nature of the incident. Consider your personal safety! "Better safe than sorry"

    • Physical Security
      • The UW is a fairly open and shared physical environment
      • Seeing strangers is normal; we won't know if they are here as friend or foe
      • Lock your office
      • Lock your desk
      • Lock your computer
      • Criminals are opportunistic
      • Even if you are just gone for a moment
      • Report suspicious activity to your administration and UW Police
      • If you have an IT-related concern, contact the Office of Campus Information Security

    • Sharing Information With The Public
      • The University of Wisconsin is an open environment
      • However, on occasion, this open nature can be exploited by people with nefarious intent
      • Don't volunteer sensitive information
      • Only disclose what is necessary
      • Follow records retention policies
      • When in doubt, ask for proof; honest people will understand, dishonest people will become frustrated

    • We Have So Much More To Talk About
      • Security awareness matters not just to you, but to the University of Wisconsin as a whole
      • Security awareness is an important facet of everyone's work
      • My actions impact you
      • Your actions impact me
      • Security awareness is an ever-changing and evolving area, which requires constant attention
      • DoIT is here as a resource for you
      • Let us know how we can help
      • Let me know if I can help
      • Don't be afraid to ask questions
      • Better safe than sorry

    • A Picture Is Worth 1000 Words

    • Questions and Discussion
      Nicholas Davis
      ndavis1@wisc.edu
      608-262-3837
      facebook.com/nicholas.a.davis
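The "Techniques For Phishing" and "Detecting Fraudulent Email" slides list the link tricks an attacker relies on: the userinfo trick (www.ebay.com@192.168.0.5), a brand name used only as a subdomain (www.ebay.com.kr), typo-squats (www.gooogle.com, www.micosoft.com, www.mircosoft.com), a brand embedded in a look-alike domain (www.verify-microsoft.com), Unicode look-alikes, and link text that hides the real address. The Python below is an added example, not part of the presentation, showing how a mail filter or help desk tool could flag each of those patterns on the defending side. TRUSTED_DOMAINS, TWO_LEVEL_SUFFIXES, the function names and the sample URLs are constructed for the demo; a real deployment would use the full public suffix list and the organisation's own allow-list of brands.

```python
# Added example (not from the presentation): defender-side checker for the
# deceptive-link patterns shown on the phishing slides. Allow-list and suffix
# table are constructed assumptions for the demo.
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list: brands this organisation's users actually deal with.
TRUSTED_DOMAINS = {"ebay.com", "microsoft.com", "google.com", "aol.com", "paypal.com"}
# Tiny stand-in for the public suffix list; production code should use the real one.
TWO_LEVEL_SUFFIXES = {"com.kr", "co.uk", "com.au", "co.jp"}


def levenshtein(a, b):
    """Edit distance, used to catch typo-squats such as micosoft / mircosoft."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """'www.ebay.com.kr' -> 'ebay.com.kr'; 'www.ebay.com' -> 'ebay.com'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze_url(href, link_text=None):
    """Return the reasons a link looks deceptive; an empty list means none found."""
    reasons = []
    parts = urlsplit(href if "://" in href else "http://" + href)
    # "www.ebay.com@192.168.0.5": everything before '@' is ignored by the browser.
    if "@" in parts.netloc:
        shown, real = parts.netloc.rsplit("@", 1)
        reasons.append(f"userinfo trick: browser goes to {real!r}, not {shown!r}")
    host = (parts.hostname or "").lower()
    if is_ip(host):
        reasons.append(f"bare IP address as host: {host}")
    # Unicode attacks: non-ASCII labels or their punycode (xn--) encoding.
    if not host.isascii() or any(lbl.startswith("xn--") for lbl in host.split(".")):
        reasons.append("non-ASCII or punycode host (possible Unicode look-alike)")
    reg = registrable_domain(host)
    if host and not is_ip(host) and reg not in TRUSTED_DOMAINS:
        labels = host.split(".")
        reg_label = reg.split(".")[0]
        for trusted in sorted(TRUSTED_DOMAINS):
            brand = trusted.split(".")[0]
            if brand in labels:          # www.ebay.com.kr
                reasons.append(f"{brand!r} is only a subdomain label; registrable domain is {reg!r}, not {trusted!r}")
            elif brand in reg_label:     # www.verify-microsoft.com
                reasons.append(f"{brand!r} embedded in look-alike domain {reg!r}")
            elif levenshtein(reg_label, brand) <= 2:   # gooogle, micosoft, mircosoft, ao1
                reasons.append(f"{reg!r} is a near-miss spelling of {trusted!r}")
    # URL masking: the visible link text names one site, the href goes to another.
    if link_text and "." in link_text and " " not in link_text.strip():
        shown_url = link_text if "://" in link_text else "http://" + link_text
        text_host = (urlsplit(shown_url).hostname or "").lower()
        if text_host and registrable_domain(text_host) != reg:
            reasons.append(f"URL masking: text shows {text_host!r} but link goes to {host!r}")
    return reasons


if __name__ == "__main__":
    # Constructed samples taken from the slide examples.
    for sample in ["https://www.ebay.com/signin", "www.ebay.com.kr",
                   "www.ebay.com@192.168.0.5", "www.gooogle.com",
                   "www.mircosoft.com", "www.verify-microsoft.com"]:
        print(sample, "->", analyze_url(sample) or "looks consistent")
```

The output is a list of triage hints rather than a verdict: a legitimate regional site can end in .com.kr and a legitimate login page can sit behind a CDN, so the check belongs in a mail gateway or a help-desk tool that surfaces the reasons to a human, which matches the slide's advice to type the address manually rather than trust the link.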
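The two "Creating a Strong Password" slides state the "8 4 Rule" (8 characters minimum; at least one lower case letter, one upper case letter, one number and one special character) and argue that longer passwords take an attacker longer to crack. The Python below is an added example, not part of the presentation, that applies the rule exactly as the slides give it and adds a rough worst-case brute-force estimate to make the length argument concrete. The check runs entirely on the local machine, so the candidate password is never sent anywhere. The 1e10 guesses per second rate, the function names and the sample passwords are constructed assumptions; the figure is only there to show how the search space grows with each extra character.

```python
# Added example (not from the presentation): local "8 4 Rule" checker with a
# worst-case exhaustive-search estimate. The guessing rate is a constructed
# assumption, not a measured value.
import math
import string

MIN_LENGTH = 8        # "8 = 8 characters minimum length"
BETTER_LENGTH = 10    # "10 characters or longer is better"
ASSUMED_GUESSES_PER_SECOND = 1e10   # constructed offline-cracking rate
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# "4 = 1 lower case + 1 upper case + 1 number + 1 special character"
CHARACTER_CLASSES = {
    "lower case letter": set(string.ascii_lowercase),
    "upper case letter": set(string.ascii_uppercase),
    "number": set(string.digits),
    "special character": set(string.punctuation),
}


def classes_present(password):
    """Names of the character classes that actually appear in the password."""
    chars = set(password)
    return [name for name, members in CHARACTER_CLASSES.items() if chars & members]


def search_space_size(password):
    """Number of strings of this length built from the classes present, i.e.
    the worst case for an attacker who tries every combination."""
    alphabet = sum(len(CHARACTER_CLASSES[n]) for n in classes_present(password))
    return alphabet ** len(password)


def search_space_bits(password):
    size = search_space_size(password)
    return math.log2(size) if size else 0.0


def years_to_exhaust(password):
    """Time to try the whole search space at the assumed rate."""
    return search_space_size(password) / ASSUMED_GUESSES_PER_SECOND / SECONDS_PER_YEAR


def check_8_4_rule(password):
    """Apply the slide's rule locally; the password never leaves this process."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"only {len(password)} characters; minimum is {MIN_LENGTH}")
    present = classes_present(password)
    for name in CHARACTER_CLASSES:
        if name not in present:
            problems.append(f"needs at least one {name}")
    advice = []
    if not problems and len(password) < BETTER_LENGTH:
        advice.append(f"meets the minimum; {BETTER_LENGTH}+ characters would be better")
    return {
        "passes": not problems,
        "problems": problems,
        "advice": advice,
        "search_space_bits": round(search_space_bits(password), 1),
        "years_to_exhaust": years_to_exhaust(password),
    }


if __name__ == "__main__":
    # Constructed sample passwords, from clearly weak to rule-compliant.
    for pw in ["password", "Passw0rd", "Tr0ub4d!", "Tr0ub4dor!"]:
        r = check_8_4_rule(pw)
        print(f"{pw:12} {'passes' if r['passes'] else 'fails':7} "
              f"{r['search_space_bits']:5.1f} bits  ~{r['years_to_exhaust']:.3g} years "
              f"{r['problems'] or r['advice']}")
```

Running the samples shows the slide's point about length: an 8-character password drawn from all four classes has about 52 bits of search space and is exhausted in well under a year at the assumed rate, while the same classes at 10 characters give about 65 bits and on the order of a couple of centuries. The estimate is a ceiling, not a promise; real attackers start with dictionaries and common patterns, which is why the slides also warn against reuse and sharing.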