It Security For Healthcare


I will be giving this presentation on IT Security, for healthcare professionals, at the Health Sciences Learning Center, University of Wisconsin-Madison, School of Medicine and Public Health, tomorrow morning, at 11:00 CST. It will be held in room #1325 and is open to the public. I hope to see you there.

Published in: Technology

  1. The Wild, Wild Web - Social Engineering, Malware and Security Awareness - Nicholas Davis MBA, CISA, CISSP, DoIT Security, November 13, 2012 (Free Powerpoint Templates, Page 1)
  2. Introduction
     • Background
     • Thank you for the invitation
     • Today's topic: Malware, Social Engineering and overall Security Awareness
     • Importance to the healthcare field
     • Pretexting
     • Phishing
     • QR Code Danger
     • Social Networks
     • Passwords
     • Malware
     • Baiting
     • Identity Theft: How, Avoiding, Responding
     • Physical Security
     • Sharing of information with the public
  3. Technology Is Not The Answer
     Strong computer security has two components:
     The Technology: passwords, encryption, endpoint protection such as anti-virus.
     The People: You, your customers, your business partners.
     Today, we will talk about both components.
  4. Social Engineering
     The art of manipulating people into performing actions or divulging confidential information.
     It is typically trickery or deception for the purpose of information gathering, fraud, or computer system access.
  5. Most Popular Type of Social Engineering
     Pretexting: An individual lies to obtain privileged data. A pretext is a false motive.
     Pretexting is a fancy term for impersonation.
     A big problem for computer Help Desks, in all organizations.
     Example: Some steps the UW-Madison Help Desk takes to avoid pretexting.
  6. Let's Think of an HSLC Pretexting Example
     "Dear Windows User, It has come to our attention that your Microsoft Windows installation records are out of date. Every Windows installation has to be tied to an email account for daily update. This requires you to verify the Email Account. Failure to verify your records will result in account suspension. Click on the Verify button below and enter your login information on the following page to confirm your records. Thank you, Microsoft Windows Team."
  7. Phishing
     • Deception, but not just in person
     • Email
     • Websites
     • Facebook status updates
     • Tweets
     • Phishing, in the context of the healthcare working environment, is extremely dangerous
  8. Phishing History
     • Phreaking: term for making phone calls for free, back in the 1970s
     • Fishing: the use of bait to lure a target
     • Phreaking + Fishing = Phishing
  9. Phishing 1995
     • Target: AOL users
     • Account passwords = free online time
     • Threat level: low
     • Techniques: Similar names, such as for
  10. Phishing 2001
     • Target: eBay and major banks
     • Credit card numbers and account numbers = money
     • Threat level: medium
     • Techniques: Same as in 1995, as well as keyloggers
  11. Keyloggers
     • Tracking (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored
     • Software or hardware based
  12. Phishing 2007
     • Targets: PayPal, banks, eBay
     • Purpose: to steal bank accounts
     • Threat level: high
     • Techniques: browser vulnerabilities, link obfuscation
  13. Don't Touch That QR Code
     • Just as bad as clicking on an unknown link
     • Looks fancy and official, but is easy to create
  14. Phishing in 2013
     • Trends for the coming year
     • Identity Information
     • Personal Harm
     • Blackmail
  15. Looking In the Mirror
     • Which types of sensitive information do you have access to?
     • What about others who share the computer network with you?
     • Think about the implications of that data being stolen and exploited!
  16. What Phishing Looks Like
     • As scam artists become more sophisticated, so do their phishing e-mail messages and pop-up windows.
     • They often include official-looking logos from real organizations and other identifying information taken directly from legitimate Web sites.
  17. Techniques For Phishing
     • Employ visual elements from the target site
     • DNS Tricks
     • Unicode attacks
     • JavaScript attacks
     • Spoofed SSL lock
     • Certificates
       • Phishers can acquire certificates for domains they own
       • Certificate authorities make mistakes
  18. Social Engineering Techniques
     Often employed in Phishing, to lower your guard:
     1. Threats – Do this or else!
     2. Authority – I have the authority to ask this
     3. Promises – If you do this, you will get money
     4. Praise – You deserve this
  19. Phishing Techniques
     • Socially aware attacks
     • Mine social relationships from public data
     • Phishing email appears to arrive from someone known to the victim
     • Use the spoofed identity of a trusted organization to gain trust
     • Urge victims to update or validate their account
     • Threaten to terminate the account if the victim does not reply
     • Use a gift or bonus as bait
     • Security promises
  20. Let's Talk About Facebook
     • So important, it gets its own slide!
     • Essentially unauthenticated – discussion
     • Three friends and you're out! – discussion
     • Privacy settings mean nothing – discussion
     • Treasure trove of identity information
     • Games as information harvesters
  21. Socially Aware
  22. Context Aware
     "Your bid on eBay has won!"
     "The books on your Amazon wishlist are on sale!"
  23. Seems Suspicious
  24. 419 Nigerian Email Scam
  25. Too Good to be True, Even When It Is Signed
  26. Detecting Fraudulent Email
     Information requested is inappropriate for the channel of communication: "Verify your account." Nobody should ask you to send passwords, login names, Social Security numbers, or other personal information through e-mail.
     Urgency and potential penalty or loss are implied: "If you don't respond within 48 hours, your account will be closed."
  27. Detecting Fraudulent Email
     "Dear Valued Customer." Phishing e-mail messages are usually sent out in bulk and often do not contain your first or last name.
  28. Detecting Fraudulent Email
     "Click the link below to gain access to your account." This is an example of URL masking (hiding the web address).
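The four tells on slides 26 to 28 (inappropriate request, implied urgency, generic greeting, masked URL) plus the Unicode hostname trick from slide 17 can be turned into a simple message scorer. The following is an added example, not code from the presentation or from DoIT; the sample message, domains and phrase lists are constructed for illustration, and a real mail filter would need far broader phrase lists and a reputation feed.

```python
"""Heuristic scorer for the fraudulent-email tells on slides 26-28 and 17.

Added example, not part of the original deck. SAMPLE_EMAIL is a constructed
phishing-style message; the domains in it are placeholders (.test TLD).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real email).
SAMPLE_EMAIL = """\
<p>Dear Valued Customer,</p>
<p>Verify your account. If you don't respond within 48 hours,
your account will be closed.</p>
<p>Click the link below to gain access to your account:<br>
<a href="http://login.example-bank.com.evil-placeholder.test/verify">
https://www.example-bank.com/login</a></p>
<p>Or visit <a href="http://xn--exmple-bank-placeholder.test/">our site</a>
and reply with your password and Social Security number.</p>
"""

# Slide 26: urgency / penalty, and requests for data that never belong in e-mail.
URGENCY = re.compile(r"within \d+ (hours|days)|will be (closed|suspended)", re.I)
SENSITIVE = re.compile(r"password|social security|login name|credit card", re.I)
# Slide 27: bulk-mail greeting with no real name.
GENERIC_GREETING = re.compile(r"dear (valued )?(customer|user|member)", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL, or '' if there is none."""
    return (urlparse(url).hostname or "").lower()


def analyze_email(html):
    """Return a list of human-readable findings; an empty list means no tell fired."""
    findings = []
    text = re.sub(r"<[^>]+>", " ", html)  # crude tag strip for the phrase checks
    if GENERIC_GREETING.search(text):
        findings.append("generic greeting")
    if URGENCY.search(text):
        findings.append("urgency or penalty")
    if SENSITIVE.search(text):
        findings.append("requests sensitive information")

    collector = LinkCollector()
    collector.feed(html)
    for href, visible in collector.links:
        real_host = host_of(href)
        # Slide 28: URL masking - the text shows one address, the link goes elsewhere.
        if visible.startswith(("http://", "https://")) and host_of(visible) != real_host:
            findings.append(f"url masking: shows {host_of(visible)} but goes to {real_host}")
        # Slide 17: Unicode / punycode hostnames that look like a familiar name.
        if any(ord(c) > 127 for c in real_host) or "xn--" in real_host:
            findings.append(f"non-ascii or punycode hostname: {real_host}")
    return findings


if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_EMAIL):
        print("-", finding)
```

The visible-text check deliberately fires only when the link text itself looks like a URL; a link whose text is "our site" is not masking anything, so that case is left to the hostname checks.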
  29. How to Defend Against Phishing Attacks
     • Never respond to an email asking for personal information
     • Always check the site to see if it is secure (SSL lock)
     • Look for misspellings or errors in grammar
     • Never click on the link in the email. Enter the web address manually
     • Keep your browser updated
     • Keep antivirus definitions updated
     • Use a firewall
     • When in doubt, ask your Network Administrator for their opinion
  30. A Note on Spear Phishing
     • Designed especially for you
     • Includes your name
     • May reference an environment or issue you are aware of and familiar with
     • Asks for special treatment, with justification for the request
  31. Other Techniques
     An ocean of Phishing techniques:
     • Clone Phishing – Discussion
     • Whaling – Discussion
     • Filter Evasion – Discussion
     • Phone Phishing – Discussion
     • Tabnabbing – Discussion
     • Evil Twins – Discussion
  32. Passwords
     Your password is your electronic key to valuable resources; treat it like your house key!
     • Sharing – Discussion
     • Theft – Discussion
     • Password Rotation – Discussion
  33. Creating a Strong Password
     The following two rules are the bare minimum you should follow when creating a password.
     Rule 1 – Password Length: Stick with passwords that are at least 8 characters in length. The more characters in the password, the better, as the time taken by an attacker to crack the password will be longer. 10 characters or longer is better.
     Rule 2 – Password Complexity: At least 4 characters in your password should be one each of the following:
  34. Creating a Strong Password
     1. Lower case letters
     2. Upper case letters
     3. Numbers
     4. Special characters
     Use the "8 4 Rule":
     8 = 8 characters minimum length
     4 = 1 lower case + 1 upper case + 1 number + 1 special character
     Do not use a password strength checking website! Any ideas why this is a bad idea?
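The "8 4 Rule" on slides 33 and 34 is simple enough to check on your own machine, which also answers the slide's closing question: a strength-checking website only works if you type the password into somebody else's server. The script below is an added example, not from the presentation; the character-pool sizes and the sample passwords are this example's own assumptions.

```python
"""Local "8 4 Rule" check (slides 33-34), plus a search-space estimate for Rule 1.

Added example, not part of the original deck. Runs entirely on the local
machine: nothing is sent anywhere, which is the point of slide 34's warning.
"""
import math
import string

# Assumed pool sizes per character class (ASCII); string.punctuation has 32 members.
POOL_SIZE = {"lower": 26, "upper": 26, "digit": 10, "special": len(string.punctuation)}
SPECIALS = set(string.punctuation)


def char_classes(password):
    """Which of the four classes from slide 34 appear in the password."""
    return {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in SPECIALS for c in password),
    }


def search_space_bits(password):
    """log2(pool ** length) for the classes actually used: an upper bound on the
    brute-force search space. Each extra character multiplies the attacker's
    work by the pool size, which is Rule 1's argument for length."""
    pool = sum(POOL_SIZE[name] for name, used in char_classes(password).items() if used)
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def check_8_4_rule(password):
    """Return whether the password passes, what is missing, and the bit estimate."""
    classes = char_classes(password)
    missing = [name for name, used in classes.items() if not used]
    if len(password) < 8:
        missing.insert(0, "length>=8")
    return {
        "passes": not missing,
        "missing": missing,
        "recommended_length": len(password) >= 10,  # slide 33: 10+ is better
        "bits": round(search_space_bits(password), 1),
    }


if __name__ == "__main__":
    # Constructed samples for illustration only; do not reuse them as real passwords.
    for sample in ("password", "Ab1!", "Tr0ub4dor&3", "correct horse battery staple"):
        print(f"{sample!r}: {check_8_4_rule(sample)}")
```

Note that the bit estimate is only an upper bound: a dictionary word with one digit and one symbol bolted on occupies far less of that space than the number suggests, which is why the slides treat the 8 4 Rule as a bare minimum rather than a guarantee.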
  35. Adware, Malware, Spyware
     Adware – unwanted ad software which is noticed
     Malware – unwanted software which is noticed and potentially causes harm
     Spyware – unwanted software which goes unnoticed and harvests your personal information
     Use endpoint protection!
  36. CIO.WISC.EDU/SECURITY
  37. Adware, Malware, Spyware
     How these get on your computer:
     • Email
     • Web pages
     • Downloaded software
     • CD, USB flash drive
     • Sometimes, out of the box
  38. Trojan Malware
  39. Baiting
     Hey, look! A free USB drive!
     I wonder what is on this confidential CD which I found in the bathroom?
     These are vectors for malware!
     They play on your curiosity or desire to get something for nothing.
     Don't be a piggy!
  40. Social Engineering Methods
     Using the Out of Office responder in a responsible manner
  41. Medical Identity Theft
     • Use another person's name
     • Sometimes other identifying information, such as a medical bracelet or insurance information
     • Obtain medical services
     • Make false claims
     • Causes erroneous information to be put into medical records
     • May lead to inappropriate and life-threatening situations
  42. Synthetic Identity Theft
     A variation of identity theft which has recently become more common is synthetic identity theft, in which identities are completely or partially fabricated. The most common technique involves combining a real Social Security number with a name and birthdate other than the ones associated with the number.
  43. How Does Identity Theft Happen
     Let's talk through the attached paper handout, entitled: "Techniques for obtaining and exploiting personal information for identity theft"
     Look through the list and think to yourself: "Could this apply to me?" If so, think about taking steps to avoid it.
  44. Tips To Avoid Identity Theft
     1. Only make purchases on trusted sites
     2. Order your credit report
     3. Know how to spot phishing
     4. Secure your network
     5. Can the spam
     6. Don't store sensitive information on non-secure web sites
     7. Set banking alerts
     8. Don't reuse passwords
     9. Use optional security questions
     10. Don't put private information on public computers
  45. If Your Identity Is Stolen (WORK)
     1. Contact your supervisor immediately
     2. Report the incident to the Office of Campus Information Security (OCIS) http://
     3. Contact the DoIT Help Desk
     4. Contact UW Police, depending on the nature of the incident. Consider your personal safety! "Better safe than sorry"
  46. Physical Security
     • The UW is a fairly open and shared physical environment
     • Seeing strangers is normal; we won't know if they are here as friend or foe
     • Lock your office
     • Lock your desk
     • Lock your computer
     • Criminals are opportunistic
     • Even if you are just gone for a moment
     • Report suspicious activity to your administration and UW Police
     • If you have an IT related concern, contact the Office of Campus Information Security
  47. Sharing Information With The Public
     • The University of Wisconsin is an open environment
     • However, on occasion, this open nature can be exploited by people with nefarious intent
     • Don't volunteer sensitive information
     • Only disclose what is necessary
     • Follow records retention policies
     • When in doubt, ask for proof; honest people will understand, dishonest people will become frustrated
  48. We Have So Much More To Talk About
     • Security Awareness matters not just to you, but to the University of Wisconsin as a whole
     • Security Awareness is an important facet of everyone's work
     • My actions impact you
     • Your actions impact me
     • Security Awareness is an ever changing and evolving area, which requires constant attention
     • DoIT is here as a resource for you
     • Let us know how we can help
     • Let me know if I can help
     • Don't be afraid to ask questions
     • Better safe than sorry
  49. A Picture Is Worth 1000 Words
  50. Questions and Discussion
     Nicholas