Secure Computing Practices Karl Rademacher Director of Security, BSD.


Secure Computing Practices Karl Rademacher Director of Security, BSD

Agenda
Introduction to Computer Security
A Primer on Phishing
“Top 10 List” of Good Computing Security Practices
How to:
– Create a good password
– Encrypt sensitive information
– Protect your operating system

Introductions
Karl Rademacher, Director of Information Security, BSD
– 2016: Director of Information Security of the Biological Sciences Division
– 2015: Managed CDIS Information Security, ensuring compliance with the NIST Cyber Security Framework
– Previously: Managed Global eDiscovery, Litigation Support, Forensic Analysis, archival services, and incident response at Aon Corporation.

BSD Information Security Office
Mission: Enable and protect the BSD research and academic enterprise.
Enable – Consult, train and support staff by providing cyber security expertise to:
– compete for research grants
– advance research
– empower academics
Protect – Implement, monitor and manage security solutions to:
– safeguard information
– mitigate cyber risks
– detect adverse cyber attacks

BSD Information Security Office – Services
IT Security Incident Response: Detect and respond to cyber security events and assist departments in investigating and coordinating appropriate responses for IT security incidents, in collaboration with the ITS and CBIS information security offices, General Counsel, and the HIPAA Program Office.
Security Monitoring: Provide real-time analysis of logs and alerts from security devices, network infrastructure, servers, and other key assets by certified security experts.
Security Awareness and Training: Provide security awareness educational materials, including printed materials, online learning modules, presentations, and security product demonstrations for faculty, staff, and researchers.
IT Policy & Standards: Create, review, and maintain documentation to support information security policies, standards, and guidelines that align with appropriate regulations and industry best practices.
IT Security and Risk Consulting: Provide consultation to help BSD units respond to security assessment findings; resolve information technology risks, threats, and vulnerabilities; and implement adequate risk mitigation measures.
Risk Management and Compliance: Provide guidance and tools for implementing process controls on IT-related activities to meet compliance requirements, including support for internal or external audit inquiries related to BSD IT security controls.
Firewall Management: Provide full lifecycle management and monitoring of firewall appliances, including the hardware and software components required to provide firewall services.

What is Computer Security and why is it important?
Computer Security is the protection of computing systems and the data that users store or access.
Computer Security allows the University to carry out its mission by:
– Enabling staff and students to carry out their jobs, education, and research
– Protecting personal and sensitive information
– Supporting critical business processes

Why do you need to learn about Computer Security?
Good Computing Security Practices follow the “90 / 10” Rule:
– 10% of security safeguards are technical
– 90% of security safeguards rely on the computer user (“YOU”) to adhere to good computing practices
Example: The lock on the door is the 10%. You remembering to lock the door, checking to see if it’s closed, ensuring others do not open the door, and keeping control of the key is the 90%.

Ignoring Computer Security leads to security breaches and regulatory fines
In 2014 more than 1,500 data breaches occurred nationwide, compromising 1 billion personal records.
The Office for Civil Rights has been levying HIPAA fines: nine settlements since June 1, 2013 have totaled more than $10 million. Examples:
– $1,725,220 against Concentra Health Services for an unencrypted laptop that had been stolen from one of its facilities.
– $250,000 against QCA Health Plan, Inc. after an unencrypted laptop containing personal health information was stolen from an employee's car.

Phishing is a Threat to Privacy and Security
Email attacks, commonly known as “phishing attacks,” have become one of the primary attack methods used by cyber-criminals. Phishing attacks use social engineering techniques to trick employees into divulging personal information, clicking on risky links, or taking some other ill-advised action. Phishing attacks are one of the most effective means of instigating a data breach today. Most major security breaches happen not because of super-sophisticated hacker attacks, but because everyday people fall for phishing attacks. In the 2015 Data Breach Investigations Report, published by Verizon, more than two-thirds of incidents start with a phishing attack.
Every day:
– 516 unique phishing attacks.
– 156 million phishing emails are sent; … million make it through filters.
– 8 million are opened.
– 800 thousand click on the phishing links.
– 80 thousand users fall victim.

Phishing is a Threat to Privacy and Security (cont’d)
The average 10,000-employee company spends $3.7 million a year dealing with phishing attacks*.
– Employees waste 4.16 hours on average a year on phishing scams (47% of the cost).
– 27 percent of the cost was the risk of having to respond to a data breach caused by a compromised credential.
– 10 percent was the direct cost of addressing compromised credentials.
– 9 percent was the risk of a data breach caused by malware.
– 7 percent was the direct cost of containing malware.
The cost of a breach, including regulatory fines and penalties, is the biggest threat: the University of Washington Medical Center (UWM) incurred a $750,000 penalty from the Office for Civil Rights (OCR) for a breach that started with a phishing attack.
Phishing event costs (total per event; cost per employee):
– Cost to contain malware: $208,174; $22
– Cost of malware not contained: $338,098; $35
– Productivity losses from phishing: $1,819,923; $191
– Cost to contain credential compromises: $81,920; $9
– Cost of credential compromises not contained: $1,020,705; $107
– Total extrapolated cost: $3,768,820; $395
* Source: Ponemon Institute, 2015 State of Endpoint Risk Report.

Example – Recent Phishing Attack
A phishing email was sent to staff last week. Clicking on the link redirected employees to a fake website.

“Top 10 List” of Good Computing Security Practices everyone can take to protect computers and data
1. Password protect your computer and portable devices.
2. Choose good passwords and keep them secret and secure.
3. Encrypt any ePHI or PII stored on portable devices or media.
4. Keep your operating system patched and up-to-date.
5. Install anti-virus and keep it up-to-date.
6. Turn on your computer firewall.
7. Lock up your devices or take them with you.
8. Do not respond to anyone asking you for your password.
9. Securely delete ePHI and PII when it is no longer needed.
10. Back up critical information.

Password protect your computer and portable devices
Creating a good password:
– Combine 2 unrelated words (e.g., Mail + phone).
– A good password has at least 12 characters.
– Use a password or passphrase manager, such as LastPass, to help manage multiple passwords/passphrases. LastPass is free for students and can be downloaded from LastPass.com.
The table below shows how fast your password can be guessed by a hacker (Pattern; Calculation; Result; Time to Guess):
– 8 chars, lower case alpha; 26^8; 2x10^11; < 1 second
– 8 chars, alphanumeric; 62^8; 2x10^14; minutes
– 8 chars, all keyboard; 95^8; 7x10^15; hours
– 12 chars, alphanumeric; 62^12; 3x10^21; years
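The table above is four instances of one calculation: keyspace = (character-set size)^(length), divided by the attacker's guess rate. The script below, an added example that is not part of the original presentation, reproduces those rows and generalizes to any class and length, and also shows why "two words" alone is not enough. The guess rate of 10^12 per second is a constructed assumption chosen so that 26^8 lands under one second as the slide states; the 20,000-word dictionary size is likewise constructed.

```python
import math

# Character-class sizes behind the slide's table (alphanumeric = a-z, A-Z, 0-9;
# "all keyboard" = the 95 printable ASCII characters).
CHARSET_SIZES = {"lower case alpha": 26, "alphanumeric": 62, "all keyboard": 95}

# Assumed attacker speed: 1e12 guesses/second, chosen so that 26^8 (~2x10^11)
# falls in "< 1 second" as the slide states. Constructed assumption, not from the slide.
GUESSES_PER_SECOND = 1e12


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of `length` symbols drawn from `charset_size` symbols."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Strength in bits (log2 of the keyspace) for a uniformly random password."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(charset_size: int, length: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return keyspace(charset_size, length) / rate


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value >= 1."""
    for name, size in (("years", 365 * 24 * 3600), ("days", 24 * 3600),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def strength_row(label: str, length: int, rate: float = GUESSES_PER_SECOND) -> dict:
    """One row of the slide's table for a given character class and length."""
    size = CHARSET_SIZES[label]
    return {
        "pattern": f"{length} chars: {label}",
        "calculation": f"{size}^{length}",
        "result": f"{keyspace(size, length):.0e}",
        "bits": round(entropy_bits(size, length), 1),
        "time_to_guess": human_time(seconds_to_exhaust(size, length, rate)),
    }


def passphrase_keyspace(dictionary_words: int, word_count: int) -> int:
    """Keyspace of a passphrase of `word_count` words chosen from a `dictionary_words`-word list."""
    return dictionary_words ** word_count


if __name__ == "__main__":
    for label, length in (("lower case alpha", 8), ("alphanumeric", 8),
                          ("all keyboard", 8), ("alphanumeric", 12)):
        print(strength_row(label, length))
    # Two words from a 20,000-word dictionary (constructed figure) give only ~4x10^8
    # candidates, fewer than 8 random alphanumeric characters. Combining words is a
    # memory aid; the 12-character minimum (or more words) is what supplies the strength.
    print(f"2 dictionary words: {passphrase_keyspace(20_000, 2):.0e} candidates")
```

Changing GUESSES_PER_SECOND moves every "time to guess" column together, which is the point of the table: the attacker's hardware is outside your control, and length is the lever you hold.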

Encrypt any ePHI and PII stored on portable devices or media
ePHI = Electronic Protected Health Information (Personal + Health)
– Medical record number and/or account number with SSN
– Patient demographic data (e.g. address, date of birth, date of death, sex, etc.)
– Dates of service (e.g. date of admission, discharge, etc.)
– Medical records, reports, test results, or appointment dates
PII = Personally Identifiable Information (Personal only)
– Individual’s name, SSN, driver’s license number, or credit card account numbers
– Health insurance policy number, subscriber ID, application or claims

Encryption vs. Passwords
Having a password does not necessarily mean something is encrypted.
– Passwords by themselves do not scramble the information.
If something is only “password protected,” it is not enough protection: someone could bypass the password and read the information.
(Illustration: the same file as original, password protected, and encrypted.)
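The distinction the slide draws can be made concrete in code. The example below, added here and not part of the original presentation, builds two containers for the same note: a "password protected" one, where the password is only a gate check and the content is stored unchanged, and an encrypted one, where the content is unreadable without the key derived from the password. A `plaintext_exposed` check then shows that the first leaks the note to anyone who opens the file in a hex editor while the second does not. The sample note is constructed. The cipher is a standard-library teaching construction (PBKDF2 key derivation, an HMAC-SHA256 keystream in counter mode, and an HMAC tag over the ciphertext); it exists to show the property, and real deployments should use the vendor disk encryption the slides recommend (FileVault, BitLocker) or a vetted AES library.

```python
import hashlib
import hmac
import os

# Constructed sample; not a real patient record.
SECRET_NOTE = b"Patient MRN 00012345 admitted 2016-03-01"

SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32
PBKDF2_ROUNDS = 200_000


def password_protect(plaintext: bytes, password: str) -> bytes:
    """Imitates a 'password protected' file: a password hash gates the viewer,
    but the content itself is stored as-is right after the header line."""
    check = hashlib.sha256(password.encode()).hexdigest().encode()
    return b"PWCHECK:" + check + b"\n" + plaintext


def _derive_keys(password: str, salt: bytes):
    """PBKDF2-HMAC-SHA256 stretches the password into an encryption key and a MAC key."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode to produce `length` keystream bytes."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(plaintext: bytes, password: str) -> bytes:
    """Encrypt-then-MAC: output is salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = _derive_keys(password, salt)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt(blob: bytes, password: str) -> bytes:
    """Verify the tag in constant time before decrypting; reject wrong passwords and tampering."""
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong password or tampered data")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def plaintext_exposed(container: bytes, secret: bytes) -> bool:
    """True if the secret can be read straight out of the stored bytes, no password needed."""
    return secret in container


def rejects(blob: bytes, password: str) -> bool:
    """True if decryption refuses the blob (wrong password or modified bytes)."""
    try:
        decrypt(blob, password)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    gated = password_protect(SECRET_NOTE, "correct horse battery")
    sealed = encrypt(SECRET_NOTE, "correct horse battery")
    print("password protected leaks note:", plaintext_exposed(gated, SECRET_NOTE))   # True
    print("encrypted leaks note:         ", plaintext_exposed(sealed, SECRET_NOTE))  # False
    print("decrypts with password:       ", decrypt(sealed, "correct horse battery") == SECRET_NOTE)
```

This is exactly the lost-laptop scenario in the slides: a stolen "password protected" device yields its data to anyone who reads the disk directly, while an encrypted device yields only the random-looking blob.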

Encryption saves the University both time and money
The table below shows the time and costs for handling security incidents for lost and stolen devices.
Encrypted device with ePHI/PII:
– Incident: User’s computer stolen from his/her car. Device had ~400 patient records.
– Investigation time (combined hours for incident response team – legal, HR, IT, security, etc.): 1 hour
– Security forensics costs: $0
– Reputation damage costs: $0
Unencrypted device with ePHI/PII:
– Incident: User forgot laptop in cab. Device had ~400 patient records.
– Investigation time: 50 hours
– Security forensics costs: $2,000
– Reputation damage costs: Priceless
Unencrypted device without ePHI/PII:
– Incident: User left tablet on plane. Device had no patient health information.
– Investigation time: 35 hours
– Security forensics costs: $800
– Reputation damage costs: $0

Encryption Solutions
Apple – FileVault 2
– Cost/Impact: Free; native security feature; easy setup; vendor-supported; AES 128 encryption for data protection; can store the recovery key with Apple; well-documented install guide.
– Purpose: Encrypt the contents of your entire drive. Solution will work for personally-owned and BSD-owned laptops.
Windows – BitLocker*
– Cost/Impact: Free; native security feature; AES 128-bit and 256-bit; some hardware dependencies.
– Purpose: Encrypt the contents of your entire drive. Solution will work for personally-owned and BSD-owned laptops.
* To use BitLocker, your laptop must be equipped with a Trusted Platform Module (TPM) chip, and it must be enabled.

Encryption Solutions (Cont’d)
Files/Volumes – AxCrypt
– Cost/Impact: Free; has native versions for both Windows and Apple; uses strong compliant encryption.
– Purpose: Creates secure disk images and files for data sharing via email, CD or cloud.
External Storage – Aegis Secure USB Key
– Cost/Impact: $65; unlocks with onboard PIN pad; 256-bit AES hardware-based encryption; PIN of 7–15 digits on an alphanumeric keypad.
– Purpose: Secures the transport of data, documents, and presentations.
Apple Phone/Tablet – iOS
– Cost/Impact: Free; native security feature, enabled by default with the use of a passcode; vendor-supported; AES 128 encryption; can store the recovery key with Apple; well-documented install guide.
– Purpose: Encrypts the content of the device; solution will work for personally-owned and BSD-owned devices.
Android Phone/Tablet – Android
– Cost/Impact: Free; native security feature; easy setup; vendor-supported; AES 128 encryption; well-documented install guide.
– Purpose: Encrypts the content of the device; solution will work for personally-owned and BSD-owned devices.

Turn on your firewall – HOW TO
A firewall acts as a wall between your computer/private network and the internet. A firewall prevents hackers from entering your computer through the internet.
On a Mac:
1. Open System Preferences.
2. Click the Security or Security & Privacy icon.
3. Select the Firewall tab.
4. Click the lock icon, then enter an administrator name and password.
5. Click the Firewall Options button.
On Windows:
1. Open Windows Firewall by clicking the Start button, and then clicking Control Panel.
2. In the left pane, click Turn Windows Firewall on.
3. Click Turn on Windows Firewall under each network location, and then click OK.

Keeping your operating system patched and up-to-date – HOW TO
Vendors regularly issue patches or updates to solve security problems in their software. Computers can be set up to automatically download and install updates. When updates are not applied, your computer is left vulnerable to hackers.
On Windows:
1. Open Windows Update.
2. Tap or click Choose how updates get installed.
3. Under Important updates, choose Install updates every day.
4. Under Recommended updates, select the Give me recommended updates the same way I receive important updates check box.
On a Mac:
1. Choose System Preferences from the Apple menu.
2. Click App Store.
3. Select Automatically check for updates.

Resources & References
– BSD Information Security Office
– BSD HIPAA Program Office
– Apple Encryption – FileVault 2
– Windows Encryption – BitLocker
– Files/Volumes Encryption – AxCrypt
– External Storage Encryption – Aegis Secure Storage