Socializing Attack/Defense Trees to Prevent Misuse

Presentation transcript:

Socializing Attack/Defense Trees to Prevent Misuse
Özgür Kafalı, Postdoctoral Researcher

Security Threat Modeling
- Attack/defense trees
- Misuse case diagrams

Current Approaches
- Informal: written in natural language, so they cannot formalize how nodes relate to each other
- Focus mainly on technical vulnerabilities
- Less attention to human misuse, whether intentional or unintentional

Goals
(Cartoon caption) "I fixed 100+ vulnerabilities today, great!" "How many humans did you fix though?"
- Enhance attack/defense trees with social factors to understand and prevent misuse
Picture credit: http://www.outsidethebeltway.com/nuclear-planet-engineers-want-us-to-know-theyre-not-homer-simpson/

Towards Happy Little Attack/Defense Trees
Bob Ross on trees and their significance: "Trees don't grow even, they don't grow straight ... Just however it makes them happy"
Picture credit: http://do210.com/p/internships

How Prevalent are Misuses?
- Investigated 1,600 breaches from HHS
- Common misuses: improper disposal, incorrect emails

HHS Breach Categories
[Chart: breaches split into Vulnerabilities and Misuses; label "44%"]

Are Policies Enough to Prevent Misuse?
- HIPAA clause: "Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored"
- Breach: failure to erase patient data on disposed photocopiers' hard drives

How Good is HIPAA?
[Chart: Vulnerabilities vs. Misuses; label "very few"]

Normative Formalization
- Commitments
- Authorizations
- Prohibitions

Representing Requirements
- Parents are authorized to access a minor's medical records if they are legal representatives.

Representing Breaches
- Breach: failure to erase patient data on disposed photocopiers' hard drives
- Healthcare workers are committed to erasing any media that might contain sensitive patient data

Social Factors
- Norms regulate interactions of users
- They state who is accountable to whom, and for what
Picture credit: https://www.reddit.com/r/TheSimpsons/comments/19jygj/rolling_rolling_rolling_toxic_barrel_rolling/

Normative Reasoning
- Having a normative model enables formal relations among norms
- Understand conflicts via pairwise comparison of norms
- Understand what desired security properties our threat models support

Normative Attack/Defense Trees
[Tree diagram with nodes: Asset; Misuse; Malware; Phishing; Norm; Norm Violation; Sanction; Refine]
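To make the normative formalization, requirements/breach representation and pairwise normative reasoning slides concrete, here is a small added model (not the presenter's code). It encodes the photocopier commitment and the parent authorization from the deck, adds a constructed prohibition as a counterpart, and flags norm violations (the "Norm Violation" leaves) and norm conflicts; all norm names, facts and actions are illustrative assumptions.

```python
from dataclasses import dataclass

# Constructed mini-model of the deck's normative formalization; not the authors' code.
@dataclass(frozen=True)
class Norm:
    kind: str              # "commitment", "authorization" or "prohibition"
    debtor: str            # who is accountable
    creditor: str          # to whom
    antecedent: frozenset  # facts that bring the norm into force ('not_<f>' negates f)
    consequent: str        # the action the norm governs

NORMS = [
    # "Representing Breaches": workers are committed to erasing media holding PHI
    Norm("commitment", "healthcare_worker", "hospital",
         frozenset({"media_disposed", "media_holds_phi"}), "erase_media"),
    # "Representing Requirements": parents may access a minor's record if legal reps
    Norm("authorization", "parent", "hospital",
         frozenset({"is_legal_representative"}), "access_minor_record"),
    # constructed counterpart: non-representatives are prohibited from that access
    Norm("prohibition", "parent", "hospital",
         frozenset({"not_is_legal_representative"}), "access_minor_record"),
]

def violations(norms, facts, actions):
    """Return (norm, misuse label) for each norm the scenario (facts, performed actions) violates."""
    found = []
    for n in norms:
        if not n.antecedent <= facts:
            continue  # norm not in force in this scenario
        if n.kind == "commitment" and n.consequent not in actions:
            found.append((n, "unfulfilled commitment"))
        elif n.kind == "prohibition" and n.consequent in actions:
            found.append((n, "prohibited action"))
    for act in actions:  # acting with no in-force authorization is also a misuse
        auths = [n for n in norms if n.kind == "authorization" and n.consequent == act]
        if auths and not any(n.antecedent <= facts for n in auths):
            found.append((auths[0], "unauthorized action"))
    return found

def conflicts(norms):
    """Pairwise comparison ("Normative Reasoning" slide): an authorization and a prohibition on
    the same debtor and action conflict unless their antecedents contradict (f vs. not_f)."""
    out = []
    for i, a in enumerate(norms):
        for b in norms[i + 1:]:
            if ({a.kind, b.kind} != {"authorization", "prohibition"}
                    or (a.debtor, a.consequent) != (b.debtor, b.consequent)):
                continue
            contradict = any("not_" + f in b.antecedent for f in a.antecedent) or \
                any("not_" + f in a.antecedent for f in b.antecedent)
            if not contradict:
                out.append((a, b))
    return out
```

Running the photocopier scenario (media disposed, PHI present, no erase action) yields an unfulfilled commitment, while an empty conflict list shows the authorization and prohibition are consistent because their antecedents contradict.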

Efforts to Improve Threat Models
- Collaborative games for identification and risk-based prioritization of vulnerabilities
- Protection Poker
- Elevation of Privilege

Norm Defense Game
- Strategy card game for security
- Attacker and defender teams
- New elements: Accountability, Forensics, Logging
[Card diagram: Forensics, Accountability, Logging]

Evaluation
- Different game modes: experts, novices
- Introduce random elements to simulate realistic scenarios
- Novelty: the outcome holds clues about the security of the subject system

Benefits
- For us: more papers
- For you: less misuse
- For the greater good: raise awareness regarding social factors

Collaboration
- Investigation of breaches: seeking breach reports from organizations
- Game design and evaluation: seeking players to be involved in our game
- Our approach will improve your threat models, or your money back!