Brett Miller, Medical School Chief IT Security Officer IRBMED Seminar Series April 28, 2015 Data Security

Problems with Data We’re accountable for real/possible exposures Data integrity important to research There are people who want to steal data If systems are compromised data exposure or corruption can be collateral damage Data gets everywhere…

Data Gets Everywhere

Example Data Leaks Thumb drives get lost Laptops are stolen NAS devices are put on the Internet Collaboration tool permissions too broad Misdirected s Malware steals data Servers/databases are compromised

Personal Devices Hard to remove all traces of data from systems and backups Destruction of devices sometimes necessary Personal systems usually not secure or compliant Personal cloud backup, , or collaboration tools probably not compliant

Configuration Challenges Too many devices to keep track of Settings can unexpectedly change Knowing details of settings can be a full time job It’s too easy to have your data end up in the cloud without realizing it

The Hacker Threat “Attacker” is more accurate Authorized “White Hat” or “Ethical Hackers” test and improve security So what about the bad hackers?

Attacker Motivation Money - information can be sold or held for ransom Ideology - hacktivism & nation states Borrowing your system (maybe for resale) –Used to launch attacks –Bitcoin mining or other computation For fun or bragging rights

Attacker Techniques Staggering number of ways: Compromising web or other servers Malware Social engineering Network attacks Cryptographic attacks Attacks on physical security

Tools Encryption Antivirus System patching Data destruction Managed systems

Encryption – Basic Idea

Encryption Types Data in Transit  On a wire/through the air  HTTPS, SSL Data at Rest  In a file/on a disk  Credant, FileVault, BitLocker

FIPS Encryption FIPS is a government standard Third-party testing labs certify products as being validated FISMA requires it Some projects/grants require it HHS refers to the same standards for PHI Encryption key must be separate

Encryption Misconceptions MS Office encryption is fine –Depends on the version Zip file encryption is OK –Need to use WinZip 18.5 or later in FIPS mode. If my system is encrypted, I’m safe. –An infected system can leak data

More Misconceptions It’s safe to click through certificate warnings –Someone could be intercepting your data If it says FIPS compatible it’s OK –It needs to be FIPS certified/validated. NIST has lists of vendor products

Yet More Misconceptions I can use the same password everywhere if it’s strong –Attackers get one password and try it everywhere If I have a password set on my laptop, it’s encrypted –See demo later

Antivirus Not 100%, but can catch common malware A dedicated attacker won’t be deterred Average attackers won’t go to this trouble Not all antivirus products are equal. Watch for updated recommendations from Security & Compliance

System Patching Serious vulnerabilities found every week May only have a few hours to patch We’ve seen systems compromised in 4-5 hours of announcements Automatic updates are best

Data Destruction It can be hard to erase data Traditional (non-SSD) hard drives require several passes of wiping SSD or flash memory devices may or may not be capable of being sanitized Physical destruction is only sure way Best if device is encrypted before use

Managed Systems On managed systems, you don’t have to worry about the system itself Example managed systems –AirWatch –MiHarbor/MCIT Core Thumb drives, external drives, NASs, and personal equipment still an concern

Demo & Questions