Slide 1
Security expenditure should be determined by security risk. What is the financial risk to UNC of undetected modification of bioresearch data? Of theft and unauthorized publication of bioresearch data? What is the personal risk to UNC employees of prosecution for a failure of due diligence that leads to a leak? Is data theft likely, or even possible?
Slide 2
Security risk: Hacking risk is a product of the ability and the motivation of the hacker.

    Hacker                  Ability                  Motivation
    FBI                     high                     low (presumably)
    jealous spouse          low (usually)            high
    unhappy grad student    high (in some cases)     high (in some cases)
    and so on...
Slide 3
Given that security is a design consideration, its classical, competing goals are "CIA":
1. Confidentiality (the wrong people can't get the data)
2. Integrity (the data are not corrupted)
3. Availability (the right people can get the data)
Slide 4
Basic communication entities and channels (diagram): Clinic; Lab; DataBase with translation tables, controlled by the trusted broker; Researcher 1, Researcher 2, ..., Researcher N; samples.
Slide 5
Basic communication entities and channels (diagram): Clinic; Lab; DataBase with translation tables, controlled by the trusted broker; Researcher 1, Researcher 2, ..., Researcher N; Tissue Culture Facility.
Slide 6
Security boundaries, logical and physical (diagram): Clinic, Lab, ..., Clinic, Lab; DataBase with translation tables, controlled by the trusted broker; Researcher 1, Researcher 2, ..., Researcher N.
Slide 7
Points to consider: Lab and clinic security protocols are probably observed. However, researcher security practices in some cases might not be carefully observed; assumptions should be made accordingly.
Slide 8
Some standard practices used elsewhere in network security might be considered in our plans:
- "Audit-readiness" might be maintained in order to respond quickly to an outside investigation or challenge, with the goal of quick clearance.
- Regular or random internal security audits might be included in a management strategy.
- Documents used in audits might include 24/7 logs, flowcharts of procedures, training documents, etc.
Slide 9
Possible security design requirements:
- Identification tables of entities (as in the Trusted Broker doc)
- Translation tables among entities
- Authentication (two-way) between broker and entities
- Authorization of entities by the broker
- Encrypted channels (SSL, IPSec, other)
- Protection against various denial-of-service attack types (limiting multiple accesses or very frequent access requests from any one researcher, etc.)
- Multiple types of access requirements for the human trusted broker (something you have, something you know, or something you are)
- Other requirements on the trusted broker (bonded staff; permission to modify databases requiring at least two separate trusted brokers cooperating; etc.)
- Remote backup system...
Slide 10
Backup (as in the Honest_Broker_System document):
- Remote backup for bioresearch data
- Monthly CD and printed copy for translation tables
Slide 11
Other general network security concepts to consider:
Requirements document: "Requirements of the biodata system are A..., B..., C... If the product is designed to fulfill these requirements, then the design shall be considered acceptable by customer, designer, and vendor."
Signature lines: customer signature, designer signature, builder signature, management signature.
Slide 12
Other general concepts to consider:
Test plan document: "Tests of the biodata system are A1, A2, A3, ...; B1, B2, B3, ...; C1, C2, C3, ... If the product passes these tests, then the product shall be considered acceptable by customer, designer, and vendor."
Signature lines: customer signature, designer signature, builder signature, management signature.
Slide 13
Tricks of the trade: Random ID. The ID could be a social security number (30 bits) embedded in a larger key (say, 1024 bits) with the other bits random. The placement of the meaningful bits within the key is a secret held by the trusted broker. At the clinic, the SSN is converted to the key by software inaccessible to clinic staff. Thereafter, the key is what the trusted broker uses in communication with the lab and researchers. For communication from the broker back to the clinic pertaining to patients, inaccessible software at the clinic inverts the key to recover the SSN.
(Diagram: the SSN bit string 01101010...10 embedded at secret positions within the 1024-bit key 1000101110010100010100101011000101001...0101100.)
Slide 14
Tricks of the trade: Authentication mechanism. In a one-time, secure exchange, Party A gives a file of 1 Mb of random bits to Party B, and B does the same to A. The files are kept as secrets. Thereafter:
- A sends a message to B claiming to be A.
- B challenges A to send a random selection of 128 bits, say bits 55, 1012, 34114, ..., 800002 of the 1 Mb file originally given by A to B.
- B receives and checks the 128 bits, then communicates satisfaction to A.
- A challenges B in the same way, and A communicates satisfaction to B.
- A and B can then exchange a public key if the subsequent communication is to be encrypted.
Many refinements are possible...
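The challenge-response exchange on the slide above, as an added Python example that is not part of the original presentation: the "1 Mb" file is taken to be 1 MiB of random bytes (an assumption), the challenger picks 128 fresh random bit positions, the prover answers from its own copy, and mutual_authenticate runs the exchange in both directions.

```python
import os
import secrets

SECRET_BYTES = 1024 * 1024   # the slide's "1 Mb" file, taken as 1 MiB of random bytes (assumption)
CHALLENGE_BITS = 128         # number of bit positions the challenger asks for

def make_shared_secret(n_bytes: int = SECRET_BYTES) -> bytes:
    """The one-time secure exchange: a file of random bytes handed over out of band.
    Both parties keep their copy secret; the file itself is never sent again."""
    return os.urandom(n_bytes)

def get_bit(secret: bytes, position: int) -> int:
    """Bit `position` of the file, counting from bit 0 of byte 0 (LSB first)."""
    return (secret[position // 8] >> (position % 8)) & 1

def make_challenge(secret_bits: int, k: int = CHALLENGE_BITS) -> list:
    """Challenger picks k fresh, unpredictable positions (e.g. 55, 1012, 34114, ...).
    Each exchange reveals these k bits to anyone listening, so positions must come
    from a CSPRNG and never be reused: a fixed challenge could be answered by replay."""
    return [secrets.randbelow(secret_bits) for _ in range(k)]

def respond(secret: bytes, challenge: list) -> list:
    """Prover reads the requested bits from its own copy of the file."""
    return [get_bit(secret, p) for p in challenge]

def verify(secret: bytes, challenge: list, response: list) -> bool:
    """Challenger recomputes the bits from its copy and compares in constant time."""
    expected = bytes(respond(secret, challenge))
    return len(response) == len(expected) and secrets.compare_digest(bytes(response), expected)

def mutual_authenticate(a_file_at_a: bytes, a_file_at_b: bytes,
                        b_file_at_b: bytes, b_file_at_a: bytes) -> bool:
    """Both directions of the slide's exchange: A's file is held by A (prover) and
    B (verifier); B's file is held by B (prover) and A (verifier)."""
    # B challenges A on the file A originally gave to B.
    ch_b = make_challenge(len(a_file_at_b) * 8)
    if not verify(a_file_at_b, ch_b, respond(a_file_at_a, ch_b)):
        return False
    # A challenges B on the file B originally gave to A.
    ch_a = make_challenge(len(b_file_at_a) * 8)
    return verify(b_file_at_a, ch_a, respond(b_file_at_b, ch_a))

if __name__ == "__main__":
    a_file = make_shared_secret()
    b_file = make_shared_secret()
    print(mutual_authenticate(a_file, a_file, b_file, b_file))
    # An impostor holding a different file fails B's side of the exchange.
    print(mutual_authenticate(a_file, a_file, os.urandom(SECRET_BYTES), b_file))
```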