
Brett Miller, Medical School Chief IT Security Officer IRBMED Seminar Series April 28, 2015 Data Security.




1 Data Security (title slide): Brett Miller, Medical School Chief IT Security Officer, IRBMED Seminar Series, April 28, 2015

2 Problems with Data
- We're accountable for real and possible exposures
- Data integrity is important to research
- There are people who want to steal data
- If systems are compromised, data exposure or corruption can be collateral damage
- Data gets everywhere...

3 Data Gets Everywhere

4 Example Data Leaks
- Thumb drives get lost
- Laptops are stolen
- NAS devices are put on the Internet
- Collaboration tool permissions are too broad
- Misdirected emails
- Malware steals data
- Servers/databases are compromised

5 Personal Devices
- Hard to remove all traces of data from systems and backups
- Destruction of devices is sometimes necessary
- Personal systems are usually not secure or compliant
- Personal cloud backup, email, or collaboration tools are probably not compliant

6 Configuration Challenges
- Too many devices to keep track of
- Settings can unexpectedly change
- Knowing the details of settings can be a full-time job
- It's too easy to have your data end up in the cloud without realizing it

7 The Hacker Threat
- "Attacker" is more accurate
- Authorized "White Hat" or "Ethical Hackers" test and improve security
- So what about the bad hackers?

8 Attacker Motivation
- Money: information can be sold or held for ransom
- Ideology: hacktivism and nation states
- Borrowing your system (maybe for resale)
  - Used to launch attacks
  - Bitcoin mining or other computation
- For fun or bragging rights

9 Attacker Techniques
- Staggering number of ways:
  - Compromising web or other servers
  - Malware
  - Social engineering
  - Network attacks
  - Cryptographic attacks
  - Attacks on physical security

10 Tools
- Encryption
- Antivirus
- System patching
- Data destruction
- Managed systems

11 Encryption – Basic Idea

12 Encryption Types
- Data in Transit: on a wire or through the air (HTTPS, SSL)
- Data at Rest: in a file or on a disk (Credant, FileVault, BitLocker)

13 FIPS 140-2 Encryption
- FIPS 140-2 is a government standard
- Third-party testing labs certify products as 140-2 validated
- FISMA requires it
- Some projects/grants require it
- HHS refers to the same standards for PHI
- The encryption key must be kept separate from the encrypted data

14 Encryption Misconceptions
- "MS Office encryption is fine"
  - Depends on the version
- "Zip file encryption is OK"
  - Need to use WinZip 18.5 or later in FIPS 140-2 mode
- "If my system is encrypted, I'm safe"
  - An infected system can still leak data
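The zip point above is worth checking before an archive leaves a managed system: the format's original "ZipCrypto" protection is weak, and only entries marked with WinZip's AES scheme (compression method 99 plus a 0x9901 extra field) use a modern cipher. The checker below is an added example, not from the slides; it walks the local file headers of a constructed sample archive and classifies each entry. It reports the cipher family only, which says nothing about whether the producing tool was running in a FIPS 140-2 validated mode.

```python
import struct

LOCAL_HEADER_SIG = 0x04034B50   # "PK\x03\x04", start of each local file header
AES_METHOD = 99                 # compression-method value WinZip uses for AE-x entries
AES_EXTRA_ID = 0x9901           # extra-field ID carrying the AES key strength
ENCRYPTED_FLAG = 0x0001         # general-purpose bit 0: entry is encrypted
DESCRIPTOR_FLAG = 0x0008        # bit 3: sizes follow the data, so we cannot skip ahead

def aes_strength(extra: bytes) -> int:
    """Return WinZip AES strength from the 0x9901 extra field (1=128, 2=192, 3=256), 0 if absent."""
    pos = 0
    while pos + 4 <= len(extra):
        ext_id, size = struct.unpack_from("<HH", extra, pos)
        if ext_id == AES_EXTRA_ID and size >= 7:
            return extra[pos + 8]          # id(2) size(2) version(2) vendor "AE"(2) strength(1)
        pos += 4 + size
    return 0

def classify_entries(blob: bytes) -> list:
    """Walk local file headers and report how each entry is protected."""
    results, pos = [], 0
    while pos + 30 <= len(blob):
        f = struct.unpack_from("<IHHHHHIIIHH", blob, pos)
        if f[0] != LOCAL_HEADER_SIG:
            break                          # reached the central directory (or junk)
        flags, method, csize, fnlen, exlen = f[2], f[3], f[7], f[9], f[10]
        name = blob[pos + 30:pos + 30 + fnlen].decode("utf-8", "replace")
        extra = blob[pos + 30 + fnlen:pos + 30 + fnlen + exlen]
        strength = aes_strength(extra) if method == AES_METHOD else 0
        if not flags & ENCRYPTED_FLAG:
            verdict = "not encrypted"
        elif strength in (1, 2, 3):
            verdict = "AES-%d" % (64 + 64 * strength)   # 1->128, 2->192, 3->256
        else:
            verdict = "legacy ZipCrypto (weak)"         # encrypted bit set, no AE-x marker
        results.append((name, verdict))
        if flags & DESCRIPTOR_FLAG:
            break                          # streamed entry: header has no sizes, stop here
        pos += 30 + fnlen + exlen + csize
    return results

def build_entry(name: bytes, flags: int, method: int, extra: bytes = b"", data: bytes = b"") -> bytes:
    """Constructed local header + payload (CRC and timestamps zeroed; not meant to be extracted)."""
    header = struct.pack("<IHHHHHIIIHH", LOCAL_HEADER_SIG, 20, flags, method, 0, 0, 0,
                         len(data), len(data), len(name), len(extra))
    return header + name + extra + data

def sample_archive() -> bytes:
    """Constructed sample: a plain entry, a ZipCrypto entry, and a WinZip AES-256 entry."""
    aes_extra = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)   # strength 3 = AES-256
    return (build_entry(b"plain.txt", 0, 8, data=b"\x00" * 5)
            + build_entry(b"old.txt", ENCRYPTED_FLAG, 8, data=b"\x00" * 17)
            + build_entry(b"strong.txt", ENCRYPTED_FLAG, AES_METHOD, aes_extra, b"\x00" * 28))
```

Running `classify_entries(open(path, "rb").read())` on a real archive gives the same per-entry verdicts; anything reported as "legacy ZipCrypto (weak)" should be re-created with an AES-capable tool before it carries sensitive data.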

15 More Misconceptions
- "It's safe to click through certificate warnings"
  - Someone could be intercepting your data
- "If it says FIPS 140-2 compatible, it's OK"
  - It needs to be FIPS 140-2 certified/validated; NIST publishes lists of validated vendor products

16 Yet More Misconceptions
- "I can use the same password everywhere if it's strong"
  - Attackers get one password and try it everywhere
- "If I have a password set on my laptop, it's encrypted"
  - See demo later

17 Antivirus
- Not 100%, but can catch common malware
- A dedicated attacker won't be deterred
- Average attackers won't go to this trouble
- Not all antivirus products are equal; watch for updated recommendations from Security & Compliance

18 System Patching
- Serious vulnerabilities are found every week
- You may only have a few hours to patch
- We've seen systems compromised within 4-5 hours of a vulnerability announcement
- Automatic updates are best

19 Data Destruction
- It can be hard to erase data
- Traditional (non-SSD) hard drives require several passes of wiping
- SSD or flash memory devices may or may not be capable of being sanitized
- Physical destruction is the only sure way
- Best if the device is encrypted before use

20 Managed Systems
- On managed systems, you don't have to worry about the system itself
- Example managed systems
  - AirWatch
  - MiHarbor/MCIT Core
- Thumb drives, external drives, NASs, and personal equipment are still a concern

21 Demo & Questions




