Brett Miller, Medical School Chief IT Security Officer

IRBMED Seminar Series

April 28, 2015

Data Security

Problems with Data

• We’re accountable for real/possible exposures

• Data integrity important to research• There are people who want to steal data• If systems are compromised data exposure

or corruption can be collateral damage• Data gets everywhere…

Data Gets Everywhere

Example Data Leaks

• Thumb drives get lost• Laptops are stolen• NAS devices are put on the Internet• Collaboration tool permissions too broad• Misdirected emails• Malware steals data• Servers/databases are compromised

Personal Devices

• Hard to remove all traces of data from systems and backups

• Destruction of devices sometimes necessary• Personal systems usually not secure or

compliant• Personal cloud backup, email, or

collaboration tools probably not compliant

Configuration Challenges

• Too many devices to keep track of• Settings can unexpectedly change• Knowing details of settings can be a full

time job• It’s too easy to have your data end up in the

cloud without realizing it

The Hacker Threat

• “Attacker” is more accurate• Authorized “White Hat” or “Ethical

Hackers” test and improve security• So what about the bad hackers?

Attacker Motivation

• Money - information can be sold or held for ransom

• Ideology - hacktivism & nation states• Borrowing your system (maybe for resale)

–Used to launch attacks–Bitcoin mining or other computation

• For fun or bragging rights

Attacker Techniques

Staggering number of ways:• Compromising web or other servers• Malware• Social engineering • Network attacks• Cryptographic attacks• Attacks on physical security

Tools

• Encryption• Antivirus• System patching• Data destruction• Managed systems

Encryption – Basic Idea

Encryption Types

• Data in Transit On a wire/through the air HTTPS, SSL

• Data at Rest In a file/on a disk Credant, FileVault, BitLocker

FIPS 140-2 Encryption

• FIPS 140-2 is a government standard• Third-party testing labs certify products as

being 140-2 validated• FISMA requires it• Some projects/grants require it• HHS refers to the same standards for PHI• Encryption key must be separate

Encryption Misconceptions

• MS Office encryption is fine–Depends on the version

• Zip file encryption is OK–Need to use WinZip 18.5 or later in FIPS

140-2 mode.• If my system is encrypted, I’m safe.

–An infected system can leak data

More Misconceptions

• It’s safe to click through certificate warnings–Someone could be intercepting your data

• If it says FIPS 140-2 compatible it’s OK–It needs to be FIPS 140-2

certified/validated. NIST has lists of vendor products

Yet More Misconceptions

• I can use the same password everywhere if it’s strong–Attackers get one password and try it

everywhere• If I have a password set on my laptop, it’s

encrypted–See demo later

Antivirus

• Not 100%, but can catch common malware• A dedicated attacker won’t be deterred• Average attackers won’t go to this trouble• Not all antivirus products are equal. Watch

for updated recommendations from Security & Compliance

System Patching

• Serious vulnerabilities found every week• May only have a few hours to patch• We’ve seen systems compromised in 4-5

hours of announcements• Automatic updates are best

Data Destruction

• It can be hard to erase data• Traditional (non-SSD) hard drives require

several passes of wiping• SSD or flash memory devices may or may

not be capable of being sanitized• Physical destruction is only sure way• Best if device is encrypted before use

Managed Systems

• On managed systems, you don’t have to worry about the system itself

• Example managed systems–AirWatch–MiHarbor/MCIT Core

• Thumb drives, external drives, NASs, and personal equipment still an concern

Demo & Questions