Digital Photo Security: What You Need to Know
International Association of Forensic Nursing
March 14, 2011
Keith Fricke, CISSP, MBA
IAFN March 14, 2011
Agenda
• Bio
• Digital SANE Photos in a Regulatory & Legal Landscape
• Basic Measures in Securing Digital Photos
• Electronic Crime and Its Impact on Healthcare Photos
• Summary / Q&A
• Closing Statement
Keith Fricke CISSP, MBA
• Keith Fricke has 25 years’ experience in Information Technology, with a focus on Information Security for the last 11 years
• Information Security Officer at Catholic Health Partners
• Adjunct Professor, MIS Dept., Ursuline College
• Member of Information System Security Association (ISSA)
• Board Member of Cleveland’s InfraGard Chapter
Disclaimers
• I am not an attorney and am not providing legal advice
• I am representing my views as an Information Security Professional and not those of my employer
• I am not promoting any products in any demos in this presentation
REGULATORY & LEGAL LANDSCAPE
Regulatory Landscape
• HIPAA Security Rule
  – 45 CFR 164.308(a)(1) – Security Management Process
  – 45 CFR 164.308(a)(6) – Security Incident Procedures
  – 45 CFR 164.310(d)(1) – Media and Device Control
  – 45 CFR 164.312(a) – Access Control
  – 45 CFR 164.312(b) – Audit Controls
  – 45 CFR 164.312(e)(1) – Transmission Security
Regulatory Landscape
• HITECH Act
  – 45 CFR 164.404, .406, and .408 – Data Breach Notification
  – Encrypting Data at Rest is the “get out of jail free card”
• HIPAA Privacy Rule & Anticipated Changes
  – Minimum Necessary & Need to Know
  – Accounting of Disclosures
    – Ties back to HIPAA Security Audit Controls
• Meaningful Use
Regulatory Landscape
• Meaningful Use
  – 45 CFR 170.302(r) – Audit Logging
    – Stage 1 Only Requires EHR vendor to have audit functionality
    – Stage 1 EHR customers not required to implement auditing
    – But remember the HIPAA Security Rule?
    – Stage 1 requires a risk assessment
      – Logging reduces some risks
Regulatory Landscape
• Linking All This to SANE photos
  – Maintaining Privacy Rule’s Need-to-Know in an EHR
    – Can your EHR restrict access to SANE photos?
    – If not, keep them separate & scan a paper stating SANE photos exist
  – Audit Logging
    – If photos are kept separate & handled by few, logging access is not as necessary
  – HIPAA Security Rule
    – Security Management governs protecting SANE photos
      – Encrypting Photos
      – Storage Media Disposal
      – Incident Response
      – Sending photos to third parties
Legal Landscape
• Some Regulations Have Legal Ramifications
  – HITECH Act has Civil Penalties
  – New Power of States’ Attorney General
• Data Breach Legislation
• Federal Rules of Civil Procedure & e-Discovery
• Chain of Custody of Cameras & Photos
BASIC MEASURES TO SECURE SANE PHOTOS
Triad of Information Security
• Confidentiality
  – Encryption
  – Data Destruction
• Integrity
  – Hashing
• Availability
  – Backing Up / Restoring
  – Testing
ENCRYPTION
Encryption
• Definition: Scrambling information to make it unintelligible without knowing the encryption key
  – The “key” is usually a passphrase
• Data Encrypted in Motion
  – Think of online banking
  – Data is scrambled only during transmissions
Encryption
• Data at Rest
  – Scrambling data as it exists in a file or a database
  – Permits secure transfer of data over an insecure transmission (e.g. email or to an unencrypted web site)
  – Is encryption the same as a password? NO
    – House Analogy
  – AES (Advanced Encryption Standard) is the current government standard
    – 128 or 256 are strength ratings (the key size in bits)
  – 3DES is older but still used (don’t use plain DES)
  – Software Encryption vs. Hardware Encryption
Important
• Verify Ability to Decrypt File
  – Make Sure Files Can Be Decrypted
  – Verify the intended encryption password is correct
  – Do this before deleting original files
  – If encryption password is wrong, data cannot be retrieved
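The verify-before-delete step above, as an added example that is not part of the original slides: the photo is encrypted, decrypted again with the passphrase as re-entered, and the original is deleted only if the recovered bytes hash to the same value. It assumes the third-party Python `cryptography` package, AES-256-GCM with an scrypt-derived key as one reasonable choice of AES mode, and hypothetical function names.

```python
import hashlib
import os
from pathlib import Path

from cryptography.exceptions import InvalidTag  # third-party "cryptography" package
from cryptography.hazmat.primitives.ciphers.aead import AESGCM


def derive_key(passphrase, salt):
    """Stretch the passphrase into a 256-bit AES key with scrypt."""
    return hashlib.scrypt(passphrase.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def encrypt_file(src, dst, passphrase):
    """Write salt || nonce || AES-256-GCM ciphertext of src to dst."""
    salt, nonce = os.urandom(16), os.urandom(12)
    sealed = AESGCM(derive_key(passphrase, salt)).encrypt(nonce, Path(src).read_bytes(), None)
    Path(dst).write_bytes(salt + nonce + sealed)


def decrypt_bytes(enc_path, passphrase):
    """Return the plaintext; raises InvalidTag on a wrong passphrase or a damaged file."""
    blob = Path(enc_path).read_bytes()
    salt, nonce, sealed = blob[:16], blob[16:28], blob[28:]
    return AESGCM(derive_key(passphrase, salt)).decrypt(nonce, sealed, None)


def encrypt_then_retire_original(src, dst, passphrase, reentered_passphrase):
    """Encrypt src to dst, then delete src only if dst decrypts back to identical
    bytes with the passphrase as re-entered. Returns True if src was deleted."""
    original_hash = hashlib.sha256(Path(src).read_bytes()).hexdigest()
    encrypt_file(src, dst, passphrase)
    try:
        recovered = decrypt_bytes(dst, reentered_passphrase)
        verified = hashlib.sha256(recovered).hexdigest() == original_hash
    except InvalidTag:
        verified = False  # passphrase mismatch: the encrypted copy is not usable
    if not verified:
        os.remove(dst)    # discard the unusable copy and keep the original
        return False
    os.remove(src)
    return True
```

`os.remove` is a normal delete, so the original's data stays recoverable from the disk until it is overwritten, which is the subject of the data destruction slides.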
An Important Sidebar – Creating Good Passphrases
• A passphrase used to encrypt data can be thought of as being like a password
• A one character password has 52 possibilities (A-Z a-z)
• Using numbers 0-9 increases possibilities to 62
• Using non-alphanumeric characters increases possibilities to 95
Password Combinations
• 95 characters
  – 1 = 95
  – 2 = 9025
  – 3 = 857,375
  – 4 = 81,450,625
  – 5 = 7,737,809,375
  – 6 = 735,091,890,625
  – 7 = 69,833,729,609,375
  – 8 = 6,634,204,312,890,625
• 52 characters
  – 1 = 52
  – 2 = 2704
  – 3 = 140,608
  – 4 = 7,311,616
  – 5 = 380,204,032
  – 6 = 19,770,609,664
  – 7 = 1,028,071,702,528
  – 8 = 53,459,728,531,456
Passwords
Assume a 1GHz PC can try 2.8 million/sec
• 95 characters
  – 1 = 33 millionths of a second
  – 2 = 3 thousandths of a second
  – 3 = .3 seconds
  – 4 = 29 seconds
  – 5 = 46 minutes
  – 6 = 73 hours
  – 7 = 288 days
  – 8 = 75 years
• 52 characters
  – 1 = 18 millionths of a second
  – 2 = 9 thousandths of a second
  – 3 = 5 hundredths of a second
  – 4 = 2.61 seconds
  – 5 = 2.25 minutes
  – 6 = 117 minutes
  – 7 = 4.24 days
  – 8 = 220 days
DATA DESTRUCTION
Physical Destruction
• Destroy Media on which data are stored
  – CDs can be broken up or microwaved for 3-5 seconds
  – Smash USB Thumb drives, Memory Cards
  – Use strong magnetic field on diskettes & tape backups
  – Smash hard drives
  – Can contract with disposal companies
Electronic Destruction
• “Normal” Delete does not really delete the file
• Data is recoverable after deleting from Recycle Bin
Forensic Data Deletion
• Overwrites Data Rendering it Unrecoverable
Copier Security
• Buy a copier with data encryption. This may be an extra charge, but it is well worth it.
• Retain and destroy all hard drives from digital copiers when they are retired.
• Have the copier company wipe the data, but insist that they give you a certificate of destruction.
• Never use an office or public copier for copying personal information. Get your own personal copier for home use. These small all-in-one printer/fax/copiers don't have a hard drive.
Source: blog.chiefsecurityofficers.com
http://www.youtube.com/watch?v=iC38D5am7go
HASHING
Hashing
– Think of it as the DNA of a File
– Mathematical Process
– Creates Unique String of Numbers
– “Digital Fingerprint”
– Based on the File Run Through It
– You Change the File, You Change the Hash
– An Example
The hash for this file is the long string of letters and numbers below. It uniquely identifies this file. Only this combination of letters, numbers, and punctuation produces this hash value.
df1f2b3be98fda6ae7b8a404e99e66a08055fa914efde810b65a5c8906a47c57
Changing the file by merely replacing the period with an exclamation point changes the hash completely.
New Hash: 7101f6ef0dfd29e9530b8ccee54f20374c7a7a882f10b3809f87efb5c2a07042
Old Hash: df1f2b3be98fda6ae7b8a404e99e66a08055fa914efde810b65a5c8906a47c57
The same concept applies to digital photos. Slightly modifying a photo changes its hash. Showing that a photo’s hash has not changed instills high confidence that the photo has not changed.
Example of File Hashing Software
Note: All hashes are the same in this example because the photo used was copied 5 times and renamed. In a real situation, each photo would be different, and therefore each hash would be different.
The Importance of Hashing SANE Photos
• Helps prove integrity of digital photos in court
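One way to apply this to a folder of photos, as an added example that is not part of the original slides: record a hash for every file at the time of capture, then compare the folder against that record later to show which photos are unchanged, modified, missing or unlisted. SHA-256 is assumed (the 64-character hashes shown on the slides have that length); the function names and the sample files are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large photos never sit fully in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(photo_dir):
    """Map each file name in photo_dir to its SHA-256 hash."""
    return {p.name: sha256_file(p)
            for p in sorted(Path(photo_dir).iterdir()) if p.is_file()}


def verify_manifest(photo_dir, manifest):
    """Compare the folder with a stored manifest and classify every file."""
    current = build_manifest(photo_dir)
    report = {"unchanged": [], "modified": [], "missing": [], "unlisted": []}
    for name, recorded in manifest.items():
        if name not in current:
            report["missing"].append(name)
        elif current[name] == recorded:
            report["unchanged"].append(name)
        else:
            report["modified"].append(name)
    # Files on disk that were never recorded in the manifest.
    report["unlisted"] = sorted(set(current) - set(manifest))
    return report


if __name__ == "__main__":
    # Constructed sample: three stand-in "photos" with made-up bytes.
    with tempfile.TemporaryDirectory() as d:
        for i in range(3):
            Path(d, f"exam_{i}.jpg").write_bytes(b"\xff\xd8 constructed sample %d." % i)
        manifest = build_manifest(d)
        # Replace the period with an exclamation point in one file.
        Path(d, "exam_1.jpg").write_bytes(b"\xff\xd8 constructed sample 1!")
        print(json.dumps(verify_manifest(d, manifest), indent=2))
```

The manifest is only as trustworthy as its storage: keep it apart from the photos, since anyone able to alter both could make a changed photo verify.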
DATA BACKUP & RESTORE
Backing Up Photos
• Work with your IT & InfoSec Departments
  – Will help identify the proper media and location for storage
  – As with all data backups, store copies offsite
  – Use commercial vendors (not the trunk of your car)
  – Remember that backup tapes and CDs have a shelf life
    – Conflicting information: Unused shelf life typically 5 to 10 years but some vendors claim CDs/DVDs last 50 to 100 years
    – Longevity depends on environmental conditions and handling
  – Nothing lasts forever
ELECTRONIC CRIME
The Reason for Laws, Regulations, and Security
• Electronic crime is pervasive
• Shift from hacker notoriety to organized business
The Good Ole Days
Today
Why Steal My Registration?
• Car radio $$ vs. Identity $$$$$$$
• Buy, Sell, or Trade
• Fix me Doc
Tell Me About the “HOW”
• Abusing Authorized Access
• Unauthorized Access
  – Wireless Technology
  – Social Engineering
  – Malware & Phishing
Wireless Technology
• Sends data over radio frequencies
• Like TV and AM/FM radio
• A Commodity
Invading on Wireless
• Security off by default
• People post findings and tools on the Internet to invade upon wireless communications
Invading on Wireless
• Eavesdropping from a distance
• Do-it-yourself plans on the Internet
Social Engineering
Demo
Social Engineering
• Using the techniques of persuasion and/or deception to gain access to information systems
• S.E. Applied
Social Engineering
• The Help Desk call
• Malware
  – Viruses
  – Trojans
  – Add email
• Phishing
Putting SANE in Context
• Russian Business Network
  – Who they are
  – What they do
  – Why it is hard to stop them
• Trafficking Your Files
• File Sharing Sites
  – LimeWire, Kazaa
  – TENYOB
Summary
• Electronic Crime is a Lucrative, Well-Organized Business
• The Internet Provides the Means and the Knowledge
• Laws Exist Helping Protect Information and Individuals
• Encryption, Hashing, Data Destruction and Data Backups Enable Privacy, Security and Integrity
• Know the forces that affect your photos, ask questions and expect your IT Departments to help
Closing Thoughts
• Awareness vs. FUD
• Scratching the Surface of eCrime
Contact Information:
330-884-6680