
IT Security for Healthcare Professionals


DESCRIPTION

On Tuesday, November 13th, at 11:00 AM, I will be giving this presentation to faculty and staff at the University of Wisconsin-Madison, School of Medicine and Public Health, at the Health Sciences Learning Center (HSLC), next to UW Hospital. IT Security and Healthcare go together, like chocolate and peanut butter!


Page 1: IT Security for Healthcare Professionals

Free Powerpoint Templates

The Wild, Wild Web - Social Engineering, Malware and Security Awareness

Nicholas Davis, MBA, CISA, CISSP
DoIT Security
November 13, 2012

Page 2: IT Security for Healthcare Professionals

Introduction

• Background
• Thank you for the invitation
• Today's topic: malware, social engineering and overall security awareness
• Importance to the healthcare field
• Pretexting
• Phishing
• QR code danger
• Social networks
• Passwords
• Malware
• Baiting
• Identity theft: how it happens, avoiding it, responding to it
• Physical security
• Sharing of information with the public

Page 3: IT Security for Healthcare Professionals

Technology Is Not The Answer

Strong computer security has two components:

The Technology: passwords, encryption, endpoint protection such as anti-virus.

The People: you, your customers, your business partners.

Today, we will talk about both components.

Page 4: IT Security for Healthcare Professionals


Social Engineering

The art of manipulating people into performing actions or divulging confidential information

It is typically trickery or deception for the purpose of information gathering, fraud, or computer system access

Page 5: IT Security for Healthcare Professionals

Most Popular Type of Social Engineering

Pretexting: an individual lies to obtain privileged data. A pretext is a false motive.

Pretexting is a fancy term for impersonation.

In 2006 it led to the resignation of HP's board chairman, after investigators hired by the company used pretexting to obtain the phone records of directors and journalists.

Brings new meaning to HP's logo "I n v e n t".

Page 6: IT Security for Healthcare Professionals

Let's Think of an HSLC Pretexting Example

"This is the Epic upload site for the UW-Madison School of Medicine diabetes study. Click here to submit your test subjects' patient data."

Just because it says so does not make it true! Ask:
• Is the website address correct?
• Is the interface consistent with the real site?
• Is there an SSL lock, and is the certificate issued to the organization you expect?
• Does the request seem reasonable?
• Have you double checked with others?

Page 7: IT Security for Healthcare Professionals

Phishing

• Deception, but not just in person
• Email
• Websites
• Facebook status updates
• Tweets
• Phishing, in the context of the healthcare working environment, is extremely dangerous

Page 8: IT Security for Healthcare Professionals

Phishing History

• Phreaking: the 1970s term for making phone calls for free
• Fishing: the use of bait to lure a target
• Phreaking + Fishing = Phishing

Page 9: IT Security for Healthcare Professionals

Phishing 1995

• Target: AOL users
• Account passwords = free online time
• Threat level: low
• Techniques: similar names, such as www.ao1.com for www.aol.com

Page 10: IT Security for Healthcare Professionals

Phishing 2001

• Target: eBay and major banks
• Credit card numbers and account numbers = money
• Threat level: medium
• Techniques: same as in 1995, plus keyloggers

Page 11: IT Security for Healthcare Professionals


Keyloggers

• Tracking (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored

• Software or hardware based

Page 12: IT Security for Healthcare Professionals

Phishing 2007

• Targets: PayPal, banks, eBay
• Purpose: to steal bank accounts
• Threat level: high
• Techniques: browser vulnerabilities, link obfuscation

Page 13: IT Security for Healthcare Professionals

Don't Touch That QR Code

• Scanning one is just as bad as clicking on an unknown link: the code is only an encoded URL, and you cannot read it before your phone opens it
• Looks fancy and official, but is easy to create, and a sticker with a malicious code can be pasted over a legitimate one

Page 14: IT Security for Healthcare Professionals

Phishing in 2013

• Trends for the coming year
• Identity information
• Personal harm
• Blackmail

Page 15: IT Security for Healthcare Professionals

Example

• Mitt Romney
• Hackers claimed to have his tax returns and threatened to release them
• What could the ramifications have been for him and his accountants?

Page 16: IT Security for Healthcare Professionals

Looking In the Mirror

• Which types of sensitive information do you have access to?
• What about others who share the computer network with you?
• Think about the implications of that data being stolen and exploited!

Page 17: IT Security for Healthcare Professionals


What Phishing Looks Like

• As scam artists become more sophisticated, so do their phishing e-mail messages and pop-up windows.

• They often include official-looking logos from real organizations and other identifying information taken directly from legitimate Web sites.

Page 18: IT Security for Healthcare Professionals

Techniques For Phishing

• Employ visual elements from the target site
• DNS tricks:
  • www.ebay.com.kr (the registered domain is the last part, com.kr, not ebay.com)
  • [email protected] (a browser treats everything before the @ as a user name and connects to the host after it)
  • www.gooogle.com (look-alike spelling)
• Unicode attacks (letters from other alphabets that look like Latin letters)
• JavaScript attacks
• Spoofed SSL lock / certificates
• Phishers can acquire certificates for domains they own
• Certificate authorities make mistakes
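The DNS tricks above can be checked mechanically. The following Python is an added example, not code from the original slides or from DoIT; it uses only the standard library and assumes a hypothetical allow-list TRUSTED_DOMAINS. It flags the user@host trick, non-ASCII (homoglyph) host names, a trusted name embedded in a host registered elsewhere such as www.ebay.com.kr, and near-miss spellings such as gooogle.com. The two-label "registrable domain" shortcut is an assumption a real tool would replace with the Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumed allow-list for the example: the domains the organization actually uses.
TRUSTED_DOMAINS = {"ebay.com", "google.com", "wisc.edu"}


def levenshtein(a, b):
    """Edit distance between two strings; used to spot near-miss spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Last two labels of a host name: for www.ebay.com.kr that is com.kr, which is
    what exposes the trick. Simplification (assumption): a real tool should use the
    Public Suffix List so that names such as example.co.uk are handled correctly."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def analyze_url(url):
    """Return a list of warnings for the deception tricks found in one URL."""
    if "://" not in url:
        url = "http://" + url              # bare 'www.site.com' as pasted from an e-mail
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    warnings = []

    # Trick 1: user@host. The browser treats the text before '@' as a user name.
    if parts.username:
        warnings.append("text before '@' (%s) is not the host; the real host is %s"
                        % (parts.username, host))

    # Trick 2: Unicode (homoglyph) or punycode host names.
    if not host.isascii() or any(lbl.startswith("xn--") for lbl in host.split(".")):
        warnings.append("internationalized host name %r; may be a look-alike" % host)

    # Trick 3: a trusted name embedded in a host registered elsewhere.
    # Trick 4: a registrable domain that is a near miss for a trusted one.
    reg = registrable_domain(host)
    if reg not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if trusted in host:
                warnings.append("host %s contains trusted name %s but is registered under %s"
                                % (host, trusted, reg))
            elif 0 < levenshtein(reg, trusted) <= 2:
                warnings.append("registrable domain %s looks like %s (typosquat or homoglyph)"
                                % (reg, trusted))
    return warnings


if __name__ == "__main__":
    # Constructed samples; the last one uses Cyrillic 'о' in place of Latin 'o'.
    for sample in ["https://www.google.com/", "www.gooogle.com", "www.ebay.com.kr",
                   "http://www.ebay.com@evil.example/signin", "http://www.g\u043e\u043egle.com/"]:
        print(sample, "->", analyze_url(sample) or ["no warnings"])
```

The edit-distance threshold of 2 is deliberately loose; in production it would be combined with the allow-list so that only domains close to ones you actually use are reported, otherwise every short domain pair looks suspicious.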

Page 19: IT Security for Healthcare Professionals

Social Engineering Techniques

Often employed in phishing to lower your guard:

1. Threats – Do this or else!
2. Authority – I have the authority to ask this
3. Promises – If you do this, you will get money
4. Praise – You deserve this

Page 20: IT Security for Healthcare Professionals

Phishing Techniques

• Socially aware attacks
• Mine social relationships from public data
• Phishing email appears to arrive from someone known to the victim
• Use the spoofed identity of a trusted organization to gain trust
• Urge victims to update or validate their account
• Threaten to terminate the account if the victim does not reply
• Use a gift or bonus as bait
• Security promises

Page 21: IT Security for Healthcare Professionals

Let's Talk About Facebook

• So important, it gets its own slide!
• Essentially unauthenticated – discussion
• Three friends and you're out! – discussion
• Privacy settings mean nothing – discussion
• Treasure trove of identity information
• Games as information harvesters

Page 22: IT Security for Healthcare Professionals


Socially Aware

Page 23: IT Security for Healthcare Professionals


Context Aware

“Your bid on eBay has won!”“The books on your Amazon wish list are on sale!”

Page 24: IT Security for Healthcare Professionals


Seems Suspicious

Page 25: IT Security for Healthcare Professionals


419 Nigerian Email Scam

Page 26: IT Security for Healthcare Professionals


Too Good to be True, Even When It Is Signed

Page 27: IT Security for Healthcare Professionals

Detecting Fraudulent Email

Information requested is inappropriate for the channel of communication:

"Verify your account." Nobody should ask you to send passwords, login names, Social Security numbers, or other personal information through e-mail.

Urgency and potential penalty or loss are implied:

"If you don't respond within 48 hours, your account will be closed."

Page 28: IT Security for Healthcare Professionals

Detecting Fraudulent Email

"Dear Valued Customer." Phishing e-mail messages are usually sent out in bulk and often do not contain your first or last name.

Page 29: IT Security for Healthcare Professionals

Detecting Fraudulent Email

"Click the link below to gain access to your account."

This is an example of URL masking (hiding the real web address behind the link text).

URL alteration:

www.micosoft.com www.mircosoft.com www.verify-microsoft.com

Page 30: IT Security for Healthcare Professionals

How to Defend Against Phishing Attacks

• Never respond to an email asking for personal information
• Check that the site is secure (SSL lock), but remember that the lock only means the connection is encrypted; check that the certificate is for the organization you expect, since phishers can obtain certificates for domains they own
• Look for misspellings or errors in grammar
• Never click on the link in the email. Enter the web address manually
• Keep your browser updated
• Keep antivirus definitions updated
• Use a firewall
• When in doubt, ask your network administrator for their opinion
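The three "Detecting Fraudulent Email" slides and the defence list above amount to a checklist. The following Python is an added example, not code from the original deck, that runs that checklist over two constructed sample messages; every address and domain in it is invented under the reserved .example and example.edu names. It uses only the standard library and adds one check the slides do not name explicitly: a Reply-To domain that differs from the From domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Heuristics from the slides: urgency or penalty language, a request for data
# that does not belong in e-mail, a generic greeting, and link text that hides
# the real target. All patterns are illustrative, not an exhaustive rule set.
URGENCY = re.compile(r"within \d+ hours?|immediately|suspended|will be closed|urgent", re.I)
CREDENTIAL_REQUEST = re.compile(r"password|social security|login name|verify your account", re.I)
GENERIC_GREETING = re.compile(r"\bdear (valued )?(customer|user|member)\b", re.I)
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def host_of(text):
    """Host name of a URL, also for bare 'www.site.com' text without a scheme."""
    if "://" not in text:
        text = "http://" + text
    return (urlsplit(text).hostname or "").lower()


def domain_of(address):
    return address.rpartition("@")[2].lower()


def phishing_findings(raw_message):
    """Return the list of warnings for one RFC 822 message (empty list = nothing found)."""
    msg = message_from_string(raw_message)
    body = msg.get_payload() if not msg.is_multipart() else ""
    findings = []

    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        findings.append("Reply-To domain %s differs from From domain %s"
                        % (domain_of(reply_addr), domain_of(from_addr)))
    if GENERIC_GREETING.search(body):
        findings.append("generic greeting (bulk mailing, not addressed to you)")
    if URGENCY.search(body):
        findings.append("urgency or penalty language")
    if CREDENTIAL_REQUEST.search(body):
        findings.append("asks for credentials or personal data over e-mail")
    # URL masking: the visible link text is itself a URL, but the href goes elsewhere.
    for href, text in ANCHOR.findall(body):
        text = re.sub(r"<[^>]+>", "", text).strip()
        if re.fullmatch(r"\S+\.\S+", text) and host_of(text) != host_of(href):
            findings.append("link text shows %s but points to %s"
                            % (host_of(text), host_of(href)))
    return findings


# Constructed sample messages (invented senders and domains).
SAMPLE_PHISH = """\
From: "Account Services" <alerts@account-services-alert.example>
Reply-To: recovery@mail-verify.example
To: staff@example.edu
Subject: Action required: verify your account
Content-Type: text/html

<p>Dear Valued Customer,</p>
<p>Your mailbox will be closed within 48 hours unless you verify your account.
Please confirm your login name and password here:
<a href="http://login.mail-verify.example/uw">https://login.example.edu</a></p>
"""

SAMPLE_LEGIT = """\
From: "IT Help Desk" <helpdesk@example.edu>
To: staff@example.edu
Subject: Scheduled maintenance Saturday
Content-Type: text/html

<p>Hi Dana,</p>
<p>Email will be unavailable Saturday 2-4 AM for maintenance. No action is needed.
Details: <a href="https://status.example.edu/maint">https://status.example.edu/maint</a></p>
"""

if __name__ == "__main__":
    for name, raw in [("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)]:
        print(name, phishing_findings(raw) or ["no findings"])
```

Keyword heuristics like these catch the bulk campaigns the slides describe; the spear-phishing note that follows is exactly the case they miss, because a message written for one person can use your name, avoid urgency words and still carry a masked link, which is why the link check is the one worth keeping even when the others are quiet.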

Page 31: IT Security for Healthcare Professionals

A Note on Spear Phishing

• Designed especially for you
• Includes your name
• May reference an environment or issue you are aware of and familiar with
• Asks for special treatment, with justification for the request

Page 32: IT Security for Healthcare Professionals

Other Techniques: An Ocean of Phishing Techniques

• Clone phishing - discussion
• Whaling - discussion
• Filter evasion - discussion
• Phone phishing - discussion
• Tabnabbing - discussion
• Evil twins - discussion

Page 33: IT Security for Healthcare Professionals

Passwords

Your password is your electronic key to valuable resources. Treat it like your house key!

Sharing – discussion
Theft – discussion
Password rotation – discussion

Page 34: IT Security for Healthcare Professionals

Creating a Strong Password

The following two rules are the bare minimum you should follow when creating a password.

Rule 1 – Password length: use passwords that are at least 8 characters long. More characters are better, because the time an attacker needs to crack the password grows with every character added. 10 characters or longer is better still.

Rule 2 – Password complexity: your password should contain at least one character from each of the following four classes:

Page 35: IT Security for Healthcare Professionals

Creating a Strong Password

1. Lower case letters
2. Upper case letters
3. Numbers
4. Special characters

Use the "8 4 Rule":
8 = 8 characters minimum length
4 = 1 lower case + 1 upper case + 1 number + 1 special character

Do not use a password strength checking website! Any ideas why this is a bad idea? (Whatever you type into it has just been sent to a stranger's server.)
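An added example, not part of the original slides, that checks the 8-4 rule locally with Python's standard library, which is where a check like this belongs given the warning above about strength-checking websites. search_space_bits turns the "more characters means longer to crack" claim from Rule 1 into a number; the sample passwords are constructed for the example.

```python
import math
import string

# The four character classes named in the "8 4 Rule".
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def check_8_4_rule(password, min_length=8):
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    chars = set(password)
    for name, members in CLASSES.items():
        if not chars & members:
            problems.append("no %s character" % name)
    return problems


def search_space_bits(password):
    """log2 of the brute-force search space for a password of this length drawn from
    the character classes it actually uses. This is Rule 1 in numbers: each extra
    character multiplies the work. It ignores dictionary words, reuse and leaks,
    so it is an upper bound, not a strength score."""
    alphabet = sum(len(members) for members in CLASSES.values() if set(password) & members)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    # Constructed samples: one that passes 8-4, one that fails it, one long passphrase.
    for pw in ["Tr0ub4d0r!", "password", "P@ss1", "correcthorsebatterystaple"]:
        print("%-26s violations=%-55s bits=%.1f"
              % (pw, check_8_4_rule(pw) or "none", search_space_bits(pw)))
```

The last sample fails three of the four class checks yet has a far larger search space than the 10-character password that passes them all, which is the point behind "10 characters or longer is better": length does more for you than symbol juggling. Nothing here leaves the machine, so it is safe to run on a real candidate password.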

Page 36: IT Security for Healthcare Professionals

Adware, Malware, Spyware

Adware – unwanted software that shows advertisements; usually noticeable
Malware – the umbrella term for any software written to cause harm (viruses, worms, trojans, spyware and the rest); modern malware usually tries to stay unnoticed
Spyware – unwanted software that goes unnoticed and harvests your personal information

Use endpoint protection!

Page 37: IT Security for Healthcare Professionals

Adware, Malware, Spyware

How these get on your computer:
• Email
• Web pages
• Downloaded software
• CD, USB flash drive
• Sometimes, out of the box

Page 38: IT Security for Healthcare Professionals


Trojan Malware

Page 39: IT Security for Healthcare Professionals

Baiting

Hey, look! A free USB drive!
I wonder what is on this confidential CD which I found in the bathroom?

These are vectors for malware! They play on your curiosity or your desire to get something for nothing. Found media belongs with IT security, not in your workstation.

Don't be a piggy!

Page 40: IT Security for Healthcare Professionals

Social Engineering Methods

Using the Out of Office responder in a responsible manner: an automatic reply tells anyone who emails you, stranger or not, that you are away, for how long, and whom to contact instead, which is exactly the material a pretexter needs. Keep it short and avoid naming specific colleagues or projects.

Page 41: IT Security for Healthcare Professionals

Medical Identity Theft

• Use another person's name
• Sometimes other identifying information, such as a medical bracelet or insurance information
• Obtain medical services
• Make false claims
• Causes erroneous information to be put into medical records
• May lead to inappropriate and life-threatening situations

Page 42: IT Security for Healthcare Professionals


Synthetic Identity Theft

A variation of identity theft which has recently become more common is synthetic identity theft, in which identities are completely or partially fabricated. The most common technique involves combining a real social security number with a name and birthdate other than the ones associated with the number.

Page 43: IT Security for Healthcare Professionals


How Does IdentityTheft Happen

Let’s talk through the attached paper handout, entitled:

“Techniques for obtaining and exploiting personal information for identity theft”

Look through the list and think to yourself “Could this apply to me?” If so, think about taking steps to avoid it

Page 44: IT Security for Healthcare Professionals

Tips To Avoid Identity Theft

1. Only make purchases on trusted sites
2. Order your credit report
3. Know how to spot phishing
4. Secure your network
5. Can the spam
6. Don't store sensitive information on non-secure web sites
7. Set banking alerts
8. Don't reuse passwords
9. Use optional security questions
10. Don't put private information on public computers

Page 45: IT Security for Healthcare Professionals

If Your Identity Is Stolen

See paper handout from the FTC

1. Place a fraud alert on your credit reports, and review your reports.
2. Close the accounts that you know, or believe, have been tampered with or opened fraudulently.
3. File a report with your local police or the police in the community where the identity theft took place.
4. File a complaint with the Federal Trade Commission.

Page 46: IT Security for Healthcare Professionals

Physical Security

• The UW is a fairly open and shared physical environment
• Seeing strangers is normal; we cannot tell whether they are here as friend or foe
• Lock your office
• Lock your desk
• Lock your computer
• Criminals are opportunistic
• Even if you are just gone for a moment
• Report suspicious activity to your administration and UW Police
• If you have an IT related concern, contact the Office of Campus Information Security

Page 47: IT Security for Healthcare Professionals

Sharing Information With The Public

• The University of Wisconsin is an open environment
• However, on occasion, this open nature can be exploited by people with nefarious intent
• Don't volunteer sensitive information
• Only disclose what is necessary
• Follow records retention policies
• When in doubt, ask for proof: honest people will understand, dishonest people will become frustrated

Page 48: IT Security for Healthcare Professionals

We Have So Much More To Talk About

• Security awareness matters not just to you, but to the University of Wisconsin as a whole
• Security awareness is an important facet of everyone's work
• My actions impact you
• Your actions impact me
• Security awareness is an ever changing and evolving area, which requires constant attention
• DoIT is here as a resource for you
• Let us know how we can help
• Let me know if I can help
• Don't be afraid to ask questions
• Better safe than sorry

Page 49: IT Security for Healthcare Professionals

A Picture Is Worth 1000 Words

Page 50: IT Security for Healthcare Professionals

Questions and Discussion

Nicholas Davis
[email protected]
608-262-3837
facebook.com/nicholas.a.davis