DAIDS Regional Training Event, Johannesburg, South Africa, August 2012


Presentation Transcript


  1. DAIDS Regional Training Event, Johannesburg, South Africa, August 2012 Gregory Garecki (Senior Information Technology Security Analyst) John Quarantillo (CRSS (Westat) – Senior Systems Analyst) DIVISION OF AIDS AND NIAID OCICB Version 3.0 Securing DAIDS clinical research information

  2. Introduction Gregory Garecki • Background: Over 15 years in Information Technology (IT) and Security • Experience: Securing information resources, detecting and responding to security threats, auditing information systems • Current Role: Senior IT Security Analyst at NIH

  3. Introduction John Quarantillo • Background: 26 years in IT • Experience: Over 10 years in Information Security & Assurance • Industries: Health Studies, Pharmaceutical, Medical Devices • Current Role: Senior Systems Analyst at Westat • IT Manager for the NIAID HIV and Other Infectious Diseases Clinical Research Support Services (CRSS) Contract

  4. Audience Response System (ARS) • Respond to Questions • Change an Answer • Responses are Anonymous • Question cue is a on preceding slide • Ensure remote is on by pressing and holding the “On/Off” button • Please leave remotes on the tables • Choose your answer • Send or change your answer

  5. Audience Response System (ARS) (cont’d) When a virus infects a computer and destroys part of a file, making that file’s data inaccurate, it is an example of: • Loss of Confidentiality • Loss of Integrity • Loss of Availability • Choose your answer • Send or change your answer

  6. Audience Response System (ARS) (cont’d) The criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords, and financial information by masquerading as a trustworthy entity is called _____. • Choose your answer • Send or change your answer

  7. Objectives Workshop participants will be able to: • Understand clinical research security risks with regard to: Data, Software, Hardware, and Networks • Articulate risk-based information security goals • Secure clinical research information responsibly by raising awareness and learning how to act as a human sensor

  8. PRE-ASSESSMENT

  9. Pre-Assessment 1 • The goals of Information Security are to: • Protect research data • Protect confidentiality, integrity, and availability of information to support mission objectives • Prevent criminal activity and theft of sensitive data by hacking into the attackers’ systems • Help clinical site/laboratory managers monitor their staff members’ computer usage and support mission objectives

  10. Pre-Assessment 2 You have been working hard transferring Case Report Forms (CRFs) to the Data Management Center (DMC) when you receive an email from the DMC asking you to provide your system password to verify your identity. What should you do? • Open the email to confirm whether or not it is suspicious and then provide the requested information • Call the number you have for the DMC to verify the request • Forward the email to all of your peers • Read the email and reply to the sender to confirm your email address and receipt of the email

  11. Pre-Assessment 3 Your investigator sends you an urgent email asking you to forward a particular study participant’s CRF, which details an interesting Serious Adverse Event (SAE). What do you do? • Send an email with the CRF attached • Copy the CRF to a CD, USB drive, or other device and mail it to the investigator • Print and fax the requested document to your investigator • None of the above

  12. Pre-Assessment 4 While you are working, a message suddenly pops up stating your system is infected with a virus and provides a link to software for removing this virus. What do you do? • Click on the link to download the software, install, and run it since you are being responsible about security • Do nothing and report this to the clinical site/laboratory managers with a copy of the message if possible • Download the software and share with everyone on the team so they can also remove viruses from their computers • Do nothing; ignore the message and forget about it

  13. Pre-Assessment 5 The person sitting next to you on a flight is overwhelmed and asks you if they can use your laptop to charge their phone so they can call their child who is in the hospital as soon as they land. What should you do? • Say yes so the person can contact their sick child • Say no because you need the laptop's remaining battery power to finish your work • Say no because you do not know what effect this device might have on your computer • Say yes on the condition that you finish your work first

  14. ICE BREAKER: Discuss the most common IT security issues facing your site

  15. Classic Information Security • Data / Information • Confidentiality • Integrity • Availability

  16. Examples – Loss of Confidentiality • Using another person’s password to log on to a system • Allowing a co-worker to use a secure system for which he/she should not have access after you have logged on • Unencrypted laptop containing sensitive clinical information about the company and/or personal information is stolen or sold, and the information is accessed • Sharing or copying information without proper authorization (e.g., over the phone or by email)

  17. Examples – Loss of Integrity • When a virus infects a computer, corrupting parts of a file thereby making it inaccurate • Input errors while entering sensitive patient information into a database • An automated process that is not correctly written and/or validated processes bulk updates to the database, possibly altering data • An employee accidentally or with malicious intent deletes important patient clinical information

  18. Examples – Loss of Availability • Failure to back up data on a regular basis combined with loss of integrity or hardware failure • Lack of bandwidth due to excessive media streaming • Equipment failures during normal use • An employee accidentally or with malicious intent deletes important patient clinical information

  19. The Parkerian Hexad • Confidentiality • Possession or control • Integrity • Authenticity • Availability • Utility Source: http://www.mekabay.com/overviews/index.htm

  20. What Constitutes Clinical Data Risk? • Email and other Documents • Case Report Form • Clinical Trial Results • Participant Contact Information

  21. A Few Top Exploits • Microsoft Remote Desktop - This is the 2012 Remote Desktop Protocol (RDP) Bug that can allow remote code execution. • Adobe PDF-Embedded Social Engineering - The idea is that you can embed and execute the most popular social engineering-style module. • Java AtomicReferenceArray - This may be the first Java exploit that “just works” against all platforms for the vulnerable versions of Java. • Source: https://community.rapid7.com/community/metasploit/blog/2012/05/22/10-hottest-metasploit-exploit-and-auxiliary-modules-in-april

  22. Impact to Clinical Research • Why does clinical data risk matter? • Research participant privacy and safety • Organizational reputation & integrity • Damage containment and litigation costs

  23. Let’s take a Break !!!

  24. Clinical Risk Mitigation Techniques • Deliver Annual Security Awareness Training to create human clinical risk sensors. • Develop automated tools and technologies that minimize opportunities and detect exploits. • Report security incidents immediately and respond with sound security procedures.

  25. Clinical Risk Mitigation Techniques (cont’d) • Schedule clinical data backups; store the backup data offsite in a secure manner. • Verify that software is secure before and after download and installation. • Apply current software patches when they are made available as quickly as possible.

  26. Risk Mitigation Techniques: Data Backup & Uninterruptible Power Supply (UPS) Usage

  27. Risk Mitigation: Data Backup • Always back up your data/information following a defined method and schedule. • Develop procedures that describe: • Person responsible for backups • What to back up • Time and frequency of backups • Where to back up • How to back up

  28. Risk Mitigation: Data Backup (cont’d)

  29. Risk Mitigation: Data Backup Practices • Good data backup practices • Develop and frequently test backup strategies • Verify successful completion and integrity of backup • Define media rotation scheme • Perform trial restorations • Maintain backup log • Train appropriate personnel • Secure devices and media
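One way to carry out the "verify successful completion and integrity of backup" and "perform trial restorations" practices, as an added example that is not part of the original presentation: hash every source file, then compare a backup or trial restore against that manifest. The file names and contents are constructed sample data, and the function names are illustrative.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large exports do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(source_manifest, backup_root):
    """Compare a backup (or trial restore) against the source manifest."""
    backup = build_manifest(backup_root)
    return {
        "missing": sorted(set(source_manifest) - set(backup)),
        "corrupted": sorted(n for n in source_manifest
                            if n in backup and backup[n] != source_manifest[n]),
        "unexpected": sorted(set(backup) - set(source_manifest)),
    }


def demo():
    """Constructed sample data: two source files, one damaged backup copy."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bak = Path(tmp, "source"), Path(tmp, "backup")
        (src / "crf").mkdir(parents=True)
        (bak / "crf").mkdir(parents=True)
        (src / "crf" / "visit1.csv").write_text("id,value\n001,12\n")
        (src / "site_log.txt").write_text("backup test\n")
        # The backup holds a silently altered CRF and lacks the log file.
        (bak / "crf" / "visit1.csv").write_text("id,value\n001,21\n")
        return verify_backup(build_manifest(src), bak)


if __name__ == "__main__":
    print(demo())
```

An empty result in all three lists is the condition to record in the backup log as a verified run; anything else means the backup cannot be relied on for restoration.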

  30. Risk Mitigation: UPS Usage • Benefits • Offers protection from power outages/interruptions (brown out/sag, line noise) • Enables clean shutdown • Minimizes data corruption/loss • Minimizes hardware failure • Offers surge/spike protection • Note • Available for minimum length of time • Check regularly (monthly) • Source: Wikipedia (http://www.wikipedia.org/)

  31. Risk Mitigation Technique: Password Management

  32. What is your Password IQ? Source: SANS Institute Security Newsletter for Computer Users, February 2010

  33. Password IQ How often should you change your password? • Every 30 days • Every 60 days • Every 90 days • When IT tells you to

  34. PASSWORD IQ (cont’d) One of your co-workers is working on a critical report this weekend and needs access to some of your files. How should you give her your password? • Send it in an email message • Call her on the phone and tell her the password • Don’t give it to her or anybody else • Write it on a piece of paper, seal it in an envelope, and mail it to her

  35. PASSWORD IQ (cont’d) What is the most common password? • Password • 123456 • Qwerty • abc123 Source: PC Magazine

  36. PASSWORD IQ (cont’d) What characters should you use in a password to make it strong? • Letters (lower and upper case) • Numbers • Special characters (~!@#$%^&*) • All of the above

  37. PASSWORD IQ (cont’d) How long should a strong password be at the minimum? • Five characters • Eight characters • As long as possible • Size doesn’t matter

  38. Create Strong Passwords • Use passphrase passwords that are easy to remember, difficult to guess, yet conform to system constraints. • Use passwords without personally identifiable information (PII) or other sensitive data. • Use different passwords for different purposes to limit the risk of exposing multiple sites when one password is compromised.

  39. Password Entropy Source: http://xkcd.com/936/

  40. Keep Your Passwords Safe • Do not share passwords with ANYONE (including IT support). • Change a password immediately if you suspect it has been compromised, shared with another person, or stolen (even if it was encrypted). • Do not store passwords in easily accessible places or in close proximity to your computer.

  41. Remember…

  42. Activity Write down examples of passwords you would use for the following: • Personal email • Banking website • Social network account

  43. Risk Mitigation Technique: Portable Device Security Source: Defense Intelligence Agency

  44. Portable Device Security • Examples of Portable Devices • Smart phones • Laptops • Tablets (Apple iPad, Motorola Xoom, etc.) • Storage devices (flash drives, iPod, portable hard drives) • Portable Device Vulnerabilities & Threats • Ease of access to device/data • Loss/Theft • Increasing amounts of sensitive data stored • Increasing capabilities (web browsing, applications) • Blurring lines between personal and business use

  45. Portable Device Security (cont’d) • Use a strong personal identification number (PIN), password, or passphrase to protect the information stored on your device. • Limit browsing to well-known and trusted sites. Use secure sockets layer (SSL) encryption for browsing and webmail whenever possible. • Use encryption for sending sensitive information when using an untrusted network. • Keep operating system/firmware and applications up to date. • Exercise caution with opening links and downloading attachments. • Source: www.securingthehuman.org

  46. Portable Device Security (cont’d) • Encrypt sensitive data stored on devices (e.g., PointSec for PC and FileVault for Mac). • Install anti-malware (virus, spyware, etc.) software and update definitions frequently. • Update operating system and installed applications as recommended by vendor notifications. • Do not use a privileged account to browse the internet – always use a standard account for nonprivileged tasks. • Use a physical lock, when possible, to secure devices. • Source: www.securingthehuman.org

  47. Portable Device Security (cont’d) • Turn on the auto-lock/screensaver feature so the system times out after a period of inactivity. • Require a password when device resumes from screensaver. • Install software that enables retrieval and/or remote wipe of device if lost/stolen. • Disable Wi-Fi, Bluetooth, and other optional services when not in use. • Only install applications you need, and only from trustworthy sources. • Do not connect personal devices to employer systems unless approved. • Source: www.securingthehuman.org

  48. Portable Device Security (cont’d) • Attach an ID label (with minimal information – e.g., contact number or email) to back of portable device with alternate contact information in case it’s lost. • Back up device regularly. • Erase all confidential information before disposing of portable device. • Ensure portable device is permitted by your employer’s policies and any regulatory guidelines applicable to your industry. • Read documentation and terms of service for each software application before you install it. • Source: www.securingthehuman.org

  49. Exploit Example The next set of slides reviews a popular exploit, its impact, and ways to avoid becoming a victim.

  50. Spear Phishing Exploit • Phishing: The criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords, and financial information by masquerading as a trustworthy entity. • Phishing messages usually appear to come from a large and well-known company or website with a broad membership base.
