āļĢāļ°āļāļāļāļēāļĢāļāļąāļāļāļēāļĢāļāđāļāļĄāļđāļĨāļāļ§āļēāļĄāļĨāļąāļāļāļđāđāļāđāļ§āļĒ (Thailand LA Forum 2017 āļŠāļ āļēāđāļāļāļāļīāļāļāļēāļĢāđāļāļāļĒāđ) ...Nawanan Theera-Ampornpunt
āļĢāļ°āļāļāļāļēāļĢāļāļąāļāļāļēāļĢāļāđāļāļĄāļđāļĨāļāļ§āļēāļĄāļĨāļąāļāļāļđāđāļāđāļ§āļĒ (Thailand LA Forum 2017 āļŠāļ āļēāđāļāļāļāļīāļāļāļēāļĢāđāļāļāļĒāđ) ...
5. National Healthcareâs Worst Nightmare
https://www.straitstimes.com/singapore/personal-info-of-15m-singhealth-
patients-including-pm-lee-stolen-in-singapores-most
6. Ransomware Attack in Thai Hospitals
https://www.facebook.com/SaraburiHospital/photos/a.255929423747
8100/4366815263392646/
7. Sources of the Threats
⊠Hackers
⊠Viruses & Malware
⊠Poorly-designed systems
⊠Insiders (Employees)
⊠Peopleâs ignorance & lack of knowledge
⊠Disasters & other incidents affecting information
systems
12. S: Security and Privacy of Information
and Social Media
S 1 Security and Privacy of Information
S 2 Social Media and
Communication Professionalism
Personnel Safety Goals: S in SIMPLE
14. Alice
Simplified Attack Scenarios
Server Bob
Eve/Mallory
1. âāļāđāļāļāļēāļ & āļāļĨāļēāļĒāļāļēāļâ (Users)
2. âāļĢāļ°āļŦāļ§āđāļēāļāļāļēāļâ (Network)
3. âāļāļĨāļēāļāļŦāļąāļ§āđāļâ (Servers)
15. Alice
Simplified Attack Scenarios
Server Bob
- Physical access to client computer
- Electronic access (password)
- Tricking user into doing something
(malware, phishing & social
engineering)
Eve/Mallory
16. Alice
Simplified Attack Scenarios
Server Bob
- Intercepting (eavesdropping or
âsniffingâ) data in transit
- Modifying data (âMan-in-the-middleâ
attacks)
- âReplayâ attacks
Eve/Mallory
17. Alice
Simplified Attack Scenarios
Server Bob
- Unauthorized access to servers through
- Physical means
- User accounts & privileges
- Attacks through software vulnerabilities
- Attacks using protocol weaknesses
- DoS / DDoS attacks
Eve/Mallory
18. Alice
Safeguarding Against Attacks
Server Bob
Administrative Security
- Security & privacy policy
- Governance of security risk management & response
- Uniform enforcement of policy & monitoring
- Disaster recovery planning (DRP) & Business continuity
planning/management (BCP/BCM)
- Legal obligations, requirements & disclaimers
19. Alice
Safeguarding Against Attacks
Server Bob
Physical Security
- Protecting physical access of clients & servers
- Locks & chains, locked rooms, security cameras
- Mobile device security
- Secure storage & secure disposition of storage devices
20. Alice
Safeguarding Against Attacks
Server Bob
User Security
- User account management
- Strong p/w policy (length, complexity, expiry, no meaning)
- Principle of Least Privilege
- âClear desk, clear screen policyâ
- Audit trails
- Education, awareness building & policy enforcement
- Alerts & education about phishing & social engineering
21. Alice
Safeguarding Against Attacks
Server Bob
System Security
- Antivirus, antispyware, personal firewall, intrusion
detection/prevention system (IDS/IPS), log files, monitoring
- Updates, patches, fixes of operating system vulnerabilities &
application vulnerabilities
- Redundancy (avoid âSingle Point of Failureâ)
- Honeypots
22. Alice
Safeguarding Against Attacks
Server Bob
Software Security
- Software (clients & servers) that is secure by design
- Software testing against failures, bugs, invalid inputs,
performance issues & attacks
- Updates to patch vulnerabilities
23. Alice
Safeguarding Against Attacks
Server Bob
Network Security
- Access control (physical & electronic) to network devices
- Use of secure network protocols if possible
- Data encryption during transit if possible
- Bandwidth monitoring & control
24. Alice
Safeguarding Against Attacks
Server Bob
Database Security
- Access control to databases & storage devices
- Encryption of data stored in databases if necessary
- Secure destruction of data after use
- Access control to queries/reports
- Security features of database management systems (DBMS)
- Data backups (online vs. offline)
28. ⊠Access control
⊠Selective restriction of access to the system
⊠Role-based access control
⊠Access control based on the personâs role
(rather than identity)
⊠Audit trails
⊠Logs/records that provide evidence of
sequence of activities
User Security
29. ⊠Identification
⊠Identifying who you are
⊠Usually done by user IDs or some other unique codes
⊠Authentication
⊠Confirming that you truly are who you identify
⊠Usually done by keys, PIN, passwords or biometrics
⊠Authorization
⊠Specifying/verifying how much you have access
⊠Determined based on system ownerâs policy & system
configurations
⊠âPrinciple of Least Privilegeâ
User Security
30. ⊠Multiple-Factor Authentication
⊠Two-Factor Authentication
⊠Use of multiple means (âfactorsâ) for authentication
⊠Types of Authentication Factors
⊠Something you know
⊠Password, PIN, etc.
⊠Something you have
⊠Keys, cards, tokens, devices (e.g. mobile phones)
⊠Something you are
⊠Biometrics
User Security
31. Need for Strong Password Policy
So, two informaticians
walk into a bar...
The bouncer says,
"What's the password."
One says, "Password?"
The bouncer lets them
in.
Credits: @RossMartin & AMIA (2012)
33. Recommended Password Policy
⊠Length
⊠8 characters or more (to slow down brute-force attacks)
⊠Complexity (to slow down brute-force attacks)
⊠Consists of 3 of 4 categories of characters
⊠Uppercase letters
⊠Lowercase letters
⊠Numbers
⊠Symbols (except symbols that have special uses by the
system or that can be used to hack system, e.g. SQL
Injection)
⊠No meaning (âDictionary Attacksâ)
⊠Not simple patterns (12345678, 11111111) (to slow down brute-
force attacks & prevent dictionary attacks)
⊠Not easy to guess (birthday, family names, etc.) (to prevent
unknown & known persons from guessing)Personal opinion. No legal responsibility assumed.
34. Recommended Password Policy
⊠Expiration (to make brute-force attacks not possible)
⊠6-8 months
⊠Decreasing over time because of increasing computerâs
speed
⊠But be careful! Too short duration will force users to write
passwords down
⊠Secure password storage in database or system
(encrypted or store only password hashes)
⊠Secure password confirmation
⊠Secure âforget passwordâ policy
⊠Different password for each account. Create variations
to help remember. If not possible, have different sets of
accounts for differing security needs (e.g., bank
accounts vs. social media sites) Personal opinion. No legal responsibility assumed.
36. Techniques to Remember Passwords
⊠http://www.wikihow.com/Create-a-Password-You-Can-
Remember
⊠Note that some of the techniques are less secure!
⊠One easy & secure way: password mnemonic
⊠Think of a full sentence that you can remember
⊠Ideally the sentence should have 8 or more words, with
numbers and symbols
⊠Use first character of each word as password
⊠Sentence: I love reading all 7 Harry Potter books!
⊠Password: Ilra7HPb!
⊠Voila!
Personal opinion. No legal responsibility assumed.
38. ⊠Donât be too trusting of people
⊠Always be suspicious & alert
⊠An e-mail with your friendâs name & info doesnât have to
come from him/her
⊠Look for signs of phishing attacks
⊠Donât open attachments unless you expect them
⊠Scan for viruses before opening attachments
⊠Donât click links in e-mail. Directly type in browser using
known & trusted URLs
⊠Especially cautioned if ask for passwords, bank
accounts, credit card numbers, social security numbers,
etc.
Ways to Protect against Phishing
41. ⊠Virus
⊠Propagating malware that requires user action
to propagate
⊠Infects executable files, data files with
executable contents (e.g. Macro), boot
sectors
⊠Worm
⊠Self-propagating malware
⊠Trojan
⊠A legitimate program with additional, hidden
functionality
Malware
42. ⊠Spyware
⊠Trojan that spies for & steals personal
information
⊠Logic Bomb/Time Bomb
⊠Malware that triggers under certain conditions
⊠Backdoor/Trapdoor
⊠A hole left behind by malware for future
access
Malware
43. ⊠Rogue Antispyware
⊠Software that tricks or forces users to pay before
fixing (real or hoax) spyware detected
⊠Rootkit
⊠A stealth program designed to hide existence of
certain processes or programs from detection
⊠Botnet
⊠A collection of Internet-connected computers that
have been compromised (bots) which controller of the
botnet can use to do something (e.g. do DDoS
attacks)
Malware
44. ⊠Installed & updated antivirus, antispyware, &
personal firewall
⊠Check for known signatures
⊠Check for improper file changes (integrity failures)
⊠Check for generic patterns of malware (for unknown
malware): âHeuristics scanâ
⊠Firewall: Block certain network traffic in and out
⊠Sandboxing
⊠Network monitoring & containment
⊠User education
⊠Software patches, more secure protocols
Defense Against Malware
49. ⊠Most common reason for security bugs is
invalid programming assumptions that attackers
will look for
⊠Weak input checking
⊠Buffer overflow
⊠Integer overflow
⊠Race condition (Time of Check / Time of Use
vulnerabilities)
⊠Running programs in new environments
Software Security
Adapted from Nicholas Hopperâs teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
50. ⊠Defense in Depth
⊠Multiple layers of security defense are
placed throughout a system to provide
redundancy in the event a security
control fails
⊠Secure the weakest link
⊠Promote privacy
⊠Trust no one
Secure Software Design Principles
Saltzer & Schroeder (1975), Viega & McGraw (2000)
Adapted from Nicholas Hopperâs teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
http://en.wikipedia.org/wiki/Defense_in_depth_(computing)
51. ⊠Modular design
⊠Check error conditions on return values
⊠Validate inputs (whitelist vs. blacklist)
⊠Avoid infinite loops, memory leaks
⊠Check for integer overflows
⊠Language/library choices
⊠Development processes
Secure Software Best Practices
Adapted from Nicholas Hopperâs teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
63. âPolicy & Guidelines/Work Instructions on
o Data completeness & integrity
o System security
o Patient information privacy & confidentiality
protections
o Secure data storage, retention & destruction
o Monitoring, evaluation & enforcement
âCommunication of Policy & Guidelines
IT Security & Privacy Policy Checklist
65. ⊠Project failures
⊠Waste investments
⊠Security breaches
⊠System crashes
⊠Failures by service providers to understand and
meet customer requirements
⊠System errors or bugs
Examples of IT Risks