
Presentation Transcript


  1. Trends
     Public Sector
     • Privacy Act 1974 – Protection
     • Computer Security Act 1987 – Risk Assessment
     • Federal Information Security Act 2002 – Periodic Testing and Reporting
     Private Sector
     • GLBA Nov 1999 – Periodic Control Testing by Independent
     • FTC Enforcement Action, Tower Records 2004 – Required Independent Assessment every 6 months
     Health Care
     • HIPAA Final Rule 2003 – Safeguards
     • HITECH 2009 – SRA
     • Stage 2 – Encryption
     • Stage 3 – ???

  2. Hacking healthcare… A malicious hacker’s (cracker’s) dream! Zakariya Syed: TCNA, ISO9000; Dan Friedrich: CISSP

  3. Disclaimer The presenter is not in any way responsible or liable for any misusage of the information presented in this session.

  4. Introduction So, what are we talking about here?

  5. Perimeter Security Verification (PSV) Excuse me… Perimeter who?

  6. Don’t beat a dead horse… CIA

  7. The CIA Triad C Confidentiality I Integrity A Availability

  8. Some confusion in the industry • Penetration Test • Vulnerability Assessment Internal vs. External

  9. What is Penetration Testing …? Confusing PT with a Vulnerability Assessment Break it till you make it? Absolutely not!

  10. Difference…? Vulnerability Assessment VS Penetration Test

  11. So, what’s the deal? Reality! Healthcare is a critical infrastructure… (Lives on the line!)

  12. Penetration testing Phases PTES (Penetration Testing Execution Standard) • Pre-Engagement Interactions • Information Gathering • Threat Modeling • Vulnerability Analysis • Exploitation • Post Exploitation • Report

  13. Quick Demo Example of VERY SCARY information gathering (IP C.)

  14. Penetration Testing Types • Internal • External • Wireless (can be part of internal/external) • Physical • Social Engineering …?

  15. But, the question remains… Why should the client care? OR What if the client cannot afford a PT ?

  16. Stats and Figures (old news) • The healthcare industry has the highest percentage of data breaches of any sector. In fact, healthcare had the highest number of reported breaches, at 43 percent (report by Symantec). If you’re on the internet, you are a TARGET! That’s right! With a bull’s eye on it…

  17. That was then, and this is now! …U.S. healthcare organizations and hospitals data breaches, with 94 percent of healthcare organizations hit by at least one data breach and close to half suffering more than five breaches in the past two years. The estimated cost to the healthcare industry of these breaches is now at an average of $7 billion per year, a 15 percent increase over the past three years, according to the Third Annual Benchmark Study on Patient Privacy & Data Security by The Ponemon Institute, which was commissioned by ID Experts. http://www.darkreading.com/risk-management/167901115/security/attacks-breaches/240144006/most-healthcare-organizations-suffered-data-breaches.html

  18. Benefits of PT • Discover security holes (vulnerabilities) • Security policy implementation (Internal PT) • Employees’ security awareness. An example: Password cracking! In short, the entire security posture…

  19. How did the attacks take place? • Poor security controls in place • Lack of encryption • Improper policy implementation Etc. etc. etc.

  20. How hard is it to hack in? Ok, say from 1 to 10. 10 being the hardest… It depends, but it may be easier to show you

  21. The White House

  22. Missile Defense Agency

  23. The U.S. Army

  24. How come the attackers don’t get caught? Or do they… Anonymity is not all that hard to come by, that is “if you know what you’re doing”

  25. DEMO

  26. Attack surface… Not just computers, workstations, and in house machines, but also, laptops and mobile devices (BYOD)

  27. Mobile Computing Laptops: Free internet at the airport…? Cell Phone: Ring…ring… You’ve been hacked!

  28. Encryption, encryption, and of course more encryption… What is the worst thing you can do with a strong encryption …?

  29. Conclusion… • Don’t fix what isn’t broken! • Fix it before it’s broken! • Create an environment that can be trusted!

  30. Awareness tips/your ideas… Top three that seem to work very well • Conferences • Training/Workshops • In house sessions • Webinars

  31. Questions/Comments/Concerns

  32. Zakariya.syed@dsu.edu Dan.friedrich@dsu.edu
