
Introduction to Cybersecurity & Information Assurance for FQHCs April 13, 2011






Presentation Transcript


  1. Introduction to Cybersecurity & Information Assurance for FQHCs April 13, 2011 Amelia Muccio Director of Emergency Management amuccio@njpca.org

  2. Objectives • Cybersecurity • Information assurance • FQHCs as target • Cyber threats/risks • Vulnerabilities • Countermeasures • Safeguarding • Promoting a culture of security

  3. Serious Threat • Richard Clarke was famously heard to say, “If you spend more on coffee than on IT security, then you will be hacked. What's more, you deserve to be hacked.” • The growing number of attacks on our cyber networks has become, in President Obama’s words, “one of the most serious economic and national security threats our nation faces.”

  4. Who & What is At Risk? • Economy • Defense • Transportation • Medical • Government • Telecommunications • Energy Sector • Critical Infrastructure • Computers/Cable TV/Phones/MP3/Games

  5. Fundamental Concepts of Information Assurance • Confidentiality (privacy) • Integrity (quality, accuracy, relevance) • Availability (accessibility) • CIA triad

  6. Internet • In 1995, 16 million users (0.4%) • In 2010, 1.6 billion users (23.5%) • Physical and cyber security cannot be treated separately; they are intertwined.

  7. How Does an Attack Happen? • Identify the target • Gather information • Plan/Prepare the attack • Attack

  8. Information Gathering

  9. Attack Trends • Increasing sophistication • Decreasing costs • Increasing attack frequency • Difficulties in patching systems • Increasing network connections, dependencies, and trust relationships

  10. What Threatens Information? • Misuse • Disasters • Data interception • Computer theft • Identity/Password theft • Malicious software • Data theft/corruption • Vandalism • Human error

  11. Threats • A threat is any potential danger to information and systems • 3 levels of cyber threats • Unstructured • Structured • Highly structured

  12. Unstructured Threats • Individual/small group with little or no organization or funding • Easily detectable information gathering • Exploitations based upon documented flaws • Targets of opportunity • Gain control of machines • Motivated by bragging rights, thrills, access to resources

  13. Structured Threats • Well organized, planned and funded • Specific targets and extensive information gathering to choose the avenue and means of attack • Goal: data stored on machines, or the machines themselves • Exploitation may rely on insider help or an unknown flaw • Target drives attack • Organized crime/black hat hackers

  14. Highly Structured Threats • Extensive organization, funding and planning over an extended time, with goal of having an effect beyond the data or machine being attacked • Stealthy information gathering • Multiple attacks exploiting unknown flaws or insider help • Coordinated efforts from multiple groups • “Cyber warfare”

  15. Web as Weapon • Infrastructure run by computers • Government SCADA system • Overflow dam, disrupt oil supply • Sewage plant in Australia overflowed due to black hat hackers • Cyberterrorism (Bin Laden and Aum Shinrikyo) • Combined attack • Cause power outage and biological attack • EMS disruption and nuclear emergency • Next war fought with code & computers

  16. Hackers and Crackers • White hat hacker-curious, explore our own vulnerabilities, bragging rights/just did it. • Black hat hacker/cracker-malicious intent, exploit vulnerabilities for monetary profit or gain or perpetrate a crime, organized crime. • Gray hat hacker-helpful or ethical hacker, motivated by a sense of good. Cowboys. • GHHs find vulnerabilities, notify company of them so they can be fixed and resolved.

  17. Gray Hats • Adrian Lamo • Find vulnerabilities, inform company • WorldCom, Google, NYTimes, Bank of America, NASA • NYTimes used SSN # as passwords • Edited Yahoo Story • Robert Lyttle • DoD, Pentagon • Both got into trouble!

  18. Early Days…Phone Phreaking • 2600 Hz Tone • Captain Crunch Whistle & 4th E above Middle C • Long whistle reset line, then dial w/whistle • Tricked phone companies/tone dialing • Free long distance and international calls

  19. Risk • Threat + Vulnerability • Likelihood of an undesirable event occurring combined with the magnitude of its impact • Natural • Manmade • Accidental or Intentional • People are the weakest link

  20. Risk Management • Identifying and assessing risk, reducing it to an acceptable level and implementing mechanisms to maintain that level • Protect against: • Physical damage • Human error • Hardware failure • Program error • Cyber attack

  21. Risk Handling Discussion • Risk reduction (countermeasures, HVA) • Risk transference (insurance) • Risk acceptance (may happen) • Risk rejection (do nothing) • Security assessments are an important part of risk management • Penetration testing • Identify all vulnerabilities and threats to information, systems and networks

  22. Contingency Planning Components • How to handle disruption? • Business continuity • Disaster recovery • Incident response

  23. Recovery Strategy • A recovery strategy provides direction to restore IT operations quickly and effectively • Backup methods • Alternate sites • Equipment replacement • Roles and responsibilities • Cost considerations

  24. BCP • A comprehensive written plan to maintain or resume business operations in the event of a disruption • Continue critical business operations • Jeopardize normal operations • Most critical operations • May require alternate sites (hot, warm, cold) • What do we need to KEEP going?

  25. DRP • A comprehensive written plan to return business operations to the pre-disruption state following a disruption • Restore IT functions (prep and restore) • Jeopardize the normal operations • Includes all operations • RETURN TO NORMAL BUSINESS OPERATIONS • WHAT DO WE NEED TO DO IN CASE OF A DISASTER?

  26. Plan Testing, Training and Exercising • Testing is critical to ensure a viable contingency capability • Conduct plan exercises • TTXs (tabletop exercises) are useful

  27. Policies and Procedures • Establish security culture • Establish best security practices • Define goals and structure of security program • Educate personnel • Maintain compliance with any regulations • Ex: email policy, Internet usage, physical security

  28. Physical Security Countermeasures • Property protection (doors, locks, lighting) • Structural hardening (construction) • Physical access control (authorized users) • Intrusion detection (guards, monitoring) • Physical security procedures (escort visitors, logs) • Contingency plans (generators, off-site storage) • Physical security awareness training (training to recognize suspicious activities)

  29. Personal Security • Practices established to ensure the safety and security of personnel and other organizational assets • It’s ALL about people • People are the weakest link • Reduce vulnerability to personnel-based threats

  30. Personal Security Threat Categories • Insider threats-most common, difficult to recognize • Includes sabotage and unauthorized disclosure of information • Social engineering-multiple techniques are used to gain information from authorized employees and then use that information in conjunction with an attack • Not aware of the value of information

  31. Social Engineering • Being fooled into giving someone access when the person has no business having the information.

  32. Dumpster Diving and Phishing • DD-rummaging through company’s garbage for discarded documents • Phishing-usually takes place through fraudulent emails requesting users to disclose personal or financial information • Email appear to come from a legitimate organization (PayPal)
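The phishing pattern on this slide (a message that claims to come from a legitimate organization such as PayPal, but asks the reader to disclose credentials) can be screened for automatically. The following is an added example written for this page, not code from the presentation or from NJPCA; it assumes a small constructed table of brands and the domains they legitimately send from, and it flags three indicators: a brand named in the display name or subject that does not match the sender's domain, links whose registrable domain is not the brand's, and credential-request wording. The sample messages are constructed for the example.

```python
"""Added example (not from the presentation): simple phishing-indicator screen
for an e-mail message, using only the Python standard library."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed brand -> legitimate sending domains table for this example.
# A real deployment would maintain its own list.
KNOWN_BRANDS = {"paypal": {"paypal.com"}}

# Wording typical of credential-harvesting messages (assumption for the example).
CREDENTIAL_PHRASES = ("verify your account", "account will be suspended",
                      "confirm your password")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


class LinkCollector(HTMLParser):
    """Collect href targets of <a> tags from an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def registrable(host):
    """Crude last-two-labels heuristic for the registrable domain.
    A public-suffix list would be more accurate; this is enough to show the idea."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def message_body(msg):
    """Concatenate the decoded text/plain and text/html parts of the message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                parts.append(payload.decode(part.get_content_charset() or "utf-8",
                                            errors="replace"))
    return "\n".join(parts)


def phishing_indicators(raw_message):
    """Return a list of human-readable indicators found in the raw RFC 822 message."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable(addr.split("@")[-1]) if "@" in addr else ""
    findings = []

    # 1. Which known brand does the message claim to be from?
    lowered = (display + " " + msg.get("Subject", "")).lower()
    claimed = [b for b in KNOWN_BRANDS if b in lowered]
    for brand in claimed:
        if sender_domain not in KNOWN_BRANDS[brand]:
            findings.append(f"claims '{brand}' but sent from {sender_domain or 'unknown'}")

    # 2. Do the links point at the claimed brand's domain?
    body = message_body(msg)
    collector = LinkCollector()
    collector.feed(body)
    links = set(collector.hrefs) | set(URL_RE.findall(body))
    for href in sorted(links):
        host = urlparse(href).hostname or ""
        if not host:
            continue
        link_domain = registrable(host)
        for brand in claimed:
            if link_domain not in KNOWN_BRANDS[brand]:
                findings.append(f"link to {link_domain} while claiming '{brand}'")

    # 3. Credential-request wording combined with a brand claim.
    if claimed and any(p in body.lower() for p in CREDENTIAL_PHRASES):
        findings.append("credential-request wording")
    return findings


# Constructed sample: lookalike domain with the brand name as a subdomain.
SAMPLE_PHISH = """From: "PayPal Support" <security-alert@paypa1-secure.example>
To: billing@clinic.example
Subject: PayPal: verify your account within 24 hours
Content-Type: text/html

<html><body><p>Your account will be suspended. Please
<a href="http://paypal.com.login.paypa1-secure.example/verify">verify your account</a>.</p></body></html>
"""

# Constructed sample: a legitimate-looking receipt from the real domain.
LEGIT_RECEIPT = """From: "PayPal" <service@paypal.com>
To: billing@clinic.example
Subject: Your receipt
Content-Type: text/plain

Thanks for your payment. View details at https://www.paypal.com/activity
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", LEGIT_RECEIPT)):
        print(label, phishing_indicators(raw))
```

The link check is the one that catches the "paypal.com.login.paypa1-secure.example" trick: the brand appears at the left of the hostname, but the registrable domain at the right is what the browser actually connects to. None of these heuristics replaces user training, which the deck rightly emphasizes; they reduce how many such messages reach the inbox.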

  33. P & P • Acceptable use policy-what actions users may perform while using computers • Personnel controls-need to know, separation of duties • Hiring and termination practices-background checks, orientation, exit interview, escorting procedure

  34. Private Branch Exchange (PBX) Systems • Toll fraud • Disclosure of information • Unauthorized access • Traffic analysis • Denial of Service (DoS)

  35. PBX Threat Countermeasures • Implement physical security • Inhibit maintenance of port access • Enable alarm/audit trails • Remove all default passwords • Review the configuration of your PBX against known hacking techniques

  36. Data Networks • For computers to communicate • Less expensive to use same network • Modems designed to leverage this asset

  37. Modem Threats • Unauthorized and misconfigured modems • Authorized but misconfigured modems

  38. Wardialing • Hackers use a program that calls a range of telephone numbers until it connects to an unsecured modem and allows them dialup access • Identify potential targets

  39. Modem Threat Countermeasures • Policy • Scanning • Administrative action • Passwords • Elimination of modem connections • Use a device to protect against telephony-based attacks and abuses

  40. Voice Over Internet Protocol (VoIP) • VoIP is a technology that allows someone to make voice calls using a broadband Internet connection instead of a regular (analog) phone line

  41. VoIP Benefits and Threats • Less expensive • Increased functionality • Flexibility and mobility • Service theft • Eavesdropping • Vishing • Call tampering

  42. VoIP Threat Countermeasures • Physical control • Authentication and encryption • Develop appropriate network architecture • Employ VoIP firewall and security devices

  43. Data Networks • Computers linked together • Hosts (computers, servers) • Switches and hubs • Routers

  44. Common Network Terms • Local Area Network (LAN)-network grouped in one geographic location • Wide Area Network (WAN)-network that spreads over a larger geographic area • Wireless LAN (WLAN)-is a LAN with wireless connections

  45. Data Network Protocols • Transmission Control Protocol (TCP)-moves data across networks with a connection-oriented approach • User Datagram Protocol (UDP)-moves information across networks with a connectionless approach • Internet Control Message Protocol (ICMP)-used by the operating system to send error and control messages across networks • Hypertext Transfer Protocol (HTTP)-transfers web pages, hypermedia

  46. Data Network Threats • Information gathering • Denial of Service (DoS) • Disinformation • Man-in-the-middle • Session hijacking

  47. Information Gathering Threats/Network Scanning • What target is available? • Reduces wasted effort for the attacker • One of the most common pre-attack identification techniques is called scanning • Scanning uses the ICMP service “PING” • PING SWEEP-echo request sent to a range of addresses (provides a list of potential targets) • Are you there? Yes, I am there. • A firewall should protect against this

  48. Sniffing • A sniffer is a program that monitors and analyzes network traffic and is used legitimately or illegitimately to capture data transmitted on a network

  49. Denial of Service (DoS) • Degrade and prevent operations/functionality • Distributed denial of service (DDoS) attack uses multiple attack machines simultaneously • Vast number of ICMP echo request packets are sent to the target, overwhelming its capability to process all other traffic

  50. Ping Flood/Ping of Death • Ping flood-too much ping traffic drowns out all other communication • Ping of Death-oversized or malformed ICMP packets cause the target to reboot or crash • Host cannot cope with the ping packets • Ping of Death relies on a buffer overflow vulnerability • Buffer overflow-the size of the input exceeds the size of the storage intended to receive it
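Slides 47, 49 and 50 describe three ICMP behaviours a defender can recognise from traffic or firewall records: a ping sweep (one source probing many hosts), a ping flood (one source hammering one host), and a Ping of Death (a fragment whose offset plus length would reassemble to more than an IPv4 datagram can hold). The block below is an added example written for this page, not code from the presentation; it runs all three checks over a small constructed set of ICMP records. The record layout, the detection thresholds and the sample addresses are assumptions chosen for the example.

```python
"""Added example (not from the presentation): flag ping sweeps, ping floods
and oversized ICMP fragments in a list of constructed ICMP records."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Thresholds are illustrative assumptions, not values from the slides.
SWEEP_MIN_TARGETS = 8        # distinct hosts probed by one source
FLOOD_MIN_PPS = 100          # echo requests per second from one source to one host
IPV4_MAX_PAYLOAD = 65535 - 20  # max datagram length (RFC 791) minus minimal IP header
ECHO_REQUEST = 8             # ICMP type for "are you there?"
ECHO_REPLY = 0               # ICMP type for "yes, I am there"


@dataclass(frozen=True)
class IcmpRecord:
    """One observed ICMP packet (assumed layout for this example)."""
    ts: float          # seconds
    src: str
    dst: str
    icmp_type: int     # for a non-first fragment, the type seen in the first fragment
    frag_offset: int = 0   # IP fragment offset in 8-byte units
    payload_len: int = 64  # bytes of IP payload carried by this fragment


def is_oversized(rec):
    """Ping of Death check: would this fragment push the reassembled
    IP payload past what a 65535-byte datagram can hold?"""
    return rec.frag_offset * 8 + rec.payload_len > IPV4_MAX_PAYLOAD


def detect(records):
    """Return {'sweep': {src: n_targets}, 'flood': {(src, dst): peak_pps},
    'oversized': [records]} for the behaviours above."""
    targets = defaultdict(set)   # src -> set of probed destinations
    per_second = Counter()       # (src, dst, whole second) -> echo requests
    oversized = []
    for r in records:
        if is_oversized(r):
            oversized.append(r)
        if r.icmp_type != ECHO_REQUEST:
            continue             # replies and errors are not probes
        targets[r.src].add(r.dst)
        per_second[(r.src, r.dst, int(r.ts))] += 1

    sweeps = {src: len(d) for src, d in targets.items() if len(d) >= SWEEP_MIN_TARGETS}
    peak = {}
    for (src, dst, _sec), n in per_second.items():
        peak[(src, dst)] = max(peak.get((src, dst), 0), n)
    floods = {k: v for k, v in peak.items() if v >= FLOOD_MIN_PPS}
    return {"sweep": sweeps, "flood": floods, "oversized": oversized}


def sample_records():
    """Constructed traffic: benign pings, a sweep, a flood and one oversized fragment."""
    recs = []
    for i in range(5):  # a workstation pinging its gateway, with replies
        recs.append(IcmpRecord(100.0 + i, "10.0.0.3", "10.0.0.1", ECHO_REQUEST))
        recs.append(IcmpRecord(100.2 + i, "10.0.0.1", "10.0.0.3", ECHO_REPLY))
    for i in range(1, 13):  # one outside host probing twelve internal addresses
        recs.append(IcmpRecord(200.0 + i * 0.1, "203.0.113.5", f"10.0.0.{i}", ECHO_REQUEST))
    for i in range(150):  # 150 echo requests to one host inside one second
        recs.append(IcmpRecord(300.0 + i / 150, "198.51.100.7", "10.0.0.20", ECHO_REQUEST))
    # a final fragment placed at offset 8180*8 = 65440 with 100 more bytes: 65540 > 65515
    recs.append(IcmpRecord(400.0, "192.0.2.9", "10.0.0.1", ECHO_REQUEST,
                           frag_offset=8180, payload_len=100))
    return recs


if __name__ == "__main__":
    for kind, hits in detect(sample_records()).items():
        print(kind, hits)
```

The oversized check is exactly the bounds test the slide's buffer-overflow definition calls for: a receiver that allocates a 65535-byte reassembly buffer must reject any fragment whose offset plus length exceeds it rather than writing past the end. Thresholds for sweeps and floods need tuning per site; monitoring tools that legitimately ping many hosts should be allow-listed rather than lowering the thresholds.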
