
Securing the World-Wide-Web

Securing the World-Wide-Web. P.R. Smith Academic Computing NYU School of Medicine. Definition. Secure: safe against attack, impregnable, reliable, certain not to fail or give way. Definition. WWW: - Transport of information





Presentation Transcript


  1. Securing the World-Wide-Web P.R. Smith Academic Computing NYU School of Medicine

  2. Definition Secure: safe against attack, impregnable, reliable, certain not to fail or give way.

  3. Definition WWW: - Transport of information http - HyperText Transport Protocol - Information on all the servers connected to the Internet.

  4. Primary Message of this Talk Success of a WWW site depends on the integrity of that site, on whether it is viewed as reliable and secure.

  5. Why do I want a web site? • Everybody is doing it. • Impress the CEO. • I’m not busy enough: I need a hobby. • My organization has important information to communicate that will improve its ability to do business.

  6. Planning Who do I want reading my site? What services will I offer? How will they be managed?

  7. Who do I want reading my site? Careful inventory of the site’s potential readership. Identify the needs of the groups and the kinds of information services they will require. To be successful, a site needs ‘regular’ readers.

  8. What Services will I offer? What information resources are available here? What is available now? What new materials will need to be developed? What materials will be available from other locations on the net? How long will they last?

  9. Management Environment WWW is an institutional resource To be successful, the WWW effort needs support from the highest level. Mobilize resources. Senior management can mandate change in the environment. You probably can’t.

  10. Management Manage Access Manage Services

  11. Policy Issues Control of Physical Access To machine rooms, lab equipment, stand-alone servers. Control of Logical Access SAF, Access via network, Audit trails, Access to Communications. Data Integrity Control Separation of duties and function, Verification of data & equipment. Ethical Issues Private vs Corporate use, Criminal Activities Preventive Measures Backup, Archiving, Encryption, Disaster Recovery.

  12. Security Model Data Steward Owns, or is responsible for, the Data Data Custodian Stores/processes the data Data User Internal, External Data Assessment & Classification Public; Internal; Restricted; Confidential Security Monitoring and Audits Exceptions, Emergencies, Violations, Punishment

  13. Security Policies Mandated at the Highest Level Necessary, since they implement the Institution’s vision. Clearly Stated As far as possible, written in terms all understand. Known to All Establish a single security-conscious culture for ALL data users. Security Acknowledgement Form Ubiquitous Policies apply to all individuals, internal and external. Enforced Consistently Common process for CEO, faculty, staff, contractors.

  14. pursuit of the defenseless impeachment of the irreproachable punishment of the innocent exculpation of the guilty promotion of the incompetent

  15. General Principles of Data Security Collected appropriately with accuracy Protected during Transport and Storage against damage against loss Accessed only with authorization Archived so as to be recoverable Deleted so that no trace remains Audited so that activity can be traced

  16. Authentication Identifies Individuals Uniquely. Allows you to be sure that “Bob” really is “Bob” and not “Joe”. Schemes include simple passwords, one-time passwords, Secure-ID, ‘Kerberos’, fingerprints, retinal scans. Authorization Establishes what Individuals may do. If you are authenticated as “Bob” you may look at Outpatient Lab billing data, but not the lab results. If you are “Dr. Joe” you may see both. Audit Audit logs track creation, modification and access of data and services.
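The three steps on this slide, as an added example that is not part of the talk: a small Python model in which “Bob” and “Dr. Joe” are authenticated against salted password hashes, authorized by role against the slide’s two resources, and every decision is written to an audit log. The user names, passwords, role names and resource labels are constructed for illustration.

```python
"""Added example (not from the talk): the slide's Bob / Dr. Joe rule as an
authentication -> authorization -> audit chain.  Users, passwords, roles and
resource labels are constructed for illustration."""
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Credential store holds salted PBKDF2 hashes, never plaintext passwords.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_credential(password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}

CREDENTIALS = {
    "bob": make_credential("correct horse battery staple"),  # constructed
    "dr_joe": make_credential("Tr0ub4dor&3"),                 # constructed
}

# Authorization: what an authenticated identity may do (the slide's example).
ROLES = {"bob": "billing_clerk", "dr_joe": "physician"}
PERMISSIONS = {
    "billing_clerk": {"outpatient_lab_billing"},
    "physician": {"outpatient_lab_billing", "lab_results"},
}

AUDIT_LOG: list[dict] = []  # in-memory stand-in for an append-only audit trail

def _audit(event: str, user: str, resource: str, outcome: str) -> None:
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(),
                      "event": event, "user": user,
                      "resource": resource, "outcome": outcome})

def authenticate(user: str, password: str) -> bool:
    """Authentication: is this really 'Bob'?  Constant-time hash compare."""
    cred = CREDENTIALS.get(user)
    if cred is None:
        _audit("login", user, "-", "unknown user")
        return False
    ok = hmac.compare_digest(cred["hash"], _hash_password(password, cred["salt"]))
    _audit("login", user, "-", "success" if ok else "bad password")
    return ok

def access(user: str, password: str, resource: str) -> bool:
    """Full chain: authenticate, then authorize by role, auditing every step."""
    if not authenticate(user, password):
        return False
    allowed = resource in PERMISSIONS.get(ROLES.get(user, ""), set())
    _audit("access", user, resource, "granted" if allowed else "denied")
    return allowed
```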

  17. What is “Security” in Relation to the WWW? • Services offered on the Web are diverse. • “Security” needs are service- specific.

  18. What “Services” can be offered on the WWW? • Document Services • Static information. • Anonymous client selects links or search parameters. • Interactive Services • Identifiable information is elicited from client. • Registration forms, credit-card payments, on-line examinations, clinical lab results, purchase movie tickets...

  19. Interactive Services Professional Advice: Second opinions, treatment options. Medical Data / Patient Records: Records from other sites Payment for Services: Pay hospital, doctor, therapist, HMO ....

  20. Services: Some Basic Issues Who owns them? Individual? Department? Third Party? Where are they hosted? Institutional Server? Department Server? Student Dorm? Who gets to see them? Everybody? Just this site? A limited group? Nobody? Who decides? Me? My boss? The web committee? The lawyer? How do you resolve CONFLICT? Shoot them all?

  21. Management Team Institution-specific Oversight Committee Webmaster Web Technician / Associate Webmaster Graphic Designer Programmer Systems Manager

  22. WWW Security Issues Accuracy of the information Integrity of the server Secure CGI programs Secure Java/Script applets Secure transport to client Bug-free browser Selective management of ‘cookies’ Sensible, honest, user.

  23. Document Security Document/Information Accuracy Who may create a document? What are update policies? Does a document expire? How does a reader know to trust the information? Signed documents. Disclaimers. Access control (by location, password) Integrity of the Server Access to the server is tightly controlled: only authorized individuals can make document changes. Rigorous password policies. NFS access. Secure CGI and Java/Script Careful design and testing to detect security defects.

  24. Secure Transport to Client Are Networks Safe? Yes. And no. There are no absolutely clear answers. Decision requires a risk assessment by the Institution. Result depends on the perceived risks and the tools available to manage them. Is the Internet Safe for Medical Data? Yes. And no. Review tools that enhance secure data transport. SSL, https Phone system. School Buses.

  25. Secure Client Is your Browser Secure? Yes. For the most part, browsers (Netscape / Explorer) are secure. However, there are known bugs in some versions. Few people are diligent in obtaining the latest fixes. What about ‘Cookies’? ‘Cookies’ are data left by a server to allow ‘you’ to be identified next time you connect. Users Users are dishonest. They steal. They lie. They take your ‘stuff’ and pretend it is their own. They treat confidences as gossip. They are the root of all evil.

  26. Risk Assessment Evaluate Current Practices. What are people actually doing? Who actually reads records? Do they need to? Does it matter? Distinguish Policy and Actual Practice. Sure, you have a policy that medical records don’t leave the floor: so why is the attending walking down the street with those files? How are you to deal with that? Consistent Policy Can’t protect one area and leave another wide open. This is a significant problem with electronic records. It is useless having triple passwords on the computer while allowing anyone to walk into the records room.

  27. The ‘Mediæval’ Security Model (Diagram labels: Small Walled Town, Highway, Cross-Roads, Homestead, Walled City, City Gate, Hamlet.) Highway Robbers: outside. Footpads/Pickpockets: inside.

  28. ‘Firewalls’ and ‘Proxys’ Firewall: Stands between two networks and limits connections between the ‘inside’ and the ‘outside’. Usually, between your net and the Internet, but sometimes between different parts of a single corporate net. Proxy: Allows web users to access the Internet without having direct access. The proxy server passes requests out and redirects packets that return. (Diagram: local network, Firewall/Proxy, Internet.)

  29. Security Assumption Inside my ‘Walled City’ I’m Safe In principle, I should have more control over users, network access and desktops. In fact, this may not be true. Outside, I’m Vulnerable. There is a concern that network traffic outside is vulnerable to theft. In fact data ‘on the Internet’ is probably much safer. Vulnerability arises again as soon as packets enter someone else’s local network.

  30. Packet ‘Sniffers’ A ‘sniffer’ sees all packets on the local Ethernet segment. (Diagram: a Sniffer and three Nodes on one shared segment.)

  31. A Switched Network Defeats ‘Sniffers’ The switch sends data to each node separately. Nodes don’t see each other’s data. (Diagram: a switch connecting the Sniffer and three Nodes on separate ports.)

  32. Defeat ‘Sniffers’ with Encrypted Traffic The ‘sniffer’ sees all packets, but can’t read any of them. (Diagram: a Sniffer and three Nodes on one shared segment, traffic encrypted.)

  33. Encryption Encryption protects data by scrambling it in a recoverable way. ‘Strong’ encryption is hard (maybe impossible) to ‘crack’ with a computer. ‘Weak’ encryption is easier. Private Key Encryption. A single key (string of characters) is used to encrypt and to decrypt a message. To be secure, the private key has to be a secret shared by the people who share the encrypted information. Public Key Encryption. Keys are used in pairs: one is used to encrypt a message, the other to decrypt it. One key is called the ‘public’ key and is distributed freely. The ‘private’ key is kept secret, known to a single individual. Key length. Lengths are counted in ‘bits’. Messages encrypted with long keys (>56 bits) are hard to crack.

  34. Public Key Encryption: Establishing Trust Public Key Certificate - associates a given public key with an individual (or a role) through the signature of a trusted authority. PGP: “Web of trust” I trust this key because I trust Joe and Fred who signed the key. Good for e-mail, but scales poorly. X.509: A trusted certifying authority signs keys. Verisign, AT&T Used for the Web, scales well, but many certificates are worthless.

  35. E-Mail Used widely for message exchange. Plain-text E-mail messages are not secure. SMTP transfers mail in multiple ‘hops’ to destination. Mail can be viewed at each one. Postmasters get ‘bounced’ messages. (Diagram: mail path from Origin through intermediate hops to Destination.) Solution: Mail packages that allow end-to-end encryption of messages and attachments. Management issue: Postmaster must be an Institutionally trusted individual.

  36. Who Owns Patient Records? Professional Records are owned by the professional who collects them, either personally or as an agent of an institution. Who can Access Patient Records? The Patient: can always get access, albeit with difficulty in some cases. Payor: as a part of an audit has access to establish quality of care. Many non-professionals have anecdotal access as a part of their job functions (unit clerks, finance clerks, phlebotomists, ...) Who Doesn’t have Access? Just about everyone else: e.g. Hospitals require consent to transfer records between institutions.

  37. Medical Data Repository • Database that holds Consolidated Medical Data from many patients. • Benefits: Facilitates communication between in- and out-patient caregivers; facilitates longitudinal care for patients; provides key information in an emergency situation; provides data to help establish the ‘state-of-the-art’; a resource to compare quality of care, care-giver by care-giver. • Risks: Many, poorly authenticated or erroneously authorized accesses; catastrophic loss of the repository can be a disaster for patient care; data may be missed due to physician reluctance to key-in the data.

  38. Why do some people find a Computerized Medical Record Really Scary? A large-scale attack with the loss of large amounts of data can be hard to detect on a compromised computer, and it will take place really QUICKLY. In the worst case, it can be mounted from anywhere in the world. A similar attack to seize paper records on the same scale may require a truck. You should be able to spot the truck.

  39. What is ‘Dangerous’ Information • ‘Dangerous’ is defined by the individual • Broad consensus on many items: House keys, SSN, ATM PIN. • Disagreement on other items: Gay? HIV+? Marriages? Abortions? Cholesterol? BP? Mental illness? Substance abuse history? Genetic profile? • People want to choose • How do you lose control? • ‘Publication’. You tell someone. A really good friend. • Inference. You’re sick and are seen visiting a physician who specializes in HIV. You visit your probation officer. • Observation. You take Prozac (Anxiety), Atenolol (HTN).... • Someone gets hold of personal records.

  40. Risks to Privacy • Friends and family • Colleagues • Employers • Insurance Companies • Landlords • Coop Boards

  41. How do I protect myself and my Patients?

  42. Simple Security Measures can make a Significant Difference Users need unique, robust passwords Shared passwords, stupid passwords and passwords that get guessed have been the source of all the MC’s break-ins (that we’ve detected). Users must subscribe to your security goals Protect their passwords, change them regularly, never share, disconnect from authorized services when finished, and report issues that suggest a security violation. Education / Training

  43. Greatest Exposure from Individuals in Positions of Trust. Network Manager, Systems Manager, Webmaster, Programmers, Secretary

  44. Ask for HELP! Central site Colleagues at other Institutions Read the Literature Employ a Consultant

  45. Summary Supportive Administration Realistic policies for security and the Web Create a culture that supports security Motivated, technically competent staff A commitment to development & change

  46. Acknowledgements Bob Holzman, Loren Buhle, Bruce Kraus, Carey Ramos, Marty Nachbar, Mark Selby, Anton Saarimaki, Stuart Brown, Suzy Gottesman, Frieda Pavel, Roy Smith, Marc Waldman, Libby Flanagan Art Lucas Cranach the Elder, The Martyrdom of St. Barbara, oil on wood, Metropolitan Museum of Art, New York. http://www.yawp.com/cjackson/cranach1/p-cran1-12.htm Hieronymus Bosch, The Last Judgment (left and right panels), oil on panel (triptych); Akademie der Bildenden Künste, Vienna. http://watt.emf.net/wm/paint/auth/bosch/judge/ Support Provided by the NSF, and the NIH through NYU’s GCRC grant.
