* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download Security Considerations for Health Care Organizations
Multilevel security wikipedia , lookup
Trusted Computing wikipedia , lookup
IT risk management wikipedia , lookup
Airport security wikipedia , lookup
Next-Generation Secure Computing Base wikipedia , lookup
Authentication wikipedia , lookup
Access control wikipedia , lookup
Electronic authentication wikipedia , lookup
Cyber-security regulation wikipedia , lookup
Information security wikipedia , lookup
Deep packet inspection wikipedia , lookup
Cracking of wireless networks wikipedia , lookup
Computer and network surveillance wikipedia , lookup
Security and safety features new to Windows Vista wikipedia , lookup
Wireless security wikipedia , lookup
Unix security wikipedia , lookup
Distributed firewall wikipedia , lookup
Mobile security wikipedia , lookup
Security-focused operating system wikipedia , lookup
Security Considerations for Health Care Organizations Disclaimer This Presentation is provided “as is” without any express or implied warranty. This Presentation is for educational purposes only and does not constitute legal advice. If you require legal advice, you should consult with an attorney. Trust and Risk Do you trust the Internet? Do you trust wireless Cell phone Communications? Are you sure that the person at the other end of the connection is who they say they are? Trust and Risk Electronic Fund Transfer Act effective 1979 (15 U.S.C.)], the credit card and ATM industry was forced to limit personal financial risk to users (usually $50 maximum if cards used fraudulently) Approach focused on reducing risk since technology was not yet ready Limiting risk compensates for a lack of trust Many consider this approach however, as a band-aid to the real issue – increasing user trust What is available and what can be provided? Typical Hacker Threats and Protections Hackers Masquerading Eavesdropping Interception Address Spoofing Data Manipulation Dictionary Attack Replay Attacks Denial of Service Protection – Authentication – Encryption – Digital Carts./Signatures – Firewalls – Encryption – Strong Passwords – Time Stamping & sequence Numbers – Authentication Common Internet Attacks and Typical Fixes Internet Attacks Root access by buffer overflows Distributed Denial of Service E-Mail spamming, and relaying Exploitation of misconfigured software and servers Mail attachment attacks Fixes Upgrade Systems;Training Creating attack bottlenecks and coordination Training Verification/Certification of Software Training of Users to recognize Attachments Goals of Security Measures Authentication – Who or what am I transacting with? Access Control – Is the party allowed to enter into the transaction? Confidentiality – Can any unauthorized parties see the transaction? Integrity – Did the transaction complete correctly and as expected? Non-Repudiation – Are authorized parties assured they will not be denied from transacting business Virtual Private Networks (VPN) LAN/WAN Provides Virtual Network Connectivity User to LAN/WAN LAN/WAN to LAN/WAN Encrypted at the TCP/IP Level Provides Protected Communications for All TCP/IP Services LAN/WAN Firewalls Provides Traffic Management in Both Directions Generally Located at Border between Public and Private Networks Features Include Proxy Server/Network Address Translation (NAT) User Name/Password Authentication Packet Filtering Stateful vs. Stateless Packet Processing Traffic Audit Logs Intrusion Detection System (IDS) Audit !!!! Store security-pertinent system data Detect traffic patterns Develop reports and establish critical parameters intrusion criteria using agent software Set up revocation lists Detect ? LAN/WAN Predefine flexible security violations criteria (e.g., identify zombie placement, Super User, Root user occurrences) Be proactive Become network-oriented Secure ? ? ? Fix applications or alterations that were made by an attacker where appropriate (e.g., Trojan Horse ID, Zombie Ant detection eliminated) Backup Charts Firewall-1 / VPN-1 High Availability Secondary VPN-1 Gateway VPN-1 SecuRemote Primary VPN-1 Gateway IKE Synchronization Internet VPN-1 Gateway Transparent fail-over of IPSec communications without loss of connectivity Enables hot fail-over and load balancing across VPN gateways Industry’s first transparent VPN fail-over that maintains session integrity Architecture of a Distributed System Web Servers Middleware App Servers Data Storage Internal WANs and LANs DNS Messaging User Backup/ Recovery User Internet Web Servers Middleware App Servers User Clients/ Partners User Data Storage Critical Elements of Security Architecture AUDIT, DETECT, and SECURE Three stages of secure process that are to be followed Provide security agents Automated Continually monitor all systems Ensures that Zombie Ants are not being introduced or that Distributed Denial of Service conditions do not occur Added Notes: Biometric and Smart Card Technology can be applied where appropriate Biometrics is being tested Standards still in the mill People issue – many feel uneasy about providing fingerprints of eye scans, or physical variations as means to set up secure operations) Firms exist to do this today (e.g., International Biometric Group) Smart cards now used by GSA for their badges have fingerprints embedded (3GI developed this – locally available support) Operational Documentation Checklist Project Plan System Security Plan (SSP) Risk Assessment Waiver Letter(s) Approvals to Test Interim Approvals to Operate Certificate Policy Subscriber Agreement Security Program Elements Wide Security Program planning and managing to provide a framework and continuing cycle of activity for managing risk, developing security policies (in conjunction with the Office of Protection), assigning responsibilities, and monitoring the adequacy of the computer-related controls. Access Control – controls that limit or detect access to computer resources (data, programs, and equipment) that protect these resources against unauthorized modification, loss or disclosure. Segregation of Duties – establishing policies, procedures, and an organizational structure such that one individual cannot control key aspects of IT-related operations and thereby conduct unauthorized actions or gain unauthorized access to assets or records. Service Continuity – implementing controls to ensure that when unexpected events occur (i.e., virus) critical operations continue without interruption or are promptly resumed and critical and sensitive information is protected. Comprehensive Network Security Policy Approach Reference Model Protect Model Mission Deny Policy Detect Sec. Org Structure Assess Sec. Implementation Procedures Train Awareness, Training, & Education Enforce Phy & Env Protection Connectivity Controls Access Controls Sys Admin Controls Response Model Respond Report Storage Media Controls Isolate Accountability Controls Contain Assurance Recover Network Security Model Start Network Security Strategic Reference Model Threat Level 1. System Mission Level 2. Value of Information Protect Model Deny, Detect, Assess, Train, & Enforce Security Policy Level 3. Security Organizational Structure Level 4. Response Model Respond, Report, Isolate, Contain, & Recover Security Implementation Procedures Level 5. Security Awareness, Training , & Education Level 6. Physical & Environmental Systems Protection Level 7-11. Controls: System Access, Connectivity, Administration, Storage Media, & Accountability Level 12. Assurance