On Tuesday, November 13th, at 11:00 AM, I will be giving this presentation to faculty and staff at the University of Wisconsin-Madison, School of Medicine and Public Health, at the Health Sciences Learning Center (HSLC), next to UW Hospital. IT Security and Healthcare go together like chocolate and peanut butter!
IT Security for Healthcare Professionals
1. The Wild, Wild Web
Social Engineering, Malware and Security Awareness
Nicholas Davis
MBA, CISA, CISSP
DoIT Security
November 13, 2012
Free Powerpoint Templates
Page 1
2. Introduction
• Background
• Thank you for the invitation
• Today’s topic: Malware, Social Engineering and overall Security Awareness
• Importance to the healthcare field
• Pretexting
• Phishing
• QR Code Danger
• Social Networks
• Passwords
• Malware
• Baiting
• Identity Theft: How, Avoiding, Responding
• Physical Security
• Sharing of information with the public
3. Technology Is Not The Answer
Strong computer security has two components:
The Technology: passwords, encryption, endpoint protection such as anti-virus.
The People: You, your customers, your business partners
Today, we will talk about both components
4. Social Engineering
The art of manipulating people into performing actions or divulging confidential information
It is typically trickery or deception for the purpose of information gathering, fraud, or computer system access
5. Most Popular Type of Social Engineering
Pretexting: An individual lies to obtain privileged data. A pretext is a false motive.
Pretexting is a fancy term for impersonation
Caused the resignation of the CEO at HP
Brings new meaning to HP’s logo “I n v e n t”
6. Let’s Think of HSLC: Pretexting Example
“This is the Epic upload site for UW-Madison School of Medicine test subjects’ diabetes study data. Click here to submit your patient data”
Just because it says so, does not make it true!
Website address correct?
Consistent interface?
SSL lock?
Does it seem reasonable?
Have you double checked with others?
7. Phishing
• Deception, but not just in person
• Email
• Websites
• Facebook status updates
• Tweets
• Phishing, in the context of the healthcare working environment, is extremely dangerous
8. Phishing History
• Phreaking: term for making phone calls for free back in the 1970s
• Fishing is the use of bait to lure a target
• Phreaking + Fishing = Phishing
9. Phishing 1995
• Target: AOL users
• Account passwords = free online time
• Threat level: low
• Techniques: Similar names, such as www.ao1.com for www.aol.com
10. Phishing 2001
Target: eBay and major banks
Credit card numbers and account numbers = money
Threat level: medium
Techniques: Same as in 1995, as well as keyloggers
11. Keyloggers
• Tracking (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored
• Software or hardware based
12. Phishing 2007
Targets: PayPal, banks, eBay
Purpose: to steal bank accounts
Threat level: high
Techniques: browser vulnerabilities, link obfuscation
13. Don’t Touch That QR Code
• Just as bad as clicking on an unknown link
• Looks fancy and official, but is easy to create
14. Phishing in 2013
• Trends for the coming year
• Identity Information
• Personal Harm
• Blackmail
15. Example
• Mitt Romney
• Hackers claimed to have his tax returns and threatened to release them
• What could the ramifications have been for him and his accountants?
16. Looking In the Mirror
• Which types of sensitive information do you have access to?
• What about others who share the computer network with you?
• Think about the implications of that data being stolen and exploited!
17. What Phishing Looks Like
• As scam artists become more sophisticated, so do their phishing e-mail messages and pop-up windows.
• They often include official-looking logos from real organizations and other identifying information taken directly from legitimate Web sites.
18. Techniques For Phishing
• Employ visual elements from target site
• DNS Tricks:
  • www.ebay.com.kr
  • www.ebay.com@192.168.0.5
  • www.gooogle.com
• Unicode attacks
• JavaScript Attacks
• Spoofed SSL lock Certificates
  • Phishers can acquire certificates for domains they own
  • Certificate authorities make mistakes
19. Social Engineering Techniques
Often employed in phishing to lower your guard
1. Threats – Do this or else!
2. Authority – I have the authority to ask this
3. Promises – If you do this, you will get money
4. Praise – You deserve this
20. Phishing Techniques
• Socially aware attacks
  • Mine social relationships from public data
  • Phishing email appears to arrive from someone known to the victim
• Use spoofed identity of trusted organization to gain trust
  • Urge victims to update or validate their account
  • Threaten to terminate the account if the victim does not reply
  • Use a gift or bonus as bait
  • Security promises
21. Let’s Talk About Facebook
• So important, it gets its own slide!
• Essentially unauthenticated – discussion
• Three friends and you’re out! – discussion
• Privacy settings mean nothing – discussion
• Treasure Trove of identity information
• Games as information harvesters
26. Too Good to be True, Even When It Is Signed
27. Detecting Fraudulent Email
Information requested is inappropriate for the channel of communication:
"Verify your account." Nobody should ask you to send passwords, login names, Social Security numbers, or other personal information through e-mail.
Urgency and potential penalty or loss are implied:
"If you don't respond within 48 hours, your account will be closed."
28. Detecting Fraudulent Email
"Dear Valued Customer." Phishing e-mail messages are usually sent out in bulk and often do not contain your first or last name.
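The indicators from the two "Detecting Fraudulent Email" slides (a request for account details by e-mail, a deadline or penalty, a generic bulk-mail greeting) as a small rule-based filter. This is an added example, not part of the original deck; the two sample messages and the two-indicator cutoff are constructed assumptions.

```python
import re

# Rule-based indicators drawn from the "Detecting Fraudulent Email" slides.
# Each entry: (what the rule means, pattern that detects it).
INDICATORS = [
    ("asks you to verify or send account details by e-mail",
     re.compile(r"\b(verify|confirm|update|send)\b[^.\n]*\b(account|password|login|social security)\b", re.I)),
    ("urgency with a deadline or a threatened penalty",
     re.compile(r"\b(within \d+ (hours|days)|immediately|will be (closed|suspended|terminated))\b", re.I)),
    ("generic greeting instead of your name (bulk mailing)",
     re.compile(r"^\s*dear (valued )?(customer|user|member|client)\b", re.I | re.M)),
    ("asks you to click a link to reach your account",
     re.compile(r"\bclick (the link|here|below)\b", re.I)),
]


def phishing_indicators(message):
    """Return the description of every indicator found in an e-mail body."""
    return [desc for desc, pattern in INDICATORS if pattern.search(message)]


def looks_fraudulent(message, threshold=2):
    """Flag a message once it trips at least `threshold` indicators (assumed cutoff)."""
    return len(phishing_indicators(message)) >= threshold


# Constructed sample messages (not real mail).
PHISH = """Dear Valued Customer,
We could not verify your account. Click the link below to confirm your login
and password. If you don't respond within 48 hours, your account will be closed."""

LEGIT = """Hi Sam,
The diabetes study review is Thursday at 3pm in the usual HSLC conference
room. Bring the printed summary; nothing needs to be uploaded beforehand."""

if __name__ == "__main__":
    for name, body in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, looks_fraudulent(body), phishing_indicators(body))
```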
29. Detecting Fraudulent Email
"Click the link below to gain access to your account."
This is an example of URL masking (hiding the web address)
URL alteration
www.micosoft.com
www.mircosoft.com
www.verify-microsoft.com
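The look-alike addresses from the DNS Tricks list on slide 18 and the URL alteration list on this slide, run through a small defensive link inspector that names the trick in play. This is an added example, not code from the deck; the brand watch-list, the edit-distance thresholds and the two-label rule for the registered domain are simplifying assumptions (a production tool would use the Public Suffix List).

```python
import re
from urllib.parse import urlsplit

# Assumed watch-list: brands the deck names as phishing targets.
KNOWN_BRANDS = ("ebay", "google", "microsoft", "paypal", "aol")


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def phishing_url_warnings(url):
    """Return the reasons a link looks like one of the deck's address tricks ([] if none)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    labels = host.split(".")
    sld = labels[-2] if len(labels) >= 2 else host  # registered label, e.g. 'ebay' in ebay.com
    warnings = []
    if parts.username is not None:
        # www.ebay.com@192.168.0.5: everything before '@' is a login name, the real host follows
        warnings.append(f"'@' trick: the browser connects to {host}, not to {parts.username}")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        warnings.append("bare IP address instead of a hostname")
    if not host.isascii() or any(lab.startswith("xn--") for lab in labels):
        warnings.append("non-ASCII or punycode label: possible Unicode look-alike")
    for brand in KNOWN_BRANDS:
        if sld == brand:
            continue
        if brand in labels[:-2]:  # www.ebay.com.kr: the brand is only a subdomain
            warnings.append(f"'{brand}' is a subdomain of {'.'.join(labels[-2:])}, not its owner")
        elif brand in sld:  # www.verify-microsoft.com
            warnings.append(f"'{brand}' embedded in the unrelated domain '{sld}'")
        elif edit_distance(sld, brand) <= (2 if len(brand) >= 6 else 1):  # gooogle, micosoft
            warnings.append(f"'{sld}' is a near-miss spelling of '{brand}'")
    return warnings


if __name__ == "__main__":
    for link in ("www.ebay.com.kr", "http://www.ebay.com@192.168.0.5", "www.gooogle.com",
                 "www.micosoft.com", "www.mircosoft.com", "www.verify-microsoft.com"):
        print(link, "->", phishing_url_warnings(link))
```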
30. How to Defend Against Phishing Attacks
• Never respond to an email asking for personal information
• Always check the site to see if it is secure (SSL lock)
• Look for misspellings or errors in grammar
• Never click on the link in the email. Enter the web address manually
• Keep your browser updated
• Keep antivirus definitions updated
• Use a firewall
• When in doubt, ask your Network Administrator for their opinion
31. A Note on Spear Phishing
• Designed especially for you
• Includes your name
• May reference an environment or issue you are aware of and familiar with
• Asks for special treatment, with justification for the request
33. Passwords
Your password is your electronic key to valuable resources, treat it like your house key!
Sharing – Discussion
Theft – Discussion
Password Rotation – Discussion
34. Creating a Strong Password
The following two rules are the bare minimum you should follow when creating a password.
Rule 1 – Password Length: Stick with passwords that are at least 8 characters in length. The more characters in the password, the better, as the time an attacker needs to crack the password will be longer. 10 characters or longer is better.
Rule 2 – Password Complexity: Your password should contain at least one character from each of the following four classes:
35. Creating a Strong Password
1. Lower case letters
2. Upper case letters
3. Numbers
4. Special characters
Use the “8 4 Rule”
8 = 8 characters minimum length
4 = 1 lower case + 1 upper case + 1 number + 1 special character.
Do not use a password strength checking website!
Any ideas why this is a bad idea?
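The 8-4 rule from these two slides as a check that runs on your own machine, so the password never leaves it, together with a search-space estimate that puts Rule 1 (length matters most) in numbers. This is an added example, not from the deck; the estimate assumes a brute-force attacker who knows only which character classes were used, and the sample passwords are constructed.

```python
import math
import string

# Character classes behind the deck's "8 4 Rule".
CLASSES = {
    "lower": set(string.ascii_lowercase),    # 26
    "upper": set(string.ascii_uppercase),    # 26
    "number": set(string.digits),            # 10
    "special": set(string.punctuation),      # 32
}


def classes_used(password):
    """Names of the character classes that appear in the password."""
    return [name for name, chars in CLASSES.items() if any(c in chars for c in password)]


def check_8_4_rule(password):
    """Return (passes, list of what is missing): 8+ characters and one of each class."""
    missing = [name for name in CLASSES if name not in classes_used(password)]
    if len(password) < 8:
        missing.insert(0, "length")
    return (not missing, missing)


def search_space_bits(password):
    """log2 of the brute-force space for an attacker who knows which classes were used.
    Rule 1 in numbers: every extra character multiplies the attacker's work by the pool size."""
    pool = sum(len(CLASSES[name]) for name in classes_used(password))
    return len(password) * math.log2(pool) if pool else 0.0


if __name__ == "__main__":
    # Constructed examples: an 8-character 8-4 password vs. a 12-character lowercase one.
    for pw in ("Ab1!Ab1!", "horsebattery", "password"):
        print(pw, check_8_4_rule(pw), round(search_space_bits(pw), 1))
```

The 12-character lowercase password scores higher than the 8-character one that satisfies every class, which is why the deck recommends 10 characters or more on top of the 8-4 rule.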
36. Adware, Malware, Spyware
Adware – unwanted ad software which is noticed
Malware – unwanted software which is noticed and potentially causes harm
Spyware – unwanted software which goes un-noticed and harvests your personal information
Use endpoint protection!
37. Adware, Malware, Spyware
How these get on your computer:
Email
Web pages
Downloaded software
CD, USB flash drive
Sometimes, out of the box
39. Baiting
Hey, look! A free USB drive!
I wonder what is on this confidential CD which I found in the bathroom?
These are vectors for malware!
Play on your curiosity or desire to get something for nothing
Don’t be a piggy!
40. Social Engineering Methods
Using the Out of Office responder in a responsible manner
41. Medical Identity Theft
Use another person’s name
Sometimes other identifying information such as a medical bracelet or insurance information
Obtain medical services
Make false claims
Causes erroneous information to be put into medical records
May lead to inappropriate and life threatening situations
42. Synthetic Identity Theft
A variation of identity theft which has recently become more common is synthetic identity theft, in which identities are completely or partially fabricated. The most common technique involves combining a real social security number with a name and birthdate other than the ones associated with the number.
43. How Does Identity Theft Happen
Let’s talk through the attached paper handout, entitled:
“Techniques for obtaining and exploiting personal information for identity theft”
Look through the list and think to yourself “Could this apply to me?” If so, think about taking steps to avoid it
44. Tips To Avoid Identity Theft
1. Only Make Purchases On Trusted Sites
2. Order Your Credit Report
3. Know How To Spot Phishing
4. Secure Your Network
5. Can the Spam
6. Don't Store Sensitive Information On Non-Secure Web Sites
7. Set Banking Alerts
8. Don't Reuse Passwords
9. Use Optional Security Questions
10. Don't Put Private Information On Public Computers
45. If Your Identity Is Stolen
See paper handout from the FTC
1. Place a fraud alert on your credit reports, and review your reports.
2. Close the accounts that you know, or believe, have been tampered with or opened fraudulently.
3. File a report with your local police or the police in the community where the identity theft took place.
4. File a complaint with the Federal Trade Commission.
46. Physical Security
• The UW is a fairly open and shared physical environment
• Seeing strangers is normal; we won’t know whether they are friend or foe
• Lock your office
• Lock your desk
• Lock your computer
• Criminals are opportunistic
• Even if you are just gone for a moment
• Report suspicious activity to your administration and UW Police
• If you have an IT related concern, contact the Office of Campus Information Security
47. Sharing Information With The Public
• The University of Wisconsin is an open environment
• However, on occasion, this open nature can be exploited by people with nefarious intent
• Don’t volunteer sensitive information
• Only disclose what is necessary
• Follow records retention policies
• When in doubt, ask for proof; honest people will understand, dishonest people will become frustrated
48. We Have So Much More To Talk About
• Security Awareness matters not just to you, but to the University of Wisconsin as a whole
• Security Awareness is an important facet of everyone’s work
• My actions impact you
• Your actions impact me
• Security Awareness is an ever changing and evolving area, which requires constant attention
• DoIT is here as a resource for you
• Let us know how we can help
• Let me know if I can help
• Don’t be afraid to ask questions
• Better safe than sorry
49. A Picture Is Worth 1000 Words
50. Questions and Discussion
Nicholas Davis
ndavis1@wisc.edu
608-262-3837
facebook.com/nicholas.a.davis