Protection of Electronic Protection of Electronic Research Data:Research Data:
What Investigators Need to What Investigators Need to KnowKnow
January 31, 2008January 31, 2008
Kay SommersKay SommersVCU Information Security OfficerVCU Information Security Officer
[email protected]@vcu.eduDave HouletteDave Houlette
VCU Health Systems VCU Health Systems Chief Information Security OfficerChief Information Security Officer
[email protected]@mcvh-vcu.edu
AgendaAgenda
Areas of Concern Areas of Concern – Vulnerabilities and ThreatsVulnerabilities and Threats
RequirementsRequirements StrategiesStrategies
– What VCU and VCU HS provideWhat VCU and VCU HS provide– What You Can DoWhat You Can Do
ResourcesResources Q&AQ&A
Bad Things Continue to Bad Things Continue to Happen…Happen…
University Security BreachesUniversity Security Breaches SANS TOP 20 highlights client-side risksSANS TOP 20 highlights client-side risks Accidental Data ExposuresAccidental Data Exposures
– Loss of laptops, USB drives, backup tapesLoss of laptops, USB drives, backup tapes– Posting personal data to websitesPosting personal data to websites
Intentional ExploitsIntentional Exploits– Theft of mobile devicesTheft of mobile devices– Compromises Compromises – Infected computersInfected computers
Regulations Regulations
State:State: – VITA State Security Policy and StandardVITA State Security Policy and Standard
SEC 500-02 and 501-01SEC 500-02 and 501-01– ARMICSARMICS
Federal:Federal:– HIPAA, FERPA, Gramm-Leach-Bliley Act, PCI-DSSHIPAA, FERPA, Gramm-Leach-Bliley Act, PCI-DSS
VCU:VCU:– Information Security Standards - Information Security Standards -
http://www.ts.vcu.edu/security/ismanagement.hthttp://www.ts.vcu.edu/security/ismanagement.htmlml
VCU Information VCU Information Security Program Security Program
Shaped by:Shaped by:– Virginia Security Policy and Standard and various Virginia Security Policy and Standard and various
federal standards federal standards – Best practices advocated by Educause, VA SCAN, Best practices advocated by Educause, VA SCAN,
SANS, NIST and ISOSANS, NIST and ISO Goals:Goals:
– Identify and protect confidential data and resources Identify and protect confidential data and resources from unauthorized access and/or disclosurefrom unauthorized access and/or disclosure
– Ensure accuracy, validity and completeness of Ensure accuracy, validity and completeness of information by protecting resources from information by protecting resources from unauthorized access and modificationunauthorized access and modification
– Provide assurance that resources are accessible Provide assurance that resources are accessible and operational to support designated educational, and operational to support designated educational, research, service and administrative operationsresearch, service and administrative operations
VCU Information Security VCU Information Security Standards Standards
http://http://www.ts.vcu.edu/security/ismanagement.htmlwww.ts.vcu.edu/security/ismanagement.html
Data Classification GuidelinesData Classification Guidelines Security Standard for Research DataSecurity Standard for Research Data Remote Access StandardRemote Access Standard Encryption StandardEncryption Standard
Strategies – Protection of Strategies – Protection of Sensitive DataSensitive Data
Risk Assessments (existing systems)Risk Assessments (existing systems) Security reviews (new proposals)Security reviews (new proposals) Security Audits via Internal AssuranceSecurity Audits via Internal Assurance ““Network Intelligence”–SecureWorks et alNetwork Intelligence”–SecureWorks et al Intrusion Detection/Prevention systemsIntrusion Detection/Prevention systems Network Access Control & URL blockingNetwork Access Control & URL blocking Secure Messaging (Zix)Secure Messaging (Zix) CEO/CIO mandate re encryption & storageCEO/CIO mandate re encryption & storage SEI Task ForceSEI Task Force IT PoliciesIT Policies Training, Education & Awareness programsTraining, Education & Awareness programs
Strategies – Protection of Sensitive Strategies – Protection of Sensitive Data Data
Information Security Program - Information Security Program - http://www.ts.vcu.edu/security/ismanagement.htmlhttp://www.ts.vcu.edu/security/ismanagement.html
Risk ManagementRisk Management– Risk Assessments and Security AuditsRisk Assessments and Security Audits
Network DefensesNetwork Defenses– Segmentation of the network - Private addressesSegmentation of the network - Private addresses– Secure subnets (VLANS)Secure subnets (VLANS)– Network Access ControlNetwork Access Control
Threat ManagementThreat Management– Monitoring and loggingMonitoring and logging
End point security End point security – Enterprise encryption solutionEnterprise encryption solution
Strategy – Data ClassificationStrategy – Data Classification HIPAA Security Rule (ePHI)HIPAA Security Rule (ePHI) FIPS 199:FIPS 199:
– High, Moderate or Low Potential High, Moderate or Low Potential ImpactImpact (Severe, Serious or Limited)(Severe, Serious or Limited)
– Addresses Confidentiality, Integrity and Addresses Confidentiality, Integrity and Availability Availability
Existing systemsExisting systems– Risk Assessments (HIPAA mandate)Risk Assessments (HIPAA mandate)– Periodic data “crawler” deployment (pending)Periodic data “crawler” deployment (pending)
New/proposed systemsNew/proposed systems– IRB request expanded w/security review linkIRB request expanded w/security review link
Strategy – Data Classification Strategy – Data Classification GuidelinesGuidelines
Criteria for Classification: Criteria for Classification: – Confidentiality, Integrity and AvailabilityConfidentiality, Integrity and Availability
Category I – data protected by Category I – data protected by regulation (federal, state or institution) regulation (federal, state or institution)
Category II – data that must be Category II – data that must be protected due to proprietary, ethical or protected due to proprietary, ethical or privacy considerationsprivacy considerations
Category III – data available to the publicCategory III – data available to the public
Strategies - PasswordsStrategies - Passwords
Long-term vision: reduce/eliminate Long-term vision: reduce/eliminate PWsPWs– Smart Cards/Tokens/Proximity Smart Cards/Tokens/Proximity – BiometricsBiometrics
In the meantime:In the meantime:– Password standards (complexity, length, Password standards (complexity, length,
etc.)etc.)– Reduced Signon (SSO)Reduced Signon (SSO)
Strategies – PasswordsStrategies – Passwords
Use of eID for all University Use of eID for all University application accessapplication access
Password Security StandardPassword Security Standardwww.ts.vcu.edu/security/ismanagement/www.ts.vcu.edu/security/ismanagement/
PasswordStandard.pdfPasswordStandard.pdf
– Complexity Complexity – Aging – password must be changed Aging – password must be changed
periodicallyperiodically– Intruder lockout – to prevent guessingIntruder lockout – to prevent guessing
Strategies - StorageStrategies - Storage
Mandate: All sensitive electronic Mandate: All sensitive electronic information (SEI) must reside on information (SEI) must reside on network storage or be encrypted!network storage or be encrypted!
SANS storage system w/offsite SANS storage system w/offsite archivesarchives
““Tiered storage” option pendiingTiered storage” option pendiing
Strategies – StorageStrategies – Storage
University Computer CenterUniversity Computer Center– Storage and backupStorage and backup– Growing capacity with virtualizationGrowing capacity with virtualization
Sensitive DataSensitive Data– Network StorageNetwork Storage– Encrypted if local Encrypted if local
Strategies - AccessStrategies - Access
Streamline Access Management Streamline Access Management Single authentication for local/remote Single authentication for local/remote
access (Active Directory)access (Active Directory) ““Pre-flight check” (Network Access Pre-flight check” (Network Access
Control)Control) SSL VPN (F5)SSL VPN (F5) Security controls commensurate with Security controls commensurate with
riskrisk
Strategies – AccessStrategies – Access
Standardization on eID and Banner Standardization on eID and Banner NumberNumber
Increased bandwidth Increased bandwidth Network Access ControlNetwork Access Control WebVPN for remote accessWebVPN for remote access
– http://www.ts.vcu.edu/security/http://www.ts.vcu.edu/security/vcuvpn.htmlvcuvpn.html
Strategies - EncryptionStrategies - Encryption
Mobile devices – mandatory Mobile devices – mandatory encryption encryption
Removable media – approved USB Removable media – approved USB drives only (Verbatim or VA-drives only (Verbatim or VA-approved)approved)
““Smart” phones & Blackberries: Smart” phones & Blackberries: centrally-owned and –supported centrally-owned and –supported secure devices onlysecure devices only
Strategies – EncryptionStrategies – Encryption
Security Standard for Encryption Security Standard for Encryption Enterprise encryption solution will be Enterprise encryption solution will be
implemented this yearimplemented this year– Interim solutions (Open Source):Interim solutions (Open Source):
Hard disk encryption: TruecryptHard disk encryption: Truecrypt File encryption: OmziffFile encryption: Omziff
Secure USB – Verbatim Store ‘n Go Secure USB – Verbatim Store ‘n Go Corporate SecureCorporate Secure
Strategies – DesktopsStrategies – Desktops
Approved vendors/devicesApproved vendors/devices Comprehensive inventory (SMS Comprehensive inventory (SMS
mandate)mandate) Centrally-reporting and –updated Centrally-reporting and –updated
anti-malware (McAfee or similar)anti-malware (McAfee or similar) Documented patch management planDocumented patch management plan Designated support contactDesignated support contact Designated security contactDesignated security contact
Strategies – DesktopsStrategies – Desktops
Anti-virusAnti-virus– Sophos is free for VCU usersSophos is free for VCU users
Second antispywareSecond antispyware– Spybot or AdAwareSpybot or AdAware
Recommendations for Securing Recommendations for Securing Desktops:Desktops:– http://www.ts.vcu.edu/security/http://www.ts.vcu.edu/security/
desktopsec.htmldesktopsec.html
LANDesk Desktop ManagementLANDesk Desktop Management
Strategies - LaptopsStrategies - Laptops
Approved vendors/devices Approved vendors/devices Mandatory encryption (Credant)Mandatory encryption (Credant) Physical security: cable locksPhysical security: cable locks ““LoJack” software LoJack” software recommendedrecommended
Strategies – LaptopsStrategies – Laptops
Confidential data must be encryptedConfidential data must be encrypted Use laptop security devices Use laptop security devices Practice safe computingPractice safe computing Laptop imagingLaptop imaging Laptop Security Recommendations:Laptop Security Recommendations:
– http://www.ts.vcu.edu/security/http://www.ts.vcu.edu/security/securelaptop.htmlsecurelaptop.html
Strategies - WirelessStrategies - Wireless
Centrally-managed wireless networks Centrally-managed wireless networks onlyonly
WPA encryptionWPA encryption Wireless Intrusion Prevention System Wireless Intrusion Prevention System
(AirDefense)(AirDefense) Guest network for patients, visitors, Guest network for patients, visitors,
vendorsvendors
Strategies – WirelessStrategies – Wireless
Wireless is under CNACWireless is under CNAC Secure wireless (WPA2) will be Secure wireless (WPA2) will be
implemented in the springimplemented in the spring– Interim: Use VPN for secure wireless Interim: Use VPN for secure wireless
connectivityconnectivity
Strategies – Strategies – Using the InternetUsing the Internet
Policies & EducationPolicies & Education URL filtering & blocking, in- and out-URL filtering & blocking, in- and out-
bound (WebSense)bound (WebSense) Traffic throttling (social sites, Traffic throttling (social sites,
P2P,etc)P2P,etc)
Strategies – Using the Internet Strategies – Using the Internet
Packetshaping trafficPacketshaping traffic Controlling SpamControlling Spam Self-Defending NetworkSelf-Defending Network
– Specialized Network Fire WallsSpecialized Network Fire Walls– Intrusion Protection SystemIntrusion Protection System– Proactive Monitoring Systems Proactive Monitoring Systems
Security awareness trainingSecurity awareness training– Role-based Modules in BlackboardRole-based Modules in Blackboard
Interim Solutions – Security is Interim Solutions – Security is An Ongoing ProcessAn Ongoing Process
Reduced SignonReduced Signon Personal USB drives: “read-only”Personal USB drives: “read-only” IT Policy updates (in progress)IT Policy updates (in progress) TEA (Training, Education, Awareness)TEA (Training, Education, Awareness) Monitoring & AuditingMonitoring & Auditing
Interim Solutions – Security is An Interim Solutions – Security is An Ongoing ProcessOngoing Process
Practice Safe ComputingPractice Safe Computing– Be an Internet SkepticBe an Internet Skeptic– Keep antivirus up-to-dateKeep antivirus up-to-date– Use a personal fire wallUse a personal fire wall– Keep patches up-to-date for operating system Keep patches up-to-date for operating system
and applicationsand applications
Defense-in-DepthDefense-in-Depth– Layers of defenses to compensate for any Layers of defenses to compensate for any
failuresfailures
Attack methodology changesAttack methodology changes– Defenses have to adjustDefenses have to adjust
Resources 1Resources 1
VCU site licensed anti-virus software:VCU site licensed anti-virus software:– http://www.ts.vcu.edu/security/virus.htmhttp://www.ts.vcu.edu/security/virus.htm
ll Info about Windows Update Service:Info about Windows Update Service:
– http://www.ts.vcu.edu/security/nonstudehttp://www.ts.vcu.edu/security/nonstudent.htmlnt.html
Password information:Password information:– http://www.ts.vcu.edu/faq/security/http://www.ts.vcu.edu/faq/security/
strongpasswords.htmlstrongpasswords.html
Resources 2 Resources 2
Personal FirewallPersonal Firewall– Windows XP SP2, ZoneAlarmWindows XP SP2, ZoneAlarm
Anti-spyware programsAnti-spyware programs– Spybot Search and Destroy, AdAware, DefenderSpybot Search and Destroy, AdAware, Defender
Protection on the Internet:Protection on the Internet:– http://www.ts.vcu.edu/security/nonstudent.htmlhttp://www.ts.vcu.edu/security/nonstudent.html
Securing laptops and other mobile devices:Securing laptops and other mobile devices:– http://www.ts.vcu.edu/security/securelaptop.htmlhttp://www.ts.vcu.edu/security/securelaptop.html
Resources 3Resources 3
Truecrypt: Truecrypt: http://www.truecrypt.org/http://www.truecrypt.org/ Omziff: Omziff:
http://www.snapfiles.com/get/omziff.http://www.snapfiles.com/get/omziff.htmlhtml
ResourcesResources
Visit VCU’s security website for Visit VCU’s security website for current security information and tips:current security information and tips:– http://www.ts.vcu.edu/security/http://www.ts.vcu.edu/security/
Questions?Questions?
Thank you for your attention.Thank you for your attention.