“Securing the Unsecured” Security Awareness Training
HIMSS Louisiana Chapter
October 8, 2004
TRANSCRIPT
Slide 2
Agenda
Why
Who
What
When
Where and How
Tests for Understanding
Documentation
Slide 3
Why Security Awareness Training
Regulatory/Corporate Compliance
Users Don’t Get It
It Can’t Happen Here Syndrome
Make Our Lives Easier
Goals of Security Awareness Training
Slide 4
Why: Regulatory/Corporate Compliance
Sarbanes-Oxley
• Requires companies to become more fiscally accountable
JCAHO
• “To continuously improve the safety and quality of care provided to the public through the provision of health care accreditation and related services that support performance improvement in health care organizations.”
USA Patriot Act
• Requires seeking, detecting, and reporting computer trespasses
HIPAA
• Requires confidentiality, integrity and availability (CIA) of patients' private information
Slide 5
Why: Users Don’t Get It
There’s nothing important on my computer
We have virus software so my computer is protected from everything
All threats are from the outside
It’s not my job/I’m too busy to worry about security
Technology provides full protection
Slide 6
Why: It Can’t Happen Here Syndrome
Use Examples from Your Organization
Use Examples from Others:
• Two years of research material lost with no backup
• Test results are changed
• Falsified ID is used to send threatening e-mail
• Employees running side business with our technology
• Hospital machines used as zombies for DDOS attacks
• Virus, worm, trojan infestations and attacks
• Illegal music downloading
• Online gaming
• IT equipment stolen
Slide 7
Why: Make Our Lives Easier
Routine Helpdesk Calls are Reduced
Fewer Malicious Code Outbreaks
Lowers Data Restore Requests
Able to Focus on Projects
Users Feel Ownership
Users Think More Highly of IT
Less Time Spent Firefighting
Slide 8
Goals of Security Awareness Training
Establish a knowledge baseline for the entire organization
Modifying user behavior helps the security team
Adds a human component to defense-in-depth
Securing people is at least as important as securing systems
Slide 9
Who Needs Security Awareness Training
Employees
Non-employees
Slide 10
Who: Employees
All Employees
• Determine minimum level for everyone
• Include volunteers, medical staff and administration
Department Champions
• Find the IT “want-to-bes” in each department
• Use them to help smooth the path
Management
• Make sure that they are not embarrassed
• Provide justification for expenditures
IT Staff
• Keep them fully informed
Slide 11
Who: Non-employees
On-site
• Volunteers
• Medical Staff
• Others
Remote
• Medical Staff
• Public
• Support
Contract/Non-contract
• Escort?
Slide 12
What: Security Awareness Training
Most Common Mistakes
Training Topics
Acceptable Use Policy/Agreement
Slide 13
What: Most Common Mistakes
Poor Password Management
Workstation Left Logged On (Attached) and Unattended
Malicious E-mail Attachments
Ineffective Anti-virus Software
Uncontrolled Laptops
Unreported Security Violations
Updates, Hot Fixes, Service Packs not Installed
Poor Perimeter Protection
• Electronic
• Physical
Slide 14
What: Training Topics
Data Backup/Restore
Physical Security
Portables
Social Engineering
ID/Passwords
E-mail
Wireless
Malicious Software
Slide 15
Data Backup/Restore
Users are responsible for communicating their needs
IT is responsible for making sure it happens
• Included in IT procedures
• Tools supplied to users
Slide 16
Physical Security
Every User is an Extension of the Security Force
Lock Offices as Often as Practical
Restrict Open External Entrances
Technology
• Cameras
• Motion sensors
• Alarm systems
• Tags
Slide 17
Portables
Favorite Target of Thieves
Less Likely to Draw Attention
Easily Hidden
“Turn” Fast at Pawn Shops and Online
Almost Always Contain “Sensitive” Data
Slide 18
Social Engineering
“This is (manager, director, etc.) and I need…”
“This is Sue with the Help Desk and we are:
• verifying your passwords…”
• troubleshooting logon problems…”
• got your (bogus) request to change your…”
E-mail Attachments
Dumpster Diving
Recover Data from Surplus Equipment/Media
Slide 19
ID/Passwords
Users are responsible for what happens with their ID/password
If you HAVE to write them down, treat the paper like a credit card
Change passwords if there is a possibility they have been compromised
Use complex passwords
The sanctions for not protecting login credentials are…
Slide 20
From the University of Michigan
Passwords Are Like Underwear:
Change yours often!
Don’t leave yours lying around!
The longer the more protection!
Don’t share yours with friends!
Be mysterious!
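The two password slides above say “use complex passwords” and “the longer the more protection”. The following added example (not part of the original deck) puts numbers on that advice: a small policy checker plus a brute-force search-space estimate, so that a trainer can show a room why a 28-character passphrase beats an 8-character “complex” password. The thresholds (MIN_LENGTH, LONG_ENOUGH, MIN_CLASSES), the rule set and the COMMON_PASSWORDS list are assumptions chosen for illustration; a real deployment would use its own policy and a genuine breached-password list.

```python
"""Password policy check with a brute-force entropy estimate.

Added example, not part of the original slides. Thresholds, rules and the
COMMON_PASSWORDS list are assumptions for illustration only.
"""
import math
import string

MIN_LENGTH = 12      # assumption: local policy minimum length
LONG_ENOUGH = 20     # assumption: length at which class rules are waived
MIN_CLASSES = 3      # assumption: character classes required below LONG_ENOUGH

# Constructed stand-in for a breached/common-password list.
COMMON_PASSWORDS = {"password", "password1", "welcome1", "letmein",
                    "hospital2004", "qwerty", "123456"}

CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
}
OTHER_CLASS_SIZE = 33   # printable ASCII punctuation plus space
ALNUM = CLASSES["lower"] | CLASSES["upper"] | CLASSES["digit"]


def character_classes(pw: str) -> set:
    """Names of the character classes present in pw."""
    found = {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}
    if any(c not in ALNUM for c in pw):
        found.add("other")
    return found


def entropy_bits(pw: str) -> float:
    """Bits of search space for an attacker who tries every string over the
    observed character classes. This is an upper bound: dictionary words and
    passphrases fall to smarter guessing sooner than this figure suggests."""
    if not pw:
        return 0.0
    sizes = {"lower": 26, "upper": 26, "digit": 10, "other": OTHER_CLASS_SIZE}
    space = sum(sizes[name] for name in character_classes(pw))
    return len(pw) * math.log2(space)


def has_trivial_run(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` identical or consecutive characters
    (e.g. 'aaaa', '1234', 'abcd', 'dcba'), ignoring case."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        diffs = {b - a for a, b in zip(codes[i:i + run], codes[i + 1:i + run])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def check_password(pw: str, username: str = "") -> list:
    """Return policy findings; an empty list means the password passes.
    Length is allowed to substitute for character-class complexity."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS:
        findings.append("appears in the common-password list")
    if username and username.lower() in pw.lower():
        findings.append("contains the user name")
    if len(pw) < LONG_ENOUGH and len(character_classes(pw)) < MIN_CLASSES:
        findings.append(f"fewer than {MIN_CLASSES} character classes and shorter than {LONG_ENOUGH}")
    if has_trivial_run(pw):
        findings.append("contains a repeated or sequential run such as 'aaaa' or '1234'")
    return findings


if __name__ == "__main__":
    for candidate in ("Tr0ub4d!", "Password1", "correct horse battery staple"):
        print(f"{candidate!r}: {entropy_bits(candidate):.0f} bits, "
              f"findings={check_password(candidate)}")
```

Run as a script it prints the three sample candidates: the short “complex” password scores roughly 53 bits and fails on length, the common one fails on length and the list, and the long all-lowercase passphrase scores well over 100 bits and passes every rule.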
Slide 21
E-mail
E-mails Exist in Multiple Places
Deleting an E-mail from One Place Does Not Delete it from Anywhere Else
Be Aware of “bcc”
Spam Effects and Avoidance
Verify Attachments Before Opening
Don’t Send Confidential Information via Standard E-mail
E-mail Can be Forged
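“Verify attachments before opening” and “e-mail can be forged” are the two points on this slide that a help desk can actually check. The following added example (not from the original deck) shows the checks in Python using only the standard library’s `email` package: it compares the visible From: domain against the envelope sender (Return-Path) and Reply-To, and it flags attachment names that carry an executable or double extension. RAW_MESSAGE is a constructed sample with illustrative domains and addresses, and RISKY_EXTENSIONS is an assumption to be tuned to local policy.

```python
"""Header and attachment triage for an inbound e-mail.

Added example, not part of the original slides. RAW_MESSAGE is a
constructed sample; RISKY_EXTENSIONS is an assumption for illustration.
"""
import email
import os
from email import policy
from email.utils import parseaddr

# Assumption: file types that must not be opened from mail without
# out-of-band confirmation from the sender.
RISKY_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".com", ".pif",
                    ".vbs", ".js", ".hta", ".lnk", ".jar"}

# Constructed sample: the visible From: claims a hospital director, but the
# envelope sender (Return-Path) and Reply-To point elsewhere, and the
# attachment is a double-extension executable named to look like a PDF.
RAW_MESSAGE = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (203.0.113.10) by mx.hospital.example
From: "J. Director" <director@hospital.example>
Reply-To: j.director.personal@webmail.example.org
To: nurse@hospital.example
Subject: Urgent: updated lab results
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please open the attached results and confirm your login so I can finalize.
--XYZ
Content-Type: application/octet-stream; name="results.pdf.exe"
Content-Disposition: attachment; filename="results.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--XYZ--
"""


def domain_of(address: str) -> str:
    """Lower-cased domain of an RFC 5322 address ('' if none)."""
    _, addr = parseaddr(address or "")
    return addr.rpartition("@")[2].lower()


def attachment_findings(name: str) -> list:
    """Flag executable and double-extension attachment names."""
    findings = []
    root, ext = os.path.splitext(name)
    if ext.lower() in RISKY_EXTENSIONS:
        findings.append(f"attachment {name!r} has executable extension {ext}")
    if os.path.splitext(root)[1]:
        findings.append(f"attachment {name!r} uses a double extension; the real type is {ext}")
    return findings


def triage(raw: str) -> dict:
    """Parse a raw message and return its From: domain, attachment names and
    a list of human-readable findings (an empty list means nothing odd)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = domain_of(str(msg.get("From", "")))
    # A mismatch here is not proof of forgery (mailing lists and relays cause
    # it too), but it is the first thing to look at when the mail asks for
    # credentials or an urgent action.
    for header in ("Return-Path", "Reply-To"):
        other = domain_of(str(msg.get(header, "")))
        if other and other != from_domain:
            findings.append(f"{header} domain {other} differs from From domain {from_domain}")
    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        attachments.append(name)
        findings.extend(attachment_findings(name))
    return {"from_domain": from_domain, "attachments": attachments, "findings": findings}


if __name__ == "__main__":
    for line in triage(RAW_MESSAGE)["findings"]:
        print("-", line)
```

On the constructed sample the script reports the Return-Path and Reply-To mismatches and both attachment findings; a clean message from the same domain with a plain `report.pdf` produces an empty findings list.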
Slide 22
Wireless
Don’t Plug in Your Own Wireless Access Point
Don’t Change the Secure Configuration:
• To make it work with your home network
• So it will connect in the airport
• To access other facilities’ networks
Use a Wire When Available
• Faster
• More secure
• Less competition for access point bandwidth
Slide 23
Malicious Software
Leave Virus Protection and Firewall Programs Running
Check for or Allow Updates
Recognize Potential Malicious Activities:
• Hard drive running when no programs are running
• Unusual or unexpected logon screens
• Boot up speed or sequence changes
• Performance degradation
• Returned (bounced) e-mails, especially for messages you never sent
Others?
Slide 24
What: Acceptable Use Policy/Agreement
Include All Security Topics
Templates and Examples are Available Online
Include in Training
Have Users Sign
May Include Confidentiality and Privacy
Slide 25
When: Security Awareness Training
Prior to System/Facility Access
• Require security training
• Have Acceptable Use Policy, Confidentiality, Privacy and other agreements signed
Ongoing
• New Hire
• Reminder
• Annual
• Include security every chance
Non-employees
Slide 26
Where and How: Security Awareness Training
Posters
Newsletters
Login Dialogue Boxes
E-mails
Display Tables
Contests
“Mystery Guest”
Slide 27
Tests for Understanding
Positives
• Proof that learning occurred
• Program improvements
Negatives
• Proof that learning did not occur
• Handling the failures
Slide 28
Documentation
Annual Plan
Who/What/When Matrix
Proof of Occurrence
Quality Review Meeting Minutes
Slide 29
From George Mason University
S.E.C.U.R.E. I.T.
Simple (All users can implement these procedures)
Effective (Problems are solved by following procedures)
Concerned (All users should be concerned about security)
Useful (Procedures keep resources safe and available)
Responsibility (All users must follow the AUP)
Economical (Resources are protected and conserved)
Information (Confidentiality, integrity, accessibility)
Technology (Hardware is protected and preserved)
Thank You
Healthlink Incorporated
3800 Buffalo Speedway, Suite 550
Houston, TX 77098
1.800.223.8956