Protection of Electronic Research Data: What Investigators ...
Page 1: Protection of Electronic Research Data: What Investigators ...

Protection of Electronic Research Data: What Investigators Need to Know

January 31, 2008

Kay Sommers, VCU Information Security Officer – [email protected]

Dave Houlette, VCU Health Systems Chief Information Security Officer – [email protected]

Page 2

Agenda

Areas of Concern – Vulnerabilities and Threats
Requirements
Strategies
– What VCU and VCU HS provide
– What You Can Do
Resources
Q&A

Page 3

Bad Things Continue to Happen…

University Security Breaches
SANS TOP 20 highlights client-side risks
Accidental Data Exposures
– Loss of laptops, USB drives, backup tapes
– Posting personal data to websites
Intentional Exploits
– Theft of mobile devices
– Compromises
– Infected computers

Page 4

Regulations

State:
– VITA State Security Policy and Standard SEC 500-02 and 501-01
– ARMICS
Federal:
– HIPAA, FERPA, Gramm-Leach-Bliley Act, PCI-DSS
VCU:
– Information Security Standards - http://www.ts.vcu.edu/security/ismanagement.html

Page 5

VCU Information Security Program

Shaped by:
– Virginia Security Policy and Standard and various federal standards
– Best practices advocated by Educause, VA SCAN, SANS, NIST and ISO
Goals:
– Identify and protect confidential data and resources from unauthorized access and/or disclosure
– Ensure accuracy, validity and completeness of information by protecting resources from unauthorized access and modification
– Provide assurance that resources are accessible and operational to support designated educational, research, service and administrative operations

Page 6

VCU Information Security Standards

http://www.ts.vcu.edu/security/ismanagement.html

Data Classification Guidelines
Security Standard for Research Data
Remote Access Standard
Encryption Standard

Page 7

Strategies – Protection of Sensitive Data

Risk Assessments (existing systems)
Security reviews (new proposals)
Security Audits via Internal Assurance
“Network Intelligence” – SecureWorks et al
Intrusion Detection/Prevention systems
Network Access Control & URL blocking
Secure Messaging (Zix)
CEO/CIO mandate re encryption & storage
SEI Task Force
IT Policies
Training, Education & Awareness programs

Page 8

Strategies – Protection of Sensitive Data

Information Security Program - http://www.ts.vcu.edu/security/ismanagement.html

Risk Management
– Risk Assessments and Security Audits
Network Defenses
– Segmentation of the network - Private addresses
– Secure subnets (VLANs)
– Network Access Control
Threat Management
– Monitoring and logging
End point security
– Enterprise encryption solution

Page 9

Strategy – Data Classification

HIPAA Security Rule (ePHI)
FIPS 199:
– High, Moderate or Low Potential Impact (Severe, Serious or Limited)
– Addresses Confidentiality, Integrity and Availability
Existing systems
– Risk Assessments (HIPAA mandate)
– Periodic data “crawler” deployment (pending)
New/proposed systems
– IRB request expanded w/security review link

Page 10

Strategy – Data Classification Guidelines

Criteria for Classification:
– Confidentiality, Integrity and Availability
Category I – data protected by regulation (federal, state or institution)
Category II – data that must be protected due to proprietary, ethical or privacy considerations
Category III – data available to the public
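As an added worked example (not part of the slide deck and not VCU's own tooling), the FIPS 199 categorization that the two preceding slides refer to, carried through in Python: each information type is rated LOW, MODERATE or HIGH (limited, serious or severe potential impact) for confidentiality, integrity and availability; a system that holds several information types takes the highest rating per objective; and the overall category is the highest of the three, the "high water mark" that FIPS 200 and NIST SP 800-60 apply. The sample information types and their ratings are constructed for illustration only.

```python
"""FIPS 199 security categorization, worked through in code.

Added example: the Impact levels and the three security objectives are FIPS 199's;
the sample information types below are constructed, not real VCU classifications.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable


class Impact(IntEnum):
    LOW = 1        # limited adverse effect
    MODERATE = 2   # serious adverse effect
    HIGH = 3       # severe or catastrophic adverse effect


@dataclass(frozen=True)
class SecurityCategory:
    """FIPS 199 triple: impact of a loss of confidentiality, integrity, availability."""
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def high_water_mark(self) -> Impact:
        """Overall category: the highest impact over the three objectives."""
        return max(self.confidentiality, self.integrity, self.availability)

    def __str__(self) -> str:
        return (f"SC = {{(confidentiality, {self.confidentiality.name}), "
                f"(integrity, {self.integrity.name}), "
                f"(availability, {self.availability.name})}}")


def system_category(info_types: Iterable[SecurityCategory]) -> SecurityCategory:
    """Aggregate the categories of every information type a system holds:
    each objective takes the highest value found across the types (the
    aggregation step NIST SP 800-60 describes for whole systems)."""
    types = list(info_types)
    if not types:
        raise ValueError("a system must hold at least one information type")
    return SecurityCategory(
        confidentiality=max(t.confidentiality for t in types),
        integrity=max(t.integrity for t in types),
        availability=max(t.availability for t in types),
    )


# Constructed sample: a research server that stores identifiable patient data
# next to an already-published dataset.  Ratings are illustrative assumptions.
EPHI = SecurityCategory(Impact.HIGH, Impact.MODERATE, Impact.MODERATE)
PUBLIC_DATASET = SecurityCategory(Impact.LOW, Impact.MODERATE, Impact.LOW)

if __name__ == "__main__":
    sc = system_category([EPHI, PUBLIC_DATASET])
    print(sc)
    print("Overall (high water mark):", sc.high_water_mark().name)
```

Note that the deck's Category I/II/III scheme is a separate, regulation-driven classification: FIPS 199 rates impact, it does not by itself say which regulation applies, so the two are used side by side rather than derived from each other.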

Page 11

Strategies - Passwords

Long-term vision: reduce/eliminate PWs
– Smart Cards/Tokens/Proximity
– Biometrics
In the meantime:
– Password standards (complexity, length, etc.)
– Reduced Signon (SSO)

Page 12

Strategies – Passwords

Use of eID for all University application access

Password Security Standard: www.ts.vcu.edu/security/ismanagement/PasswordStandard.pdf
– Complexity
– Aging – password must be changed periodically
– Intruder lockout – to prevent guessing
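The three controls the standard names, implemented as the server-side checks an application would run on login and on password change. This is an added example, not VCU's code and not the standard's actual parameters: the thresholds (8 characters, three of four character classes, 90-day maximum age, five failures within 15 minutes locking the account for 30 minutes), the PBKDF2 iteration count and the sample account are all assumptions.

```python
"""Complexity, aging and intruder lockout as server-side checks.
Added example; every threshold below is an assumed value, not the VCU standard's."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib
import hmac
import string


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8
    required_classes: int = 3              # of lowercase, uppercase, digit, symbol
    max_age: timedelta = timedelta(days=90)
    lockout_threshold: int = 5
    lockout_window: timedelta = timedelta(minutes=15)
    lockout_duration: timedelta = timedelta(minutes=30)

    def complexity_problems(self, password: str) -> list:
        """Complexity: reasons a candidate password is rejected (empty list = accepted)."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"fewer than {self.min_length} characters")
        classes = (string.ascii_lowercase, string.ascii_uppercase,
                   string.digits, string.punctuation)
        used = sum(1 for cls in classes if any(ch in cls for ch in password))
        if used < self.required_classes:
            problems.append(f"only {used} of {self.required_classes} required character classes")
        return problems

    def is_expired(self, set_at: datetime, now: datetime) -> bool:
        """Aging: the password must be changed once it is older than max_age."""
        return now - set_at >= self.max_age


class LockoutTracker:
    """Intruder lockout: failed logins per account inside a sliding window lock the
    account for lockout_duration, which throttles password guessing server-side."""
    def __init__(self, policy: PasswordPolicy):
        self.policy = policy
        self._failures = {}       # user -> list of failure timestamps in the window
        self._locked_until = {}   # user -> datetime the lockout ends

    def is_locked(self, user: str, now: datetime) -> bool:
        until = self._locked_until.get(user)
        return until is not None and now < until

    def record_failure(self, user: str, now: datetime) -> bool:
        """Record one failed attempt; return True if it triggered a lockout."""
        recent = [t for t in self._failures.get(user, [])
                  if now - t < self.policy.lockout_window]
        recent.append(now)
        self._failures[user] = recent
        if len(recent) >= self.policy.lockout_threshold:
            self._locked_until[user] = now + self.policy.lockout_duration
            self._failures[user] = []
            return True
        return False

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the standard library; the iteration count is an assumption.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def attempt_login(users: dict, tracker: LockoutTracker, user: str,
                  password: str, now: datetime) -> str:
    """Returns 'locked', 'bad-password', 'expired' or 'ok'.  The lockout check runs
    first, so a locked account rejects even the correct password; an unknown user
    is answered exactly like a wrong password so the response does not reveal
    which accounts exist."""
    if tracker.is_locked(user, now):
        return "locked"
    rec = users.get(user)
    ok = rec is not None and hmac.compare_digest(
        hash_password(password, rec["salt"]), rec["hash"])
    if not ok:
        tracker.record_failure(user, now)
        return "bad-password"
    tracker.record_success(user)
    if tracker.policy.is_expired(rec["set_at"], now):
        return "expired"
    return "ok"


# Constructed sample account (fixed salt and password are for the demo only).
POLICY = PasswordPolicy()
SALT = b"constructed-demo-salt"
USERS = {"jdoe": {"salt": SALT, "hash": hash_password("Corr3ct-Horse!", SALT),
                  "set_at": datetime(2008, 1, 1)}}


def demo() -> list:
    """Five wrong guesses, the right password while locked, the right password
    after the lockout ends, then the right password once it has aged past 90 days."""
    tracker = LockoutTracker(POLICY)
    t0 = datetime(2008, 1, 31, 9, 0)
    results = [attempt_login(USERS, tracker, "jdoe", f"guess{i}", t0 + timedelta(seconds=i))
               for i in range(5)]
    results.append(attempt_login(USERS, tracker, "jdoe", "Corr3ct-Horse!", t0 + timedelta(minutes=1)))
    results.append(attempt_login(USERS, tracker, "jdoe", "Corr3ct-Horse!", t0 + timedelta(minutes=31)))
    results.append(attempt_login(USERS, tracker, "jdoe", "Corr3ct-Horse!", datetime(2008, 6, 1)))
    return results
```

Running `demo()` returns five `bad-password` results, then `locked`, then `ok`, then `expired`, which is the behaviour the three bullets describe: guessing is cut off after the threshold, the lockout is temporary, and a correct but stale password is accepted only as far as forcing a change.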

Page 13

Strategies - Storage

Mandate: All sensitive electronic information (SEI) must reside on network storage or be encrypted!

SANS storage system w/offsite archives

“Tiered storage” option pending

Page 14

Strategies – Storage

University Computer Center
– Storage and backup
– Growing capacity with virtualization
Sensitive Data
– Network Storage
– Encrypted if local

Page 15

Strategies - Access

Streamline Access Management
Single authentication for local/remote access (Active Directory)
“Pre-flight check” (Network Access Control)
SSL VPN (F5)
Security controls commensurate with risk

Page 16

Strategies – Access

Standardization on eID and Banner Number
Increased bandwidth
Network Access Control
WebVPN for remote access
– http://www.ts.vcu.edu/security/vcuvpn.html

Page 17

Strategies - Encryption

Mobile devices – mandatory encryption
Removable media – approved USB drives only (Verbatim or VA-approved)
“Smart” phones & Blackberries: centrally-owned and -supported secure devices only

Page 18

Strategies – Encryption

Security Standard for Encryption
Enterprise encryption solution will be implemented this year
– Interim solutions (Open Source):
  Hard disk encryption: Truecrypt
  File encryption: Omziff
Secure USB – Verbatim Store ‘n Go Corporate Secure

Page 19

Strategies – Desktops

Approved vendors/devices
Comprehensive inventory (SMS mandate)
Centrally-reporting and -updated anti-malware (McAfee or similar)
Documented patch management plan
Designated support contact
Designated security contact

Page 20

Strategies – Desktops

Anti-virus
– Sophos is free for VCU users
Second antispyware
– Spybot or AdAware
Recommendations for Securing Desktops:
– http://www.ts.vcu.edu/security/desktopsec.html
LANDesk Desktop Management

Page 21

Strategies - Laptops

Approved vendors/devices
Mandatory encryption (Credant)
Physical security: cable locks
“LoJack” software recommended

Page 22

Strategies – Laptops

Confidential data must be encrypted
Use laptop security devices
Practice safe computing
Laptop imaging
Laptop Security Recommendations:
– http://www.ts.vcu.edu/security/securelaptop.html

Page 23

Strategies - Wireless

Centrally-managed wireless networks only
WPA encryption
Wireless Intrusion Prevention System (AirDefense)
Guest network for patients, visitors, vendors

Page 24

Strategies – Wireless

Wireless is under CNAC
Secure wireless (WPA2) will be implemented in the spring
– Interim: Use VPN for secure wireless connectivity

Page 25

Strategies – Using the Internet

Policies & Education
URL filtering & blocking, in- and out-bound (WebSense)
Traffic throttling (social sites, P2P, etc.)

Page 26

Strategies – Using the Internet

Packetshaping traffic
Controlling Spam
Self-Defending Network
– Specialized Network Fire Walls
– Intrusion Protection System
– Proactive Monitoring Systems
Security awareness training
– Role-based Modules in Blackboard

Page 27

Interim Solutions – Security is An Ongoing Process

Reduced Signon
Personal USB drives: “read-only”
IT Policy updates (in progress)
TEA (Training, Education, Awareness)
Monitoring & Auditing

Page 28

Interim Solutions – Security is An Ongoing Process

Practice Safe Computing
– Be an Internet Skeptic
– Keep antivirus up-to-date
– Use a personal fire wall
– Keep patches up-to-date for operating system and applications
Defense-in-Depth
– Layers of defenses to compensate for any failures
Attack methodology changes
– Defenses have to adjust

Page 29

Resources 1

VCU site licensed anti-virus software:
– http://www.ts.vcu.edu/security/virus.html
Info about Windows Update Service:
– http://www.ts.vcu.edu/security/nonstudent.html
Password information:
– http://www.ts.vcu.edu/faq/security/strongpasswords.html

Page 30

Resources 2

Personal Firewall
– Windows XP SP2, ZoneAlarm
Anti-spyware programs
– Spybot Search and Destroy, AdAware, Defender
Protection on the Internet:
– http://www.ts.vcu.edu/security/nonstudent.html
Securing laptops and other mobile devices:
– http://www.ts.vcu.edu/security/securelaptop.html

Page 31

Resources 3

Truecrypt: http://www.truecrypt.org/
Omziff: http://www.snapfiles.com/get/omziff.html

Page 32

Resources

Visit VCU’s security website for current security information and tips:
– http://www.ts.vcu.edu/security/

Page 33

Questions?

Thank you for your attention.