Page 1: Security Awareness Training by HIMSS Louisiana Chapter

“Securing the Unsecured”
Security Awareness Training

HIMSS Louisiana Chapter
October 8, 2004

Slide 2

Agenda

Why
Who
What
When
Where and How
Tests for Understanding
Documentation

Slide 3

Why Security Awareness Training

Regulatory/Corporate Compliance
Users Don’t Get It
It Can’t Happen Here Syndrome
Make Our Lives Easier
Goals of Security Awareness Training

Slide 4

Why: Regulatory/Corporate Compliance

Sarbanes-Oxley
• Requires companies to become more fiscally accountable

JCAHO
• “To continuously improve the safety and quality of care provided to the public through the provision of health care accreditation and related services that support performance improvement in health care organizations.”

USA Patriot Act
• Requires seeking, detecting, and reporting computer trespasses

HIPAA
• Requires CIA (confidentiality, integrity, availability) of patients' private information

Slide 5

Why: Users Don’t Get It

There’s nothing important on my computer
We have virus software so my computer is protected from everything
All threats are from the outside
It’s not my job / I’m too busy to worry about security
Technology provides full protection

Slide 6

Why: It Can’t Happen Here Syndrome

Use Examples from Your Organization
Use Examples from Others:
• Two years of research material lost with no backup
• Test results are changed
• Falsified ID is used to send threatening e-mail
• Employees running side business with our technology
• Hospital machines used as zombies for DDOS attacks
• Virus, worm, trojan infestations and attacks
• Illegal music downloading
• Online gaming
• IT equipment stolen

Slide 7

Why: Make Our Lives Easier

Routine Helpdesk Calls are Reduced
Fewer Malicious Code Outbreaks
Lowers Data Restore Requests
Able to Focus on Projects
Users Feel Ownership
Users Think More Highly of IT
Less Time Spent Firefighting

Slide 8

Goals of Security Awareness Training

Establish a knowledge baseline for the entire organization
Modifying user behavior helps the security team
Adds a human component to defense-in-depth
Securing people is at least as important as securing systems

Slide 9

Who Needs Security Awareness Training

Employees
Non-employees

Slide 10

Who: Employees

All Employees
• Determine minimum level for everyone
• Include volunteers, medical staff and administration

Department Champions
• Find your IT want-to-bes
• Use them to help smooth the path

Management
• Make sure that they are not embarrassed
• Provide justification for expenditures

IT Staff
• Keep them fully informed

Slide 11

Who: Non-employees

On-site
• Volunteers
• Medical Staff
• Others

Remote
• Medical Staff
• Public
• Support

Contract/Non-contract
• Escort?

Slide 12

What: Security Awareness Training

Most Common Mistakes
Training Topics
Acceptable Use Policy/Agreement

Slide 13

What: Most Common Mistakes

Poor Password Management
Workstation Attached and Unattended
Malicious E-mail Attachments
Ineffective Anti-virus Software
Uncontrolled Laptops
Unreported Security Violations
Updates, Hot Fixes, Service Packs not Installed
Poor Perimeter Protection
• Electronic
• Physical

Slide 14

What: Training Topics

Data Backup/Restore
Physical Security
Portables
Social Engineering
ID/Passwords
E-mail
Wireless
Malicious Software

Slide 15

Data Backup/Restore

Users are responsible for communicating their needs
IT is responsible for making sure it happens
• Included in IT procedures
• Tools supplied to users

Slide 16

Physical Security

Every User is an Extension of the Security Force
Lock Offices as Often as Practical
Restrict Open External Entrances
Technology
• Cameras
• Motion sensors
• Alarm systems
• Tags

Slide 17

Portables

Favorite Target of Thieves
Less Likely to Draw Attention
Easily Hidden
“Turn” Fast at Pawn Shops and Online
Almost Always Contain “Sensitive” Data

Slide 18

Social Engineering

“This is (manager, director, etc.) and I need…”

“This is Sue with the Help Desk and we are:
• verifying your passwords…”
• troubleshooting logon problems…”
• got your (bogus) request to change your…”

E-mail Attachments
Dumpster Diving
Recover Data from Surplus Equipment/Media

Slide 19

ID/Passwords

Users are responsible for what happens with their ID/password
If you HAVE to write them down, treat the paper like a credit card
Change passwords if there is a possibility they have been compromised
Use complex passwords
The sanctions for not protecting login credentials are…

Slide 20

From the University of Michigan

Passwords Are Like Underwear:
Change yours often!
Don’t leave yours lying around!
The longer the more protection!
Don’t share yours with friends!
Be mysterious!

Slide 21

E-Mail

E-mails Exist in Multiple Places
Deleting an E-mail from One Place Does Not Delete it from Anywhere Else
Be Aware of “bcc”
Spam Effects and Avoidance
Verify Attachments Before Opening
Don’t Send Confidential Information via Standard E-mail
E-mail Can be Forged

Slide 22

Wireless

Don’t Plug in Your Own Wireless Access Point
Don’t Change the Secure Configuration:
• To make it work with your home network
• So it will connect in the airport
• To access other facilities’ networks

Use a Wire When Available
• Faster
• More secure
• Less competition for access point bandwidth

Slide 23

Malicious Software

Leave Virus Protection and Firewall Programs Running
Check for or Allow Updates
Recognize Potential Malicious Activities:
• Hard drive running when no programs are running
• Unusual or unexpected logon screens
• Boot-up speed or sequence changes
• Performance degradation
• Returned e-mails

Others?

Slide 24

What: Acceptable Use Policy/Agreement

Include All Security Topics
Templates and Examples are Available Online
Include in Training
Have Users Sign
May Include Confidentiality and Privacy

Slide 25

When: Security Awareness Training

Prior to System/Facility Access
• Require security training
• Have Acceptable Use Policy, Confidentiality, Privacy and other agreements signed

Ongoing
• New Hire
• Reminder
• Annual
• Include security every chance

Non-employees

Slide 26

Where and How: Security Awareness Training

Posters
Newsletters
Login Dialogue Boxes
E-mails
Display Tables
Contests
“Mystery Guest”

Slide 27

Tests for Understanding

Positives
• Proof that learning occurred
• Program improvements

Negatives
• Proof that learning did not occur
• Handling the failures

Slide 28

Documentation

Annual Plan
Who/What/When Matrix
Proof of Occurrence
Quality Review Meeting Minutes

Slide 29

From George Mason University

S.E.C.U.R.E. I.T.
Simple (All users can implement these procedures)
Effective (Problems are solved by following procedures)
Concerned (All users should be concerned about security)
Useful (Procedures keep resources safe and available)
Responsibility (All users must follow the AUP)
Economical (Resources are protected and conserved)
Information (Confidentiality, integrity, accessibility)
Technology (Hardware is protected and preserved)

Slide 30

Thank You

Healthlink Incorporated
3800 Buffalo Speedway, Suite 550
Houston, TX 77098
1.800.223.8956

[email protected]

