TRANSCRIPT
Computer Security and what you can do about it…
Vadim Droznin – a geek - not a professional speaker!
Don’t let this happen to you!
Introduction
Discuss best practices for computers and mobile devices to protect you and your office information
You will be able to make knowledgeable decisions about combating potential threats on the Internet and make better decisions related to IT
QED Systems, Inc. has been helping companies with IT related issues for over 25 years.
Outline
Best practice to protect your computer
◦ Viruses
◦ Intrusion prevention
◦ Passwords
◦ Backup
◦ Encryption
◦ Cloud
◦ IT outsourcing vs in-house
◦ MASS PI Law – Regulation 201 CMR 17
◦ HIPAA compliance
Danger, Will Robinson, Danger!
Computer Virus – a program that can infect a computer without the permission or knowledge of the user
◦ Spreads over the WWW, network sharing, e-mail, social networking, and instant messaging. Will spread to other computers and potentially cause data loss
Malware (malicious software) – a program that infects and damages the computer/mobile device (most rootkits, some viruses, Trojan horses, worms). Example: Trojan Flame – a multi-component malware for targeted attacks. It is able to spy, leak data, and download/execute other components.
Spyware – a program that intercepts and takes partial control over the user's interaction with the computer or mobile device, or captures keystrokes
Adware – a program that displays, downloads, and pops up ads
SPAM – unsolicited e-mail. May be used for phishing or information gathering
Types of Antivirus/Antispyware
Antivirus: Kaspersky, Symantec, IObit, etc.
◦ Avira, Avast and AVG have free basic versions
◦ Ability to update and monitor. Scan the whole computer weekly
Anti-Spyware: Webroot, CounterSpy, etc.
◦ MalwareBytes and SuperAntispyware have free versions
◦ Scan weekly minimum
Viruses that disguise themselves
“Antivirus 2014/2013/2012/2011” and “Antivirus XP/7/8” (any year) are actually viruses
Never click on a pop up about your computer being infected when surfing
If infected, press and hold the power button 5 sec. to shut down, then seek expert help
Anti-SPAM / PHISHING
Use Internet e-mail sites that offer SPAM scanning (Yahoo, Google, MSN, etc.)
A free Anti-SPAM version is included for Outlook, Outlook Express, Apple and other versions
PHISHING – when an e-mail or Internet link takes the user to a site that masquerades as a real site (can also be done via a server)
Examples of PHISHING: E-Mails, Site
Firewall, Passwords, Wireless, etc.
Never hook your computer up to the Internet without a firewall. It takes less than 20 minutes to get hacked (cracked) or infected
Wireless must have WPA2 enabled with a 14-character-long passphrase. Cisco, Meraki, and others offer real wireless security solutions
Wi-Fi Protected Setup (WPS) is vulnerable and should be disabled
User account passwords on the computer and Internet site passwords must be at least 15 characters long – a combination of caps, small letters, numbers, and “special” characters
A UPS is recommended for computers in case of a power outage
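The two password rules stated on this slide (a 14-character WPA2 passphrase, and 15-character account passwords mixing caps, small letters, numbers and special characters) turned into a checker an office could run before accepting a new password. This is an added example, not code from the presentation; the function names and the sample passwords are constructed.

```python
import string

# Policies as stated on the slides:
#   - user account / Internet site passwords: at least 15 characters,
#     mixing capital letters, small letters, numbers and "special" characters
#   - WPA2 Wi-Fi passphrases: at least 14 characters
ACCOUNT_MIN_LEN = 15
WIFI_MIN_LEN = 14
SPECIAL = set(string.punctuation)


def check_account_password(pw: str) -> list:
    """Return the list of policy rules the password fails (empty list = compliant)."""
    failures = []
    if len(pw) < ACCOUNT_MIN_LEN:
        failures.append(f"shorter than {ACCOUNT_MIN_LEN} characters")
    if not any(c.isupper() for c in pw):
        failures.append("no capital letter")
    if not any(c.islower() for c in pw):
        failures.append("no small letter")
    if not any(c.isdigit() for c in pw):
        failures.append("no number")
    if not any(c in SPECIAL for c in pw):
        failures.append("no special character")
    return failures


def check_wifi_passphrase(pw: str) -> list:
    """Apply the slide's 14-character WPA2 rule, plus the WPA2-PSK format
    constraint (8 to 63 printable ASCII characters) so the passphrase can
    actually be configured on the access point."""
    failures = []
    if len(pw) < WIFI_MIN_LEN:
        failures.append(f"shorter than {WIFI_MIN_LEN} characters")
    if len(pw) > 63 or not all(32 <= ord(c) <= 126 for c in pw):
        failures.append("WPA2-PSK passphrases must be 8-63 printable ASCII characters")
    return failures


if __name__ == "__main__":
    # Constructed sample passwords, one failing and one passing the office policy.
    for candidate in ("Password1!", "Correct-Horse-Battery-42"):
        print(candidate, "->", check_account_password(candidate) or "OK")
    print("wifi:", check_wifi_passphrase("sunflower-garden-2014") or "OK")
```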
Operating Systems Pros and Cons
Windows OS is still the most popular and most widely used.
◦ Windows XP/Vista/7/8 replaced by Windows 8.1 as of 2014.
◦ Windows 7 and 8.1 are more secure: built-in Windows Defender and better security.
◦ All OSs are still prone to “security flaws”
Apple
◦ Can “dual boot” into both Apple and Windows OS.
◦ Still the most secure, but more and more programs are written to “infect” Mac OS.
Linux OS
◦ Used less, more secure than a PC, but may get infected and has flaws.
◦ May be hard to learn for the computer user, and has compatibility issues.
Mobile Devices and Phones
Phones have become more than a phone – mobile computers. Use a password to unlock the phone
◦ Purchase Antivirus (AVG Free) with an Android based phone. In the foreseeable future, be very careful when installing Apps on Android.
◦ iPhone has a much smaller chance of getting infected and downloading a malware/spyware based app.
◦ Blackberry has the best mail encryption, but its future is very questionable.
◦ The Android, iPhone and iPad apps market is continuing to grow.
Encryption
Encryption uses an algorithm to encode devices, files, or information
You should be encrypting any business related information on all devices that are taken outside the office – laptops, mobile devices, thumb drives, etc.
When creating a web site that requires a login, SSL encryption should be implemented
◦ Secure Sockets Layer encrypts the data over the Internet between server and client
Backup
You can never have enough backups
Redundancy is not a backup, but can be used for a quick restore
Backup (cont’d)
What should I NOT be using as backup media?
The best offsite backups (online backups) provide encryption
◦ Carbonite - $59.95/year unlimited size, plus plans for businesses
◦ Mozy - $5.95/month unlimited size
◦ Mozy and others offer 2 GB free versions
Cloud
Pros
◦ Minimizes IT support. Allows “pay as you go”
◦ Does not require a dedicated on-site location
◦ 24/7 uptime not tied to your office Internet
◦ Scalable
Cons
◦ Requires a higher level of security (prone to attack)
◦ Some applications cannot be used, for example HIPAA compliant ones
◦ If part of the Internet goes down, Cloud servers may not be reachable
Information Technology
Outsourcing
◦ Cost efficient if used “pay as required”
◦ Support 24/7
◦ Some of the support may be remote
◦ No sick/holiday/vacation time, though usually a higher rate during off-hours
◦ Provides a CYA
In-House
◦ Cost efficient if subsidized by a grant
◦ A dedicated person that is on site during business hours
◦ Person grows with the office and understands its technology needs better
Personal Information
The following information related to any Massachusetts resident is considered to be Personal Information (PI):
Name (first initial/name and last name) and one of the following:
◦ Social Security Number
◦ Driver’s License Number
◦ Financial Account Number (ex. Credit Card, Debit Card)
◦ Other Access Code Related to the Person’s Financial Information
MASS Personal Information Law
Standards for the Protection of Personal Information of Residents of the Commonwealth – Effective 3/1/10
◦ Safeguard personal information (PI), both paper and electronic
◦ Ensure security and confidentiality are consistent with industry standards
◦ Protect against anticipated threats
◦ Protect against unauthorized access
◦ Establishes minimum standards to be met in connection with the safeguarding of personal information (PI) contained in both paper and electronic records
Penalties: up to $50,000 per improper disposal and a maximum of $5,000 per violation
The above penalties don't include lost business, dealing with irate staff or families, mailing out letters, and other associated costs
Written Information Security Plan (WISP)
A working document that details how your organization will protect the non-public personal information (PI) of both students and staff through administrative, technical, and physical safeguards
WISP must address:
◦ Paper Files
◦ Electronic Information
PI - Paper Files
◦ Do not leave files containing PI out and about
◦ Lock desks and file cabinets containing PI
◦ Store keys related to locked desks/cabinets in a safe place
◦ If possible, avoid faxing PI
◦ If faxing is required, double check the # and name of the recipient before sending
PI - Electronic Information
Hardware – Your computer
◦ Any computer or mobile device that is portable cannot contain PI
◦ As extra security, if using a laptop that contains PI, try not to use wireless at a public location – turn off the wireless feature
Software – Usage on a daily basis
◦ Any email that may contain PI must be encrypted
◦ Passwords to computers cannot be left out in the open (under the mouse pad, keyboard, etc.)
◦ Passwords have to meet minimum requirements
Data Files – Protection of files with PI
◦ Files containing PI should be password protected and never taken off site
◦ No text, Instant Message, or social networking
◦ If there is a necessity to take files with PI offsite, files must be on an encrypted laptop or flash drive with secure password protection
Health Insurance Portability and Accountability Act - HIPAA
The HIPAA Privacy Rule provides federal protections for individually identifiable health information held by covered entities and their business associates and gives patients an array of rights with respect to that information.
The Privacy Rule is balanced so that it permits the disclosure of health information needed for patient care and other important purposes.
HIPAA applies to “PHI” (Protected Health Information). This is information that identifies who the health-related information belongs to – names, email addresses, phone numbers, medical record numbers, photos, driver’s license numbers, etc. If you have something that can identify a person together with health information of any kind (from an appointment, to a list of prescriptions, to test results, to a list of doctors) you have PHI that needs to be protected per HIPAA. ePHI is merely PHI that is stored or transmitted electronically (i.e. via email, text message, web site, database, online document storage, FAX, etc.).
HIPAA Applies to – Covered Entities and everyone touching PHI
◦ Health plans: with certain exceptions, an individual or group plan that provides or pays the cost of medical care.
◦ Health care clearinghouses: an entity that either processes or facilitates the processing of health information from various organizations, i.e. to reformat or process the data into standard formats.
◦ Health care providers: care, services, or supplies related to the health of an individual.
The HITECH additions to HIPAA extend HIPAA compliance requirements to all Business Associates of Covered Entities. Further, the Omnibus rule requires that all Business Associates of Business Associates also be compliant – everyone in the chain of companies from the Covered Entities onward needs to be compliant! Even law firms need to comply with HIPAA where they come into contact with PHI.
Note: Individuals (unless they fall into one of the above categories) do not have to be HIPAA compliant. So, for example, it is “OK” for a patient to be non-compliant in communicating with his doctor; however, the doctor must be compliant when communicating back and must be compliant with the patient’s communications once received.
Wrap-up
◦ Virus/Spyware/Malware/Adware
◦ SPAM/Phishing
◦ Firewall
◦ Wireless
◦ Passwords
◦ Windows 8/Apple
◦ Mobile Devices
◦ Encryption/Backup
◦ Cloud Hosting
◦ IT inhouse/outsourced
◦ 201 CMR 17
◦ HIPAA - www.hhs.gov/ocr/privacy