TMHG 529
Health Information
Privacy & Security
 Nawanan Theera-Ampornpunt, M.D., Ph.D.
  Faculty of Medicine Ramathibodi Hospital
             Mahidol University
               April 22, 2013

    http://www.SlideShare.net/Nawanan
Outline
   Introduction to Information Privacy & Security
   Protecting Information Privacy & Security
   User Security
   Software Security
   Cryptography
   Malware
   Security Standards

   Privacy & Security Laws will be in next topic
Introduction to
Information Privacy &
        Security
Threats to Information Security




                Malware
Sources of the Threats
   Hackers
   Viruses & Malware
   Poorly-designed systems
   Insiders (Employees)
   People’s ignorance & lack of knowledge
   Disasters & other incidents affecting
    information systems
Consequences of Security Attacks
   Information risks
       Unauthorized access & disclosure of confidential information
       Unauthorized addition, deletion, or modification of information
   Operational risks
       System not functional (Denial of Service - DoS)
       System wrongly operated
   Personal risks
       Identity thefts
       Financial losses
       Disclosure of information that may affect employment or other
        personal aspects (e.g. health information)
       Physical/psychological harms
   Organizational risks
       Financial losses
       Damage to reputation & trust
   Etc.
Privacy & Security
   Privacy: “The ability of an individual or group
    to seclude themselves or information about
    themselves and thereby reveal themselves
    selectively.” (Wikipedia)
   Security: “The degree of protection to safeguard
    ... person against danger, damage, loss, and
    crime.” (Wikipedia)
   Information Security: “Protecting information
    and information systems from unauthorized
    access, use, disclosure, disruption, modification,
    perusal, inspection, recording or destruction”
    (Wikipedia)
Information Security




   Confidentiality
   Integrity
   Availability
Examples of Confidentiality Risks




http://usatoday30.usatoday.com/life/people/2007-10-10-clooney_N.htm
Examples of Integrity Risks




                                “Operation Aurora”
       Alleged Targets: Google, Adobe, Juniper Networks,
       Yahoo!, Symantec, Northrop Grumman, Morgan Stanley,
       Dow Chemical
       Goal: To gain access to and potentially modify source
       code repositories at high tech, security & defense
       contractor companies
http://www.wired.com/threatlevel/2010/03/source-code-hacks/
http://en.wikipedia.org/wiki/Operation_Aurora
Examples of Integrity Risks




                                 Web Defacements
http://news.softpedia.com/news/700-000-InMotion-Websites-Hacked-by-TiGER-M-TE-223607.shtml
Examples of Availability Risks




           Viruses/worms that led to instability &
             system restart (e.g. Blaster worm)
http://en.wikipedia.org/wiki/Blaster_worm
Examples of Availability Risks




         Ariane 5 Flight 501 Rocket Launch Failure
       Cause: Software bug in the rocket's acceleration handling due to data conversion
       from a 64-bit floating point number to a 16-bit signed integer without
       proper checks, leading to arithmetic overflow
http://en.wikipedia.org/wiki/Ariane_5_Flight_501
Interesting Resources
   http://en.wikipedia.org/wiki/List_of_software_bugs
   http://en.wikipedia.org/wiki/Notable_computer_viruses_and_worms
   http://en.wikipedia.org/wiki/Hacktivism
   http://en.wikipedia.org/wiki/Website_defacement
   http://en.wikipedia.org/wiki/Hacker_(computer_security)
   http://en.wikipedia.org/wiki/List_of_hackers
Protecting Information
  Privacy & Security
Common Security Terms
   Attack
      An attempt to breach system security

   Threat
      A scenario that can harm a system

   Vulnerability
      The “hole” that is used in the attack
Class Exercise
   Identify some possible means an
    attacker could use to conduct a
    security attack
Simplified Attack Scenarios



 Alice        Server          Bob




                         Eve/Mallory
Simplified Attack Scenarios

      Alice                Server           Bob
                                            Eve/Mallory

-   Physical access to client computer
-   Electronic access (password)
-   Tricking user into doing something
    (malware, phishing & social engineering)
Simplified Attack Scenarios

      Alice               Server        Bob
                                        Eve/Mallory

-   Intercepting (eavesdropping or
    “sniffing”) data in transit
-   Modifying data (“Man-in-the-middle” attacks)
-   “Replay” attacks
Simplified Attack Scenarios

       Alice                Server                Bob
                                                  Eve/Mallory

-   Unauthorized access to servers through
    - Physical means
    - User accounts & privileges
    - Attacks through software vulnerabilities
    - Attacks using protocol weaknesses
-   DoS / DDoS attacks
Simplified Attack Scenarios

  Alice          Server       Bob
                              Eve/Mallory

Other & newer forms of attacks possible
Safeguarding Against Attacks



     Alice                  Server                  Bob

Administrative Security
- Security & privacy policy
- Governance of security risk management & response
- Uniform enforcement of policy & monitoring
- Disaster recovery planning (DRP) & Business continuity
  planning/management (BCP/BCM)
- Legal obligations, requirements & disclaimers
Safeguarding Against Attacks



       Alice                 Server                Bob

Physical Security
- Protecting physical access of clients & servers
  -   Locks & chains, locked rooms, security cameras
  -   Mobile device security
  -   Secure storage & secure disposition of storage devices
Safeguarding Against Attacks



      Alice                  Server                   Bob
User Security
- User account management
  -  Strong password policy (length, complexity, expiry, no meaning)
  -  Principle of Least Privilege
  -  “Clear desk, clear screen policy”
  -  Audit trails
- Education, awareness building & policy enforcement
  -  Alerts & education about phishing & social engineering
Safeguarding Against Attacks



      Alice                   Server                  Bob

System Security
- Antivirus, antispyware, personal firewall, intrusion
  detection/prevention system (IDS/IPS), log files, monitoring
- Updates, patches, fixes of operating system vulnerabilities &
  application vulnerabilities
- Redundancy (avoid “Single Point of Failure”)
- Honeypots
Safeguarding Against Attacks



      Alice                    Server                   Bob

Software Security
- Software (clients & servers) that is secure by design
- Software testing against failures, bugs, invalid inputs,
  performance issues & attacks
- Updates to patch vulnerabilities
Safeguarding Against Attacks



      Alice                   Server                  Bob

Network Security
- Access control (physical & electronic) to network devices
- Use of secure network protocols if possible
- Data encryption during transit if possible
- Bandwidth monitoring & control
Safeguarding Against Attacks



     Alice                 Server                 Bob

Database Security
- Access control to databases & storage devices
- Encryption of data stored in databases if necessary
- Secure destruction of data after use
- Access control to queries/reports
- Security features of database management systems (DBMS)
Privacy Safeguards
         Security safeguards
         Informed consent
         Privacy culture
         User awareness building & education
         Organizational policy & regulations
         Enforcement
         Ongoing privacy & security assessments, monitoring,
          and protection




Image: http://www.nurseweek.com/news/images/privacy.jpg
User Security
User Security
   Access control
       Selective restriction of access to the system
   Role-based access control
       Access control based on the person’s role
        (rather than identity)
   Audit trails
       Logs/records that provide evidence of
        sequence of activities
User Security
   Identification
       Identifying who you are
       Usually done by user IDs or some other unique codes
   Authentication
       Confirming that you truly are who you identify
       Usually done by keys, PIN, passwords or biometrics
   Authorization
       Specifying/verifying how much you have access
       Determined based on system owner’s policy & system
        configurations
       “Principle of Least Privilege”
User Security
   Nonrepudiation
       Proving integrity, origin, & performer of an
        activity without the person’s ability to refute
        his actions
       Most common form: signatures
       Electronic signatures offer varying degrees of
        nonrepudiation
          PIN/password vs. biometrics

       Digital certificates (in public key
        infrastructure - PKI) often used to ascertain
        nonrepudiation
User Security
   Multiple-Factor Authentication
   Two-Factor Authentication
       Use of multiple means (“factors”) for authentication
   Types of Authentication Factors
       Something you know
          Password, PIN, etc.

       Something you have
          Keys, cards, tokens, devices (e.g. mobile phones)

       Something you are
          Biometrics
Need for Strong Password Policy
                So, two informaticians
                walk into a bar...

                The bouncer says,
                "What's the password."

                One says, "Password?"

                The bouncer lets them
                in.
                   Credits: @RossMartin & AMIA (2012)
Recommended Password Policy
   Length
       8 characters or more (to slow down brute-force attacks)
   Complexity (to slow down brute-force attacks)
       Consists of 3 of 4 categories of characters
            Uppercase letters
            Lowercase letters
            Numbers
            Symbols (except symbols that have special uses by the
             system or that can be used to hack system, e.g. SQL Injection)
   No meaning (“Dictionary Attacks”)
   Not simple patterns (12345678, 11111111) (to slow down
    brute-force attacks & prevent dictionary attacks)
   Not easy to guess (birthday, family names, etc.) (to prevent
    unknown & known persons from guessing)
                                                Personal opinion. No legal responsibility assumed.
Recommended Password Policy
   Expiration (to make brute-force attacks not possible)
        6-8 months
        Decreasing over time because of increasing computer
         speed
        But be careful! Too short duration will force users to write
         passwords down
   Secure password storage in database or system
    (encrypted or store only password hashes)
   Secure password confirmation
   Secure “forget password” policy
   Different password for each account. Create variations
    to help remember. If not possible, have different sets of
    accounts for differing security needs (e.g., bank
    accounts vs. social media sites)
                                                 Personal opinion. No legal responsibility assumed.
Techniques to Remember Passwords
   http://www.wikihow.com/Create-a-Password-You-Can-Remember
       Note that some of the techniques are less secure!


   One easy & secure way: password mnemonic
       Think of a full sentence that you can remember
       Ideally the sentence should have 8 or more words, with
        numbers and symbols
       Use first character of each word as password
       Sentence: I love reading all 7 Harry Potter books!
       Password: Ilra7HPb!
       Voila!

                                            Personal opinion. No legal responsibility assumed.
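The two password slides above describe a policy (length, 3 of 4 character classes, no simple patterns, no dictionary words) and a mnemonic trick; the following is an added example, not part of the original deck, that implements both checks in Python and reproduces the slide's "Ilra7HPb!" derivation. The word list and the pattern rule are assumptions of this example, not the author's.

```python
import re
from typing import List

# Constructed stand-in for a real wordlist (assumption of this example).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "harry", "potter"}


def password_mnemonic(sentence: str) -> str:
    """Take the first character of every word; trailing punctuation on a word
    is kept so symbols survive (the slide's "books!" contributes "b!")."""
    parts = []
    for word in sentence.split():
        parts.append(word[0])
        trailing = re.search(r"[^A-Za-z0-9]+$", word)
        if trailing and len(word) > 1:      # "books!" -> "b!", but a lone "!" is not doubled
            parts.append(trailing.group())
    return "".join(parts)


def is_simple_pattern(pw: str) -> bool:
    """12345678, 11111111, abcdefgh, 87654321: every character identical, or
    every step between neighbours is the same +1 / -1 in code-point order."""
    if len(set(pw)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def check_password_policy(pw: str, min_len: int = 8) -> List[str]:
    """Return the policy rules the password violates (empty list = compliant).
    Rules follow the deck: length, 3 of 4 character classes, no simple
    pattern, no dictionary word (the deck's 'no meaning' rule)."""
    failures = []
    if len(pw) < min_len:
        failures.append("too short")
    classes = [
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),   # symbols; a real deployment may exclude some
    ]
    if sum(classes) < 3:
        failures.append("fewer than 3 of 4 character classes")
    if is_simple_pattern(pw):
        failures.append("simple pattern")
    if any(w in pw.lower() for w in COMMON_WORDS if len(w) >= 4):
        failures.append("contains dictionary word")
    return failures


if __name__ == "__main__":
    sentence = "I love reading all 7 Harry Potter books!"   # the deck's example
    pw = password_mnemonic(sentence)
    print(pw, check_password_policy(pw))                  # Ilra7HPb! []
    for weak in ("12345678", "11111111", "Password"):
        print(weak, check_password_policy(weak))
```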
Social Engineering Examples
       Dear mail.mahidol.ac.th Email Account User,

       We wrote to you on 11th January 2010 advising that you change the password on
       your account in order to prevent any unauthorised account access following
       the network instruction we previously communicated.

       all Mailhub systems will undergo regularly scheduled maintenance. Access
       to your e-mail via the Webmail client will be unavailable for some time
       during this maintenance period. We are currently upgrading our data base
       and e-mail account center i.e homepage view. We shall be deleting old
       [https://mail.mahidol.ac.th/l accounts which are no longer active to create
       more space for new accountsusers. we have also investigated a system wide
       security audit to improve and enhance
       our current security.

       In order to continue using our services you are require to update and
       re-comfirmed your email account details as requested below. To complete
       your account re-comfirmation,you must reply to this email immediately and
       enter your account
       details as requested below.

       Username :
       Password :
       Date of Birth:
       Future Password :
Real social-engineering e-mail received by Speaker
Phishing




Real phishing e-mail received by Speaker
Signs of a Phishing Attack
   Poor grammar
   Lots of typos
   Trying very hard to convince you to open
    attachment, click on link, or reply without
    enough detail
   May appear to be from known person (rely on
    trust & innocence)
Ways to Protect against Phishing
   Don’t be too trusting of people
   Always be suspicious & alert
   An e-mail with your friend’s name & info doesn’t have
    to come from him/her
   Look for signs of phishing attacks
   Don’t open attachments unless you expect them
   Scan for viruses before opening attachments
   Don’t click links in e-mail. Directly type in browser
    using known & trusted URLs
   Be especially cautious if asked for passwords, bank
    accounts, credit card numbers, social security numbers,
    etc.
Software Security
Software Security
          Most common reason for security bugs is
           invalid programming assumptions that
           attackers will look for
          Weak input checking
          Buffer overflow
          Integer overflow
          Race condition (Time of Check / Time of
           Use vulnerabilities)
          Running programs in new environments
Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
Software Security
          Feeping creaturism (Creeping featurism)
          Log files that contain sensitive
           information
          Configuration bugs
          Unnecessary privileges
          Monoculture
          Security bypass


Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
Example of Weak Input Checking:
      SQL Injection
        Consider a log-in form on a web page
        Source code would look something like this:
           statement = "SELECT * FROM users WHERE name = '" + userName + "';"

        Attacker would enter as username:
           ' or '1'='1
        Which leads to this always-true query:
           statement = "SELECT * FROM users WHERE name = '" + "' or '1'='1" + "';"

           statement = "SELECT * FROM users WHERE name = '' or '1'='1';"

http://en.wikipedia.org/wiki/SQL_injection
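To make the slide's point concrete, here is an added Python example (not from the deck) that runs the concatenated query from the slide against a constructed in-memory SQLite table next to the parameterized form; the table rows are invented sample data.

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """In-memory users table with constructed sample rows (not real accounts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "clinician"), ("carol", "clerk")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_name: str) -> List[Tuple[str, str]]:
    """The slide's pattern: the query is assembled by string concatenation, so
    whatever the user types becomes part of the SQL grammar, not a value."""
    statement = "SELECT * FROM users WHERE name = '" + user_name + "';"
    return conn.execute(statement).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, user_name: str) -> List[Tuple[str, str]]:
    """Hardened form: a bound parameter is always treated as data, so the
    slide's input merely looks for a user literally named  ' or '1'='1 ."""
    return conn.execute("SELECT * FROM users WHERE name = ?", (user_name,)).fetchall()


def quote_in_name_breaks_vulnerable(conn: sqlite3.Connection) -> bool:
    """Weak input checking is a correctness bug too: a legitimate name with an
    apostrophe makes the concatenated query malformed, while the
    parameterized query handles it without complaint."""
    try:
        lookup_vulnerable(conn, "o'brien")
        return False
    except sqlite3.OperationalError:
        return lookup_parameterized(conn, "o'brien") == []


def demo() -> dict:
    conn = make_db()
    injected = "' or '1'='1"            # the username from the slide
    return {
        "normal_vulnerable": lookup_vulnerable(conn, "bob"),
        "injected_vulnerable": lookup_vulnerable(conn, injected),     # every row
        "injected_parameterized": lookup_parameterized(conn, injected),  # no row
        "apostrophe_breaks_vulnerable": quote_in_name_breaks_vulnerable(conn),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```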
Secure Software Design Principles
          Economy of Mechanism
               Design should be small & simple
          Fail-safe default
          Complete mediation
               Check every access to every object
          Open design
          Separation of privilege / Least Privilege

Saltzer & Schroeder (1975), Viega & McGraw (2000)
Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
Secure Software Design Principles
         Least common mechanism
              Minimize complexity of shared
               components
         Psychological acceptability
              If users don’t buy in to security
               mechanism or don’t understand how to
               use it, system is insecure
         Work factor
              Cost of attack should exceed resources
               attacker will spend
Saltzer & Schroeder (1975), Viega & McGraw (2000)
Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
Secure Software Design Principles
         Compromise recording
              If too expensive to prevent a compromise,
               record it
              Tamper evident vs. tamperproof
              Log files




Saltzer & Schroeder (1975), Viega & McGraw (2000)
Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
Image source: http://www.flickr.com/photos/goobelyga/2340650133/
Secure Software Design Principles
         Defense in Depth
              Multiple layers of security defense are placed
               throughout a system to provide redundancy
               in the event a security control fails
         Secure the weakest link
         Promote privacy
         Trust no one


Saltzer & Schroeder (1975), Viega & McGraw (2000)
Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
http://en.wikipedia.org/wiki/Defense_in_depth_(computing)
Secure Software Best Practices
         Modular design
         Check error conditions on return values
         Validate inputs (whitelist vs. blacklist)
         Avoid infinite loops, memory leaks
         Check for integer overflows
         Language/library choices
         Development processes



Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
Cryptography
       Cryptography

           Alice                               Eve                               Bob

     Goal: provide a secure channel between Alice & Bob
     A secure channel
       Leaks no information about its contents

       Delivers only messages from Alice & Bob

       Delivers messages in order or not at all

Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
Cryptography
         Use of keys to convert plaintext into
          ciphertext
              Secret keys only Alice & Bob know
                  History: Caesar’s cipher, substitution
                   cipher, polyalphabetic rotation
                  Use of keys and some generator function to
                   create random-looking strings (e.g. stream
                   ciphers, block ciphers)



Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
Encryption Using Secret Key
       (Symmetric Cryptography)




           Alice                               Eve                               Bob

      1. Encrypt message using secret key
      2. Send encrypted message to Bob
      3. Decrypt message using same secret key

                         Eve doesn’t know secret key
               (but there are various ways to discover the key)
Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
Cryptography
         What if no shared secret exists?
              Public-key cryptography
                  Each publishes public key publicly
                  Each keeps secret key secret
                  Use arithmetic to encrypt & decrypt
                   message




Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
Public-Key Cryptography
       (Asymmetric Cryptography)




           Alice                               Eve                               Bob

      1. Obtains Bob’s public key from public server
      2. Use Bob’s public key to encrypt message
      3. Send encrypted message to Bob
      4. Decrypt message using own private key

                  Even if Eve knows public key, can’t discover
                   message (unless weakness in algorithm)
Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
Digital Signatures




           Alice                                                               Bob

      1. Sign message using own private key
      2. Send plaintext and random-looking string
         (digital signature) to Bob
      3. Use Alice’s public key against plaintext received
         to get digital signature
      4. Compare to match Alice’s digital signature received
         against signature obtained in #3

                          Provides nonrepudiation

Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
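The public-key and digital-signature slides above describe the flow in words; this added Python example (not part of the deck) walks it through with textbook RSA: Alice signs a hash with her private exponent, Bob verifies with her public key, and a tampered message or forged signature fails. The key parameters are constructed Mersenne primes chosen for the demo; textbook RSA without padding and keys this small are for teaching only.

```python
import hashlib
from typing import Tuple

# Constructed toy parameters (assumption of this example): two Mersenne primes.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
E = 65537                       # public exponent


def modinv(a: int, m: int) -> int:
    """Modular inverse by extended Euclid (a and m must be coprime)."""
    r0, r1, s0, s1 = m, a % m, 0, 1
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    if r0 != 1:
        raise ValueError("not invertible")
    return s0 % m


D = modinv(E, (P - 1) * (Q - 1))   # private exponent, derived from the secret factors
PUBLIC_KEY: Tuple[int, int] = (N, E)     # Alice publishes this
PRIVATE_KEY: Tuple[int, int] = (N, D)    # Alice keeps this secret


def digest(message: bytes) -> int:
    """The signature is computed over a hash of the message, not the plaintext,
    so it is a fixed-size 'random-looking string' regardless of message size."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_key: Tuple[int, int]) -> int:
    """Step 1 on the slide: only the holder of d can produce this value."""
    n, d = private_key
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, public_key: Tuple[int, int]) -> bool:
    """Steps 3-4: recompute the hash from the received plaintext and compare it
    with what the public exponent recovers from the received signature."""
    n, e = public_key
    return pow(signature, e, n) == digest(message)


def demo() -> dict:
    msg = b"Transfer patient record #42 to Dr. Bob"        # constructed sample message
    sig = sign(msg, PRIVATE_KEY)
    return {
        "genuine": verify(msg, sig, PUBLIC_KEY),
        # Mallory edits the plaintext in transit: hash no longer matches.
        "tampered_message": verify(b"Transfer patient record #43 to Dr. Bob", sig, PUBLIC_KEY),
        # Mallory alters the signature without knowing d: verification fails.
        "forged_signature": verify(msg, sig + 1, PUBLIC_KEY),
    }


if __name__ == "__main__":
    print(demo())   # genuine True, tampered_message False, forged_signature False
```

Nonrepudiation follows from the same property: a signature that verifies under Alice's public key could only have been made with the exponent D she alone holds.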
Malware
Malware
   Malicious software - Any code with intentional,
    undesirable side effects
   Virus
   Worm
   Trojan
   Spyware
   Logic Bomb/Time Bomb
   Backdoor/Trapdoor
   Rootkit
   Botnet
Malware
   Virus
       Propagating malware that requires user action
        to propagate
       Infects executable files, data files with
        executable contents (e.g. Macro), boot sectors
   Worm
       Self-propagating malware
   Trojan
       A legitimate program with additional, hidden
        functionality
Malware
   Spyware
       Trojan that spies for & steals personal
        information
   Logic Bomb/Time Bomb
       Malware that triggers under certain conditions
   Backdoor/Trapdoor
       A hole left behind by malware for future access
Malware
   Rogue Antispyware (Ransomware)
       Software that tricks or forces users to pay before it will
        fix the spyware it claims to have detected (real or hoax)
   Rootkit
       A stealth program designed to hide existence of
        certain processes or programs from detection
   Botnet
       A collection of Internet-connected computers that have
        been compromised (bots) which the controller of the
        botnet can use to do something (e.g. launch DDoS attacks)
Defense Against Malware
   Installed & updated antivirus, antispyware, &
    personal firewall
       Check for known signatures
       Check for improper file changes (integrity failures)
       Check for generic patterns of malware (for unknown
        malware): “Heuristics scan”
       Firewall: Block certain network traffic in and out
   Sandboxing
   Network monitoring & containment
   User education
   Software patches, more secure protocols
Newer Threats
   Social media spams/scams/clickjacking
   Social media privacy issues
       User privacy settings
       Location services
   Mobile device malware & other privacy risks
   Stuxnet (advanced malware targeting certain
    countries)
   Advanced persistent threats (APT) by
    governments & corporations against specific
    targets
Security Standards
Some Information Security Standards
•   ISO/IEC 27000 — Information security management systems — Overview and
    vocabulary
•   ISO/IEC 27001 — Information security management systems — Requirements
•   ISO/IEC 27002 — Code of practice for information security management
•   ISO/IEC 27003 — Information security management system implementation guidance
•   ISO/IEC 27004 — Information security management — Measurement
•   ISO/IEC 27005 — Information security risk management
•   ISO/IEC 27031 — Guidelines for information and communications technology readiness
    for business continuity
•   ISO/IEC 27032 — Guideline for cybersecurity (essentially, 'being a good neighbor' on
    the Internet)
•   ISO/IEC 27033-1 — Network security overview and concepts
•   ISO/IEC 27033-2 — Guidelines for the design and implementation of network security
•   ISO/IEC 27033-3:2010 — Reference networking scenarios - Threats, design techniques
    and control issues
•   ISO/IEC 27034 — Guideline for application security
•   ISO/IEC 27035 — Security incident management
•   ISO 27799 — Information security management in health using ISO/IEC 27002
More Information
   US-CERT
       U.S. Computer Emergency Readiness Team
       http://www.us-cert.gov/
       Subscribe to alerts & news
   Microsoft Security Resources
       http://technet.microsoft.com/en-us/security
       http://technet.microsoft.com/en-us/security/bulletin
   Common Vulnerabilities & Exposures
       http://cve.mitre.org/
Q&A

 
Information Security Lecture Notes
Information Security Lecture NotesInformation Security Lecture Notes
Information Security Lecture NotesFellowBuddy.com
 
Computer security and_privacy_2010-2011
Computer security and_privacy_2010-2011Computer security and_privacy_2010-2011
Computer security and_privacy_2010-2011lbcollins18
 
Cybersecurity and Risk Management Technology
Cybersecurity and Risk Management TechnologyCybersecurity and Risk Management Technology
Cybersecurity and Risk Management TechnologyMohammad Febri
 
Information System Security(lecture 1)
Information System Security(lecture 1)Information System Security(lecture 1)
Information System Security(lecture 1)Ali Habeeb
 
Basic security concepts_chapter_1_6perpage
Basic security concepts_chapter_1_6perpageBasic security concepts_chapter_1_6perpage
Basic security concepts_chapter_1_6perpagenakomuri
 
1 security goals
1   security goals1   security goals
1 security goalsdrewz lin
 

Similaire à Health Information Privacy and Security (20)

Health Information Privacy and Security
Health Information Privacy and SecurityHealth Information Privacy and Security
Health Information Privacy and Security
 
Health Information Security and Privacy (June 19, 2017)
Health Information Security and Privacy (June 19, 2017)Health Information Security and Privacy (June 19, 2017)
Health Information Security and Privacy (June 19, 2017)
 
Health Information Privacy and Security (October 21, 2020)
Health Information Privacy and Security (October 21, 2020)Health Information Privacy and Security (October 21, 2020)
Health Information Privacy and Security (October 21, 2020)
 
Health Information Privacy and Security
Health Information Privacy and SecurityHealth Information Privacy and Security
Health Information Privacy and Security
 
Cybersecurity (November 12, 2021)
Cybersecurity (November 12, 2021)Cybersecurity (November 12, 2021)
Cybersecurity (November 12, 2021)
 
Health Information Privacy and Security (October 30, 2019)
Health Information Privacy and Security (October 30, 2019)Health Information Privacy and Security (October 30, 2019)
Health Information Privacy and Security (October 30, 2019)
 
Information Security & Privacy in Healthcare (February 9, 2021)
Information Security & Privacy in Healthcare (February 9, 2021)Information Security & Privacy in Healthcare (February 9, 2021)
Information Security & Privacy in Healthcare (February 9, 2021)
 
01-intro-thompson.ppt
01-intro-thompson.ppt01-intro-thompson.ppt
01-intro-thompson.ppt
 
Computer and Network Security
Computer and Network SecurityComputer and Network Security
Computer and Network Security
 
01-intro-thompson.ppt
01-intro-thompson.ppt01-intro-thompson.ppt
01-intro-thompson.ppt
 
01-intro-thompson.ppt
01-intro-thompson.ppt01-intro-thompson.ppt
01-intro-thompson.ppt
 
Cyber Security: A Hands on review
Cyber Security: A Hands on reviewCyber Security: A Hands on review
Cyber Security: A Hands on review
 
Information Security Lecture Notes
Information Security Lecture NotesInformation Security Lecture Notes
Information Security Lecture Notes
 
Insecurity vssut
Insecurity vssutInsecurity vssut
Insecurity vssut
 
Computer security and_privacy_2010-2011
Computer security and_privacy_2010-2011Computer security and_privacy_2010-2011
Computer security and_privacy_2010-2011
 
IS Unit II.pptx
IS Unit II.pptxIS Unit II.pptx
IS Unit II.pptx
 
Cybersecurity and Risk Management Technology
Cybersecurity and Risk Management TechnologyCybersecurity and Risk Management Technology
Cybersecurity and Risk Management Technology
 
Information System Security(lecture 1)
Information System Security(lecture 1)Information System Security(lecture 1)
Information System Security(lecture 1)
 
Basic security concepts_chapter_1_6perpage
Basic security concepts_chapter_1_6perpageBasic security concepts_chapter_1_6perpage
Basic security concepts_chapter_1_6perpage
 
1 security goals
1   security goals1   security goals
1 security goals
 

Plus de Nawanan Theera-Ampornpunt

Health Informatics for Health Service Systems (March 11, 2024)
Health Informatics for Health Service Systems (March 11, 2024)Health Informatics for Health Service Systems (March 11, 2024)
Health Informatics for Health Service Systems (March 11, 2024)Nawanan Theera-Ampornpunt
 
Personal Data Protection Act and the Four Subordinate Laws (February 29, 2024)
Personal Data Protection Act and the Four Subordinate Laws (February 29, 2024)Personal Data Protection Act and the Four Subordinate Laws (February 29, 2024)
Personal Data Protection Act and the Four Subordinate Laws (February 29, 2024)Nawanan Theera-Ampornpunt
 
Privacy & PDPA Awareness Training for Ramathibodi Residents (October 5, 2023)
Privacy & PDPA Awareness Training for Ramathibodi Residents (October 5, 2023)Privacy & PDPA Awareness Training for Ramathibodi Residents (October 5, 2023)
Privacy & PDPA Awareness Training for Ramathibodi Residents (October 5, 2023)Nawanan Theera-Ampornpunt
 
Case Study PDPA Workshop (September 15, 2023)
Case Study PDPA Workshop (September 15, 2023)Case Study PDPA Workshop (September 15, 2023)
Case Study PDPA Workshop (September 15, 2023)Nawanan Theera-Ampornpunt
 
Case Studies on Overview of PDPA and its Subordinate Laws (September 15, 2023)
Case Studies on Overview of PDPA and its Subordinate Laws (September 15, 2023)Case Studies on Overview of PDPA and its Subordinate Laws (September 15, 2023)
Case Studies on Overview of PDPA and its Subordinate Laws (September 15, 2023)Nawanan Theera-Ampornpunt
 
Ramathibodi Security & Privacy Awareness Training (Fiscal Year 2023)
Ramathibodi Security & Privacy Awareness Training (Fiscal Year 2023)Ramathibodi Security & Privacy Awareness Training (Fiscal Year 2023)
Ramathibodi Security & Privacy Awareness Training (Fiscal Year 2023)Nawanan Theera-Ampornpunt
 
Relationship Between Thailand's Official Information Act and Personal Data Pr...
Relationship Between Thailand's Official Information Act and Personal Data Pr...Relationship Between Thailand's Official Information Act and Personal Data Pr...
Relationship Between Thailand's Official Information Act and Personal Data Pr...Nawanan Theera-Ampornpunt
 
Social Media - PDPA: Is There A Way Out? (October 19, 2022)
Social Media - PDPA: Is There A Way Out? (October 19, 2022)Social Media - PDPA: Is There A Way Out? (October 19, 2022)
Social Media - PDPA: Is There A Way Out? (October 19, 2022)Nawanan Theera-Ampornpunt
 
Do's and Don'ts on PDPA for Doctors (May 31, 2022)
Do's and Don'ts on PDPA for Doctors (May 31, 2022)Do's and Don'ts on PDPA for Doctors (May 31, 2022)
Do's and Don'ts on PDPA for Doctors (May 31, 2022)Nawanan Theera-Ampornpunt
 
Telemedicine: A Health Informatician's Point of View
Telemedicine: A Health Informatician's Point of ViewTelemedicine: A Health Informatician's Point of View
Telemedicine: A Health Informatician's Point of ViewNawanan Theera-Ampornpunt
 
การบริหารความเสี่ยงคณะฯ (February 9, 2022)
การบริหารความเสี่ยงคณะฯ (February 9, 2022)การบริหารความเสี่ยงคณะฯ (February 9, 2022)
การบริหารความเสี่ยงคณะฯ (February 9, 2022)Nawanan Theera-Ampornpunt
 
จริยธรรมและกฎหมายที่เกี่ยวข้องกับเทคโนโลยีสารสนเทศทางสุขภาพ (February 8, 2022)
จริยธรรมและกฎหมายที่เกี่ยวข้องกับเทคโนโลยีสารสนเทศทางสุขภาพ (February 8, 2022)จริยธรรมและกฎหมายที่เกี่ยวข้องกับเทคโนโลยีสารสนเทศทางสุขภาพ (February 8, 2022)
จริยธรรมและกฎหมายที่เกี่ยวข้องกับเทคโนโลยีสารสนเทศทางสุขภาพ (February 8, 2022)Nawanan Theera-Ampornpunt
 
พระราชบัญญัติคุ้มครองข้อมูลส่วนบุคคล พ.ศ. 2562 (PDPA) (January 21, 2022)
พระราชบัญญัติคุ้มครองข้อมูลส่วนบุคคล พ.ศ. 2562 (PDPA) (January 21, 2022)พระราชบัญญัติคุ้มครองข้อมูลส่วนบุคคล พ.ศ. 2562 (PDPA) (January 21, 2022)
พระราชบัญญัติคุ้มครองข้อมูลส่วนบุคคล พ.ศ. 2562 (PDPA) (January 21, 2022)Nawanan Theera-Ampornpunt
 
Digital Health Transformation for Health Executives (January 18, 2022)
Digital Health Transformation for Health Executives (January 18, 2022)Digital Health Transformation for Health Executives (January 18, 2022)
Digital Health Transformation for Health Executives (January 18, 2022)Nawanan Theera-Ampornpunt
 
Updates on Privacy & Security Laws (November 26, 2021)
Updates on Privacy & Security Laws (November 26, 2021)Updates on Privacy & Security Laws (November 26, 2021)
Updates on Privacy & Security Laws (November 26, 2021)Nawanan Theera-Ampornpunt
 
Health Informatics for Clinical Research (November 25, 2021)
Health Informatics for Clinical Research (November 25, 2021)Health Informatics for Clinical Research (November 25, 2021)
Health Informatics for Clinical Research (November 25, 2021)Nawanan Theera-Ampornpunt
 
Research Ethics and Ethics for Health Informaticians (November 15, 2021)
Research Ethics and Ethics for Health Informaticians (November 15, 2021)Research Ethics and Ethics for Health Informaticians (November 15, 2021)
Research Ethics and Ethics for Health Informaticians (November 15, 2021)Nawanan Theera-Ampornpunt
 
Consumer Health Informatics, Mobile Health, and Social Media for Health: Part...
Consumer Health Informatics, Mobile Health, and Social Media for Health: Part...Consumer Health Informatics, Mobile Health, and Social Media for Health: Part...
Consumer Health Informatics, Mobile Health, and Social Media for Health: Part...Nawanan Theera-Ampornpunt
 

Plus de Nawanan Theera-Ampornpunt (20)

Health Informatics for Health Service Systems (March 11, 2024)
Health Informatics for Health Service Systems (March 11, 2024)Health Informatics for Health Service Systems (March 11, 2024)
Health Informatics for Health Service Systems (March 11, 2024)
 
Personal Data Protection Act and the Four Subordinate Laws (February 29, 2024)
Personal Data Protection Act and the Four Subordinate Laws (February 29, 2024)Personal Data Protection Act and the Four Subordinate Laws (February 29, 2024)
Personal Data Protection Act and the Four Subordinate Laws (February 29, 2024)
 
Privacy & PDPA Awareness Training for Ramathibodi Residents (October 5, 2023)
Privacy & PDPA Awareness Training for Ramathibodi Residents (October 5, 2023)Privacy & PDPA Awareness Training for Ramathibodi Residents (October 5, 2023)
Privacy & PDPA Awareness Training for Ramathibodi Residents (October 5, 2023)
 
Case Study PDPA Workshop (September 15, 2023)
Case Study PDPA Workshop (September 15, 2023)Case Study PDPA Workshop (September 15, 2023)
Case Study PDPA Workshop (September 15, 2023)
 
Case Studies on Overview of PDPA and its Subordinate Laws (September 15, 2023)
Case Studies on Overview of PDPA and its Subordinate Laws (September 15, 2023)Case Studies on Overview of PDPA and its Subordinate Laws (September 15, 2023)
Case Studies on Overview of PDPA and its Subordinate Laws (September 15, 2023)
 
Ramathibodi Security & Privacy Awareness Training (Fiscal Year 2023)
Ramathibodi Security & Privacy Awareness Training (Fiscal Year 2023)Ramathibodi Security & Privacy Awareness Training (Fiscal Year 2023)
Ramathibodi Security & Privacy Awareness Training (Fiscal Year 2023)
 
Relationship Between Thailand's Official Information Act and Personal Data Pr...
Relationship Between Thailand's Official Information Act and Personal Data Pr...Relationship Between Thailand's Official Information Act and Personal Data Pr...
Relationship Between Thailand's Official Information Act and Personal Data Pr...
 
Social Media - PDPA: Is There A Way Out? (October 19, 2022)
Social Media - PDPA: Is There A Way Out? (October 19, 2022)Social Media - PDPA: Is There A Way Out? (October 19, 2022)
Social Media - PDPA: Is There A Way Out? (October 19, 2022)
 
Do's and Don'ts on PDPA for Doctors (May 31, 2022)
Do's and Don'ts on PDPA for Doctors (May 31, 2022)Do's and Don'ts on PDPA for Doctors (May 31, 2022)
Do's and Don'ts on PDPA for Doctors (May 31, 2022)
 
Telemedicine: A Health Informatician's Point of View
Telemedicine: A Health Informatician's Point of ViewTelemedicine: A Health Informatician's Point of View
Telemedicine: A Health Informatician's Point of View
 
Meeting Management (March 2, 2022)
Meeting Management (March 2, 2022)Meeting Management (March 2, 2022)
Meeting Management (March 2, 2022)
 
การบริหารความเสี่ยงคณะฯ (February 9, 2022)
การบริหารความเสี่ยงคณะฯ (February 9, 2022)การบริหารความเสี่ยงคณะฯ (February 9, 2022)
การบริหารความเสี่ยงคณะฯ (February 9, 2022)
 
จริยธรรมและกฎหมายที่เกี่ยวข้องกับเทคโนโลยีสารสนเทศทางสุขภาพ (February 8, 2022)
จริยธรรมและกฎหมายที่เกี่ยวข้องกับเทคโนโลยีสารสนเทศทางสุขภาพ (February 8, 2022)จริยธรรมและกฎหมายที่เกี่ยวข้องกับเทคโนโลยีสารสนเทศทางสุขภาพ (February 8, 2022)
จริยธรรมและกฎหมายที่เกี่ยวข้องกับเทคโนโลยีสารสนเทศทางสุขภาพ (February 8, 2022)
 
พระราชบัญญัติคุ้มครองข้อมูลส่วนบุคคล พ.ศ. 2562 (PDPA) (January 21, 2022)
พระราชบัญญัติคุ้มครองข้อมูลส่วนบุคคล พ.ศ. 2562 (PDPA) (January 21, 2022)พระราชบัญญัติคุ้มครองข้อมูลส่วนบุคคล พ.ศ. 2562 (PDPA) (January 21, 2022)
พระราชบัญญัติคุ้มครองข้อมูลส่วนบุคคล พ.ศ. 2562 (PDPA) (January 21, 2022)
 
Digital Health Transformation for Health Executives (January 18, 2022)
Digital Health Transformation for Health Executives (January 18, 2022)Digital Health Transformation for Health Executives (January 18, 2022)
Digital Health Transformation for Health Executives (January 18, 2022)
 
Updates on Privacy & Security Laws (November 26, 2021)
Updates on Privacy & Security Laws (November 26, 2021)Updates on Privacy & Security Laws (November 26, 2021)
Updates on Privacy & Security Laws (November 26, 2021)
 
Hospital Informatics (November 26, 2021)
Hospital Informatics (November 26, 2021)Hospital Informatics (November 26, 2021)
Hospital Informatics (November 26, 2021)
 
Health Informatics for Clinical Research (November 25, 2021)
Health Informatics for Clinical Research (November 25, 2021)Health Informatics for Clinical Research (November 25, 2021)
Health Informatics for Clinical Research (November 25, 2021)
 
Research Ethics and Ethics for Health Informaticians (November 15, 2021)
Research Ethics and Ethics for Health Informaticians (November 15, 2021)Research Ethics and Ethics for Health Informaticians (November 15, 2021)
Research Ethics and Ethics for Health Informaticians (November 15, 2021)
 
Consumer Health Informatics, Mobile Health, and Social Media for Health: Part...
Consumer Health Informatics, Mobile Health, and Social Media for Health: Part...Consumer Health Informatics, Mobile Health, and Social Media for Health: Part...
Consumer Health Informatics, Mobile Health, and Social Media for Health: Part...
 

Dernier

TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 

Dernier (20)

TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 

Health Information Privacy and Security

  • 8. Information Security
     Confidentiality
     Integrity
     Availability
  • 9. Examples of Confidentiality Risks http://usatoday30.usatoday.com/life/people/2007-10-10-clooney_N.htm
  • 10. Examples of Integrity Risks: “Operation Aurora”
     Alleged targets: Google, Adobe, Juniper Networks, Yahoo!, Symantec, Northrop Grumman, Morgan Stanley, Dow Chemical
     Goal: to gain access to, and potentially modify, source code repositories at high-tech, security & defense contractor companies
     http://www.wired.com/threatlevel/2010/03/source-code-hacks/
     http://en.wikipedia.org/wiki/Operation_Aurora
  • 11. Examples of Integrity Risks: Web Defacements
     http://news.softpedia.com/news/700-000-InMotion-Websites-Hacked-by-TiGER-M-TE-223607.shtml
  • 12. Examples of Availability Risks: viruses/worms that led to instability & system restart (e.g. Blaster worm)
     http://en.wikipedia.org/wiki/Blaster_worm
  • 13. Examples of Availability Risks: Ariane 5 Flight 501 rocket launch failure
     Cause: a software bug in the inertial reference system converted a 64-bit floating-point value (horizontal velocity) to a 16-bit signed integer without a range check, causing an arithmetic overflow; the resulting error was not handled, the system shut down, and the rocket self-destructed shortly after launch
     http://en.wikipedia.org/wiki/Ariane_5_Flight_501
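A worked illustration of the Ariane 5 failure mode, added here as an example and not part of the original slides. Python integers never overflow, so the block emulates the C-style silent wrap-around of a 64-bit float narrowed to a 16-bit signed integer and contrasts it with a range-checked conversion and a saturating one; the input values are constructed. In the real incident the conversion did raise an error, and the missing piece was a handler, so a check alone is not the whole fix: the caller has to decide what happens when the value does not fit.

```python
INT16_MIN, INT16_MAX = -32768, 32767


def to_int16_unchecked(value: float) -> int:
    """Emulate a C-style narrowing conversion: keep the low 16 bits and
    reinterpret them as a two's-complement signed integer. This silent
    wrap-around produces a wrong number with no error at all."""
    raw = int(value) & 0xFFFF                 # keep only the low 16 bits
    return raw - 0x10000 if raw > INT16_MAX else raw


def to_int16_checked(value: float) -> int:
    """Range-checked conversion: refuse values that do not fit in int16
    instead of returning garbage. Raising is only half the job; the
    caller must handle OverflowError, or the check just moves the crash."""
    truncated = int(value)
    if not INT16_MIN <= truncated <= INT16_MAX:
        raise OverflowError(f"{value!r} does not fit in a 16-bit signed integer")
    return truncated


def to_int16_saturated(value: float) -> int:
    """Alternative often used in control code: clamp to the representable
    range so the system degrades (slightly wrong value) rather than halts."""
    return max(INT16_MIN, min(INT16_MAX, int(value)))


if __name__ == "__main__":
    # Constructed sample: a horizontal velocity far above what fits in int16.
    sample = 40000.0
    print("unchecked :", to_int16_unchecked(sample))   # wraps to a negative value
    print("saturated :", to_int16_saturated(sample))   # clamped to INT16_MAX
    try:
        to_int16_checked(sample)
    except OverflowError as exc:
        print("checked   :", exc)                      # caller must handle this
```

Which of the two safe variants is right depends on the system: for a flight computer a clamped value that keeps the vehicle flying is usually better than a halted one, which is the availability lesson of this slide.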
  • 14. Interesting Resources
     http://en.wikipedia.org/wiki/List_of_software_bugs
     http://en.wikipedia.org/wiki/Notable_computer_viruses_and_worms
     http://en.wikipedia.org/wiki/Hacktivism
     http://en.wikipedia.org/wiki/Website_defacement
     http://en.wikipedia.org/wiki/Hacker_(computer_security)
     http://en.wikipedia.org/wiki/List_of_hackers
  • 15. Protecting Information Privacy & Security
  • 16. Common Security Terms
     Attack: an attempt to breach system security
     Threat: a scenario that can harm a system
     Vulnerability: the “hole” that is used in the attack
  • 17. Class Exercise  Identify some possible means an attacker could use to conduct a security attack
  • 18. Simplified Attack Scenarios [Diagram: Alice, Server and Bob communicating; Eve/Mallory as the attacker]
  • 19. Simplified Attack Scenarios: attacking the user’s computer
     Physical access to the client computer
     Electronic access (password)
     Tricking the user into doing something (malware, phishing & social engineering)
  • 20. Simplified Attack Scenarios: attacking data in transit
     Intercepting (eavesdropping or “sniffing”) data in transit
     Modifying data (“man-in-the-middle” attacks)
     “Replay” attacks
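The eavesdrop-and-replay scenario from slide 20, worked through as an added example that is not part of the original slides. Alice sends a MAC-protected request to the Server; Eve captures it and resubmits it. A server that only verifies the MAC accepts the replay, because the MAC proves the message was not altered, not that it is new. A server that also binds a random nonce and a timestamp into the signed body, remembers recent nonces and enforces a freshness window rejects the replay, a stale message, and a tampered one. The shared key, the message format, the order text and the 30-second window are all constructed for the demo.

```python
import hashlib
import hmac
import json
import os

# Constructed demo key shared by Alice (client) and the Server.
# In a real deployment it comes from a key store, never from source code.
SHARED_KEY = b"demo-shared-key-not-for-production"
FRESHNESS_WINDOW = 30  # seconds a signed message stays acceptable (assumption)


def mac(key: bytes, payload: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def build_request(key: bytes, action: str, now: float) -> dict:
    """Client side: bind a fresh nonce and a timestamp into the signed body,
    so neither can be changed without invalidating the MAC."""
    body = {"action": action, "ts": int(now), "nonce": os.urandom(8).hex()}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "mac": mac(key, payload)}


class NaiveServer:
    """Checks the MAC only: detects tampering, but Eve can resubmit a
    captured request as often as she likes."""

    def __init__(self, key: bytes):
        self.key = key

    def accept(self, req: dict, now: float) -> bool:
        payload = json.dumps(req["body"], sort_keys=True).encode()
        # constant-time compare so the check itself does not leak the MAC
        return hmac.compare_digest(mac(self.key, payload), req["mac"])


class ReplayResistantServer(NaiveServer):
    """MAC check plus a freshness window and a set of recently seen nonces."""

    def __init__(self, key: bytes):
        super().__init__(key)
        self.seen = {}  # nonce -> timestamp, so old entries can be purged

    def accept(self, req: dict, now: float) -> bool:
        if not super().accept(req, now):
            return False                          # forged or tampered
        ts, nonce = req["body"]["ts"], req["body"]["nonce"]
        if abs(now - ts) > FRESHNESS_WINDOW:
            return False                          # stale, or clock skew too large
        # Nonces older than the window cannot be replayed anyway (the timestamp
        # check rejects them), so it is safe to forget them.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= FRESHNESS_WINDOW}
        if nonce in self.seen:
            return False                          # replay
        self.seen[nonce] = ts
        return True


def demo() -> dict:
    """Run Alice's request, Eve's replay, a stale message and a tampered one
    against both servers and report each decision."""
    now = 1_700_000_000.0
    req = build_request(SHARED_KEY, "dispense:patient-42:morphine-10mg", now)
    naive, hardened = NaiveServer(SHARED_KEY), ReplayResistantServer(SHARED_KEY)
    results = {
        "naive_first": naive.accept(req, now),
        "naive_replay": naive.accept(req, now + 5),        # Eve resubmits: accepted
        "hardened_first": hardened.accept(req, now),
        "hardened_replay": hardened.accept(req, now + 5),  # rejected: nonce seen
        "hardened_stale": hardened.accept(
            build_request(SHARED_KEY, "x", now - 120), now),   # rejected: too old
    }
    tampered = {"body": dict(req["body"], action="dispense:patient-42:morphine-100mg"),
                "mac": req["mac"]}
    results["tampered"] = hardened.accept(tampered, now)   # rejected: MAC mismatch
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:16s} {'accepted' if decision else 'rejected'}")
```

The nonce set is what defeats the replay inside the window, and the timestamp is what lets the server keep that set small; drop either and one of the two attacks comes back. TLS solves the same problem in transit, but this pattern is still needed for signed messages that are stored and forwarded, such as HL7 or API calls relayed through an integration engine.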
  • 21. Simplified Attack Scenarios: attacking the server
     Unauthorized access to servers through physical means, or through user accounts & privileges
     Attacks through software vulnerabilities
     Attacks using protocol weaknesses
     DoS / DDoS attacks
  • 22. Simplified Attack Scenarios: other & newer forms of attacks are possible
  • 23. Safeguarding Against Attacks: Administrative Security
     Security & privacy policy
     Governance of security risk management & response
     Uniform enforcement of policy & monitoring
     Disaster recovery planning (DRP) & business continuity planning/management (BCP/BCM)
     Legal obligations, requirements & disclaimers
  • 24. Safeguarding Against Attacks: Physical Security
     Protecting physical access to clients & servers
     Locks & chains, locked rooms, security cameras
     Mobile device security
     Secure storage & secure disposal of storage devices
  • 25. Safeguarding Against Attacks: User Security
     User account management
     Strong password policy (length, complexity, expiry, no dictionary meaning)
     Principle of Least Privilege
     “Clear desk, clear screen” policy
     Audit trails
     Education, awareness building & policy enforcement
     Alerts & education about phishing & social engineering
  • 26. Safeguarding Against Attacks: System Security
     Antivirus, antispyware, personal firewall, intrusion detection/prevention system (IDS/IPS), log files, monitoring
     Updates, patches & fixes for operating system and application vulnerabilities
     Redundancy (avoid a “single point of failure”)
     Honeypots
  • 27. Safeguarding Against Attacks: Software Security
     Software (clients & servers) that is secure by design
     Software testing against failures, bugs, invalid inputs, performance issues & attacks
     Updates to patch vulnerabilities
  • 28. Safeguarding Against Attacks: Network Security
     Access control (physical & electronic) to network devices
     Use of secure network protocols where possible
     Data encryption in transit where possible
     Bandwidth monitoring & control
  • 29. Safeguarding Against Attacks: Database Security
     Access control to databases & storage devices
     Encryption of data stored in databases where necessary
     Secure destruction of data after use
     Access control to queries/reports
     Security features of database management systems (DBMS)
• 30. Privacy Safeguards - Security safeguards - Informed consent - Privacy culture - User awareness building & education - Organizational policy & regulations - Enforcement - Ongoing privacy & security assessments, monitoring, and protection Image: http://www.nurseweek.com/news/images/privacy.jpg
• 32. User Security - Access control: selective restriction of access to the system - Role-based access control (RBAC): access control based on the person’s role (rather than identity) - Audit trails: logs/records that provide evidence of the sequence of activities
• 33. User Security - Identification: stating who you are; usually done by user IDs or some other unique codes - Authentication: confirming that you truly are who you claim to be; usually done by keys, PINs, passwords or biometrics - Authorization: specifying/verifying how much access you have; determined by the system owner’s policy & system configuration - “Principle of Least Privilege”: grant each user only the access their job requires
• 34. User Security - Nonrepudiation: proving the integrity, origin & performer of an activity so that the person cannot later deny the action - Most common form: signatures - Electronic signatures offer varying degrees of nonrepudiation (a PIN/password can be shared or guessed; biometrics, or a private key held only by the signer, prove more) - Digital certificates (in a public key infrastructure, PKI) bind a public key to an identity and are often used to establish nonrepudiation
• 35. User Security - Multiple-factor authentication (e.g. two-factor authentication): use of multiple means (“factors”) for authentication - Types of authentication factors: something you know (password, PIN, etc.), something you have (keys, cards, tokens, devices such as mobile phones), something you are (biometrics)
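As an added example, not from the lecture: the ideas on the User Security slides (role-based access control, least privilege applied as deny-by-default, and an audit trail) in working Python. The audit trail is hash-chained so that editing or deleting an entry is detectable, which is the "tamper evident" logging the design-principles slides later ask for. The roles, permissions, user IDs and resource names are invented for the demo.

```python
"""Added illustration, not from the lecture: role-based access control with a
deny-by-default decision and a hash-chained (tamper-evident) audit trail.
Roles, permissions, user IDs and resource names are invented for the demo."""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Permissions belong to roles, not to people (RBAC); a user gets access only
# through the roles assigned to them. These roles are assumed for the example.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "physician": {"patient:read", "patient:write", "order:write"},
    "nurse": {"patient:read", "vitals:write"},
    "billing": {"demographics:read", "invoice:write"},
}


@dataclass
class AuditEntry:
    seq: int
    user: str
    action: str
    resource: str
    allowed: bool
    prev_digest: str
    digest: str = ""

    def compute_digest(self) -> str:
        body = json.dumps([self.seq, self.user, self.action, self.resource,
                           self.allowed, self.prev_digest])
        return hashlib.sha256(body.encode()).hexdigest()


@dataclass
class AccessController:
    users: Dict[str, Set[str]]                       # user id -> roles
    audit: List[AuditEntry] = field(default_factory=list)

    def is_allowed(self, user: str, action: str) -> bool:
        # Fail-safe default: an unknown user or an unknown role grants nothing.
        roles = self.users.get(user, set())
        return any(action in ROLE_PERMISSIONS.get(r, set()) for r in roles)

    def check(self, user: str, action: str, resource: str) -> bool:
        # Complete mediation: every request passes through here and is recorded,
        # allowed or denied. Each entry chains to the previous entry's digest.
        allowed = self.is_allowed(user, action)
        prev = self.audit[-1].digest if self.audit else "0" * 64
        entry = AuditEntry(len(self.audit), user, action, resource, allowed, prev)
        entry.digest = entry.compute_digest()
        self.audit.append(entry)
        return allowed


def audit_trail_intact(audit: List[AuditEntry]) -> bool:
    """Recompute the chain; any edited or deleted entry breaks every later link."""
    prev = "0" * 64
    for i, e in enumerate(audit):
        if e.seq != i or e.prev_digest != prev or e.compute_digest() != e.digest:
            return False
        prev = e.digest
    return True


def demo() -> Tuple[Dict[str, bool], AccessController]:
    ac = AccessController(users={"dr_smith": {"physician"},
                                 "nurse_lee": {"nurse"},
                                 "clerk_ann": {"billing"}})
    results = {
        "physician reads chart": ac.check("dr_smith", "patient:read", "patient/1234"),
        "nurse writes order":    ac.check("nurse_lee", "order:write", "patient/1234"),
        "billing reads chart":   ac.check("clerk_ann", "patient:read", "patient/1234"),
        "unknown user":          ac.check("intruder", "patient:read", "patient/1234"),
    }
    return results, ac


if __name__ == "__main__":
    results, ac = demo()
    for k, v in results.items():
        print(f"{k}: {'ALLOW' if v else 'DENY'}")
    print("audit intact:", audit_trail_intact(ac.audit))
    ac.audit[1].allowed = True          # an insider tries to rewrite history
    print("after tampering:", audit_trail_intact(ac.audit))
```

Denied requests are logged as well as allowed ones; a trail that only records successes hides exactly the probing an investigator needs to see. In a real system the chain head (or periodic digests) would be copied to a separate write-once store, since an attacker who can rewrite the whole log can also recompute the whole chain.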
  • 36. Need for Strong Password Policy So, two informaticians walk into a bar... The bouncer says, "What's the password." One says, "Password?" The bouncer lets them in. Credits: @RossMartin & AMIA (2012)
• 37. Recommended Password Policy - Length: 8 characters or more (to slow down brute-force attacks) - Complexity (to slow down brute-force attacks): consists of 3 of the 4 categories of characters: uppercase letters, lowercase letters, numbers, symbols (except symbols that have special uses in the system; note that a system which must forbid symbols because they “could be used to hack the system”, e.g. SQL injection, has an input-handling bug: the fix is parameterized queries and hashing the password, not restricting it) - No meaning, i.e. not a dictionary word (to defeat dictionary attacks) - Not simple patterns (12345678, 11111111) (to slow down brute-force attacks & prevent dictionary attacks) - Not easy to guess (birthday, family names, etc.) (to prevent unknown & known persons from guessing) Personal opinion. No legal responsibility assumed.
• 38. Recommended Password Policy - Expiration (limits how long a cracked, leaked or shared password stays useful; it does not by itself stop brute-force attacks): 6-8 months, decreasing over time because of increasing computer speed. But be careful! Too short a duration will force users to write passwords down - Secure password storage in the database or system: store only salted, deliberately slow password hashes (e.g. PBKDF2 or bcrypt), never plaintext or reversibly encrypted passwords - Secure password confirmation - Secure “forgot password” process - A different password for each account. Create variations to help remember. If that is not possible, have different sets of accounts for differing security needs (e.g., bank accounts vs. social media sites) Personal opinion. No legal responsibility assumed.
• 39. Techniques to Remember Passwords - http://www.wikihow.com/Create-a-Password-You-Can-Remember - Note that some of the techniques there are less secure! - One easy & secure way: a password mnemonic - Think of a full sentence that you can remember - Ideally the sentence should have 8 or more words, with numbers and symbols - Use the first character of each word as the password - Sentence: I love reading all 7 Harry Potter books! - Password: Ilra7HPb! - Voila! Personal opinion. No legal responsibility assumed.
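As an added example, not from the lecture: the password rules from the two policy slides as a checker, the mnemonic trick from slide 39 as a function, and the "store only password hashes" advice done properly with a per-user salt and a slow hash (PBKDF2-SHA256 from the standard library). The short COMMON_PASSWORDS list is a constructed stand-in for a real breached-password list.

```python
"""Added illustration, not from the lecture: a policy check matching the rules
on the slides, the mnemonic trick from slide 39, and salted PBKDF2 storage so
the database never holds the password itself. COMMON_PASSWORDS is a constructed
stand-in for a real breached-password list."""
import hashlib
import hmac
import re
import secrets
from typing import List

COMMON_PASSWORDS = {"password", "12345678", "qwerty123", "letmein", "iloveyou"}
CLASS_PATTERNS = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")


def is_simple_sequence(pw: str) -> bool:
    """12345678, abcdefgh, 87654321: every step is +1 or every step is -1."""
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return len(pw) >= 4 and steps in ({1}, {-1})


def check_password_policy(pw: str, min_len: int = 8) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if sum(bool(re.search(p, pw)) for p in CLASS_PATTERNS) < 3:
        problems.append("uses fewer than 3 of the 4 character classes")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("dictionary/common password")
    if len(set(pw)) == 1:
        problems.append("single repeated character")
    if is_simple_sequence(pw):
        problems.append("simple keyboard/number sequence")
    return problems


def mnemonic_password(sentence: str) -> str:
    """First character of each word, keeping the sentence's closing punctuation."""
    words = sentence.split()
    pw = "".join(w[0] for w in words)
    trailing = re.search(r"[^A-Za-z0-9]+$", words[-1])
    return pw + (trailing.group(0) if trailing else "")


def hash_password(pw: str, iterations: int = 600_000) -> str:
    """Salted, slow hash. The stored string carries everything needed to verify,
    so the iteration count can be raised later without breaking old records."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(pw: str, stored: str) -> bool:
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time compare


if __name__ == "__main__":
    pw = mnemonic_password("I love reading all 7 Harry Potter books!")
    print(pw, check_password_policy(pw) or "OK")
    print(check_password_policy("12345678"))
    record = hash_password(pw)
    print(record)
    print(verify_password(pw, record), verify_password("Password1!", record))
```

Two things the slides' wording does not make explicit: the salt makes two users with the same password hash differently (so a stolen table cannot be attacked with one precomputed list), and the iteration count is what slows an offline brute-force attack on a stolen hash; an online login form is protected by rate limiting, not by iteration count.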
  • 40. Social Engineering Examples Dear mail.mahidol.ac.th Email Account User, We wrote to you on 11th January 2010 advising that you change the password on your account in order to prevent any unauthorised account access following the network instruction we previously communicated. all Mailhub systems will undergo regularly scheduled maintenance. Access to your e-mail via the Webmail client will be unavailable for some time during this maintenance period. We are currently upgrading our data base and e-mail account center i.e homepage view. We shall be deleting old [https://mail.mahidol.ac.th/l accounts which are no longer active to create more space for new accountsusers. we have also investigated a system wide security audit to improve and enhance our current security. In order to continue using our services you are require to update and re-comfirmed your email account details as requested below. To complete your account re-comfirmation,you must reply to this email immediately and enter your account details as requested below. Username : Password : Date of Birth: Future Password : Real social-engineering e-mail received by Speaker
  • 41. Phishing Real phishing e-mail received by Speaker
• 42. Signs of a Phishing Attack - Poor grammar - Lots of typos - Trying very hard to convince you to open an attachment, click on a link, or reply, without giving enough detail - May appear to be from a known person (relies on trust & innocence)
• 43. Ways to Protect against Phishing - Don’t be too trusting of people - Always be suspicious & alert - An e-mail with your friend’s name & info doesn’t have to come from him/her - Look for the signs of phishing attacks - Don’t open attachments unless you expect them - Scan attachments for viruses before opening them - Don’t click links in e-mail; type known & trusted URLs directly into the browser - Be especially cautious if asked for passwords, bank account numbers, credit card numbers, social security numbers, etc.
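As an added example, not from the lecture: the signs listed on the two phishing slides turned into checks a mail filter (or a sceptical reader) can run. Both sample messages are constructed for the demo (the first imitates the shape of the account "re-confirmation" e-mail shown on slide 40 but uses example.* domains and the documentation address 203.0.113.9); the phrase lists are short stand-ins for what a real filter would carry.

```python
"""Added illustration, not from the lecture: scoring an e-mail against the
phishing signs listed on the slides. Both sample messages are constructed for
the demo; the keyword lists are short stand-ins for a real filter's lists."""
import re
from typing import List, Tuple
from urllib.parse import urlparse

URGENCY_PHRASES = ("immediately", "within 24 hours", "will be deleted", "suspended",
                   "verify your account", "re-confirm")
CREDENTIAL_PHRASES = ("password", "date of birth", "credit card",
                      "social security", "bank account")
KNOWN_MISSPELLINGS = re.compile(r"\b(re-comfirm|recieve|informations|kindly revert)\b")
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def strip_tags(html: str) -> str:
    return re.sub(r"<[^>]+>", " ", html)


def link_mismatches(html: str) -> List[Tuple[str, str]]:
    """Anchors whose visible text names one host while href points to another."""
    found = []
    for href, inner in ANCHOR.findall(html):
        shown = strip_tags(inner).strip()
        if not LOOKS_LIKE_URL.fullmatch(shown):
            continue                           # "click here" makes no host claim
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname
        real_host = urlparse(href).hostname
        if shown_host and shown_host != real_host:
            found.append((shown_host, real_host or href))
    return found


def phishing_indicators(sender: str, reply_to: str, subject: str, body_html: str) -> List[str]:
    """Return human-readable reasons; the more reasons, the more suspicious."""
    reasons = []
    text = strip_tags(body_html).lower()
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != sender.rsplit("@", 1)[-1].lower():
        reasons.append("reply-to domain differs from sender domain")
    hits = [p for p in URGENCY_PHRASES if p in text or p in subject.lower()]
    if hits:
        reasons.append("pressure to act: " + ", ".join(hits))
    creds = [p for p in CREDENTIAL_PHRASES if p in text]
    if creds:
        reasons.append("asks for secrets/personal data: " + ", ".join(creds))
    for shown, real in link_mismatches(body_html):
        reasons.append(f"link text shows {shown} but goes to {real}")
    if KNOWN_MISSPELLINGS.search(text):
        reasons.append("typos typical of mass phishing")
    return reasons


# Constructed samples (not real mail).
PHISH = dict(
    sender="it-support@mailhub.example.com",
    reply_to="mail.admin.update@webmail-free.example.net",
    subject="Urgent: re-confirm your email account",
    body_html=(
        "<p>Dear Email Account User,</p>"
        "<p>We shall be deleting old accounts which are no longer active. To continue using "
        "our services you must re-comfirm your account details <b>immediately</b> by replying with:</p>"
        "<p>Username: Password: Date of Birth: Future Password:</p>"
        '<p>Or log in at <a href="http://203.0.113.9/webmail">https://mail.example.ac.th/</a></p>'
    ),
)
LEGIT = dict(
    sender="seminars@example.org",
    reply_to="seminars@example.org",
    subject="April seminar schedule",
    body_html='<p>The schedule is on <a href="https://www.example.org/seminars">'
              'https://www.example.org/seminars</a>.</p>',
)

if __name__ == "__main__":
    for name, msg in (("phish", PHISH), ("legit", LEGIT)):
        print(name, phishing_indicators(**msg))
```

The link check is the one worth copying into a user's habits: hover over (or long-press) a link and compare the real destination with the text, because the displayed text is whatever the sender typed.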
• 45. Software Security - The most common cause of security bugs is invalid programming assumptions, which attackers look for - Weak input checking - Buffer overflow - Integer overflow - Race conditions (time-of-check / time-of-use, TOCTOU, vulnerabilities) - Running programs in new environments Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
• 46. Software Security - Feeping creaturism (creeping featurism) - Log files that contain sensitive information - Configuration bugs - Unnecessary privileges - Monoculture - Security bypass Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
• 47. Example of Weak Input Checking: SQL Injection - Consider a log-in form on a web page - The source code would look something like this: statement = "SELECT * FROM users WHERE name = '" + userName + "';" - The attacker enters as username: ' or '1'='1 - Which leads to this query, whose WHERE clause is always true: statement = "SELECT * FROM users WHERE name = '" + "' or '1'='1" + "';" statement = "SELECT * FROM users WHERE name = '' or '1'='1';" http://en.wikipedia.org/wiki/SQL_injection
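As an added example, not from the lecture: the slide's concatenated query run for real against an in-memory SQLite table, beside the parameterized form that closes the hole. The table contents are invented, and the extra `list_users_sorted` helper is an assumption added to show the one case (a column name) where a parameter cannot be used and an allow-list is the right check.

```python
"""Added illustration, not from the lecture: the slide's concatenated query run
against an in-memory SQLite table, beside the parameterized version. Table
contents and the allow-list helper are assumptions made for the demo."""
import sqlite3
from typing import List

SORTABLE_COLUMNS = {"name", "created"}   # allow-list for identifiers


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password_hash TEXT, created TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "h1", "2013-01-02"), ("bob", "h2", "2013-03-04")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_name: str) -> List[str]:
    # Exactly the slide's construction: user text is spliced into the SQL text,
    # so a quote in the input ends the string literal and the rest becomes code.
    statement = "SELECT name FROM users WHERE name = '" + user_name + "';"
    return [row[0] for row in conn.execute(statement)]


def lookup_safe(conn: sqlite3.Connection, user_name: str) -> List[str]:
    # Parameterized: the value travels separately from the SQL and can never
    # change the statement's structure, whatever characters it contains.
    rows = conn.execute("SELECT name FROM users WHERE name = ?;", (user_name,))
    return [row[0] for row in rows]


def list_users_sorted(conn: sqlite3.Connection, column: str) -> List[str]:
    # Identifiers (table/column names) cannot be bound as parameters, so the
    # only safe option is to accept nothing outside a fixed allow-list.
    if column not in SORTABLE_COLUMNS:
        raise ValueError(f"unknown sort column: {column!r}")
    return [row[0] for row in conn.execute(f"SELECT name FROM users ORDER BY {column};")]


if __name__ == "__main__":
    conn = build_db()
    payload = "' or '1'='1"
    print("vulnerable:", lookup_vulnerable(conn, payload))   # both users leak
    print("safe:      ", lookup_safe(conn, payload))          # nobody is named that
    print("sorted:    ", list_users_sorted(conn, "created"))
```

Note what the safe version does not do: it does not strip quotes or blacklist characters, which is why the "forbid symbols in passwords" idea is unnecessary once queries are parameterized.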
• 48. Secure Software Design Principles - Economy of mechanism: the design should be small & simple - Fail-safe default: deny access unless it is explicitly permitted - Complete mediation: check every access to every object - Open design: security must not depend on the design being secret (only the keys are secret) - Separation of privilege: require more than one condition (e.g. two keys) to grant access - Least privilege: each component gets only the access it needs Saltzer & Schroeder (1975), Viega & McGraw (2000) Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
• 49. Secure Software Design Principles - Least common mechanism: minimize the complexity of shared components - Psychological acceptability: if users don’t buy in to a security mechanism or don’t understand how to use it, the system is insecure - Work factor: the cost of an attack should exceed the resources the attacker will spend Saltzer & Schroeder (1975), Viega & McGraw (2000) Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
• 50. Secure Software Design Principles - Compromise recording: if it is too expensive to prevent a compromise, record it - Tamper evident vs. tamperproof - Log files Saltzer & Schroeder (1975), Viega & McGraw (2000) Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271 Image source: http://www.flickr.com/photos/goobelyga/2340650133/
• 51. Secure Software Design Principles - Defense in depth: multiple layers of security defense are placed throughout a system to provide redundancy in the event a security control fails - Secure the weakest link - Promote privacy - Trust no one Saltzer & Schroeder (1975), Viega & McGraw (2000) Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271 http://en.wikipedia.org/wiki/Defense_in_depth_(computing)
• 52. Secure Software Best Practices - Modular design - Check error conditions on return values - Validate inputs (prefer a whitelist of what is allowed over a blacklist of what is forbidden) - Avoid infinite loops, memory leaks - Check for integer overflows - Language/library choices - Development processes Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
• 54. Cryptography (diagram: Alice, Bob and eavesdropper Eve) - Goal: provide a secure channel between Alice & Bob - A secure channel - Leaks no information about its contents - Delivers only messages from Alice & Bob - Delivers messages in order or not at all Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
• 55. Cryptography - Use of keys to convert plaintext into ciphertext - Secret keys only Alice & Bob know - History: Caesar’s cipher, substitution cipher, polyalphabetic (rotating-alphabet) ciphers - Use of keys and some generator function to create random-looking strings (e.g. stream ciphers, block ciphers) Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
• 56. Encryption Using Secret Key (Symmetric Cryptography) - 1. Alice encrypts the message using the secret key - 2. Alice sends the encrypted message to Bob - 3. Bob decrypts the message using the same secret key - Eve doesn’t know the secret key (but there are various ways to discover the key) Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
• 57. Cryptography - What if no shared secret exists? - Public-key cryptography - Each party publishes a public key publicly - Each party keeps a secret (private) key secret - Arithmetic (modular exponentiation) is used to encrypt & decrypt messages Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
• 58. Public-Key Cryptography (Asymmetric Cryptography) - 1. Alice obtains Bob’s public key from a public server - 2. Alice uses Bob’s public key to encrypt the message - 3. Alice sends the encrypted message to Bob - 4. Bob decrypts the message using his own private key - Even if Eve knows the public key, she can’t recover the message (unless there is a weakness in the algorithm or Bob’s private key is compromised) Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
• 59. Digital Signatures - 1. Alice signs the message using her own private key, producing a random-looking string (the digital signature) - 2. Alice sends the plaintext and the digital signature to Bob - 3. Bob uses Alice’s public key to verify the received signature against the plaintext received - 4. If they match, the message was signed with Alice’s private key and was not altered in transit - Provides nonrepudiation Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
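As an added example, not from the lecture: the three secure-channel goals listed on the Cryptography slide (leaks nothing, only from the peer, in order or not at all) built with a shared secret and the Python standard library, then attacked the way slide 20 describes (modification, replay, and reflection back to the sender). The keystream is HMAC-SHA256 run in counter mode and the tag is encrypt-then-MAC; this is a teaching construction, not a standard, and production systems should use TLS or an AEAD such as AES-GCM from a vetted library. The shared secret, the message and the packet layout are constructed for the demo.

```python
"""Added illustration, not from the lecture: a symmetric 'secure channel' in the
sense of the Cryptography slide (confidentiality, only-from-the-peer, in order
or not at all) from the standard library only. Keystream = HMAC-SHA256 in
counter mode, tag = encrypt-then-MAC. Teaching construction, not a standard:
real code uses TLS or an AEAD such as AES-GCM. Shared secret is constructed."""
import hashlib
import hmac
import secrets
import struct

SEQ_LEN, NONCE_LEN, TAG_LEN = 8, 16, 32
HDR_LEN = SEQ_LEN + NONCE_LEN


def derive_keys(shared_secret: bytes, direction: bytes):
    """Separate keys per purpose and per direction, so Alice->Bob traffic cannot
    be reflected back to Alice and the MAC key is never the cipher key."""
    k_enc = hmac.new(shared_secret, direction + b"/enc", hashlib.sha256).digest()
    k_mac = hmac.new(shared_secret, direction + b"/mac", hashlib.sha256).digest()
    return k_enc, k_mac


def keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hmac.new(k_enc, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Channel:
    def __init__(self, shared_secret: bytes, initiator: bool):
        mine, theirs = (b"a2b", b"b2a") if initiator else (b"b2a", b"a2b")
        self.send_keys = derive_keys(shared_secret, mine)
        self.recv_keys = derive_keys(shared_secret, theirs)
        self.send_seq = 0      # next sequence number we will emit
        self.recv_seq = 0      # next sequence number we will accept

    def seal(self, plaintext: bytes) -> bytes:
        k_enc, k_mac = self.send_keys
        nonce = secrets.token_bytes(NONCE_LEN)            # fresh per message
        header = struct.pack(">Q", self.send_seq) + nonce
        ct = xor(plaintext, keystream(k_enc, nonce, len(plaintext)))
        tag = hmac.new(k_mac, header + ct, hashlib.sha256).digest()   # covers seq
        self.send_seq += 1
        return header + ct + tag

    def open(self, packet: bytes) -> bytes:
        k_enc, k_mac = self.recv_keys
        if len(packet) < HDR_LEN + TAG_LEN:
            raise ValueError("truncated packet")
        header, ct, tag = packet[:HDR_LEN], packet[HDR_LEN:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(k_mac, header + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):        # check MAC before anything else
            raise ValueError("bad tag: modified in transit or not from the peer")
        seq = struct.unpack(">Q", header[:SEQ_LEN])[0]
        if seq != self.recv_seq:
            raise ValueError("stale seq: replay or reordering")
        self.recv_seq += 1
        return xor(ct, keystream(k_enc, header[SEQ_LEN:], len(ct)))


def demo() -> dict:
    secret = b"constructed-demo-shared-secret"
    alice, bob = Channel(secret, initiator=True), Channel(secret, initiator=False)

    def attempt(ch: Channel, pkt: bytes) -> str:
        try:
            ch.open(pkt)
            return "accepted"
        except ValueError as err:
            return "rejected: " + str(err).split(":")[0]

    packet = alice.seal(b"Patient 1234: potassium 6.1 mmol/L, repeat now")
    tampered = bytearray(packet)
    tampered[HDR_LEN] ^= 0x01                 # Mallory flips one ciphertext bit
    return {
        "delivered": bob.open(packet),
        "tampered": attempt(bob, bytes(tampered)),
        "replayed": attempt(bob, packet),     # Eve re-sends the captured packet
        "reflected": attempt(alice, packet),  # packet bounced back to its sender
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The order of checks matters: the tag is verified before the sequence number or the plaintext is looked at, so a forged packet is dropped without revealing anything about the receiver's state.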
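As an added example, not from the lecture: "textbook" RSA from the standard library to make the public-key and digital-signature slides concrete (key pair, encrypt/decrypt, sign/verify). No padding is used, so this is for understanding only: deterministic encryption and unpadded signatures are both exploitable, and real systems use RSA-OAEP/RSA-PSS or Ed25519 from a vetted library. The key size is a parameter because pure-Python key generation at 2048 bits is slow; the message and order strings are invented.

```python
"""Added illustration, not from the lecture: 'textbook' RSA to make the
public-key and signature slides concrete. No padding, so for understanding
only; real systems use RSA-OAEP/PSS or Ed25519 from a vetted library."""
import hashlib
import secrets
from typing import Tuple

Key = Tuple[int, int]   # (modulus n, exponent)


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with random bases; error probability below 4**-rounds."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # full length, odd
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 2048) -> Tuple[Key, Key]:
    """Returns (public_key, private_key) with the common exponent e = 65537."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:       # e is prime, so this is gcd(e, phi) == 1
            break
    n = p * q
    d = pow(e, -1, phi)                   # private exponent (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public: Key, m: int) -> int:
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer below the modulus")
    return pow(m, e, n)


def decrypt(private: Key, c: int) -> int:
    n, d = private
    return pow(c, d, n)


def sign(private: Key, message: bytes) -> int:
    """Sign the SHA-256 digest (as an integer) with the private exponent."""
    n, d = private
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(h, d, n)


def verify(public: Key, message: bytes, signature: int) -> bool:
    """Apply the public exponent to the signature; it must equal the digest."""
    n, e = public
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(signature, e, n) == h


if __name__ == "__main__":
    bob_pub, bob_priv = generate_keypair(1024)
    secret_note = b"K+ 6.1 mmol/L"
    c = encrypt(bob_pub, int.from_bytes(secret_note, "big"))
    print("Bob decrypts:", decrypt(bob_priv, c).to_bytes(len(secret_note), "big"))
    alice_pub, alice_priv = generate_keypair(1024)
    order = b"order: 40 mg furosemide IV"
    sig = sign(alice_priv, order)
    print("signature valid:", verify(alice_pub, order, sig))
    print("altered order valid:", verify(alice_pub, b"order: 400 mg furosemide IV", sig))
```

The signature check is where nonrepudiation comes from: only the holder of Alice's private exponent could have produced a value that her public exponent maps back to the digest, and any change to the order changes the digest and breaks the match.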
• 61. Malware - Malicious software: any code with intentional, undesirable side effects - Virus - Worm - Trojan - Spyware - Logic bomb/time bomb - Backdoor/trapdoor - Rootkit - Botnet
• 62. Malware - Virus: propagating malware that requires user action to propagate; infects executable files, data files with executable contents (e.g. macros), boot sectors - Worm: self-propagating malware - Trojan: a seemingly legitimate program with additional, hidden functionality
• 63. Malware - Spyware: a trojan that spies for & steals personal information - Logic bomb/time bomb: malware that triggers under certain conditions - Backdoor/trapdoor: a hole left behind by malware for future access
• 64. Malware - Rogue antispyware (“scareware”): software that tricks or forces users to pay before fixing (real or hoax) spyware it claims to have detected - Ransomware: malware that locks the system or encrypts the victim’s data and demands payment to restore it - Rootkit: a stealth program designed to hide the existence of certain processes or programs from detection - Botnet: a collection of Internet-connected computers that have been compromised (bots), which the controller of the botnet can use to do something (e.g. DDoS attacks)
• 65. Defense Against Malware - Installed & updated antivirus, antispyware & personal firewall - Check for known signatures - Check for improper file changes (integrity failures) - Check for generic patterns of malware (for unknown malware): “heuristic scan” - Firewall: block certain network traffic in and out - Sandboxing - Network monitoring & containment - User education - Software patches, more secure protocols
• 66. Newer Threats - Social media spam/scams/clickjacking - Social media privacy issues - User privacy settings - Location services - Mobile device malware & other privacy risks - Stuxnet (advanced malware targeting industrial control systems in specific countries) - Advanced persistent threats (APTs) by governments & corporations against specific targets
  • 68. Some Information Security Standards • ISO/IEC 27000 — Information security management systems — Overview and vocabulary • ISO/IEC 27001 — Information security management systems — Requirements • ISO/IEC 27002 — Code of practice for information security management • ISO/IEC 27003 — Information security management system implementation guidance • ISO/IEC 27004 — Information security management — Measurement • ISO/IEC 27005 — Information security risk management • ISO/IEC 27031 — Guidelines for information and communications technology readiness for business continuity • ISO/IEC 27032 — Guideline for cybersecurity (essentially, 'being a good neighbor' on the Internet) • ISO/IEC 27033-1 — Network security overview and concepts • ISO/IEC 27033-2 — Guidelines for the design and implementation of network security • ISO/IEC 27033-3:2010 — Reference networking scenarios - Threats, design techniques and control issues • ISO/IEC 27034 — Guideline for application security • ISO/IEC 27035 — Security incident management • ISO 27799 — Information security management in health using ISO/IEC 27002
• 69. More Information - US-CERT (U.S. Computer Emergency Readiness Team): http://www.us-cert.gov/ - Subscribe to alerts & news - Microsoft Security Resources: http://technet.microsoft.com/en-us/security and http://technet.microsoft.com/en-us/security/bulletin - Common Vulnerabilities & Exposures: http://cve.mitre.org/
  • 70. Q&A