Discuss best practices for protecting your computer and mobile device from viruses, malware, and other threats. Learn about encryption, backups, and the importance of strong passwords. Presented by Vadim Droznin, a geek with over 25 years of experience in IT.
Computer Security and what you can do about it… Vadim Droznin – a geek - not a professional speaker! vdroznin@qedsys.com
Introduction • Discuss best practices for protecting your computer, your mobile devices, and your office information • Goal: you will be able to make informed decisions about countering threats from the Internet and better decisions related to IT in general • QED Systems, Inc. has been helping companies with IT related issues for over 25 years.
Outline • Best practice to protect your computer • Viruses • Intrusion prevention • Passwords • Backup • Encryption • Cloud • IT outsourcing vs in-house • MASS PI Law – Regulation 201 CMR 17 • HIPAA compliance
Danger, Will Robinson, Danger! • Computer Virus – a program that infects a computer without the permission or knowledge of the user • Spreads over the Web, network shares, e-mail, social networking, and instant messaging. Will spread to other computers and can cause data loss • Malware (malicious software) – any program that infects and damages a computer or mobile device (most rootkits, viruses, Trojan horses, worms). Example: Flame – a multi-component Trojan used for targeted attacks; it can spy on the user, leak data, and download and execute additional components • Spyware – a program that intercepts the user's interaction with the computer or mobile device, takes partial control of it, and captures keystrokes • Adware – a program that displays, downloads, and pops up ads • SPAM – unsolicited e-mail. May be used for phishing or information gathering
Types of Antivirus/Antispyware • Kaspersky, Symantec, IObit, etc. • Avira, Avast and AVG have free basic versions • Keep definitions updated and real-time monitoring enabled. Scan the whole computer at least weekly • Anti-Spyware: Webroot, CounterSpy, etc. • MalwareBytes and SuperAntispyware have free versions • Scan weekly at minimum
Viruses that disguise themselves • "Antivirus 2014/2013/2012/2011" and "Antivirus XP/7/8" of any year are fake (rogue) antivirus products – they are themselves malware • Never click on a pop-up telling you your computer is infected while surfing – close the browser instead • If infected, press and hold the power button for 5 seconds to shut down, then seek expert help
Anti-SPAM / PHISHING • Use web e-mail services that offer SPAM filtering (Yahoo, Google, MSN, etc.) • A basic anti-SPAM filter is included free with Outlook, Outlook Express, Apple Mail and other mail clients • PHISHING – an e-mail or Internet link takes the user to a site that masquerades as a real site (the redirect can also be done on the server side)
Examples of PHISHING E-Mails and Sites (screenshots from the slide not reproduced)
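The two slides above describe phishing as a link whose visible text points one place and whose real target is somewhere else. The script below is an added example, not part of the original presentation, that applies that description to the HTML body of an e-mail: it extracts every anchor, compares the domain shown in the link text with the host the `href` really goes to, and also flags raw IP hosts, punycode (`xn--`) hosts and plain `http://` links. The sample message is constructed here for illustration; `bank.example` is a placeholder domain, not a real site.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domain-looking token inside visible link text, e.g. "www.bank.example" or "https://bank.example/login"
DOMAIN_RE = re.compile(r'(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})', re.I)
IPV4_RE = re.compile(r'\d{1,3}(?:\.\d{1,3}){3}')


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            self._href = dict(attrs).get('href') or ''
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == 'a' and self._href is not None:
            self.links.append((self._href, ''.join(self._text).strip()))
            self._href = None


def link_host(href):
    """Host part of the real link target, lower-cased ('' if none)."""
    return (urlparse(href).hostname or '').lower()


def suspicious_links(html):
    """Return [(href, text, [reasons])] for links that look like phishing."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = link_host(href)
        reasons = []
        shown = DOMAIN_RE.search(text)
        if shown:
            shown_host = shown.group(1).lower()
            # Allow the real host to be the shown domain or one of its subdomains;
            # anything else (e.g. bank.example.attacker.invalid) is a mismatch.
            if host != shown_host and not host.endswith('.' + shown_host):
                reasons.append(f'text shows {shown_host} but link goes to {host}')
        if host.startswith('xn--') or '.xn--' in host:
            reasons.append('punycode (IDN look-alike) host')
        if IPV4_RE.fullmatch(host):
            reasons.append('raw IP address host')
        if href.lower().startswith('http://'):
            reasons.append('plain http, no TLS')
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample e-mail body (not a real message): two phishing links and one legitimate one.
SAMPLE_MAIL = """
<p>Your account is locked. Please <a href="http://203.0.113.7/login">sign in at www.bank.example</a>.</p>
<p>Or visit <a href="https://www.bank.example.secure-verify.invalid/">https://www.bank.example</a></p>
<p>Help: <a href="https://www.bank.example/help">www.bank.example/help</a></p>
"""

if __name__ == '__main__':
    for href, text, reasons in suspicious_links(SAMPLE_MAIL):
        print(f'{text!r} -> {href}')
        for r in reasons:
            print('   -', r)
```

The check is deliberately conservative: it only compares what the user can see with where the link really goes, which is exactly the trick the slide describes, and it needs no network access or threat feed.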
Firewall, Passwords, Wireless, etc. • Never connect your computer to the Internet without a firewall. It can take less than 20 minutes to get hacked (cracked) or infected • Wireless must have WPA2 enabled with a passphrase at least 14 characters long. Cisco, Meraki, and others offer real wireless security solutions • Wi-Fi Protected Setup (WPS) is vulnerable and should be disabled • Passwords for user accounts on the computer and for Internet sites must be at least 15 characters long – a combination of capital letters, small letters, numbers, and "special" characters • A UPS is recommended for computers in case of a power outage
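Why does the slide insist on a long WPA2 passphrase and on 15-character passwords? An attacker who captures the WPA2 four-way handshake can test passphrases offline, and the only thing slowing each guess down is the key derivation. The code below is an added example, not from the original presentation: it derives the WPA2-Personal pre-shared key exactly as IEEE 802.11i specifies (PBKDF2-HMAC-SHA1 over the SSID, 4096 iterations, 32 bytes), checks a password against the slide's 15-character/four-class rule, and estimates how long an exhaustive search would take. The guess rates in `demo()` are assumed round numbers for illustration, not measurements.

```python
import hashlib
import string

SECONDS_PER_YEAR = 365 * 24 * 3600


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PSK per IEEE 802.11i: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32 bytes).
    The SSID is the salt, so the same passphrase gives a different key on each network,
    but an attacker who knows the SSID can still precompute or brute-force offline."""
    return hashlib.pbkdf2_hmac('sha1', passphrase.encode('utf-8'),
                               ssid.encode('utf-8'), 4096, 32)


def password_policy_violations(pw: str, min_len: int = 15) -> list:
    """Return the ways pw fails the slide's rule: >= min_len chars, all four character classes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f'shorter than {min_len} characters')
    classes = {
        'uppercase': string.ascii_uppercase,
        'lowercase': string.ascii_lowercase,
        'digit': string.digits,
        'special': string.punctuation,
    }
    for name, alphabet in classes.items():
        if not any(c in alphabet for c in pw):
            problems.append(f'no {name} character')
    return problems


def brute_force_years(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Years to try every password of the given length over the given alphabet."""
    return alphabet_size ** length / guesses_per_second / SECONDS_PER_YEAR


def demo() -> dict:
    # Assumed (illustrative) guess rates: WPA2's 4096 PBKDF2 rounds make each guess far more
    # expensive than a plain hash, so the offline rate is much lower than for, say, raw MD5.
    fast_hash_rate = 1e10   # raw unsalted hash on a GPU rig, assumed
    wpa2_rate = 1e6         # PBKDF2-HMAC-SHA1 x4096 on the same rig, assumed
    return {
        'psk_hex': wpa2_psk('password', 'IEEE').hex(),
        'weak_pw': password_policy_violations('Summer2014'),
        'good_pw': password_policy_violations('Correct-Horse-Battery-9'),
        'years_8_lower_fast': brute_force_years(26, 8, fast_hash_rate),
        'years_14_mixed_wpa2': brute_force_years(95, 14, wpa2_rate),
    }


if __name__ == '__main__':
    for k, v in demo().items():
        print(f'{k}: {v}')
```

`wpa2_psk('password', 'IEEE')` reproduces the published 802.11i test vector, which is a quick way to confirm the derivation is the real one. The arithmetic is the point of the slide: eight lowercase characters fall in seconds even against a slow hash, while 14 mixed characters are out of reach even if the attacker's rate were a million times higher than assumed here.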
Operating Systems Pros and cons • Windows OS is still the most popular and most widely used • Windows XP/Vista/7/8 are replaced by Windows 8.1 as of 2014 • Windows 7 and 8.1 are more secure: built-in Windows Defender and better security overall • All OSs are still prone to "security flaws" • Apple • Can "dual boot" into both Mac OS and Windows • Still the most secure, but more and more programs are written to "infect" Mac OS • Linux OS • Used less, more secure than Windows, but can still get infected and has flaws • May be hard for a regular computer user to learn, and has compatibility issues
Mobile Devices and Phones • Phones have become more than phones – they are mobile computers. Use a password to unlock the phone • Install an antivirus (e.g. AVG Free) on Android based phones. For the foreseeable future, be very careful when installing apps on Android • iPhone has a much smaller chance of getting infected or downloading a malware/spyware based app • Blackberry has the best mail encryption, but its future is very questionable • The Android, iPhone and iPad app markets continue to grow
Encryption • Encryption uses an algorithm to encode devices, files, or information so that only someone with the key can read it • You should be encrypting any business related information on all devices that are taken outside the office – laptops, mobile devices, thumb drives, etc. • When creating a web site that requires a login, SSL encryption (today: TLS, the successor of SSL) must be implemented • Secure Socket Layer / TLS encrypts the data sent over the Internet between server and client and lets the client verify it is talking to the real server
Backup • You can never have enough backups • Redundancy is not a backup, but can be used for a quick restore
Backup (cont'd) • What should I NOT be using as backup media? • The best offsite backups (online backups) provide encryption • Carbonite – $59.95/year, unlimited size, plus plans for businesses • Mozy – $5.95/month, unlimited size • Mozy and others offer free 2 GB versions
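"You can never have enough backups" has a corollary the slide leaves implicit: a backup you have never restored is only a hope. The script below is an added example, not part of the presentation, and uses only the Python standard library. It packs a directory into a compressed tar archive together with a SHA-256 manifest, restores it elsewhere while refusing archive members that would write outside the target directory (absolute paths, `..`, links), and then compares every restored file against the manifest so that silent corruption of the backup shows up as a named mismatch. The sample files in `demo()` are constructed for illustration.

```python
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16) -> str:
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for block in iter(lambda: f.read(chunk), b''):
            h.update(block)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """{relative path: sha256} for every file under root."""
    root = Path(root)
    return {str(p.relative_to(root)).replace('\\', '/'): sha256_file(p)
            for p in sorted(root.rglob('*')) if p.is_file()}


def create_backup(src_dir, archive_path) -> dict:
    """Archive src_dir as 'data/' plus MANIFEST.json; returns the manifest."""
    manifest = build_manifest(src_dir)
    with tarfile.open(archive_path, 'w:gz') as tar:
        tar.add(str(src_dir), arcname='data')
        blob = json.dumps(manifest, sort_keys=True).encode()
        info = tarfile.TarInfo('MANIFEST.json')
        info.size = len(blob)
        tar.addfile(info, io.BytesIO(blob))
    return manifest


def _safe_members(tar):
    """Reject members that would escape the restore directory (classic tar path traversal)."""
    for m in tar.getmembers():
        parts = Path(m.name).parts
        if Path(m.name).is_absolute() or '..' in parts or m.issym() or m.islnk():
            raise ValueError(f'refusing unsafe archive member {m.name!r}')
        yield m


def restore_backup(archive_path, restore_dir) -> Path:
    restore_dir = Path(restore_dir)
    restore_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive_path, 'r:gz') as tar:
        tar.extractall(restore_dir, members=list(_safe_members(tar)))
    return restore_dir / 'data'


def verify_restored(restore_dir):
    """Compare restored files with the manifest; returns (ok, sorted list of mismatched paths)."""
    restore_dir = Path(restore_dir)
    expected = json.loads((restore_dir / 'MANIFEST.json').read_text())
    actual = build_manifest(restore_dir / 'data')
    bad = sorted(k for k in set(expected) | set(actual) if expected.get(k) != actual.get(k))
    return (not bad, bad)


def demo() -> dict:
    """Back up, restore, verify; then corrupt one restored file and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, 'office')
        (src / 'notes').mkdir(parents=True)
        (src / 'clients.csv').write_text('id,name\n1,Example Client\n')      # constructed sample
        (src / 'notes' / 'todo.txt').write_text('rotate backup media\n')     # constructed sample
        archive = Path(tmp, 'office-backup.tar.gz')
        create_backup(src, archive)
        restored = restore_backup(archive, Path(tmp, 'restore'))
        clean_ok, _ = verify_restored(Path(tmp, 'restore'))
        (restored / 'clients.csv').write_text('id,name\n1,Example Cl\n')    # simulate bit rot
        tampered_ok, bad = verify_restored(Path(tmp, 'restore'))
    return {'clean_ok': clean_ok, 'tampered_ok': tampered_ok, 'mismatches': bad}


if __name__ == '__main__':
    print(demo())
```

Run `demo()` (or the equivalent against a real backup) on a schedule: the restore itself is the test, and the manifest turns "the restore finished" into "every file came back byte-for-byte".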
Cloud • Pros • Minimizes IT support. Allows "pay as you go" • Does not require a dedicated on-site location • 24/7 uptime not tied to your office Internet connection • Scalable • Cons • Requires a higher level of security (an exposed target for attack) • Some applications cannot be used there, for example ones that must be HIPAA compliant • If part of the Internet goes down, cloud servers may not be reachable
Information Technology • Outsourcing • Cost Efficient if used in “pay as required” • Support 24/7 • Some of the support may be remote • No sick/holiday/vacation time, though usually higher rate during off-hours • Provides a CYA • In-House • Cost efficient if subsidized by grant • A dedicated person that is on site during business hours • Person grows with office and understands technology needs better
Personal Information • The following information related to any Massachusetts’ resident is considered to be Personal Information (PI): • Name (First initial/name and last name) • And one of the following: • Social Security Number • Driver’s License Number • Financial Account Number (ex. Credit Card, Debit Card) • Other Access Code Related to Person’s Financial Information
MASS Personal Information Law • Standards for the Protection of Personal Information of Residents of the Commonwealth • Effective 3/1/10 • Safeguard personal information (PI), both paper and electronic • Ensure security and confidentiality consistent with industry standards • Protect against anticipated threats • Protect against unauthorized access • Establishes minimum standards to be met in connection with the safeguarding of personal information (PI) contained in both paper and electronic records • Up to $50,000 per improper disposal and a maximum of $5,000 per violation • The above penalties don't include lost business, dealing with irate staff or families, mailing out letters, and other associated costs
Written Information Security Plan (WISP) • Working document that details how your organization will protect the non-public personal information (PI) of both students and staff through administrative, technical, and physical safeguards • WISP must address: • Paper Files • Electronic Information
PI - Paper Files • Do not leave files containing PI out and about • Lock desks and file cabinets containing PI • Store keys related to locked desks/cabinets in safe place • If possible, avoid faxing PI • If faxing is required, double check # and name of recipient before sending
PI - Electronic Information • Hardware – your computer • Any portable computer or mobile device must not contain PI • As extra security, if using a laptop that contains PI, avoid wireless at public locations – turn the wireless feature off • Software – daily usage • Any e-mail that may contain PI must be encrypted • Passwords to computers must not be left out in the open (under the mouse pad, keyboard, etc.) • Passwords have to meet the minimum requirements • Data files – protection of files with PI • Files containing PI should be password protected and never taken off site • Never send PI by text, instant message, or social networking • If it is necessary to take files with PI off site, the files must be on an encrypted laptop or flash drive protected by a secure password
Health Insurance Portability and Accountability Act - HIPAA • The HIPAA Privacy Rule provides federal protections for individually identifiable health information held by covered entities and their business associates and gives patients an array of rights with respect to that information. • The Privacy Rule is balanced so that it permits the disclosure of health information needed for patient care and other important purposes. • HIPAA applies to "PHI" (Protected Health Information). This is information that identifies who the health-related information belongs to – names, email addresses, phone numbers, medical record numbers, photos, driver's license numbers, etc. If you have something that can identify a person together with health information of any kind (from an appointment, to a list of prescriptions, to test results, to a list of doctors), you have PHI that needs to be protected per HIPAA. ePHI is simply PHI that is stored or transmitted electronically (e.g. via email, text message, web site, database, online document storage, fax, etc.).
HIPAA Applies to – Covered Entities and everyone touching PHI • Health plans: with certain exceptions, an individual or group plan that provides or pays the cost of medical care. • Health care clearinghouses: an entity that processes or facilitates the processing of health information from various organizations, i.e. reformats or processes the data into standard formats. • Health care providers: providers of care, services, or supplies related to the health of an individual. • The HITECH additions to HIPAA extend HIPAA compliance requirements to all Business Associates of Covered Entities. Further, the Omnibus Rule requires that all Business Associates of Business Associates also be compliant – everyone in the chain of companies from the Covered Entities onward needs to be compliant! Even law firms need to comply with HIPAA where they come into contact with PHI. • Note: Individuals (unless they fall into one of the above categories) do not have to be HIPAA compliant. So, for example, it is "OK" for a patient to be non-compliant in communicating with his doctor; however, the doctor must be compliant when communicating back and must handle the patient's communications in a compliant manner once received.
Wrap-up • Virus/Spyware/Malware/Adware • SPAM/Phishing • Firewall • Wireless • Passwords • Windows 8/Apple • Mobile Devices • Encryption/Backup • Cloud Hosting • IT inhouse/outsourced • 201 CMR 17 • HIPAA- www.hhs.gov/ocr/privacy