Friday, October 5, 2012

GHC12: The Internet Enables All the Worlds Hackers to Attack Your Computers 24/7. Are we secure enough yet?

Susan Lincke (University of Wisconsin),starts out with the question: Are we secure enough, yet? Looking at all of the attack reports on the news - NO! If the big companies can't get it right, what are the chances for the little companies doing it correctly?

Dr. Lincke got a grant from the NSF to create a security workbook. A security how-to with goals that non-professionsals can easily use it. It covers things like code of ethics, risk assessment and how to protect this data. It's a workbook, so a lot of the items are skeletons that you need to fill in for your specific needs and gives you a method for calculating expected loss for all of these risks.

The workbook also introduces concepts like recovery time (interruption window, service delivery objective, and maximum tolerable outage) and terms (recovery point objective and recovery time objective).

It also helps with security classification guidelines for the data, like what type of stuff should be confidential? In a medical office, that would be data covered by HIPPA, for example.

The workbook covers concepts like network security and helps people define which services and data can leave the local network. The same concepts can then be applied to the physical security map - like, which rooms can a patient walk around unmonitored?

All of this requires an incident response plan - what to do if you get a virus? What lessons can you use going forward to prevent future infections or attacks.

I think this is a great idea - I think about a small dental office, which does need to protect patient data, but probably haven't considered this because the concepts are foreign to them and seemed too difficult to begin to approach.

This post syndicated from Thoughts on security, beer, theater and biking!