Securing the World-Wide-Web

1
Securing the World-Wide-Web
P.R. Smith Academic Computing NYU School of
Medicine
2
Definition
Secure safe against attack,
impregnable, reliable, certain not to fail
or give way.
3
Definition
WWW - Transport of information http -
HyperText Transport Protocol -
Information on all the servers connected
to the Internet.
4
Primary Message of this Talk
Success of a WWW site depends on the integrity of
that site, on whether it is viewed as reliable
and secure.
5

• Why do I want a web site?
• Everybody is doing it
• Impress the CEO.
• Im not busy enough I need a hobby.
• My organization has important
• information to communicate that will
• improve its ability to do business.

6
Planning Who do I want reading my site? What
services will I offer? How will they be managed?
7
Who do I want reading my site? Careful
inventory of the sites potential
readership. Identify the needs of the groups and
the kinds of information services they will
require. To be successful, a site needs
regular readers.
8
What Services will I offer? What information
resources are available here? What is available
now? What new materials will need to be
developed? What materials will be available from
other locations on the net? How long will they
last?
9
Management Environment WWW is an institutional
resource To be successful, the WWW effort needs
support from the highest level. Mobilize
resources. Senior management can mandate change
in the environment. You probably cant.
10
Management Manage Access Manage Services
11
Policy Issues Control of Physical Access To
machine rooms, lab equipment, stand-alone
servers. Control of Logical Access SAF, Access
via network, Audit trails, Access to
Communications. Data Integrity
Control Separation of duties and function,
Verification of data equipment. Ethical
Issues Private vs Corporate use, Criminal
Activities Preventive Measures Backup,
Archiving, Encryption, Disaster Recovery.
12
Security Model Data Steward Owns, or is
responsible for the Data Data Custodian Stores/pr
ocesses the data Data User Internal,
External Data Assessment Classification Public
Internal Resricted Confidential Security
Monitoring and Audits Exceptions, Emergencies,
Violations, Punishment
13
Security Policies Mandated at the Highest
Level Necessary, since they implement the
Institutions vision. Clearly Stated As far as
possible, written in terms all understand. Known
to All Establish a single security-concious
culture for ALL data users. Security
Acknowledgement Form Ubiquitous Policies apply
to all individuals, internal, external Enforced
Consistently Common process, CEO, faculty, staff,
contractors.
14
pursuit of the defenseless impeachment of the
irreproachable punishment of the
innocent exculpation of the guilty promotion of
the incompetent
15
General Principles of Data Security
Collected appropriately with accuracy Protected
during Transport and Storage against damage
against loss Accessed only with authorization
Archived so as to be recoverable Deleted so
that no trace remains Audited so that activity
can be traced
16
Authentication Identifies Individuals Uniquely.
Allows you to be sure that Bob really is Bob
and not Joe. Schemes include simple passwords,
one-time passwords, Secure-ID, Kerberos,
fingerprints, retinal scans. Authorization Establ
ishes what Individuals may do. If you are
authenticated as Bob you may look at Outpatient
Lab billing data, but not the lab results. If
you are Dr. Joe you may see both. Audit Audit
logs track creation, modification and access of
data and services.
17
What is Security in Relation to the WWW?

• Services offered on the Web are diverse.
• Security needs are service- specific.

18
What Services can be offered on the WWW?

• Document Services
• Static information.
• Anonymous client selects links or search
  parameters.
• Interactive Services
• Identifiable information is elicited from client.
• Registration forms, credit-card payments,
  on-line examinations, clinical lab results,
  purchase movie tickets...

19
Interactive Services Professional Advice
Second opinions, treatment options. Medical Data
/ Patient Records Records from other
sites Payment for Services Pay hospital,
doctor, therapist, HMO ....
20
Services Some Basic Issues Who owns
them? Individual? Department? Third
Party? Where are they hosted? Institutional
Server? Department Server? Student Dorm? Who
gets to see them? Everybody? Just this site? A
limited group? Nobody? Who decides? Me? My boss?
The web committee? The lawyer? How do you
resolve CONFLICT? Shoot them all?
21
Management Team Institution-specific Oversight
Committee Webmaster Web Technician / Associate
Webmaster Graphic Designer Programmer Systems
Manager
22
WWW Security Issues Accuracy of the
information Integrity of the server Secure CGI
programs Secure Java/Script applets Secure
transport to client Bug-free browser Selective
management of cookies Sensible, honest, user.
23
Document Security Document/Information
Accuracy Who may create a document? What are
update policies? Does a document expire? How does
a reader know to trust the information? Signed
documents. Disclaimers. Access control (by
location, password) Integrity of the
Server Access to the server is tightly
controlled only authorized individuals can make
document changes. Rigorous password policies. NFS
access. Secure CGI and Java/Script Careful
design and testing to detect security defects.
24
Secure Transport to Client Are Networks
Safe? Yes. And no. There are no absolutely
clear answers. Decision requires a risk
assessment by the Institution. Result depends on
the perceived risks and the tools available to
manage them. Is the Internet Safe for Medical
Data? Yes. And no. Review tools that enhance
secure data transport. SSL, https Phone system.
School Buses.
25
Secure Client Is your Browser Secure? Yes. For
the most part, browsers (Netscape / Explorer)
are secure. However, there are known bugs in
some versions. Few people are diligent in
obtaining the latest fixes. What about
Cookies? Cookies are data left by a server to
allow you to be identified next time you
connect. Users Users are dishonest. They steal.
They lie. They take your stuff and pretend it
is their own. They treat confidences as gossip.
They are the root of all evil.
26
Risk Assessment Evaluate Current Practices.
What are people actually doing? Who actually
reads records? Do they need to? Does it
matter? Distinguish Policy and Actual Practice.
Sure you have a policy that medical records not
leave the floor so why is the attending walking
down the street with those files? How are you to
deal with that? Consistent Policy Cant protect
one area and leave another wide open. This is a
significant problem with electronic records.
Useless having triple passwords on the computer
and allow anyone walk into the records room.
27
The Mediæval Security Model
Highway
Small Walled Town
Cross-Roads
Homestead
Walled City
City Gate
Hamlet
Highway Robbers - outside Footpads/Pickpockets -
inside
28
Firewalls and Proxys Firewall Stands
between two networks and limits connections
between the inside and the outside. Usually,
between your net and the Internet, but sometimes
between different parts of a single corporate
net. Proxy Allows web users to access the
Internet without having direct access. The proxy
server passes requests out and redirects packets
that return.
Firewall/Proxy
Internet
29
Security Assumption Inside my Walled City Im
Safe In principle, I should have more control
over users, network access and desktops. In
fact, this may not be true. Outside, Im
Vulnerable. There is a concern that network
traffic outside is vulnerable to theft. In fact
data on the Internet is probably much
safer. Vulnerability arises again as soon as
packets enter someone elses local network.
30
Packet Sniffers Sniffersees all packets on
the local Ethernet segment.
Node
Node
Node
Sniffer
31
A Switched Network Defeats Sniffers The switch
sends data to each node separately. Nodes dont
see each others data.
switch
Node
Node
Node
Sniffer
32
Defeat Sniffers with Encrypted
Traffic Sniffersees all packets, but cant
read any of them.
Node
Node
Node
Sniffer
33
Encryption Encryption protects data by
scrambling it in a recoverable way. Strong
encryption is hard (maybe impossible) to
crackwith a computer. Weak encryption is
easier. Private Key Encryption. A single key
(string of characters) is used to encrypt and to
decrypt a message. To be secure, the private key
has to be a secret shared by the people who share
the encrypted information. Public Key
Encryption. Keys are used in pairs, one is used
to encrypt a message, the other to decrypt it.
One key is called the public key and is
distributed freely. The private key is kept
secret, known to a single individual. Key
length. Lengths are counted in bits. Messages
encrypted with long keys (gt56bits) are hard to
crack.
34
Public Key Encryption Establishing
Trust Public Key Certificate - associates a
given public key with an individual (or a role)
through the signature of a trusted
authority. PGP Web of trust I trust this key
because I trust Joe and Fred who signed the key.
Good for e-mail, but scales poorly. X.509 A
trusted certifying authority signs keys.
Verisign, ATT Used for the Web, scales well, but
many certificates are worthless.
35
E-Mail Used widely for message
exchange Plain-text E-mail messages are not
secure. SMTP transfers mail in multiple hops to
destination. Mail can be viewed at each one.
Postmasters get bounced messages.
Origin
Destination
Solution Mail packages that allow end-to-end
encryption of messages and attachments Management
issue Postmaster must be an Institutionally
trusted individual.
36
Who Owns Patient Records? Professional Records
are owned by the professional who collects them,
either personally or as an agent of an
institution. Who can Access Patient Records? The
Patient can always get access, albeit with
difficulty in some cases. Payor as a part of an
audit has access to establish quality of
care. Many non-professionals have anecdotal
access as a part of their job functions (unit
clerks, finance clerks, phlebotomists, ...) Who
Doesnt have Access? Just about everyone else
e.g. Hospitals require consent to transfer
records between institutions.
37

• Medical Data Repository
• Database that holds Consolidated Medical Data
  from many patients
• Benefits
• Facilitates communication between in- and
  out-patient caregivers
• Facilitates longtitudinal care for patients
• Provides key information in an emergency
  situation
• Provides data to help establish the
  state-of-the-art
• A resource to compare quality of care,
  care-giver by care-giver.
• Risks
• Many, poorly authenticated or erroneously
  authorized accesses
• Catastrophic loss of the repository can be a
  disaster for patient care.
• Data may be missed due to physician reluctance
  to key-in the data.

38
Why do some people find a Computerized Medical
Record Really Scary? A large-scale attack with
the loss of large amounts of data can be hard to
detect on a compromised computer, and it will
take place really QUICKLY. In the worst case, it
can be mounted from anywhere in the world. A
similar attack to seize paper records on the same
scale may require a truck. You should be able to
spot the truck.
39

• What is Dangerous Information
• Dangerous is defined by the individual
• Broad consensus on many items House keys, SSN,
  ATM PIN.
• Disagreement on other items Gay? HIV?
  Marriages? Abortions? Cholesterol? BP? Mental
  illness? Substance abuse history? Genetic
  profile?
• People want to choose
• How do you lose control?
• Publication. You tell someone. A really good
  friend.
• Inference. Youre sick and are seen visiting a
  physician who specializes in HIV. You visit your
  probation officer.
• Observation. You take Prozac (Anxiety),
  Atenolol (HTN)....
• Someone gets hold of personal records.

40

• Risks to Privacy
• Friends and family
• Colleagues
• Employers
• Insurance Companies
• Landlords
• Coop Boards

41
How do I protect myself and my Patients?
42
Simple Security Measures can make a Significant
Difference Users need unique, robust
passwords Shared passwords, stupid passwords and
passwords that get guessed have been the source
of all the MCs break-ins (that weve
detected). Users must subscribe to your security
goals Protect their passwords, change them
regularly, never share, disconnect from
authorized services when finished, and report
issues that suggest a security
violation. Education / Training
43
Greatest Exposure from Individuals in Positions
of Trust. Network Manager, Systems Manager,
Webmaster, Programmers, Secretary
44
Ask for HELP! Central site Colleagues at other
Institutions Read the Literature Employ a
Consultant
45
Summary Supportive Administration Realistic
policies for security and the Web Create a
culture that supports security Motivated,
technically competent staff A committment to
development change
46
Acknowledgements Bob Holzman, Loren Buhle, Bruce
Kraus, Carey Ramos, Marty Nachbar, Mark Selby,
Anton Saarimaki, Stuart Brown, Suzy Gottesman,
Frieda Pavel, Roy Smith, Marc Waldman, Libby
Flanagan Art Lucas Cranach the Elder, The
Martyrdom of St. Barbara, oil on wood,
Metropolitan Museum of Art, New York.
http//www.yawp.com/cjackson/cranach1/p-cran1-12.
htm Hieronymus Bosch, The Last Judgment (left
and right panels), oil on panel (triptych)
Akademie der Bildenden Künste,
Vienna. http//watt.emf.net/wm/paint/auth/bosch/ju
dge/ Support Provided by the NSF, and the NIH
through NYUs GCRC grant.