
personal IT security for health professionals

introduction

  • most doctors tend to have a complacent attitude to the security of their personal computer and mobile devices
  • until it is stolen and they realise not only that they have not backed it up adequately and that it will take a lot of man hours to configure a replacement device, but also that their personal lives and potentially confidential information relating to their patients and colleagues may be in the hands of those one would prefer not to have access.
  • passwords less than 20 characters are said to be easy to crack using brute force techniques
  • having said that, it is likely that a thief stealing a laptop or other device is just wanting to convert it into cash and indeed they are unlikely to financially gain from any of the contents, as any sensible owner will take immediate steps to change account passwords and cancel credit cards if this data was stored on the computer, but nevertheless, such a loss will cause stress and much inconvenience and time wasting.
  • be aware that there are a few gotchas associated with theft of your personal belongings from work:
    • hospital insurance may cover loss of stolen goods within the hospital if no other insurance covers it (you may be up for an excess of $2500), but perhaps incidentals such as need to change car keys or house keys may not be covered.
    • the cost of having your car keys changed may be ~$2000 for some models. AAMI will only reimburse you up to $1000 and that is after the excess has been paid; in other words, AAMI may only be giving you $500 net to cover your $2000 key changeover, and if you do not take “reasonable” steps to ensure the safety of your car by changing the locks and not driving it to a hospital car park until they are changed, they may not cover you if your car is then stolen!
    • a similar scenario would apply to your house keys if they are stolen.
    • your house and contents insurance is unlikely to cover any items used for business use

basic rules

backup to at least 2 separate devices

  • if your data, photos, etc are important to you, make sure it is backed up adequately and frequently so there are at least 2 separate copies in different locations at all times
  • it is very easy to lose 1 copy unexpectedly through accidental deletion, corrupt files, hard disk failure, loss, or theft.
  • hard drives do fail - it seems Hitachi and Western Digital are much better than Seagate in this regard 1)
  • writing to an external hard drive formatted in NTFS from a MacOS computer may corrupt the drive formatting - do NOT do this!
    • use ExFAT formatting for external hard drives

protect and encrypt data

  • password protection
    • password protect sensitive Office documents and zip files
    • consider password protecting links to shared files on DropBox:
  • encrypt important data
    • see encryption of drives at bottom of this document
    • remember, on public WiFi others may be able to see unencrypted data and passwords you send to the internet - use encrypted connections (use https websites not http, or use a VPN)
    • encrypt files or folders which you sync to online cloud services such as DropBox, SkyDrive or GoogleDrive
      • see BoxCrypt - free for private use for up to 5Gb data on only 1 service and max. 2 devices - just don't lose your password!
  • erase data if device is stolen
    • set iPhone to automatically erase all data if > 10 failed PIN tries
    • consider installing remote access capability to remotely wipe the data - easy on an iPhone, not so easy on computers but possible using remote desktop technologies such as LogMeIn
    • unfortunately this will not help if thieves steal it from you while you are using it as can happen in public places, or if they force you to unlock the phone

physically secure devices

  • don't take sensitive data in mobile devices such as laptops unnecessarily and if you do, ensure reasonable physical security measures to avoid theft

enable two-factor security for accounts

portable mobile devices

  • the easiest way to get to your bank account is via accessing your email by stealing your smartphone and accessing it - either by taking it while it was unlocked or by using sophisticated tools
  • once they have access to your email account and your phone they can reset your online passwords and take control of your accounts, locking you out of your email accounts

iPhone and iPad

  • ensure you have the latest firmware installed
  • set a PIN code that will not be too easy to guess (ie. NOT 1234)
  • in Settings:General set the following:
    • Auto-Lock to 1-15 minutes or Immediate
    • Passcode Lock = ON, Siri = OFF (disable Siri bypassing PIN-locked phone status), Erase Data = ON (automatically WIPE / ERASE ALL data from device after 10 incorrect PIN code attempts - this is critical otherwise thieves WILL be able to hack your pin code)
  • in Settings:iCloud set:
    • Find My iPhone = ON (this will enable you to locate your phone via another Apple device or via iCloud if lost as long as it is on and has network access, it will also allow you to remotely wipe all the data, then you can contact your telephone network provider to cancel the microSim card)
    • account = your iCloud account (NOTE if you share your iTunes account with family members, ensure you have your own different iCloud account)
    • turn backup ON for all items you wish to back up to iCloud (in particular, Contacts, Calendars, Reminders, Bookmarks, Documents and Data); you may wish to not back up your Photostream to iCloud to save space as you only get 5Gb free.
    • Storage and Backup: iCloud Backup = ON
  • if you are negligent, lazy or just plain foolish and have not set a security PIN to lock the phone, you have a last chance to do this if it is stolen or lost: use Find My iPhone (assuming you have at least enabled this function, have an iCloud account set up, and know your login and password for it) to set the PIN and lock the phone, and at the same time send a message to the finder to call a phone number, which can be called from the phone even whilst it is locked.
  • if you forget your PIN, here is how to remedy it but you must have access to a computer which has been used to sync that phone before - see http://www.gottabemobile.com/2014/04/30/what-to-do-if-you-forgot-your-iphone-passcode/
  • anyone with forensic software such as Elcomsoft iOS forensic toolkit / Elcomsoft Phone Password Breaker (EPPB) / Oxygen / Cellebrite can get past your iPhone/iPad password if they have your iPhone or iPad
  • hackers can also use tools such as iBrute to hack your iCloud account password and download your entire backup onto their iPhone
  • NOTHING on the internet is totally secure!!!

laptop and desktop computers

  • very basic security is to ensure all users must log onto the computer with a password or biometric fingerprint access
  • ensure only reliable and knowledgeable users have admin rights; all others should have guest account rights only, to reduce the risk of viral attacks as well as physical attacks.
  • Of course, you need up-to-date antivirus software and a firewall installed to help prevent viral attack, but even then you must be aware NOT to click on links within phishing scam emails, SMS or social media messages, and don't respond to or give out passwords or the like to cold-call phone calls which purport to be from Microsoft or the ATO, etc.
  • the above might seem OK but most computer literate guys can hack through all your information with ease if they have physical access to the computer
  • sure you can password protect individual important files such as Microsoft Word, Excel and databases, but these won't protect everything such as your email, contacts and general documents and in any case, these passwords tend to be quite low levels of security which can generally be accessed by a determined person.
  • furthermore, when you delete a file, the file is not actually deleted from the physical drive but only appears to be deleted - a computer savvy person can analyse the raw data on a drive to detect this data. If it is really important, after deleting the file, either add non-sensitive data to fill the drive up and over-write the data, or use special software to securely erase the data.
  • a particular risk is the use of USB drives which are extremely easy to have lost or stolen.
  • your peace of mind is likely to be far more important than this poor attempt at security, so YOU MUST ENCRYPT your data as well as ensure it is BACKED UP!!
  • if your laptop has security technology from Absolute pre-installed in the BIOS at the factory, then you have the option of paying a subscription for their LoJack for Laptops software to activate this technology, which will allow you to remotely delete files and lock down the laptop as well as potentially locate it in a similar manner to your iPhone or iPad.

backing up Windows PC

  • Microsoft have deprecated their Windows 7 backup technology and replaced it with a new backup technology in Windows 8 and Windows 8.1 which they call File History
  • However, you can still use the Windows 7 system as it has been renamed as “System Image Backup” (in Windows 8 it was called Windows 7 File Recovery) which can be found in left lower corner of the Windows 8.1 Control Panel : File History
  • Windows 8 File History:
    • backs up files automatically (if turned on) to a designated external drive
    • if you disconnect your removable hard drive or the network share becomes inaccessible for a period of time, Windows will create a local cache of files to save on the drive when you next connect it
    • BUT ONLY backs up files in your “libraries”, desktop, contacts and favourites, and you can specifically exclude folders
    • to force another folder to be backed up, you can simply add it to one of your libraries
      • unfortunately, this may have the unintended consequence that all these files will then be displayed in your Metro app (for instance if you have a folder of all your photos as a backup but only have your best photos in a photo library, you will end up with ALL your photos displaying in your photo app if you include that folder in your library so it can be backed up)
      • you may prefer to just manually copy these other folders to an external drive
    • the backed up file can be accessed via either:
      • right click a folder or file in Windows Explorer and select history, or,
      • use the Restore personal files link in the File History Control Panel

encrypting disk drives

MS Windows computers

MS BitLocker software

  • unlike EFS, BitLocker does not depend on the individual user accounts associated with files. BitLocker is either on or off, for all users or groups.
  • thus to prevent other Windows users accessing your files, you still need to use another encryption tool such as EFS or VeraCrypt
  • if you are a MS Windows user buying a new computer or wishing to upgrade the operating system, then you should strongly consider buying the PRO or ENTERPRISE version of MS Windows 10 64bit (assuming you have a computer with 4Gb RAM or more to run the 64bit version, otherwise get 32bit).
    • the reason for this is that the PRO and Enterprise are the only versions to include BitLocker drive encryption software which will make your life so much easier than other encryption software.
    • it will also allow encryption of your removable drives including USB drives
    • unfortunately, it may not be as easy as one would like, but that is the price to pay for peace of mind.
    • in particular, you may have to enter the very long recovery key if recovery mode is triggered, such as with any hardware change!
  • BitLocker requires the Trusted Platform Module (TPM), a special microchip in some newer computers that supports advanced security features.
  • unlike EFS, it can only be enabled or disabled by an Administrator user.
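
The check below is an added example, not part of the original page: run from an elevated PowerShell prompt on a Windows edition that includes BitLocker, it reports whether a TPM is present, lists every volume with its encryption state, and warns about any volume that is not fully protected or has no recovery password. It prints only the recovery key ID, so you can match it against the copy of the recovery key you stored elsewhere.

```powershell
#Requires -RunAsAdministrator
# Added example: audit BitLocker state on every volume this computer can see.

# BitLocker normally relies on the TPM chip, so report its state first.
$tpm = Get-Tpm
"TPM present: $($tpm.TpmPresent)   TPM ready: $($tpm.TpmReady)"

$report = foreach ($vol in Get-BitLockerVolume) {
    $protectors = @($vol.KeyProtector)
    # A RecoveryPassword protector is the long recovery key asked for in recovery mode.
    $recovery = @($protectors | Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' })
    [pscustomobject]@{
        Drive       = $vol.MountPoint
        Type        = "$($vol.VolumeType)"          # OperatingSystem or Data (includes USB drives)
        Status      = "$($vol.VolumeStatus)"        # e.g. FullyEncrypted, FullyDecrypted
        Protection  = "$($vol.ProtectionStatus)"    # On or Off
        Percent     = $vol.EncryptionPercentage
        Protectors  = ($protectors.KeyProtectorType | ForEach-Object { "$_" }) -join ', '
        RecoveryIds = $recovery.KeyProtectorId -join ', '   # the ID only, never the key itself
    }
}

$report | Format-Table -AutoSize

foreach ($row in $report) {
    if ($row.Protection -ne 'On' -or $row.Status -ne 'FullyEncrypted') {
        Write-Warning "$($row.Drive) is not fully protected (status $($row.Status), protection $($row.Protection))."
    }
    elseif (-not $row.RecoveryIds) {
        Write-Warning "$($row.Drive) is encrypted but has no recovery password protector."
    }
}
```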

VeraCrypt

  • as of May 2014, TrueCrypt is no longer maintained and thus is no longer secure; however, VeraCrypt has taken this on and provides a new and backward-compatible system
  • see http://truecrypt.sourceforge.net/ on how to convert existing TrueCrypt volumes to BitLocker volumes

VeraCrypt:

  • if you don't have BitLocker, or you wish to block other users accessing your files, then consider VeraCrypt, which is free-for-non-commercial-use, open source encryption software that can also be used on MacOS and on external hard drives.
  • to read a VeraCrypt encrypted file volume, VeraCrypt must be installed on the computer (this requires local admin rights, so it is unlikely you can use a hospital computer to read your encrypted files, although once installed, a non-admin can read/write to the encrypted volume as if it was another drive once VeraCrypt has mounted it as a drive using the correct password).
  • consider creating a backup of the header in case it gets corrupted and makes your data inaccessible even with a password
  • allows various types of encryption to be created:
    • file volumes on a drive which must be mounted as a drive via TrueCrypt software and password
      • can use hidden volumes but these can be problematic as adding data to the outer volume may corrupt the hidden volume accidentally unless you have set this not to happen each time you mount the outer volume.
    • non-system partitions - not recommended for beginners
    • system drives including the operating system
      • creates a Rescue Disk boot CD and uses the original password made at time of this disk. This allows:
        • boot from CD for those not wanting to install the TrueCrypt boot loader onto the hard drive as they use alternate boot loaders
        • restoration of a corrupted HDD boot loader
        • restore corrupted master key of a normal or outer partition/drive
        • restore volume header of hidden volume
        • decrypt a corrupted encrypted operating system drive to allow MS Windows boot disk to repair it
      • can encrypt a Win7 64bit system drive but not a MacOS system drive
      • requires user to enter a pre-boot password authentication - you must have pre-boot support for USB keyboards enabled in the BIOS

warning - possible data loss

  • deleting the encrypted file volume is very easy to do accidentally as it seems like any other file but without an extension - deleting it will lose your data inside it!
  • the encrypted file volume is at risk of being corrupted and permanently inaccessible if you do either of the following:
    • place data in a hidden volume and forget to go through the correct process to protect it when mounting the outer volume and then add data to the outer volume
    • physically remove a removable mounted encrypted drive before using VeraCrypt to dismount it - very easy to pull the wrong USB cable out!!

removing VeraCrypt encryption

  • system partition - just decrypt
  • file volume - mount volume, copy any wanted files elsewhere, dismount volume, then delete the volume file
  • partition-hosted volume - use Computer Management to reformat the partition after extracting any required data from it and dismounting it.
  • device-hosted - use Computer Management to “Initialise Disk” and create a new partition

MS EFS folder encryption

  • an old encryption technology introduced in Microsoft Windows 2000 and the NTFS 5.0 file system
  • the encryption applies at the user account level, and thus is not suitable for encrypting the system files (unlike BitLocker)
  • it is easily hackable (unless you also use BitLocker)
  • mainly only useful for preventing other users readily accessing your files.
  • the EFS system uses both public and private key encryption and CryptoAPI architecture.
  • if you have Windows XP or later and Home Premium edition or higher (but EFS is not fully supported on Windows 7 Starter, Windows 7 Home Basic, and Windows 7 Home Premium), and your drive is NTFS and not FAT32, then you may consider using EFS folder encryption
  • right click on the folder in My Computer, and select Properties then in the dialog box, under General, click on Advanced, then there is a checkbox to tick Encrypt data
  • if you do this, not even an Admin can open the files you create in this folder, although they can view the contents of the folder
  • one of the distinguishing convenient features of EFS is that the files remain encrypted when they are transferred to a different folder or to a different NTFS drive.
  • access to these encrypted files may be lost if either:
    • system does not boot (you can't just attach the hard drive to another computer as the encrypted folder will not be readable)
    • the user's password has been reset by an administrator without entering the old password
    • the user profile has been deleted
    • the user is migrated to a different domain
    • operating system is re-installed
  • THUS BEFORE USING EFS, SET UP THE EFS RECOVERY AGENT AND BACK UP the private key and the associated recovery certificates for each user account who will be using encryption
    • if you do not have a back up copy and your operating system becomes corrupted or fails, you may NEVER be able to access the encrypted files although Advanced EFS Data Recovery software may be able to recover the data in certain circumstances
    • these should be exported to a removable media which is stored safely away from the computer
    • for best security, these should be removed from the computer
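
One way to make the backup described above, as an added example that is not part of the original page: it finds the logged-in user's EFS certificate, exports it with its private key to a password-protected .pfx file, and then re-opens the file to confirm the backup is readable. The folder E:\efs-backup is an assumed location on removable media; change it to suit.

```powershell
# Added example: back up the current user's EFS certificate and private key.
# $BackupDir is an assumed path on removable media, not a path from the page.
$BackupDir = 'E:\efs-backup'
$EfsOid    = '1.3.6.1.4.1.311.10.3.4'   # "Encrypting File System" key usage

# EFS certificates live in the user's personal certificate store.
$certs = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $EfsOid }

if (-not $certs) {
    Write-Warning 'No EFS certificate found: this account has not encrypted anything with EFS yet.'
    return
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$password = Read-Host 'Password to protect the backup file' -AsSecureString

foreach ($cert in $certs) {
    if (-not $cert.HasPrivateKey) {
        # Without the private key the certificate cannot decrypt anything.
        Write-Warning "$($cert.Thumbprint): private key is not on this computer, nothing to back up."
        continue
    }

    $file = Join-Path $BackupDir "efs-${env:USERNAME}-$($cert.Thumbprint).pfx"
    Export-PfxCertificate -Cert $cert -FilePath $file -Password $password | Out-Null

    # Re-open the backup with the same password to prove it can be read back.
    $check = Get-PfxData -FilePath $file -Password $password
    if ($check.EndEntityCertificates.Thumbprint -contains $cert.Thumbprint) {
        "Backed up and verified: $file (certificate expires $($cert.NotAfter.ToShortDateString()))"
    }
    else {
        Write-Warning "Backup $file could not be verified, do not rely on it."
    }
}
```

Run it once for each user account that uses EFS, while logged in as that user, and keep the password somewhere other than the removable media.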

external portable hard drives

  • these are now very cheap but unfortunately the vast majority are minefields for security disasters, unless you use the above encryption technologies.
  • a far better, albeit more expensive, alternative is the new drives with biometric fingerprint access and built-in encryption, which are also less likely to self-destruct when dropped than normal drives.
it/security.txt · Last modified: 2021/06/19 19:43 by gary1