Columbus HMIS : Questions and Answers about Data Security
The purpose of this document is to outline and address security issues in the new Columbus HMIS. Security concerns include anything that could compromise the confidentiality or availability of data, either by allowing access to unauthorized users or disallowing access to authorized users.
Why should we be concerned about Security in the Columbus HMIS implementation?
First and foremost, we are concerned about security because we are collecting highly personal information about the men, women and children for whom we are providing services. As the guardians entrusted with this personal data, we have both a moral and a legal obligation to ensure that it is being accessed and used appropriately. This concern extends from the thorough explanation of a client consent form, to the encryption of data traveling over the Internet, to the physical security of the data-warehousing server, to the policies governing the release of this information to the public, government and funders. While the data we collect is not likely to be targeted by hackers, thieves or insiders (we hold no transferable financial information and we are not companies worth embarrassing), the nature of the information itself and the vulnerability of the populations we serve demand the highest standards. We strive not just to comply with our legal obligations of confidentiality, but to exceed them in the interests of our clients.
Why should we worry about security now?
Good security practices begin with the unrealistic expectation that the worst will happen, and that it will happen soon. Therefore, any discussion of security necessitates an attitude of paranoia. Addressing security issues early in the implementation of a new computer system allows those concerns to be integrated at the design and training level, and to become a part of the background of daily operations. Once security is incorporated into the daily routine, the user is freed to concentrate on the operational tasks at hand.
Where is confidential client data vulnerable in the ServicePoint data-tracking system?
In order to pinpoint points of vulnerability, it is important to understand the structure of the Columbus HMIS. ServicePoint is a web-enabled database application. This means that both the data and the software program itself are stored on a central server that is accessed via the Internet. In our case, this central server is located at the Bowman headquarters in Shreveport, LA. In order to run the ServicePoint application and enter, view, change or retrieve client data, agencies connect to a secure website via their own connection to an Internet service provider (ISP) and the Internet. This secure website relays information to the ServicePoint program and core database. ServicePoint requires no unusual software or hardware on connecting agency computers other than a connection to the Internet. This is because all processing and storage is done on the central server.
All computer systems have particular security risks associated with using them; although there is currently a strong cultural focus on risks associated with using the Internet, security concerns are not unique to web-enabled applications. Points of vulnerability are places in any system at which data could potentially be accessed, viewed or changed by an unauthorized person, or places at which the flow of information could be intentionally disrupted.
Points of vulnerability in our ServicePoint implementation include the central server, the electronic pathway from the server to the connecting agency computer, and the connecting agency computer itself. A connecting agency computer is any computer that is contacting (making a connection to) the central server. For the purposes of this document, a connecting agency computer could be a CSB computer, or a computer at any connecting agency or program location. While ServicePoint is in use for data entry, confidential client information is entered into the connecting agency computer, travels from computer to computer through the network infrastructure known as the Internet, and is stored on the central server. When data is recalled (displayed on the connecting agency computer), the process reverses, and confidential information travels from the server, across the Internet, to be stored temporarily on the connecting agency computer.
Each point in the process of data transfer has a unique set of security concerns.
WHILE DATA IS ON THE SERVER:
As confidential client data is permanently housed on the central server, the server is most vulnerable to possible attacks. The types of server vulnerabilities are many and varied, and many IT security professionals spend their careers exploring and guarding against new forms of intrusion.
However, in broad terms, attacks targeting the central server might include:
Attacks in which an unauthorized user gains physical access to the server, logs on, and accesses the core database and its confidential contents. Computer authentication issues are very different depending upon whether the user is local (accessing the computer directly through the keyboard) or remote (accessing the computer through an electronic connection, such as a network card or modem). Many forms of attack rely on physical access to the computer housing the database.
Attacks in which an unauthorized user destroys the server itself or the core database, rendering the contents unusable to anyone. This could be a local physical destruction, as might be caused by setting the server on fire, or a remote electronic destruction, such as might be caused by a virus, trojan horse, worm, malicious mobile code or email bomb. This type of attack does not enable unauthorized users to view or manipulate data, but rather focuses on making the data inaccessible to all.
Attacks in which an unauthorized user disrupts the flow of information to and from the server and renders the ServicePoint software useless. This is usually accomplished by flooding a server with data requests of various types. This attack is not specific to the ServicePoint software, and requires no knowledge of the application. It does require knowledge of networking and operating systems.
Attacks in which an unauthorized user electronically gains access to the server and the core database by exploiting coding errors or weaknesses in the server operating system itself. Like a Denial of Service attack, this attack is not specific to the ServicePoint software, and requires no special knowledge of the software. It does require the knowledge of the server operating system.
Attacks in which an unauthorized user gains illegal access through the legal methods of entry provided in the ServicePoint software package. This requires a knowledge of ServicePoint core programming.
DURING NETWORK TRANSPORTATION OF DATA:
Unlike a local area network client-server connection, which relies on private wiring to connect the agency computer and the server, and unlike a direct dial-up connection, which relies on sending information directly over the public telephone lines, an Internet connection sends data through many different computers and over many different media to connect agency and server. The multiplicity of computers and media and the public nature of the web combine to increase the vulnerability of confidential data transmitted through the Internet. The types of attacks on data being transferred through the Internet are many and varied.
Attacks targeting data transmission via the Internet might include:
Attacks in which an unauthorized user presents some form of credentials to the server in order to gain illegal access, including but not limited to:
- Identity interception: an unauthorized user discovers the user name and password of a valid user, and uses it to gain access
- Masquerade: an unauthorized user pretends to be a valid system user (not necessarily an application user) through means that bypass the user name and password; for example, by assuming the IP address of a trusted device
- Replay attack: an intruder records the data packets exchanged from connecting agency to server during an authentication process and plays them back at a later time to gain access
Attacks in which the confidential data packets themselves are actually copied or diverted by an unauthorized user. Instead of using these packets to gain broader access (as in a replay attack), the attacker traps the data for its own intrinsic value – the confidential data contained in the packets. These attacks include both data interception and data manipulation, in which the attacker modifies or corrupts the packets as they proceed to the server.
Attacks in which an unauthorized user creates a web site to mimic the secure server’s web site. Once the false web site is created, authorized users log on and transmit user names, passwords, and confidential data to the unauthorized user. This is also known as spoofing.
WHILE DATA IS ON THE CONNECTING AGENCY COMPUTER:
There is no ServicePoint software installed on the connecting agency computer, and no client data is permanently stored on these computers. However, both client data temporarily stored locally and the user names and passwords of authorized users are vulnerable at the connecting agency. Authorized users do need access to the secure server; the same methods used to connect to the server for legitimate purposes could be used by unauthorized users for illegitimate purposes. This means that user names, passwords, smart cards, and other forms of authorization controlled by the user all represent points of vulnerability. Connecting agencies are highly vulnerable, because it is on the agency side where legitimate users are authorized.
Attacks targeting connecting agency computers might include:
Attacks in which a social situation (for example, a customer service call from a third-party company) is manipulated so that an unauthorized user gains access to protected information, such as client data, or user names and passwords.
Attacks in which an authorized user knowingly or mistakenly gains access to confidential data and misuses it.
Attacks in which an unauthorized user gains physical access to connecting agency computers containing user names, passwords, or confidential data. This is the electronic equivalent to breaking into a locked filing cabinet of client case notes.
How are these vulnerabilities addressed in CSB’s ServicePoint implementation?
In designing our ServicePoint implementation, we have kept the primacy of client confidentiality as a guiding principle. We have made decisions about server location, the addition of third-party security software, and internal policies and procedures with client confidentiality in mind.
WHILE DATA IS ON THE SERVER:
One of the primary reasons for co-locating our database server in Shreveport, LA, at the headquarters of Bowman Internet Systems, was to take advantage of their ability to provide 24-hour a day security and support for our hardware and software. Co-location means that while CSB owns both hardware and software, we pay a monthly maintenance fee for Bowman to provide both server hosting and routine server maintenance. Bowman employs a full time staff of experts dedicated to keeping their clients up, running, and secure, using the latest technology. It is the job of the CSB Systems Manager to maintain a point of contact between Bowman and CSB and keep track of the security issues at our central database.
Our implementation plans include the following protections against the attacks described above:
Our database server and web server are located in a physically secure building, where security guards are employed to monitor security from 7:00 a.m. to 7:00 p.m. Monday through Friday, and from 8:00 a.m. to 4:00 p.m. on Saturdays. During off-hours, a card key is required to enter the building. Within the building, the Bowman offices are also locked with a separate key structure. The server itself deploys the standard security measures available in Windows NT 4.0 to prevent unauthorized local access.
Bowman uses firewalls and standard virus protection software to prevent unauthorized remote access to our database server. A firewall is a software and/or hardware application that blocks all incoming electronic traffic except traffic that is explicitly permitted. Permissions are configured manually by network administrators. A combination of firewalls and virus protection software will detect and prevent most viruses, trojan horses, worms, malicious mobile code or email bombs from damaging our database.
The combination of firewalls and routine monitoring of network traffic by skilled professionals (in our case, Bowman network administrators) will detect and prevent an attacker from flooding our server to the point of failure.
As part of our maintenance contract, the network administrators at Bowman are responsible for updating the server with the latest software patches and fixes of known operating system weaknesses. Keeping abreast of software patches and reports of new vulnerabilities is the best way to avoid falling prey to these attacks.
Because we rely on the same company that created the ServicePoint software to host our server, we can be sure that any security holes discovered in the ServicePoint software running on our server will be addressed by technicians with access to timely and accurate information about the core program. We will not need to rely on second- or third-hand software alerts, or on the installation of patches and upgrades by network administrators unfamiliar with the product. This gives us a great advantage in combating application-specific security issues.
DURING NETWORK TRANSPORTATION OF DATA:
ServicePoint uses Verisign, the world’s largest provider of Internet trust services, to deploy a sophisticated system of digital certificates to address issues of data security over the Internet. Verisign uses a complex solution to mutually authenticate both connecting agency and server, as well as provide 128-bit encryption of data across the Internet, once secure communications have been established. Verisign products are used by many international banking companies which complete financial transactions over the Internet, including American Express. These security measures, while extensive and complex, take only seconds to execute, and will not slow connecting agency login.
Our implementation plans include the following protections against the attacks described above:
Using a public-key infrastructure and signed digital certificates, the latest security technology available, Verisign provides a safe and reliable method of authenticating users. These methods, while they do employ traditional user names and passwords at their base, encrypt data and provide a software-enabled check and counter-check methodology that make stealing identities or masquerading as an authorized user virtually impossible. In addition, these methods produce one-time use session keys that foil a replay attack, as user credentials will never be signed and encrypted in precisely the same way twice.
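The following is an added illustration of the replay-resistance principle described above; it is not ServicePoint's or Verisign's actual protocol (which this document does not detail). It assumes a simplified challenge-response login in which the server issues a fresh random nonce for every session, so a recorded authentication exchange is useless when played back later. The user name and shared secret are constructed sample values.

```python
import hmac
import hashlib
import secrets

# Constructed sample: one authorized user and the server's copy of a shared secret.
# In a certificate-based deployment the proof would be a signature made with the
# user's private key; an HMAC over a shared secret is used here only to keep the
# example self-contained.
USER_SECRETS = {"case_worker_01": b"constructed-shared-secret"}


class Server:
    """Issues a fresh random challenge per login and accepts each one at most once."""

    def __init__(self):
        self.outstanding = {}      # user name -> nonce awaiting a response
        self.used_nonces = set()   # nonces already consumed by a successful login

    def start_login(self, username):
        nonce = secrets.token_bytes(16)      # unpredictable, never reused
        self.outstanding[username] = nonce
        return nonce

    def finish_login(self, username, nonce, proof):
        expected_nonce = self.outstanding.pop(username, None)
        if expected_nonce is None or nonce != expected_nonce or nonce in self.used_nonces:
            return False   # stale, unknown or already-consumed challenge
        secret = USER_SECRETS.get(username)
        if secret is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            return False   # proof was computed for a different challenge (or wrong secret)
        self.used_nonces.add(nonce)
        return True


def client_respond(username, nonce):
    """The connecting agency computer proves possession of its secret for this nonce only."""
    return hmac.new(USER_SECRETS[username], nonce, hashlib.sha256).digest()


def demo():
    server = Server()
    user = "case_worker_01"
    # Legitimate login: fresh challenge, fresh response.
    nonce = server.start_login(user)
    proof = client_respond(user, nonce)
    first = server.finish_login(user, nonce, proof)

    # An eavesdropper recorded (nonce, proof) from the wire. Replaying it immediately
    # fails because the server has already discarded that challenge; replaying it
    # against a new login fails because the new session uses a different nonce.
    replay_same_session = server.finish_login(user, nonce, proof)
    new_nonce = server.start_login(user)
    replay_new_session = server.finish_login(user, new_nonce, proof)
    return first, replay_same_session, replay_new_session


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```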
Verisign provides 128-bit SSL encryption of all data passing from agency to server, or server to agency. Encryption is the translation of data from readable "clear text" into encoded "cipher text" using complex mathematical algorithms. SSL, short for secure sockets layer, is a data transport protocol which encrypts data using a public-key infrastructure. 128-bit SSL encryption is the strongest encryption allowed by the U.S. Department of Commerce; it is estimated that data encrypted with 128-bit encryption would take a trillion-trillion years to crack using today's technology. When data is encrypted, even if packets could be captured or recorded as they travel across the Internet, they could not be decoded and read.
The public-key infrastructure provided by Verisign provides not only authentication of the connecting agency, but also authentication of the web site, and hence, authentication of the hosting server. Authentication is provided through digital certificates verified by Verisign, and is an integral part of the login process. Mutual authentication prevents a rogue web site from masquerading as our secure web site and drawing sensitive data.
WHILE DATA IS ON THE CONNECTING AGENCY COMPUTER:
Because of the nature of ServicePoint, protecting data on the connecting agency computer is more a matter of having adequate policies and procedures than it is a matter of software. There is no software or hardware in the connecting agency to be configured to prevent a breach of security. Only following clear and appropriate security policies can significantly minimize risks. Along with requiring HMIS Agency Agreements for using this software which will address some security concerns, CSB will also provide clear and thoughtful policies and procedures to govern its use. These policies will cover all users at all levels of use, including partner agencies as well as the CSB staff.
Our implementation plans include the following protections against the attacks described above:
The biggest deterrent to social engineering is clear policies and procedures. It is much harder for users to be manipulated into providing confidential information if they have clear rules to follow when providing such information. CSB will provide clear and thoughtful policies and procedures around issues of ServicePoint data confidentiality, and confidentiality of user names and passwords. These procedures will be designed to speed problem resolution and minimize the chance of a user being manipulated into divulging confidential data through confusion or a sincere desire to help someone in need.
ServicePoint provides several levels of user access to the database. Each level has access only to a particular subset of client information, and each level has a specific and limited ability to manipulate information. Through ServicePoint training, CSB will provide clear "job descriptions" for each level of access, to ensure that Site Administrators assign an appropriate level of access to each user. We will also provide clear protocol and procedures for handling data needs and requests that fall outside of a user’s job description. Finally, we will provide clear procedures for handling changes in user access levels and user names, as well as procedures for password recovery and other access issues. These procedures will be designed to clarify and streamline the daily work of legitimate users, and minimize the chance of legitimate users misusing privileges even towards legitimate ends.
Connecting agency computers are necessarily more physically vulnerable than our central server. As no ServicePoint data is stored on the local computer, the physical vulnerability of these computers does not necessarily constitute a significant threat to client confidentiality. However, any user access data, such as a password, that is stored on a computer or in a written file, does constitute a risk to client confidentiality. The ServicePoint policies and procedures will include provisions for the appropriate handling of user access data.
Through all these methods, the Community Shelter Board will provide a confidential environment for client data.
Given these vulnerabilities and our means of addressing them, what are the most likely security breaches in our system?
Almost every hacker or industrial spy who has ever been interviewed about her or his technique has stated that the most valuable tool in obtaining confidential information is social engineering. It is far easier to gain a user name and password from the user him or herself than it is to electronically "trap" a password over the Internet. Think about how many people in the average organization have a post-it on their computer monitor with their password written on it. Think about how many people leave their programs with blank passwords or with the default user name and password still active. Think about how many users double-click on emails containing viruses despite repeated warnings. It has proven remarkably easy for those intending harm to carry out their plans without having to employ any technological skills.
In a secure setting, the individual user is the biggest threat to confidential information.
What should we do with this information?
Security will always be an ongoing concern. As the ServicePoint implementation goes forward, we ask all users to keep these security issues in mind. Ask questions, and suggest ways we can ensure the confidentiality of client data. And above all, remember the men, women, and children these security measures protect.
Community Shelter Board 614-221-9195 info@csb.org