Download
protecting personal identity records policy and search tools n.
Skip this Video
Loading SlideShow in 5 Seconds..
Protecting Personal Identity Records: Policy and Search Tools PowerPoint Presentation
Download Presentation
Protecting Personal Identity Records: Policy and Search Tools

Protecting Personal Identity Records: Policy and Search Tools

367 Views Download Presentation
Download Presentation

Protecting Personal Identity Records: Policy and Search Tools

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Protecting Personal Identity Records: Policy and Search Tools Doreen Meyer dimeyer@ucdavis.edu cybersecurity@ucdavis.edu

  2. Securing Personal Information • The problem of the theft of personal information • Policies describing personal information • How to identify personal information • Using Cornell spider to identify personal information • Mitigating risk of exposure of personal information on identified systems

  3. Identity Theft • From the CDW-G 2006 IT in Higher Ed Survey, • 55% reported a security incident • 33% reported data loss of theft • 9% reported loss of student personal data • Identity theft is one of the fastest growing crimes in the US

  4. HIPAA (2003) • HIPAA: Health Information Portability and Accountability Act • Psychological Services • Medical Records • http://www.hhs.gov/ocr/hipaa/

  5. Common Data Sources • Student Health Center records • Human Resources records

  6. CA SB1386 and CA Civil Code 1798 (2003) • Account access number and password • Bank/financial account number • California identification card number • Credit/debit card number • Driver’s license number • Social Security number • http://www.privacy.ca.gov/code/ipa.htm

  7. Common Data Sources • Grant application forms • Travel authorization forms • Personal financial documents • Email • Admission applications • Scholarship applications • DaFIS, BANNER, Financial Aid web sites

  8. FERPA (1974) • Family Education Rights and Privacy Act of 1974 (FERPA) • Class level, class schedule, academic status, grades, instructors, transcripts • Student ID number, Social Security number • Fees paid, loan collection records, financial aid records, etc. • http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html

  9. Common Data Sources • Course rosters • Grant application forms • Homework assignments • Email • Admission applications • Scholarship applications • Banner, Financial Aid web sites

  10. SSN Remediation at UC Davis • Beginning with the students entering in Fall 2000, students were assigned student ID numbers, nine digit numbers beginning with the number 8 • SSNs converted to student ID in 2001 • Staff and faculty have been assigned nine digit numbers, and these numbers may overlap with SSNs and UCD student IDs

  11. Steps to Securing Personal Information • Obtain support from your department administration • Agree on a goal • work directly with the content owner

  12. Steps to Securing Personal Information • Identify a sample data set • Test expressions • Refine and retest • Review resulting log

  13. More steps to securing personal information • Consider key words as search terms (SSN, class) • Using your tested expressions, scan the system. Log data to password-protected CSV file • Work on and store the CSV file on a protected system • Share the results with the content owner and management.

  14. And more steps • Can the data be removed from the system? • If not, can it be encrypted? • What measures can be put in place to ensure the data is secure?

  15. Tools that you can use to identify personal information • PowerGREP • Cornell spider • Both tools are available through http://software.ucdavis.edu • PowerGREP requires approval for subsidy • Cornell spider is free • Guide to Using Spider and Powergrep at http://security.ucdavis.edu

  16. Cornell Spider • Developed by Wyman Miles at Cornell • Cornell spider runs on Mac, Linux, and Windows. The Linux version may be used to scan Windows systems off-line. • Product focus: Windows spider 3.0

  17. Cornell Spider 3 (beta)

  18. Cornell Spider 3 Configuration

  19. Cornell Spider 3 Configuration

  20. Paths to Skip (default) • DELL • I386 • System volume information • WIN • Paths to consider adding to the list? SYMANTEC, for example

  21. File Extensions to Skip • Skip binary files were data cannot be read • Default skip extension list in Spider 3 includes: IDX, HIV, INI, ICO, CHM, INF, JS, ISO, EPS, BKF, TIFF, CPP, MDS, WAV, CAB, WMDB, TTF, VSD, PSD, XML, JPEG, TIF, LNK, TOC, WMB, EXE, GIF, MPG, AVI, JPG, VMDX, WMV, MA, MPEG, MSC, MOV, MSI, MST, SYS, CLASS, BM, MP3, PNG, SWP, DLL, HLP, CSS

  22. Spider and Mailboxes • The windows version of spider 3 cannot evaluate .pst files (outlook, exchange) • The linux-bootable version can only evaluate pre-2003 .pst files • Other mail formats such as the one used by Eudora and other campus email clients can be scanned

  23. What else does spider scan? • pdf • mbox • Excel, Word • Access • OpenXML • OpenDocument • Zip, gzip, bzip • Tar, rar, arj, zoo

  24. Cornell Spider 3 Configuration

  25. Cornell Spider 3 Configuration

  26. Cornell Spider 3 Configuration

  27. Cornell Spider 3 Configuration

  28. Cornell Spider 3 Configuration

  29. Regular Expressions • Windows version uses .NET extensions • Linux-bootable version uses libprce extensions

  30. American Express Credit Card Expression ####-######-##### pattern 1234-123456-12345 example \d{count} expression for number of digits \d{4} \d{6} \d{5} count

  31. Credit Card Expression ####-######-##### pattern 1234-123456-12345 example - luckily, a hyphen is a hyphen in this case \d{4} - \d{6} - \d{5} hyphen

  32. Credit Card Expression ####-######-##### pattern 1234-123456-12345 example \b content \b word boundary \b\d{4} - \d{6} - \d{5}\b

  33. American Express Credit Card Expression \b\d{4} - \d{6} - \d{5}\b

  34. Credit Card Expressions • AMEX American Express Card and _b\d{4} - \d{6} - \d{5}\b\d{4} - \d{6} - \d{5}\b • VMCD and VMCD_b (Visa and Mastercard)\d{4}-\d{4}-\d{4}-\d{4}\b\d{4}-\d{4}-\d{4}-\d{4}\b

  35. SSN Expressions • SSN9 and SSN9_b\d{9} and \b\d{9}\b • SSN324 and SSN324_b\d{3}-\d{2}-\d{4}\b\d{3}-\d{2}-\d{4}\b

  36. UberSSN Expression from U Colorado (?<! (\w|-))(?!000) (?!666) ([0-6]\d\d|7[01256] \d|73 [0123]| 77[012] )([-]?)(?!00)(\d{2})\3(?!0000)(\d{4})(?! (\w|\-))

  37. UberSSN • (?<! (\w|-)) (?!000) (?!666) ([0-6]\d\d|7[01256] \d|73 [0123]| 77[012] ) ([-]?) (?!00)(\d{2}) \3 (?!0000)(\d{4}) (?! (\w|\-)) • Boundary • Delimiter (hyphen or space or blank, same in both cases)

  38. UberSSN from U Colorado • (?!000) (?!666) ([0-6]\d \d |7[01256] \d |73 [0123]| 77[012] ) • Cannot be 666 or 000 • If begins with 0-6, next two digits can be any number • It can begin with 7 and be followed by 01256 then any digit • It can begin with 73 then 0123 OR begin with 77 then 012

  39. Log Options

  40. Steps to Securing Personal Information • If you do find sensitive data on a system, recognize that the following questions need to be addressed in partnership with your department administrators: • Can the data be removed from the system? • If not, can it be encrypted? • What measures can be put in place to ensure the data is secure?

  41. Steps to Securing Personal Information, continued • Follow Cyber-safety guidelines • Maintain a list of sensitive systems • Monitor data access or modification • Restrict access to the system and its data • Use, share, or transfer the data securely • Secure applications that can access the personal data

  42. Campus Security Program • IET supports the Cyber-safety program and a number of tools that assist in protecting personal information, including Tripwire, Spider/PowerGREP, self-directed Nessus scans, and Pointsec. IET will soon support a web application security evaluation product.

  43. Maintain a List of Systems Containing Sensitive Data • Catalog the system name, IP, owner, type of service running on the system, type of sensitive data residing on the system • Share this information with the technical support staff and the unit administrative managers • Confirm and update this information on a regular basis

  44. Monitor When the Data is Accessed or Modified • Use Tripwire to identify file and directory changes. • Write logs to a central logging server (syslogng, snare, MOM). • Turn on auditing of successful and unsuccessful logins. • Read your logs on a regular basis.

  45. Restrict Access to the System and its Sensitive Data • No group accounts (cannot audit access) • Access system and data using encrypted protocols such as ssh (sftp, scp), ssl (https), rdp, ipsec • Evaluate physical security • Use host-based and hardware firewalls

  46. Use, Share, or Transfer Restricted Data Safely • Do not use email to send unencrypted restricted data. • Do not use restricted data as a key in a database. • Do not use restricted data on a test or development system. • When sharing restricted data, ensure that users are aware that the data should be handled carefully and in compliance with policies.

  47. Secure your Web Site • Many databases are subject to SQL Injection attacks via web interface • May web sites with forms and blogs are subject to email injection attacks • Web security tool available this summer to assist with web site security evaluation

  48. Secure Your Database • Encrypt sensitive data fields within a database • Use separate hardware and separate databases for public/private data

  49. Securing Personal Information Administrative and technical support costs increase when managing a system containing personal information.

  50. Resources • http://www.cit.cornell.edu/computer/security/tools/Cornell spider • http://security.ucdavis.edu/personalinfo.cfmSecurity Site on Personal Identity • http://security.ucdavis.edu/secure/sysadminresource/pgrep_spider_manual.pdfGuide to Using Spider and Powergrep • cuspider-l@cornell.edu Spider Mailing list • Questions: cybersecurity@ucdavis.edu