Protecting Personal Identity Records: Policy and Search Tools

Doreen Meyer

dimeyer@ucdavis.edu

cybersecurity@ucdavis.edu

Securing Personal Information
  • The problem of the theft of personal information
  • Policies describing personal information
  • How to identify personal information
  • Using Cornell spider to identify personal information
  • Mitigating risk of exposure of personal information on identified systems
Identity Theft
  • From the CDW-G 2006 IT in Higher Ed Survey,
  • 55% reported a security incident
  • 33% reported data loss or theft
  • 9% reported loss of student personal data
  • Identity theft is one of the fastest growing crimes in the US
HIPAA (2003)
  • HIPAA: Health Information Portability and Accountability Act
  • Psychological Services
  • Medical Records
  • http://www.hhs.gov/ocr/hipaa/
Common Data Sources
  • Student Health Center records
  • Human Resources records
CA SB1386 and CA Civil Code 1798 (2003)
  • Account access number and password
  • Bank/financial account number
  • California identification card number
  • Credit/debit card number
  • Driver’s license number
  • Social Security number
  • http://www.privacy.ca.gov/code/ipa.htm
Common Data Sources
  • Grant application forms
  • Travel authorization forms
  • Personal financial documents
  • Email
  • Admission applications
  • Scholarship applications
  • DaFIS, BANNER, Financial Aid web sites
FERPA (1974)
  • Family Education Rights and Privacy Act of 1974 (FERPA)
  • Class level, class schedule, academic status, grades, instructors, transcripts
  • Student ID number, Social Security number
  • Fees paid, loan collection records, financial aid records, etc.
  • http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html
Common Data Sources
  • Course rosters
  • Grant application forms
  • Homework assignments
  • Email
  • Admission applications
  • Scholarship applications
  • Banner, Financial Aid web sites
SSN Remediation at UC Davis
  • Beginning with the students entering in Fall 2000, students were assigned student ID numbers, nine digit numbers beginning with the number 8
  • SSNs converted to student ID in 2001
  • Staff and faculty have been assigned nine digit numbers, and these numbers may overlap with SSNs and UCD student IDs
Steps to Securing Personal Information
  • Obtain support from your department administration
  • Agree on a goal
  • Work directly with the content owner
Steps to Securing Personal Information
  • Identify a sample data set
  • Test expressions
  • Refine and retest
  • Review resulting log
More steps to securing personal information
  • Consider key words as search terms (SSN, class)
  • Using your tested expressions, scan the system. Log data to password-protected CSV file
  • Work on and store the CSV file on a protected system
  • Share the results with the content owner and management.
And more steps
  • Can the data be removed from the system?
  • If not, can it be encrypted?
  • What measures can be put in place to ensure the data is secure?
Tools that you can use to identify personal information
  • PowerGREP
  • Cornell spider
  • Both tools are available through http://software.ucdavis.edu
  • PowerGREP requires approval for subsidy
  • Cornell spider is free
  • Guide to Using Spider and Powergrep at http://security.ucdavis.edu
Cornell Spider
  • Developed by Wyman Miles at Cornell
  • Cornell spider runs on Mac, Linux, and Windows. The Linux version may be used to scan Windows systems off-line.
  • Product focus: Windows spider 3.0
Paths to Skip (default)
  • DELL
  • I386
  • System volume information
  • WIN
  • Paths to consider adding to the list? SYMANTEC, for example
File Extensions to Skip
  • Skip binary files where data cannot be read
  • Default skip extension list in Spider 3 includes: IDX, HIV, INI, ICO, CHM, INF, JS, ISO, EPS, BKF, TIFF, CPP, MDS, WAV, CAB, WMDB, TTF, VSD, PSD, XML, JPEG, TIF, LNK, TOC, WMB, EXE, GIF, MPG, AVI, JPG, VMDX, WMV, MA, MPEG, MSC, MOV, MSI, MST, SYS, CLASS, BM, MP3, PNG, SWP, DLL, HLP, CSS
Spider and Mailboxes
  • The Windows version of Spider 3 cannot evaluate .pst files (Outlook, Exchange)
  • The Linux-bootable version can only evaluate pre-2003 .pst files
  • Other mail formats such as the one used by Eudora and other campus email clients can be scanned
What else does spider scan?
  • pdf
  • mbox
  • Excel, Word
  • Access
  • OpenXML
  • OpenDocument
  • Zip, gzip, bzip
  • Tar, rar, arj, zoo
Regular Expressions
  • Windows version uses .NET extensions
  • Linux-bootable version uses libpcre extensions
American Express Credit Card Expression
  • Pattern: ####-######-#####
  • Example: 1234-123456-12345
  • \d{count} is the expression for a number of digits
  • Digit counts: \d{4} \d{6} \d{5}
Credit Card Expression
  • Pattern: ####-######-#####
  • Example: 1234-123456-12345
  • Luckily, a hyphen is a hyphen in this case
  • With hyphens: \d{4}-\d{6}-\d{5}
Credit Card Expression
  • Pattern: ####-######-#####
  • Example: 1234-123456-12345
  • \b content \b marks a word boundary
  • With word boundaries: \b\d{4}-\d{6}-\d{5}\b

Credit Card Expressions
  • AMEX and AMEX_b (American Express Card): \d{4}-\d{6}-\d{5} and \b\d{4}-\d{6}-\d{5}\b
  • VMCD and VMCD_b (Visa and Mastercard): \d{4}-\d{4}-\d{4}-\d{4} and \b\d{4}-\d{4}-\d{4}-\d{4}\b
SSN Expressions
  • SSN9 and SSN9_b: \d{9} and \b\d{9}\b
  • SSN324 and SSN324_b: \d{3}-\d{2}-\d{4} and \b\d{3}-\d{2}-\d{4}\b
UberSSN Expression from U Colorado

(?<!(\w|-))(?!000)(?!666)([0-6]\d\d|7[01256]\d|73[0123]|77[012])([-]?)(?!00)(\d{2})\3(?!0000)(\d{4})(?!(\w|\-))

UberSSN
  • (?<!(\w|-))(?!000)(?!666)([0-6]\d\d|7[01256]\d|73[0123]|77[012])([-]?)(?!00)(\d{2})\3(?!0000)(\d{4})(?!(\w|\-))
  • Boundary
  • Delimiter (hyphen or space or blank, same in both cases)
UberSSN from U Colorado
  • (?!000)(?!666)([0-6]\d\d|7[01256]\d|73[0123]|77[012])
  • The first three digits cannot be 666 or 000
  • If it begins with 0-6, the next two digits can be any number
  • It can begin with 7 and be followed by 0, 1, 2, 5, or 6, then any digit
  • It can begin with 73 followed by 0, 1, 2, or 3, OR begin with 77 followed by 0, 1, or 2
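
The expressions above can be compared on a sample data set before a full scan, as the earlier steps recommend. This is an added example, not part of the original presentation or of Spider: it runs SSN9_b, SSN324_b and UberSSN (slide whitespace removed) over constructed sample lines, assuming Python's re module as a stand-in for Spider's .NET or PCRE engine; PATTERNS, SAMPLE, scan and compare are names chosen here.

```python
import re

# Expressions from the slides, with extraction whitespace removed.
PATTERNS = {
    "SSN9_b": re.compile(r"\b\d{9}\b"),
    "SSN324_b": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "UberSSN": re.compile(
        r"(?<!(\w|-))(?!000)(?!666)"                 # leading boundary, bad areas
        r"([0-6]\d\d|7[01256]\d|73[0123]|77[012])"   # allowed area numbers
        r"([-]?)(?!00)(\d{2})\3(?!0000)(\d{4})"      # \3 repeats the delimiter
        r"(?!(\w|\-))"                               # trailing boundary
    ),
}

# Constructed sample data set (no real records).
SAMPLE = [
    "student id 812345678 enrolled fall 2000",
    "ssn 123-45-6789 on travel form",
    "ssn 123456789 no delimiter",
    "mixed delimiter 123-456789",
    "invalid area 000-12-3456 and 666-12-3456",
    "invalid group 123-00-4567, invalid serial 123-45-0000",
    "part number AB-123-45-6789-X",
    "phone 5305551234",
]


def scan(lines, pattern):
    """Return (line_number, matched_text) for every hit, 1-based lines."""
    hits = []
    for number, line in enumerate(lines, 1):
        for match in pattern.finditer(line):
            hits.append((number, match.group(0)))
    return hits


def compare(lines):
    """Run every expression over the same lines so hits can be reviewed side by side."""
    return {name: scan(lines, rx) for name, rx in PATTERNS.items()}


if __name__ == "__main__":
    for name, hits in compare(SAMPLE).items():
        print(f"{name}: {len(hits)} hit(s) {hits}")
```

On this sample SSN9_b flags the nine-digit student ID beginning with 8, which UberSSN rejects along with the invalid area, group and serial values that SSN324_b reports. As printed, the delimiter group ([-]?) accepts a hyphen or nothing, so space-delimited numbers are not matched.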
Steps to Securing Personal Information
  • If you do find sensitive data on a system, recognize that the following questions need to be addressed in partnership with your department administrators:
  • Can the data be removed from the system?
  • If not, can it be encrypted?
  • What measures can be put in place to ensure the data is secure?
Steps to Securing Personal Information, continued
  • Follow Cyber-safety guidelines
  • Maintain a list of sensitive systems
  • Monitor data access or modification
  • Restrict access to the system and its data
  • Use, share, or transfer the data securely
  • Secure applications that can access the personal data
Campus Security Program
  • IET supports the Cyber-safety program and a number of tools that assist in protecting personal information, including Tripwire, Spider/PowerGREP, self-directed Nessus scans, and Pointsec. IET will soon support a web application security evaluation product.
Maintain a List of Systems Containing Sensitive Data
  • Catalog the system name, IP, owner, type of service running on the system, type of sensitive data residing on the system
  • Share this information with the technical support staff and the unit administrative managers
  • Confirm and update this information on a regular basis
Monitor When the Data is Accessed or Modified
  • Use Tripwire to identify file and directory changes.
  • Write logs to a central logging server (syslog-ng, Snare, MOM).
  • Turn on auditing of successful and unsuccessful logins.
  • Read your logs on a regular basis.
Restrict Access to the System and its Sensitive Data
  • No group accounts (cannot audit access)
  • Access system and data using encrypted protocols such as ssh (sftp, scp), ssl (https), rdp, ipsec
  • Evaluate physical security
  • Use host-based and hardware firewalls
Use, Share, or Transfer Restricted Data Safely
  • Do not use email to send unencrypted restricted data.
  • Do not use restricted data as a key in a database.
  • Do not use restricted data on a test or development system.
  • When sharing restricted data, ensure that users are aware that the data should be handled carefully and in compliance with policies.
Secure your Web Site
  • Many databases are subject to SQL injection attacks via a web interface
  • Many web sites with forms and blogs are subject to email injection attacks
  • Web security tool available this summer to assist with web site security evaluation
Secure Your Database
  • Encrypt sensitive data fields within a database
  • Use separate hardware and separate databases for public/private data
Securing Personal Information

Administrative and technical support costs increase when managing a system containing personal information.

Resources
  • Cornell spider: http://www.cit.cornell.edu/computer/security/tools/
  • Security Site on Personal Identity: http://security.ucdavis.edu/personalinfo.cfm
  • Guide to Using Spider and Powergrep: http://security.ucdavis.edu/secure/sysadminresource/pgrep_spider_manual.pdf
  • cuspider-l@cornell.edu Spider Mailing list
  • Questions: cybersecurity@ucdavis.edu