
Protecting Personal Identity Records: Policy and Search Tools


Presentation Transcript


  1. Protecting Personal Identity Records: Policy and Search Tools Doreen Meyer dimeyer@ucdavis.edu cybersecurity@ucdavis.edu

  2. Securing Personal Information • The problem of the theft of personal information • Policies describing personal information • How to identify personal information • Using Cornell spider to identify personal information • Mitigating risk of exposure of personal information on identified systems

  3. Identity Theft • From the CDW-G 2006 IT in Higher Ed Survey: • 55% reported a security incident • 33% reported data loss or theft • 9% reported loss of student personal data • Identity theft is one of the fastest growing crimes in the US

  4. HIPAA (2003) • HIPAA: Health Information Portability and Accountability Act • Psychological Services • Medical Records • http://www.hhs.gov/ocr/hipaa/

  5. Common Data Sources • Student Health Center records • Human Resources records

  6. CA SB1386 and CA Civil Code 1798 (2003) • Account access number and password • Bank/financial account number • California identification card number • Credit/debit card number • Driver’s license number • Social Security number • http://www.privacy.ca.gov/code/ipa.htm

  7. Common Data Sources • Grant application forms • Travel authorization forms • Personal financial documents • Email • Admission applications • Scholarship applications • DaFIS, BANNER, Financial Aid web sites

  8. FERPA (1974) • Family Education Rights and Privacy Act of 1974 (FERPA) • Class level, class schedule, academic status, grades, instructors, transcripts • Student ID number, Social Security number • Fees paid, loan collection records, financial aid records, etc. • http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html

  9. Common Data Sources • Course rosters • Grant application forms • Homework assignments • Email • Admission applications • Scholarship applications • Banner, Financial Aid web sites

  10. SSN Remediation at UC Davis • Beginning with the students entering in Fall 2000, students were assigned student ID numbers, nine-digit numbers beginning with the number 8 • SSNs converted to student ID in 2001 • Staff and faculty have been assigned nine-digit numbers, and these numbers may overlap with SSNs and UCD student IDs

  11. Steps to Securing Personal Information • Obtain support from your department administration • Agree on a goal • Work directly with the content owner

  12. Steps to Securing Personal Information • Identify a sample data set • Test expressions • Refine and retest • Review resulting log

  13. More steps to securing personal information • Consider key words as search terms (SSN, class) • Using your tested expressions, scan the system. Log data to password-protected CSV file • Work on and store the CSV file on a protected system • Share the results with the content owner and management.

  14. And more steps • Can the data be removed from the system? • If not, can it be encrypted? • What measures can be put in place to ensure the data is secure?

  15. Tools that you can use to identify personal information • PowerGREP • Cornell spider • Both tools are available through http://software.ucdavis.edu • PowerGREP requires approval for subsidy • Cornell spider is free • Guide to Using Spider and Powergrep at http://security.ucdavis.edu

  16. Cornell Spider • Developed by Wyman Miles at Cornell • Cornell spider runs on Mac, Linux, and Windows. The Linux version may be used to scan Windows systems off-line. • Product focus: Windows spider 3.0

  17. Cornell Spider 3 (beta)

  18. Cornell Spider 3 Configuration

  19. Cornell Spider 3 Configuration

  20. Paths to Skip (default) • DELL • I386 • System volume information • WIN • Paths to consider adding to the list? SYMANTEC, for example

  21. File Extensions to Skip • Skip binary files where data cannot be read • Default skip extension list in Spider 3 includes: IDX, HIV, INI, ICO, CHM, INF, JS, ISO, EPS, BKF, TIFF, CPP, MDS, WAV, CAB, WMDB, TTF, VSD, PSD, XML, JPEG, TIF, LNK, TOC, WMB, EXE, GIF, MPG, AVI, JPG, VMDX, WMV, MA, MPEG, MSC, MOV, MSI, MST, SYS, CLASS, BM, MP3, PNG, SWP, DLL, HLP, CSS

  22. Spider and Mailboxes • The Windows version of Spider 3 cannot evaluate .pst files (Outlook, Exchange) • The Linux-bootable version can only evaluate pre-2003 .pst files • Other mail formats, such as the one used by Eudora and other campus email clients, can be scanned

  23. What else does spider scan? • pdf • mbox • Excel, Word • Access • OpenXML • OpenDocument • Zip, gzip, bzip • Tar, rar, arj, zoo

  24. Cornell Spider 3 Configuration

  25. Cornell Spider 3 Configuration

  26. Cornell Spider 3 Configuration

  27. Cornell Spider 3 Configuration

  28. Cornell Spider 3 Configuration

  29. Regular Expressions • Windows version uses .NET extensions • Linux-bootable version uses libpcre extensions

  30. American Express Credit Card Expression • Pattern: ####-######-##### • Example: 1234-123456-12345 • \d{count} is the expression for a number of digits, where count is the number of digits • \d{4} \d{6} \d{5}

  31. Credit Card Expression • Pattern: ####-######-##### • Example: 1234-123456-12345 • Luckily, a hyphen is a hyphen in this case • \d{4}-\d{6}-\d{5}

  32. Credit Card Expression • Pattern: ####-######-##### • Example: 1234-123456-12345 • \b content \b puts a word boundary on each side of the content • \b\d{4}-\d{6}-\d{5}\b

  33. American Express Credit Card Expression • \b\d{4}-\d{6}-\d{5}\b

  34. Credit Card Expressions • AMEX and AMEX_b (American Express Card): \d{4}-\d{6}-\d{5} and \b\d{4}-\d{6}-\d{5}\b • VMCD and VMCD_b (Visa and Mastercard): \d{4}-\d{4}-\d{4}-\d{4} and \b\d{4}-\d{4}-\d{4}-\d{4}\b

  35. SSN Expressions • SSN9 and SSN9_b: \d{9} and \b\d{9}\b • SSN324 and SSN324_b: \d{3}-\d{2}-\d{4} and \b\d{3}-\d{2}-\d{4}\b

  36. UberSSN Expression from U Colorado • (?<!(\w|-))(?!000)(?!666)([0-6]\d\d|7[01256]\d|73[0123]|77[012])([- ]?)(?!00)(\d{2})\3(?!0000)(\d{4})(?!(\w|\-))

  37. UberSSN • The expression in parts: (?<!(\w|-)) (?!000)(?!666)([0-6]\d\d|7[01256]\d|73[0123]|77[012]) ([- ]?) (?!00)(\d{2}) \3 (?!0000)(\d{4}) (?!(\w|\-)) • Boundary: (?<!(\w|-)) at the start and (?!(\w|\-)) at the end • Delimiter: ([- ]?), repeated by \3 (hyphen or space or blank, same in both cases)

  38. UberSSN from U Colorado • (?!000)(?!666)([0-6]\d\d|7[01256]\d|73[0123]|77[012]) • Cannot be 666 or 000 • If it begins with 0-6, the next two digits can be any number • It can begin with 7, followed by one of 0, 1, 2, 5, 6, then any digit • It can begin with 73 followed by one of 0, 1, 2, 3, OR begin with 77 followed by one of 0, 1, 2
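
Added example (not from the original slides or from Cornell Spider): the "test expressions, refine and retest" loop of slide 12, run in Python over the expressions of slides 34 to 36 and logged as CSV as slide 13 suggests. The sample lines and function names are constructed for illustration, Python's re module stands in for the .NET and PCRE engines, and the UberSSN delimiter class is written as hyphen or space, as slide 37 describes.

```python
import csv
import io
import re

# Expressions from slides 34-36, with slide-layout whitespace removed.
EXPRESSIONS = {
    "AMEX_b": r"\b\d{4}-\d{6}-\d{5}\b",
    "VMCD_b": r"\b\d{4}-\d{4}-\d{4}-\d{4}\b",
    "SSN9_b": r"\b\d{9}\b",
    "SSN324_b": r"\b\d{3}-\d{2}-\d{4}\b",
    "UberSSN": r"(?<!(\w|-))(?!000)(?!666)([0-6]\d\d|7[01256]\d|73[0123]|77[012])"
               r"([- ]?)(?!00)(\d{2})\3(?!0000)(\d{4})(?!(\w|\-))",
}
COMPILED = {name: re.compile(rx) for name, rx in EXPRESSIONS.items()}

# Constructed sample data set: each line with the expressions expected to hit.
SAMPLE = [
    ("ssn 123-45-6789 on file", {"SSN324_b", "UberSSN"}),
    ("ssn 123456789 without delimiter", {"SSN9_b", "UberSSN"}),
    ("ssn 123 45 6789 with spaces", {"UberSSN"}),
    ("student id 812345678", {"SSN9_b"}),        # nine digits starting with 8
    ("area 000-12-3456 rejected", {"SSN324_b"}),  # UberSSN refuses area 000
    ("mixed delimiters 123-45 6789", set()),      # \3 must repeat the delimiter
    ("order 55-123-45-6789", {"SSN324_b"}),       # preceded by a hyphen
    ("amex 1234-123456-12345", {"AMEX_b"}),
    ("visa 4111-1111-1111-1111", {"VMCD_b"}),
]

def hits(line):
    """Names of the expressions that match anywhere in the line."""
    return {name for name, rx in COMPILED.items() if rx.search(line)}

def retest(sample):
    """Lines whose actual hits differ from the expected ones (the refine list)."""
    return [(line, want, hits(line)) for line, want in sample if hits(line) != want]

def scan_to_csv(lines):
    """Log line number, expression and matched text as CSV, one row per match."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["line", "expression", "match"])
    for number, line in enumerate(lines, start=1):
        for name, rx in COMPILED.items():
            for m in rx.finditer(line):
                writer.writerow([number, name, m.group(0)])
    return out.getvalue()

if __name__ == "__main__":
    print(retest(SAMPLE))
    print(scan_to_csv(line for line, _ in SAMPLE))
```

retest(SAMPLE) returns an empty list when every expression behaves as expected on the sample. The student ID line shows why the choice of expression matters at UC Davis: SSN9_b flags a nine-digit ID beginning with 8, while UberSSN rejects it.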

  39. Log Options

  40. Steps to Securing Personal Information • If you do find sensitive data on a system, recognize that the following questions need to be addressed in partnership with your department administrators: • Can the data be removed from the system? • If not, can it be encrypted? • What measures can be put in place to ensure the data is secure?

  41. Steps to Securing Personal Information, continued • Follow Cyber-safety guidelines • Maintain a list of sensitive systems • Monitor data access or modification • Restrict access to the system and its data • Use, share, or transfer the data securely • Secure applications that can access the personal data

  42. Campus Security Program • IET supports the Cyber-safety program and a number of tools that assist in protecting personal information, including Tripwire, Spider/PowerGREP, self-directed Nessus scans, and Pointsec. IET will soon support a web application security evaluation product.

  43. Maintain a List of Systems Containing Sensitive Data • Catalog the system name, IP, owner, type of service running on the system, type of sensitive data residing on the system • Share this information with the technical support staff and the unit administrative managers • Confirm and update this information on a regular basis

  44. Monitor When the Data is Accessed or Modified • Use Tripwire to identify file and directory changes. • Write logs to a central logging server (syslog-ng, snare, MOM). • Turn on auditing of successful and unsuccessful logins. • Read your logs on a regular basis.

  45. Restrict Access to the System and its Sensitive Data • No group accounts (cannot audit access) • Access system and data using encrypted protocols such as ssh (sftp, scp), ssl (https), rdp, ipsec • Evaluate physical security • Use host-based and hardware firewalls

  46. Use, Share, or Transfer Restricted Data Safely • Do not use email to send unencrypted restricted data. • Do not use restricted data as a key in a database. • Do not use restricted data on a test or development system. • When sharing restricted data, ensure that users are aware that the data should be handled carefully and in compliance with policies.

  47. Secure your Web Site • Many databases are subject to SQL injection attacks via a web interface • Many web sites with forms and blogs are subject to email injection attacks • Web security tool available this summer to assist with web site security evaluation

  48. Secure Your Database • Encrypt sensitive data fields within a database • Use separate hardware and separate databases for public/private data

  49. Securing Personal Information Administrative and technical support costs increase when managing a system containing personal information.

  50. Resources • Cornell spider: http://www.cit.cornell.edu/computer/security/tools/ • Security Site on Personal Identity: http://security.ucdavis.edu/personalinfo.cfm • Guide to Using Spider and Powergrep: http://security.ucdavis.edu/secure/sysadminresource/pgrep_spider_manual.pdf • Spider mailing list: cuspider-l@cornell.edu • Questions: cybersecurity@ucdavis.edu
