Presentation is loading. Please wait.

Presentation is loading. Please wait.

Campus Meeting on CSUID Implementation – SSN Purge Pat Burns and Steve Lovaas ACNS July 28, 2006.

Published byTheodore Barton Modified over 9 years ago

Similar presentations

Presentation on theme: "Campus Meeting on CSUID Implementation – SSN Purge Pat Burns and Steve Lovaas ACNS July 28, 2006."— Presentation transcript:

1 Campus Meeting on CSUID Implementation – SSN Purge http://csuid.colostate.edu http://csuid.colostate.edu Pat Burns and Steve Lovaas ACNS July 28, 2006

2 Outline Burns  Background  Authority  Scope  The CSUID  The “Purge” Process  Roles and responsibilities Lovaas  Scanning systems  Encryption techniques All:  Q&A

3 Background HB 03-1175: cease and desist using SSN’s or portions thereof as primary identifiers for students effective July 1, 2004  CCHE exception granted until fall 2006 Federal/state mandates/laws  Paccione legislation  GLBA, SOX, HIPAA,…  Impending “Identity Theft Protection Act”

4 Authority CSU IT Security Policy version 1.7, approved by the ITEC July 11, 2006  Prohibition of SSN’s on systems unless approved by the AVPIIT  Scanning files permitted SSN “purge” process, approved by the ITEC July 11, 2006  Letter from SVP/Provost to Deans, Directors and Department Heads (ddd’s)  SSN Attestation Form  SSN Exception Form

5 The CSU IT Security Policy ver. 1.7 Approved by the ITEC on July 11, 2006 New material:  SSN’s not allowed on systems, unless approved by the AVPIIT  SSN’s on portable devices must be encrypted  Authority to scan files/systems for sensitive information For the purpose of identifying sensitive information Location information returned only to the owner of the file, for appropriate action

6 Moreover It is the “right” thing to do Our constituents deserve no less than diligent protection of their personal information

7 Scope All employees All systems  No automatic exceptions

8 The New CSUID The ID card office is replacing all ID cards, and this will be completed at the start of the fall 2006 semester PID will be replaced by CSUID on all central systems (except ISIS) on August 17, 2006  Including the data warehouse  Including class rolls and grade rolls  SSN’s generally unavailable thereafter Also need to “purge” SSNs from all systems

9 Risk Mitigation Avoid – purge SSNs from systems Reduce – remove unnecessary SSNs from systems Transfer – use SSNs on central systems Accept – accept risk where we must

10 The “Purge” Process Ddd’s distribute, collect and return SSN Personal Attestation Forms for their employees  All employees must complete an SSN Personal Attestation Form  Employees who check “Yes” (SSNs used) assess their level of effort  Suggest they work with IT staff to scan systems

11 Exceptions Must be applied for and approved by the AVPIIT Request ddd’s to collect and return SSN Exception Forms  Must be endorsed by IT staff, or if IT staff is the applicant, by their supervisor Form available at  http://csuid.colostate.edu/?page=forms http://csuid.colostate.edu/?page=forms  All forms, including SVP memo, available there

12 Role of IT Staff Work with users to scan systems for SSNs and CCN’s  Scan systems  Return lists of files to users for their actions  Endorse SSN Exception Forms  Provide feedback to ACNS Remove all requests for SSNs from hardcopy and electronic forms/programs Reprogram all applications not to use SSNs

13 Role of AVPIIT Coordinate the process Process Exception forms Report outcome to SVP/Provost

14 Role of ACNS Provide a solution for scanning systems and files for SSN’s and CCN’s Provide a solution for encrypting files, and central archival of encryption keys  Horror stories about individuals losing or “forgetting” their encryption key, not like a system password that can be reset

15 Scanning and Encryption Steve Lovaas, ACNS Scanning  Spider Encryption  TrueCrypt  Key escrow

16 Scanning Systems for SSN’s and CCN’s Cornell’s Spider A Note on Exchange Approach for Linux/Mac and Windows  Architecture  Features  Usage Gotchas

17 Cornell University’s Spider – the product In-house tool from Cornell  Originally a Helix forensic boot disk tool  New version written for Windows  EDUCAUSE distribution effort Uses regular expressions to scan for SSNs, with extensions to look into some of the more popular file formats Note: Credit card numbers already a no-no; this tool helps purge them too!

18 Cornell University’s Spider at CSU Hosting code and documentation locally  http://csuid.colostate.edu/?page=tools http://csuid.colostate.edu/?page=tools ACNS developed custom regular expressions and CSU-default configurations Hosting local copies of original Cornell docs Please don’t flood Cornell with questions  spider_help@colostate.edu spider_help@colostate.edu

19 Using Spider – results and procedures False positives  There will be a lot  You or the user get to sort through them  Extension skip list to minimize them Notifying users of potential hits  Avoid anything that actually sends SSNs over the network (email users file paths only, or describe over the phone…) Remember to protect the results  Encrypt or store off-line

20 A note on Exchange Servers Spider doesn’t search Exchange stores  Cornell doesn’t use Exchange  Microsoft protection of Exchange ACNS will scan CSU Exchange farm with custom tools Colleges/departments with Exchange?  Contact Nick Smith in ACNS  Nick.Smith@colostate.edu

21 Spider for Linux - Architecture Written in Perl  Uses several modules and other utilities 2 parts:  Client does scanning  Server listens for and logs results Recommended approach  Run on a single machine  Mount other machines via NFS or Samba  This is the best way to scan Mac OS X

22 Spider for Linux - Features Older, stable version of forensic tool Command line only No recent feature upgrades Limited view into Microsoft file formats

23 Spider for Linux - Usage Resources on CSUID tools page  Instructions, config hints, recommendations  Custom REGEX file to replace defaults Man page in the distribution  All the switches and config details

24 Spider for Windows - Architecture Native executable  Many features compiled in, many options Requirements:  Administrative access  2000/XP/2003 with.NET 1.1  Must reboot after installing tool Run locally or map remote drives  Speed vs load

25 Spider for Windows - Features Newer product  CSU IT Security Technical Subcommittee has been submitting feedback and bug reports  Many recent feature additions and revisions, bug fixes  CSU has chosen the latest Beta rather than the last stable release, due to advanced features (after extensive ACNS testing) Easy-to-use GUI

26 Spider for Windows - Usage Resources on the CSUID tools page  Instructions, config hints, recommendations  CSU-customized.reg file with default settings  ACNS’ best guess at a good list of extensions to skip Recommended approach  Easier to install than Linux version  Single scanning machine vs one-by-one  Balance of time vs resources

27 Spider - Gotchas for both flavors Some file types not scanned or don’t work  Linux can do Word, but not Excel or Access  Windows has trouble with some PDF files  Very large files will sometimes stall the program Email attachments are difficult to scan Log files are a roadmap to all this data  Save to USB device or CD  Encrypt anything remaining on fixed disks (Windows version does this itself)

28 Encrypt What’s Left Some systems will receive exemptions  Need to store SSNs or CCNs locally Policy says encrypt What tools? Risks of encryption

29 Encryption – Choice of Tools Basic options  Operating system features (Windows EFS)  Commercial products (PGP Desktop)  Open source products (TrueCrypt) Metrics to choose by  Price  Ease of use  Reliability/risk

30 Encryption – Windows EFS Pros  Available out of the box in 2000 and XP  Very easy, intuitive user experience  Free Cons  If user login is compromised, data is accessible  Default key recovery agent is Administrator  Need an enterprise CA to be flexible enough  Self-destruct feature in XP without a CA

31 Encryption – TrueCrypt Pros  Free, Open Source  Fairly easy to use  Available key escrow without a CA  Separate password from Windows login  Available for Linux as well Cons  A separate product to install

32 Encryption with TrueCrypt - concept Volume encryption  An entire hard drive  A whole logical drive  An entire removable device (USB stick)  A single file on any of these as a virtual filesystem Not OS-dependent  Application + password (+ keyfile)  Single USB device usable on Windows, Linux

33 Encryption with TrueCrypt - features Virtual filesystem  Mount a file or drive as a separate mount point  Treated just like a drive – defrag, virus scan, etc  Can be backed up Key escrow  Administrator installs program, creates volume  Backs up header, then sets a user password  Recovery of header restores original admin password

34 Encryption with TrueCrypt - usage Windows  Launch the GUI  Create an encrypted volume  Mount the volume to make it available  Drag and drop files in and out  Dismount when done (reboot dismounts too) Linux  Command line only  Same procedures and features

35 Encryption with TrueCrypt – usage (2) Encryption strength  AES (256-bit)  Hashing function only for randomization in creating the volume, so SHA-1 is OK Key escrow HIGHLY RECOMMENDED  ACNS will provide storage of volume headers  If you use this (or any) encryption product without recovery ability, data could be lost forever  The cure could be worse than the disease

36 Key Escrow Crucial to acceptance of an encryption tool  Loss of password must not = loss of data forever ACNS will provide hosting  Offline, redundant storage (not networked)  Physical security (monitored, locked, alarmed)  Consistent naming conventions (for scalability) May be intermediate step toward a future CA  Better scalability, automation, ease of use  Support for email encryption, client certificates

37 Summary of Resources http://csuid.colostate.edu  Forms  Spider Executables, configs, documentation  TrueCrypt Local user instruction document External links to download installers and documentation ACNS  spider_help@colostate.edu spider_help@colostate.edu  key_escrow@colostate.edu key_escrow@colostate.edu

38 Discussion Is most welcome

Download ppt "Campus Meeting on CSUID Implementation – SSN Purge Pat Burns and Steve Lovaas ACNS July 28, 2006."

Similar presentations

File Server Organization and Best Practices IT Partners June, 02, 2010.

File Server Organization and Best Practices IT Partners June, 02, 2010.
1 Figure 6-16: Advanced Server Hardening Techniques Reading Event Logs (Chapter 10)  The importance of logging to diagnose problems Failed logins, changing.

1 Figure 6-16: Advanced Server Hardening Techniques Reading Event Logs (Chapter 10)  The importance of logging to diagnose problems Failed logins, changing.
Chapter 12 - Backup and Disaster Recovery1 Ch. 12 – Backups and Disaster Recovery MIS 431 – Created Spring 2006.

Chapter 12 - Backup and Disaster Recovery1 Ch. 12 – Backups and Disaster Recovery MIS 431 – Created Spring 2006.
Keeping You Connected Through Citrix Access your applications Access your network shares and documents Access your email …and do it remotely!

Keeping You Connected Through Citrix Access your applications Access your network shares and documents Access your …and do it remotely!
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 12: Managing and Implementing Backups and Disaster Recovery.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 12: Managing and Implementing Backups and Disaster Recovery.
Chapter 7: Configuring Disks. 2/24 Objectives Learn about disk and file system configuration in Vista Learn how to manage storage Learn about the additional.

Chapter 7: Configuring Disks. 2/24 Objectives Learn about disk and file system configuration in Vista Learn how to manage storage Learn about the additional.
(NHA) The Laboratory of Computer Communication and Networking Network Host Analyzer.

(NHA) The Laboratory of Computer Communication and Networking Network Host Analyzer.
70-270, 70-290 MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Nine Managing File System Access.

70-270, MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Nine Managing File System Access.
1 of 7 This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2007 Microsoft Corporation.

1 of 7 This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2007 Microsoft Corporation.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 11 Managing and Monitoring a Windows Server 2008 Network.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 11 Managing and Monitoring a Windows Server 2008 Network.
1 Chapter Overview Managing Compression Managing Disk Quotas Increasing Security with EFS Using Disk Defragmenter, Check Disk, and Disk Cleanup.

1 Chapter Overview Managing Compression Managing Disk Quotas Increasing Security with EFS Using Disk Defragmenter, Check Disk, and Disk Cleanup.
Barracuda Networks Confidential1 Barracuda Backup Service Integrated Local & Offsite Data Backup.

Barracuda Networks Confidential1 Barracuda Backup Service Integrated Local & Offsite Data Backup.
STANFORD UNIVERSITY INFORMATION TECHNOLOGY SERVICES Windows Encryption File System (EFS) Tech Briefing July 18 th 2008

STANFORD UNIVERSITY INFORMATION TECHNOLOGY SERVICES Windows Encryption File System (EFS) Tech Briefing July 18 th 2008
Cap 333 Network Administration. Grades  20 marks distributed on  Assignments / Project Activities Individual Pairs  1 or 2 tutorial quizzes.

Cap 333 Network Administration. Grades  20 marks distributed on  Assignments / Project Activities Individual Pairs  1 or 2 tutorial quizzes.
Basic Computer Maintenance Basic Computer Maintenance Clean and Cool Deleting Temporary Files Scandisk Backup Your Data How to.

Basic Computer Maintenance Basic Computer Maintenance Clean and Cool Deleting Temporary Files Scandisk Backup Your Data How to.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 12: Managing and Implementing Backups and Disaster Recovery.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 12: Managing and Implementing Backups and Disaster Recovery.
Security SIG August 19, 2010 Justin C. Klein Keane

Security SIG August 19, 2010 Justin C. Klein Keane
Using Cornell’s Spider to scan for sensitive information January 27, 2009 Steve Lovaas, ACNS Colorado State University.

Using Cornell’s Spider to scan for sensitive information January 27, 2009 Steve Lovaas, ACNS Colorado State University.
Chapter 5 Roles and features. objectives Performing management tasks using the Server Manager console Understanding the Windows Server 2008 roles Understanding.

Chapter 5 Roles and features. objectives Performing management tasks using the Server Manager console Understanding the Windows Server 2008 roles Understanding.

Similar presentations

Ads by Google