Post on 13-Jan-2016
Looking for PII: If you’re not, who is?
Krizi Trivisani – CSO, The George Washington University
Gary Golomb – Principal Security Engineer
October 26, 2006
Agenda
• Security Today
• In a Previous Episode…
• Data Classification
• SISP Version 2
• Safety Analyzer
• Important Projects
• Questions
Security today…
“The cost of notifying and offering assistance to those individuals who have had their privacy information compromised can run into the hundreds of thousands of dollars for each incident. Increased regulatory requirements also make it imperative that the University be able to show a level of due diligence in the protection of its systems and confidential data.”
In a Previous Episode...
• GW conducted an audit project of 236+ departmentally controlled servers for security and PII (aka: Server Information Security Project, or SISP)
– Project commissioned by EVP&T and CIO
– Audited configuration of computers and detection of SSNs
Where and When
• A PII audit project should/could be used:
– Before or while developing a data-handling policy
– Post-policy development compliance checking
– Annual security audits
Data Classification Policy
Why is a Data Classification Policy Necessary?
• Provides the framework necessary to identify and classify data in order to assess risk and implement an appropriate level of security protection based on categorization.
• Provides the framework necessary to comply with legislation, regulations, and internal policies that govern the protection of data.
• Provides the framework necessary to facilitate and make the Incident Response process more efficient. The level at which the data is classified determines the level of response.
Data Classification - CRITICAL
Objectives of Data Classification Policy:
• Communicates data categories to the University community and provides examples of how data should be classified
• Communicates the high-level requirements necessary to protect data based on category
• Communicates the roles and responsibilities of various members of the University community and external associates as they relate to GW-owned data
Matrix of Security & Ops Standards (figure)
Columns, Privacy Levels: Confidential (Highest Security), Official, Public (Lowest Security)
Rows, Operations Levels: Enterprise System (Highest Operations), Department Server, Desktop (Lowest Operations)
Note, numbers in boxes (1–4) suggest the priority levels for mitigating risks.
Security Tool Kit
To provide departments managing systems outside of the GW Data Center with standard guidelines and procedures
Sections
• Policies
• Systems Checklist - Departmental Servers and Enterprise Systems
• Best Practices for Department Server and Enterprise System Checklist
• Server Management Best Practices
• Security Controls Matrix for Data Classification
• Information Security Training and Awareness
• Resources
Other Implications
• Politics
• Culture
• Awareness
Lessons Learned
• PII on almost 50% of servers admins thought it was NOT on
• About 75% of computers that were compromised had completely up-to-date antivirus and/or firewalls
• Security efforts focused mostly on protecting servers as opposed to data
Why SISP version 2
• Were changes made in response to last year’s efforts?
• Far more end-user computers have PII, but whose?
• Rewards for last year’s efforts...
Scope of SISPv2
• Address problems in first pass
• Include all computers with *access* to sensitive data, not only known storage
• Contrast locations of PII to current security architecture
Implications of Scope
• Desktops versus servers...
• Integration with patch management systems?
• Secure reporting
• Log parsing by junior-level security staff
Safety Analyzer
• Sensitive Data Detection
– SSNs with heuristics
– Credit Card numbers with Luhn algorithm validation
• Compromise Detection
– Trojan file detection
– Kernel-level rootkit detection
– IR-related data harvesting
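How the two sensitive-data detectors on this slide can be built, as an added example written for this page and not code from Safety Analyzer: a regex pulls out candidate SSNs and card numbers, structural SSN rules discard values that are never issued (area 000, 666 and 900–999, group 00, serial 0000, a heuristic set assumed here rather than the tool’s own), and the Luhn checksum filters card candidates. The report is emitted in the masked form the later slides use. The sample text and file path are constructed.

```python
import re
from typing import List, Tuple

# Candidate SSN: 3-2-4 digits, separated by '-', ' ' or nothing; the lookarounds
# stop matches that start or end inside a longer digit run.
SSN_RE = re.compile(r"(?<![\w-])(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?![\w-])")
# Candidate card number: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"(?<![\w-])(?:\d[ -]?){12,18}\d(?![\w-])")


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Structural SSN heuristics (assumed here, not the page's rules): area 000, 666
    and 900-999 are never issued, and group 00 / serial 0000 are not valid."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: from the right, double every second digit, subtract 9 from
    doubled values above 9, and require the sum to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_ssns(text: str) -> List[str]:
    """SSN-shaped strings that survive the structural heuristics."""
    return [m.group(0) for m in SSN_RE.finditer(text)
            if ssn_plausible(*m.groups())]


def find_cards(text: str) -> List[str]:
    """Card-shaped digit strings whose Luhn checksum verifies."""
    hits = []
    for m in CARD_RE.finditer(text):
        if luhn_valid(re.sub(r"[ -]", "", m.group(0))):
            hits.append(m.group(0))
    return hits


def scan(path: str, text: str) -> List[Tuple[str, str, str]]:
    """Per-file report in the masked form the slides use: the digits are never
    written out, only the file, the data type and a redacted pattern."""
    report = []
    for hit in find_ssns(text):
        report.append((path, "SSN", re.sub(r"\d", "x", hit)))
    for hit in find_cards(text):
        report.append((path, "CARD", re.sub(r"\d", "x", hit)))
    return report


# Constructed sample file content and path (not data from the GW audit).
SAMPLE_PATH = r"C:\documents and settings\stnic\My Documents\HR\sample.txt"
SAMPLE_TEXT = """Employee record: SSN 123-45-6789, hired 2001.
Rejected by the heuristics: 000-12-3456, 666-12-3456 and 987-65-4321.
Card on file: 4111 1111 1111 1111 (Visa test number).
Typo 4111 1111 1111 1112 fails Luhn; phone 202-555-0100 is not an SSN."""

if __name__ == "__main__":
    for path, kind, masked in scan(SAMPLE_PATH, SAMPLE_TEXT):
        print(path, kind, masked)
```

The structural rules cut the false-positive rate of a bare 9-digit pattern but do not eliminate it: an unseparated run such as 123456789 still matches, which is the trade-off the slide’s word “heuristics” refers to.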
SA Compromise Detection
• Win 2003 servers example...
Executable                    Run value name             Registry key
win2k.exe                     Routing                    HKU\S-1-5-21-602162358-1993962763-725345543-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
urx_old.exe                   Sygate Personal Firewall   HKU\S-1-5-21-602162358-1993962763-725345543-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
serv454.exe                   Rout111                    HKU\DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
c:\winnt\system32\l33t.exe    MicrosoftWindows           HKU\DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Comp Detection Cont...
Hidden *.exe: C:\winnt\system32\psniffc.exe
Hidden *.exe: C:\winnt\system32\psniffcc.exe
Hidden *.exe: C:\winnt\system32\rvahlhhe.exe
Hidden *.exe: C:\winnt\system32\tzrepwgo.exe
Hidden *.exe: C:\winnt\system32\secthuty.exe
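A triage pass over the two kinds of compromise findings on the last two slides (the Run-key entries and the hidden executables), as an added example for this page and not Safety Analyzer’s code. It parses a `reg query`-style dump of Run keys, then flags entries that persist in the .DEFAULT profile (the regex accepts both the `HKU\DEFAULT` spelling on the slide and the registry’s `.DEFAULT`), that name a bare executable resolved through the search path, or whose value name borrows a vendor or product name the binary does not carry; it also lists hidden .exe files under system32. The dump, the file listing, the token list, the system-directory list and the rules themselves are constructed assumptions, not the tool’s.

```python
import re
from typing import Dict, List, Tuple

# Constructed `reg query ... /s`-style dump modelled on the slide's Win2003 findings
# (not Safety Analyzer output).
REG_DUMP = r"""
HKEY_USERS\S-1-5-21-602162358-1993962763-725345543-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Routing    REG_SZ    win2k.exe
    Sygate Personal Firewall    REG_SZ    urx_old.exe

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Rout111    REG_SZ    serv454.exe
    MicrosoftWindows    REG_SZ    c:\winnt\system32\l33t.exe
"""

# Vendor and product words a masquerading Run value likes to borrow (assumed list).
BRAND_TOKENS = ("microsoft", "windows", "sygate", "symantec", "norton", "mcafee", "adobe")

# Directories in which Windows does not ship hidden executables (assumed triage rule).
SYSTEM_DIRS = (r"c:\winnt\system32", r"c:\windows\system32")


def parse_reg_query(dump: str) -> List[Tuple[str, str, str]]:
    """(key, value name, data) triples from reg query text: key lines are flush
    left, value lines are indented and use runs of spaces as the column separator."""
    entries, key = [], None
    for line in dump.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            key = line.strip()
            continue
        parts = re.split(r"\s{2,}", line.strip())
        if key and len(parts) >= 3:
            entries.append((key, parts[0], " ".join(parts[2:])))
    return entries


def executable_of(data: str) -> str:
    """Strip a quoted path or trailing arguments down to the program that runs."""
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    return data.split()[0]


def triage_run_entry(key: str, name: str, data: str) -> List[str]:
    """Reasons this autorun deserves a look; an empty list means nothing stood out."""
    reasons = []
    if re.match(r"HKEY_USERS\\\.?DEFAULT\\", key, re.IGNORECASE):
        reasons.append("persists in the .DEFAULT profile, which users never install into")
    exe = executable_of(data)
    if "\\" not in exe:
        reasons.append("unqualified path '%s', resolved through the search path" % exe)
    borrowed = [t for t in BRAND_TOKENS if t in name.lower() and t not in exe.lower()]
    if borrowed:
        reasons.append("value name borrows '%s' but runs %s" % (borrowed[0], exe))
    return reasons


def triage_dump(dump: str) -> Dict[str, List[str]]:
    """Value name -> reasons, for every Run entry that tripped at least one rule."""
    findings = {}
    for key, name, data in parse_reg_query(dump):
        reasons = triage_run_entry(key, name, data)
        if reasons:
            findings[name] = reasons
    return findings


def hidden_system_exes(listing: List[Tuple[str, bool]]) -> List[str]:
    """Hidden .exe files inside a system directory, the condition the slide reports."""
    return [path for path, hidden in listing
            if hidden and path.lower().endswith(".exe")
            and path.lower().startswith(SYSTEM_DIRS)]


# Constructed (path, hidden-attribute) listing in the spirit of the slide's findings.
FILE_LISTING = [
    (r"C:\winnt\system32\psniffc.exe", True),
    (r"C:\winnt\system32\rvahlhhe.exe", True),
    (r"C:\winnt\system32\cmd.exe", False),
    (r"C:\Documents and Settings\stnic\Desktop\notes.exe", True),
]

if __name__ == "__main__":
    for name, reasons in triage_dump(REG_DUMP).items():
        print(name + ":", "; ".join(reasons))
    for path in hidden_system_exes(FILE_LISTING):
        print("Hidden *.exe:", path)
```

The borrowed-name rule compares against the whole executable path rather than the file name alone, so a legitimate entry such as an Adobe product living under `C:\Program Files\Adobe\...` is not reported; the bare-filename rule is what catches three of the four slide entries.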
PII Detection
• An algorithmic approach...
C:\documents and settings\stnic\Application Data\Adobe\Designer\en\objects\custom\U.S. Social Security Number.xfo xxx yy zzzz
C:\documents and settings\stnic\Local Settings\Temporary Internet Files\Content.IE5\0H2VOH6F\default[3].htm xxx yy zzzz
C:\documents and settings\stnic\Local Settings\Temporary Internet Files\Content.IE5\0H2VOH6F\default[3].htm xxx yy zzzz
C:\documents and settings\stnic\My Documents\GWDOCS\Cardscanbackup\Business Cards.CDB xxx yy zzzz
C:\documents and settings\stnic\My Documents\GWDOCS\HR\selfeval2001.doc xxx yy zzzz
C:\documents and settings\stnic\My Documents\GWDOCS\HR\Staff evaluation start dates2.xls xxx yy zzzz
C:\documents and settings\stnic\My Documents\GWDOCS\HR\budget\Salary Review Notices 01 ORG.xls xxx yy zzzz
C:\documents and settings\stnic\My Documents\GWDOCS\HR\budget\Salary_Review_Notices_01_NEW.xls xxx yy zzzz
C:\documents and settings\stnic\My Documents\GWDOCS\HR\budget\SRNTEST.xls xxx yy zzzz
C:\documents and settings\stnic\My Documents\GWDOCS\HR\budget\SRN_FY02_TEMPLATE.xls xxx yy zzzz
C:\documents and settings\stnic\My Documents\GWDOCS\HR\budget\T06322NEW.xls xxx yy zzzz
C:\documents and settings\stnic\My Documents\GWDOCS\HR\budget\SRN_FY02\SRN_FY02.xls xxx yy zzzz
C:\documents and settings\stnic\My Documents\GWDOCS\HR\evals00\Andrew Mngr pref-eval's.doc xxx yy zzzz
C:\documents and settings\stnic\My Documents\GWDOCS\HR\evals00\Jonathan Mngr pref-eval's.doc xxx yy zzzz
C:\documents and settings\stnic\My Documents\GWDOCS\HR\evals00\Mark Mngr pref-eval's.doc xxx yy zzzz
C:\documents and settings\stnic\My Documents\GWDOCS\HR\evals00\Ron Mngr pref-eval's.doc xxx yy zzzz
C:\documents and settings\stnic\My Documents\GWDOCS\HR\evals01\Andrew Mngr pref-eval's.doc xxx yy zzzz
C:\documents and settings\stnic\My Documents\GWDOCS\HR\evals01\Andrew Mngr pref-eval's_FY01.doc xxx yy zzzz
C:\documents and settings\stnic\My Documents\GWDOCS\HR\evals01\Angela exempt eval.doc xxx yy zzzz
Future of SA?
TRUE Risk Calculation and Protection
– PII detection and protection
– GUI-based metrics and trending across hundreds to thousands of computers
– Advanced data detection with high-performance algorithms
– Configuration auditing
– Innovative compromise detection and IR capabilities
http://www.proventsure.com
Other Important Projects
– Cisco Clean Access
– Novell Patchlink – Covers about 4000 employees (faculty and staff)
– GWid project – Moved off of SSN as the primary ID
– Migration of confidential servers –
– NIST Level III – Reached NIST Level III (Security Assessment Framework)
Other Important Projects Cont...
– Application/Program Security Reviews – In-depth assessment for new application development efforts within ISS
– WebInspect – Web application security scanning. Bringing this capability in house saves approximately $7000 per assessment
– Technical/System Security Reviews – Conducted over 300 technical security reviews in the past year; Safety Analyzer is critical to completing these reviews
– Security Internship Program – Successfully partnered with academic departments to recruit and train interns
Happy Halloween! Questions?
• Contact:
– Krizi Trivisani krizi@gwu.edu
– Gary Golomb coach@gwu.edu
• Download:
http://home.gwu.edu/~coach/SA.zip