Campus Meeting on CSUID Implementation – SSN Purgehttp://csuid.colostate.edu

Pat Burns and Steve LovaasACNSJuly 28, 2006

Outline

Burns Background Authority Scope The CSUID The “Purge” Process Roles and responsibilities

Lovaas Scanning systems Encryption techniques

All: Q&A

Background

HB 03-1175: cease and desist using SSN’s or portions thereof as primary identifiers for students effective July 1, 2004 CCHE exception granted until fall 2006

Federal/state mandates/laws Paccione legislation GLBA, SOX, HIPAA,… Impending “Identity Theft Protection Act”

Authority

CSU IT Security Policy version 1.7, approved by the ITEC July 11, 2006 Prohibition of SSN’s on systems unless approved by the

AVPIIT Scanning files permitted

SSN “purge” process, approved by the ITEC July 11, 2006 Letter from SVP/Provost to Deans, Directors and

Department Heads (ddd’s) SSN Attestation Form SSN Exception Form

The CSU IT Security Policy ver. 1.7 Approved by the ITEC on July 11, 2006 New material:

SSN’s not allowed on systems, unless approved by the AVPIIT

SSN’s on portable devices must be encrypted Authority to scan files/systems for sensitive

information For the purpose of identifying sensitive information Location information returned only to the owner of the

file, for appropriate action

Moreover

It is the “right” thing to do Our constituents deserve no less than diligent

protection of their personal information

Scope

All employees All systems

No automatic exceptions

The New CSUID

The ID card office is replacing all ID cards, and this will be completed at the start of the fall 2006 semester

PID will be replaced by CSUID on all central systems (except ISIS) on August 17, 2006 Including the data warehouse Including class rolls and grade rolls SSN’s generally unavailable thereafter

Also need to “purge” SSNs from all systems

Risk Mitigation

Avoid – purge SSNs from systems Reduce – remove unnecessary SSNs from

systems Transfer – use SSNs on central systems Accept – accept risk where we must

The “Purge” Process

Ddd’s distribute, collect and return SSN Personal Attestation Forms for their employees All employees must complete an SSN Personal

Attestation Form Employees who check “Yes” (SSNs used) assess

their level of effort Suggest they work with IT staff to scan systems

Exceptions

Must be applied for and approved by the AVPIIT

Request ddd’s to collect and return SSN Exception Forms Must be endorsed by IT staff, or if IT staff is the

applicant, by their supervisor Form available at

http://csuid.colostate.edu/?page=forms All forms, including SVP memo, available there

Role of IT Staff

Work with users to scan systems for SSNs and CCN’s Scan systems Return lists of files to users for their actions Endorse SSN Exception Forms Provide feedback to ACNS

Remove all requests for SSNs from hardcopy and electronic forms/programs

Reprogram all applications not to use SSNs

Role of AVPIIT

Coordinate the process Process Exception forms Report outcome to SVP/Provost

Role of ACNS

Provide a solution for scanning systems and files for SSN’s and CCN’s

Provide a solution for encrypting files, and central archival of encryption keys Horror stories about individuals losing or

“forgetting” their encryption key, not like a system password that can be reset

Scanning and Encryption

Steve Lovaas, ACNS Scanning

Spider Encryption

TrueCrypt Key escrow

Scanning Systems for SSN’s and CCN’s Cornell’s Spider A Note on Exchange Approach for Linux/Mac and Windows

Architecture Features Usage

Gotchas

Cornell University’s Spider – the product In-house tool from Cornell

Originally a Helix forensic boot disk tool New version written for Windows EDUCAUSE distribution effort

Uses regular expressions to scan for SSNs, with extensions to look into some of the more popular file formats

Note: Credit card numbers already a no-no; this tool helps purge them too!

Cornell University’s Spider at CSU Hosting code and documentation locally

http://csuid.colostate.edu/?page=tools ACNS developed custom regular expressions

and CSU-default configurations Hosting local copies of original Cornell docs Please don’t flood Cornell with questions

spider_help@colostate.edu

Using Spider – results and procedures False positives

There will be a lot You or the user get to sort through them Extension skip list to minimize them

Notifying users of potential hits Avoid anything that actually sends SSNs over the

network (email users file paths only, or describe over the phone…)

Remember to protect the results Encrypt or store off-line

A note on Exchange Servers

Spider doesn’t search Exchange stores Cornell doesn’t use Exchange Microsoft protection of Exchange

ACNS will scan CSU Exchange farm with custom tools

Colleges/departments with Exchange? Contact Nick Smith in ACNS Nick.Smith@colostate.edu

Spider for Linux - Architecture

Written in Perl Uses several modules and other utilities

2 parts: Client does scanning Server listens for and logs results

Recommended approach Run on a single machine Mount other machines via NFS or Samba This is the best way to scan Mac OS X

Spider for Linux - Features

Older, stable version of forensic tool Command line only No recent feature upgrades Limited view into Microsoft file formats

Spider for Linux - Usage

Resources on CSUID tools page Instructions, config hints, recommendations Custom REGEX file to replace defaults

Man page in the distribution All the switches and config details

Spider for Windows - Architecture Native executable

Many features compiled in, many options Requirements:

Administrative access 2000/XP/2003 with .NET 1.1 Must reboot after installing tool

Run locally or map remote drives Speed vs load

Spider for Windows - Features

Newer product CSU IT Security Technical Subcommittee has

been submitting feedback and bug reports Many recent feature additions and revisions, bug

fixes CSU has chosen the latest Beta rather than the

last stable release, due to advanced features (after extensive ACNS testing)

Easy-to-use GUI

Spider for Windows - Usage

Resources on the CSUID tools page Instructions, config hints, recommendations CSU-customized .reg file with default settings ACNS’ best guess at a good list of extensions to

skip Recommended approach

Easier to install than Linux version Single scanning machine vs one-by-one Balance of time vs resources

Spider - Gotchas for both flavors

Some file types not scanned or don’t work Linux can do Word, but not Excel or Access Windows has trouble with some PDF files Very large files will sometimes stall the program

Email attachments are difficult to scan Log files are a roadmap to all this data

Save to USB device or CD Encrypt anything remaining on fixed disks

(Windows version does this itself)

Encrypt What’s Left

Some systems will receive exemptions Need to store SSNs or CCNs locally

Policy says encrypt What tools? Risks of encryption

Encryption – Choice of Tools

Basic options Operating system features (Windows EFS) Commercial products (PGP Desktop) Open source products (TrueCrypt)

Metrics to choose by Price Ease of use Reliability/risk

Encryption – Windows EFS

Pros Available out of the box in 2000 and XP Very easy, intuitive user experience Free

Cons If user login is compromised, data is accessible Default key recovery agent is Administrator Need an enterprise CA to be flexible enough Self-destruct feature in XP without a CA

Encryption – TrueCrypt

Pros Free, Open Source Fairly easy to use Available key escrow without a CA Separate password from Windows login Available for Linux as well

Cons A separate product to install

Encryption with TrueCrypt - concept Volume encryption

An entire hard drive A whole logical drive An entire removable device (USB stick) A single file on any of these as a virtual filesystem

Not OS-dependent Application + password (+ keyfile) Single USB device usable on Windows, Linux

Encryption with TrueCrypt - features Virtual filesystem

Mount a file or drive as a separate mount point Treated just like a drive – defrag, virus scan, etc Can be backed up

Key escrow Administrator installs program, creates volume Backs up header, then sets a user password Recovery of header restores original admin

password

Encryption with TrueCrypt - usage Windows

Launch the GUI Create an encrypted volume Mount the volume to make it available Drag and drop files in and out Dismount when done (reboot dismounts too)

Linux Command line only Same procedures and features

Encryption with TrueCrypt – usage (2) Encryption strength

AES (256-bit) Hashing function only for randomization in

creating the volume, so SHA-1 is OK Key escrow HIGHLY RECOMMENDED

ACNS will provide storage of volume headers If you use this (or any) encryption product without

recovery ability, data could be lost forever The cure could be worse than the disease

Key Escrow

Crucial to acceptance of an encryption tool Loss of password must not = loss of data forever

ACNS will provide hosting Offline, redundant storage (not networked) Physical security (monitored, locked, alarmed) Consistent naming conventions (for scalability)

May be intermediate step toward a future CA Better scalability, automation, ease of use Support for email encryption, client certificates

Summary of Resources

http://csuid.colostate.edu Forms Spider

Executables, configs, documentation TrueCrypt

Local user instruction document External links to download installers and documentation

ACNS spider_help@colostate.edu key_escrow@colostate.edu

Discussion

Is most welcome