Campus Meeting on CSUID Implementation – SSN Purgehttp://csuid.colostate.edu
Pat Burns and Steve Lovaas
ACNS
July 28, 2006
Outline
Burns Background Authority Scope The CSUID The “Purge” Process Roles and responsibilities
Lovaas Scanning systems Encryption techniques
All: Q&A
Background
HB 03-1175: cease and desist using SSN’s or portions thereof as primary identifiers for students effective July 1, 2004 CCHE exception granted until fall 2006
Federal/state mandates/laws Paccione legislation GLBA, SOX, HIPAA,… Impending “Identity Theft Protection Act”
Authority
CSU IT Security Policy version 1.7, approved by the ITEC July 11, 2006 Prohibition of SSN’s on systems unless approved by the
AVPIIT Scanning files permitted
SSN “purge” process, approved by the ITEC July 11, 2006 Letter from SVP/Provost to Deans, Directors and
Department Heads (ddd’s) SSN Attestation Form SSN Exception Form
The CSU IT Security Policy ver. 1.7 Approved by the ITEC on July 11, 2006 New material:
SSN’s not allowed on systems, unless approved by the AVPIIT
SSN’s on portable devices must be encrypted Authority to scan files/systems for sensitive
information For the purpose of identifying sensitive information Location information returned only to the owner of the
file, for appropriate action
Moreover
It is the “right” thing to do Our constituents deserve no less than diligent
protection of their personal information
The New CSUID
The ID card office is replacing all ID cards, and this will be completed at the start of the fall 2006 semester
PID will be replaced by CSUID on all central systems (except ISIS) on August 17, 2006 Including the data warehouse Including class rolls and grade rolls SSN’s generally unavailable thereafter
Also need to “purge” SSNs from all systems
Risk Mitigation
Avoid – purge SSNs from systems Reduce – remove unnecessary SSNs from
systems Transfer – use SSNs on central systems Accept – accept risk where we must
The “Purge” Process
Ddd’s distribute, collect and return SSN Personal Attestation Forms for their employees All employees must complete an SSN Personal
Attestation Form Employees who check “Yes” (SSNs used) assess
their level of effort Suggest they work with IT staff to scan systems
Exceptions
Must be applied for and approved by the AVPIIT
Request ddd’s to collect and return SSN Exception Forms Must be endorsed by IT staff, or if IT staff is the
applicant, by their supervisor Form available at
http://csuid.colostate.edu/?page=forms All forms, including SVP memo, available there
Role of IT Staff
Work with users to scan systems for SSNs and CCN’s Scan systems Return lists of files to users for their actions Endorse SSN Exception Forms Provide feedback to ACNS
Remove all requests for SSNs from hardcopy and electronic forms/programs
Reprogram all applications not to use SSNs
Role of ACNS
Provide a solution for scanning systems and files for SSN’s and CCN’s
Provide a solution for encrypting files, and central archival of encryption keys Horror stories about individuals losing or
“forgetting” their encryption key, not like a system password that can be reset
Scanning Systems for SSN’s and CCN’s Cornell’s Spider A Note on Exchange Approach for Linux/Mac and Windows
Architecture Features Usage
Gotchas
Cornell University’s Spider – the product In-house tool from Cornell
Originally a Helix forensic boot disk tool New version written for Windows EDUCAUSE distribution effort
Uses regular expressions to scan for SSNs, with extensions to look into some of the more popular file formats
Note: Credit card numbers already a no-no; this tool helps purge them too!
Cornell University’s Spider at CSU Hosting code and documentation locally
http://csuid.colostate.edu/?page=tools ACNS developed custom regular expressions
and CSU-default configurations Hosting local copies of original Cornell docs Please don’t flood Cornell with questions
Using Spider – results and procedures False positives
There will be a lot You or the user get to sort through them Extension skip list to minimize them
Notifying users of potential hits Avoid anything that actually sends SSNs over the
network (email users file paths only, or describe over the phone…)
Remember to protect the results Encrypt or store off-line
A note on Exchange Servers
Spider doesn’t search Exchange stores Cornell doesn’t use Exchange Microsoft protection of Exchange
ACNS will scan CSU Exchange farm with custom tools
Colleges/departments with Exchange? Contact Nick Smith in ACNS [email protected]
Spider for Linux - Architecture
Written in Perl Uses several modules and other utilities
2 parts: Client does scanning Server listens for and logs results
Recommended approach Run on a single machine Mount other machines via NFS or Samba This is the best way to scan Mac OS X
Spider for Linux - Features
Older, stable version of forensic tool Command line only No recent feature upgrades Limited view into Microsoft file formats
Spider for Linux - Usage
Resources on CSUID tools page Instructions, config hints, recommendations Custom REGEX file to replace defaults
Man page in the distribution All the switches and config details
Spider for Windows - Architecture Native executable
Many features compiled in, many options Requirements:
Administrative access 2000/XP/2003 with .NET 1.1 Must reboot after installing tool
Run locally or map remote drives Speed vs load
Spider for Windows - Features
Newer product CSU IT Security Technical Subcommittee has
been submitting feedback and bug reports Many recent feature additions and revisions, bug
fixes CSU has chosen the latest Beta rather than the
last stable release, due to advanced features (after extensive ACNS testing)
Easy-to-use GUI
Spider for Windows - Usage
Resources on the CSUID tools page Instructions, config hints, recommendations CSU-customized .reg file with default settings ACNS’ best guess at a good list of extensions to
skip Recommended approach
Easier to install than Linux version Single scanning machine vs one-by-one Balance of time vs resources
Spider - Gotchas for both flavors
Some file types not scanned or don’t work Linux can do Word, but not Excel or Access Windows has trouble with some PDF files Very large files will sometimes stall the program
Email attachments are difficult to scan Log files are a roadmap to all this data
Save to USB device or CD Encrypt anything remaining on fixed disks
(Windows version does this itself)
Encrypt What’s Left
Some systems will receive exemptions Need to store SSNs or CCNs locally
Policy says encrypt What tools? Risks of encryption
Encryption – Choice of Tools
Basic options Operating system features (Windows EFS) Commercial products (PGP Desktop) Open source products (TrueCrypt)
Metrics to choose by Price Ease of use Reliability/risk
Encryption – Windows EFS
Pros Available out of the box in 2000 and XP Very easy, intuitive user experience Free
Cons If user login is compromised, data is accessible Default key recovery agent is Administrator Need an enterprise CA to be flexible enough Self-destruct feature in XP without a CA
Encryption – TrueCrypt
Pros Free, Open Source Fairly easy to use Available key escrow without a CA Separate password from Windows login Available for Linux as well
Cons A separate product to install
Encryption with TrueCrypt - concept Volume encryption
An entire hard drive A whole logical drive An entire removable device (USB stick) A single file on any of these as a virtual filesystem
Not OS-dependent Application + password (+ keyfile) Single USB device usable on Windows, Linux
Encryption with TrueCrypt - features Virtual filesystem
Mount a file or drive as a separate mount point Treated just like a drive – defrag, virus scan, etc Can be backed up
Key escrow Administrator installs program, creates volume Backs up header, then sets a user password Recovery of header restores original admin
password
Encryption with TrueCrypt - usage Windows
Launch the GUI Create an encrypted volume Mount the volume to make it available Drag and drop files in and out Dismount when done (reboot dismounts too)
Linux Command line only Same procedures and features
Encryption with TrueCrypt – usage (2) Encryption strength
AES (256-bit) Hashing function only for randomization in
creating the volume, so SHA-1 is OK Key escrow HIGHLY RECOMMENDED
ACNS will provide storage of volume headers If you use this (or any) encryption product without
recovery ability, data could be lost forever The cure could be worse than the disease
Key Escrow
Crucial to acceptance of an encryption tool Loss of password must not = loss of data forever
ACNS will provide hosting Offline, redundant storage (not networked) Physical security (monitored, locked, alarmed) Consistent naming conventions (for scalability)
May be intermediate step toward a future CA Better scalability, automation, ease of use Support for email encryption, client certificates
Summary of Resources
http://csuid.colostate.edu Forms Spider
Executables, configs, documentation TrueCrypt
Local user instruction document External links to download installers and documentation