managing pii with identity finder paul hanson iet-data center and client services university of...
TRANSCRIPT
MANAGING PII WITHIDENTITY FINDERPaul Hanson
IET-Data Center and Client Services
University of California, Davis
Agenda
What is PII and where’s the value?
What is Identity Finder? Alternative Solutions What can Identity
Finder Scan? How does Identity
Finder handle the results?
Identity Finder Architecture
Architecture Overview Client UI INI Files Custom MSI
Architecture Overview Management Console
IET DCCS Implementation
IET DCCS Architecture Lessons Learned Breaking News Questions
What is PII and where’s the value? Cybersecurity (UC Davis) Massachusetts 201 CMR 17.00 Protected Health Information (PHI) Health Insurance Portability and
Accountability Act (HIPAA) FACT Red Flag Rules Incident Response Sysadmins may not know the data is
there.
What is Identity Finder
Identity Finder searches the deepest recesses of a computer to locate and secure data that is vulnerable to identity theft - even when you don’t know it exists. The information is then presented to you to permanently shred, quarantine to a secure location, or encrypt with a password. Source: http://www.identityfinder.com/Products/Identity_Finder.html
Primarily Supports Windows & Mac Feature rich Continuously improving
Alternative Solutions
Windows
MacLinux/Unix
Virginia Tech Find_SSNs
X X X
Cornell Spider X X XPowerGREP ? ? ?
Identity Finder Architecture
Enterprise Client Installed on the workstation/server & does the heavy lifting
Management Console (Really just a reporting server) Dedicated system running IIS w/MSSQL
OS Compatibility Clients for Windows and Mac Linux/Unix systems are scanned remotely
What can Identity Finder Scan?
Microsoft Office (Excel, PowerPoint, Word, and OneNote including 2007)
Adobe Acrobat PDF (including 9.x) Cookies and instant messenger logs HTML files (htm, asp, js, etc.) Text files (ANSI, Unicode, Batch, Source code) Rich text files (rtf format) files within the My Documents folder of your personal computer files anywhere on your personal computer removeable hard drives connected to your PC Create custom folder lists for seaching (ability to include and
exclude subfolders) compressed files (zip, gzip, bzip, tar, rar, and z) Microsoft Access database files (including 2007) Any other known or unknown file type
Source: http://www.identityfinder.com/Products/Identity_Finder_Feature_List.html
What else does Identity Finder scan?
Database connector OLEDB (i.e., SQL, Oracle, Sybase, DB2, etc.)
Website crawler HTTP or HTTPS
Remote file shares (SMB, NFS, Samba) Email – Mailboxes, PST’s, MBOX, Tbird IE & Firefox Cache AnyFind vs. Specific Values (e-discovery
requests)
What does Identity Finder do with the results? Save as secured Identity Finder file (*.idf) using FIPS 140-2
validated 256 bit AES Save as HTML Summary Report Choose specific information for custom reports to be saved Save as Full Export into Comma Separated Value format Save as Executive Summary Report Upload to Management Console What about the hits?
Secure – encrypts the file using FIPS 140-2 validated 256 bit AES Shred – based on DOD 5220.22-M standard Ignore Quarantine – Secures a copy of the file and shreds the original Recycle – same as the windows recycle bin. Not a secure method. Will clean web browser cache & registry
Architecture Overview
Client Configuration
User Interface INI Files MSI Customization Boot from CD
Management Console IIS & SQL
Architecture – Client UI
Main What to Search for Where to Search Tools and Options Settings Scheduling
Architecture – INI Files
Creating an INI File Created in UI Copied over
Run on demand or scheduled task /jobmode /inifile=“<filename>.ini”
Architecture – Custom MSI Creating the environment
Download Windows SDK (~1.1GB for Vista) Install Orca.msi Add system variables
Extract MSI Run lictomsi.cmd Import Tables Schtasks for all systems Include Management Console phone home No x64 bit support…. Yet.
Identity Finder Client
Lab
Architecture – Management Console
Single server, dual purpose WS2003/2008 (x86 or x64)
IIS6 or IIS7 w/Metabase compatibility .Net Framework 3.5 SP1 Microsoft Report Viewer
Redistributable 2008 Creates Client Registry
Settings (x86 & x64) SQL 2005/2008
(Express, Std, Ent) Certificates & Encryption
IET DCCS Implementation
Powershell installation script Started with custom MSI
x86 was fairly smooth Users couldn’t modify settings to rescan
x64 required some extra work No support for x64 so had to use INI files anyway
Moved to INI files No reason to support two methods Users can tweak settings and rescan systems
Scans launched using the system account
IET DCCS Architecture
Mangement Console Separate virtual systems for IIS & SQL
Certificates Clients
Leveraged Powershell to script installation Verify connectivity to MC Check system type Include password check Check for and uninstall previous versions Import registry key for MC Create INI Delete old scheduled task Schedule new scan
Lessons Learned
MC is a resource hog. Nuances with schtasks. Clients were configured to search for SSN &
CC but also pulled up Back Account information.
Be prepared for False-Positives. Password check really slows down the scan. When configured as background service, it
will allocate the remaining resources.
Breaking News
Features in the next version of Identity Finder.
Questions?
Identity Finder Management Console
Lab