Looking for PII If you’re not, who is? Krizi Trivisani – CSO, The George Washington University Gary Golomb – Principal Security Engineer October 26, 2006


TRANSCRIPT

Page 1:

Looking for PII
If you’re not, who is?

Krizi Trivisani – CSO, The George Washington University
Gary Golomb – Principal Security Engineer
October 26, 2006

Page 2:

Agenda
• Security Today
• In a Previous Episode…
• Data Classification
• SISP Version 2
• Safety Analyzer
• Important Projects
• Questions

Page 3:

Security today…

“The cost of notifying and offering assistance to those individuals who have had their privacy information compromised can run into the hundreds of thousands of dollars for each incident. Increased regulatory requirements also make it imperative that the University be able to show a level of due diligence in the protection of its systems and confidential data.”

Page 4:

In a Previous Episode...

• GW conducted an audit project of 236+ departmentally controlled servers for security and PII (aka: Server Information Security Project, or SISP)
  – Project commissioned by EVP&T and CIO
  – Audited configuration of computers and detection of SSNs

Page 5:

Where and When

• A PII audit project should/could be used:
  – Before or while developing a data-handling policy
  – Post-policy development compliance checking
  – Annual security audits

Page 6:

Data Classification Policy

Why is a Data Classification Policy Necessary?

• Provides the framework necessary to identify and classify data in order to assess risk and implement an appropriate level of security protection based on categorization.

• Provides the framework necessary to comply with legislation, regulations, and internal policies that govern the protection of data.

• Provides the framework necessary to facilitate and make the Incident Response process more efficient. The level at which the data is classified determines the level of response.

Page 7:

Data Classification - CRITICAL

Objectives of Data Classification Policy:

• Communicates data categories to the University community and provides examples of how data should be classified

• Communicates the high level requirements necessary to protect data based on category

• Communicates the roles and responsibilities of various members of the University community and external associates as it relates to GW owned data

Page 8:

Matrix of Security & Ops Standards

[Matrix figure: a 3x3 grid of Privacy Levels (Confidential, Official, Public) against Operations Levels (Enterprise System, Department Server, Desktop). The axes run from Highest Security / Highest Operations at one corner to Lowest Security / Lowest Operations at the opposite corner. The cell values as extracted, in reading order, are 1; 3 2; 3 4 2; 2 2; 1; their row and column positions are not recoverable from the text.]

Note, numbers in boxes suggest the priority levels for mitigating risks.

Page 9:

Security Tool Kit

To provide departments managing systems outside of the GW Data Center with standard guidelines and procedures

Sections
• Policies
• Systems Checklist - Departmental Servers and Enterprise Systems
• Best Practices for Department Server and Enterprise System Checklist
• Server Management Best Practices
• Security Controls Matrix for Data Classification
• Information Security Training and Awareness
• Resources

Page 10:

Other Implications

• Politics
• Culture
• Awareness

Page 11:

Lessons Learned

• PII on almost 50% of servers admins thought it was NOT on

• About 75% of computers that were compromised had completely up-to-date antivirus and/or firewalls

• Security efforts focused mostly on protecting servers as opposed to data

Page 12:

Why SISP version 2

• Were changes made in response to last year’s efforts?

• Far more end-user computers have PII, but whose?

• Rewards for last year’s efforts...

Page 13:

Scope of SISPv2

• Address problems in first pass

• Include all computers with *access* to sensitive data, not only known storage

• Contrast locations of PII to current security architecture

Page 14:

Implications of Scope

• Desktops versus servers...

• Integration with patch management systems?

• Secure reporting

• Log parsing by junior-level security staff

Page 15:

Safety Analyzer

• Sensitive Data Detection
  – SSNs with heuristics
  – Credit Card numbers with Luhn algorithm validation

• Compromise Detection
  – Trojan file detection
  – Kernel-level rootkit detection
  – IR-related data harvesting

Page 16:

SA Compromise Detection

• Win 2003 servers example...

Executable | Run value name | Registry key
win2k.exe | Routing | HKU\S-1-5-21-602162358-1993962763-725345543-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
urx_old.exe | Sygate Personal Firewall | HKU\S-1-5-21-602162358-1993962763-725345543-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
serv454.exe | Rout111 | HKU\DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
c:\winnt\system32\l33t.exe | MicrosoftWindows | HKU\DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Page 17:

Comp Detection Cont...

Hidden *.exe: C:\winnt\system32\psniffc.exe
Hidden *.exe: C:\winnt\system32\psniffcc.exe
Hidden *.exe: C:\winnt\system32\rvahlhhe.exe
Hidden *.exe: C:\winnt\system32\tzrepwgo.exe
Hidden *.exe: C:\winnt\system32\secthuty.exe

Page 18:

PII Detection

• An algorithmic approach...

C:\documents and settings\stnic\Application Data\Adobe\Designer\en\objects\custom\U.S. Social Security Number.xfo xxx yy zzzz

C:\documents and settings\stnic\Local Settings\Temporary Internet Files\Content.IE5\0H2VOH6F\default[3].htm xxx yy zzzz

C:\documents and settings\stnic\Local Settings\Temporary Internet Files\Content.IE5\0H2VOH6F\default[3].htm xxx yy zzzz

C:\documents and settings\stnic\My Documents\GWDOCS\Cardscanbackup\Business Cards.CDB xxx yy zzzz

C:\documents and settings\stnic\My Documents\GWDOCS\HR\selfeval2001.doc xxx yy zzzz

C:\documents and settings\stnic\My Documents\GWDOCS\HR\Staff evaluation start dates2.xls xxx yy zzzz

C:\documents and settings\stnic\My Documents\GWDOCS\HR\budget\Salary Review Notices 01 ORG.xls xxx yy zzzz

C:\documents and settings\stnic\My Documents\GWDOCS\HR\budget\Salary_Review_Notices_01_NEW.xls xxx yy zzzz

C:\documents and settings\stnic\My Documents\GWDOCS\HR\budget\SRNTEST.xls xxx yy zzzz

C:\documents and settings\stnic\My Documents\GWDOCS\HR\budget\SRN_FY02_TEMPLATE.xls xxx yy zzzz

C:\documents and settings\stnic\My Documents\GWDOCS\HR\budget\T06322NEW.xls xxx yy zzzz

C:\documents and settings\stnic\My Documents\GWDOCS\HR\budget\SRN_FY02\SRN_FY02.xls xxx yy zzzz

C:\documents and settings\stnic\My Documents\GWDOCS\HR\evals00\Andrew Mngr pref-eval's.doc xxx yy zzzz

C:\documents and settings\stnic\My Documents\GWDOCS\HR\evals00\Jonathan Mngr pref-eval's.doc xxx yy zzzz

C:\documents and settings\stnic\My Documents\GWDOCS\HR\evals00\Mark Mngr pref-eval's.doc xxx yy zzzz

C:\documents and settings\stnic\My Documents\GWDOCS\HR\evals00\Ron Mngr pref-eval's.doc xxx yy zzzz

C:\documents and settings\stnic\My Documents\GWDOCS\HR\evals01\Andrew Mngr pref-eval's.doc xxx yy zzzz

C:\documents and settings\stnic\My Documents\GWDOCS\HR\evals01\Andrew Mngr pref-eval's_FY01.doc xxx yy zzzz

C:\documents and settings\stnic\My Documents\GWDOCS\HR\evals01\Angela exempt eval.doc xxx yy zzzz
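The two detection techniques named on slide 15 (SSN heuristics, Luhn validation of card numbers) and the per-file listing style of slide 18 can be shown end to end in a small scanner. The code below is an added example written for this transcript; it is not Safety Analyzer's code and nothing about that tool's internals is known from the slides. The regular expressions, the 13 to 19 digit card length, the use of the pre-2011 SSN issuance rules (area 000, 666 and 900-999 never issued; group 00 and serial 0000 invalid) and the in-memory sample corpus are all assumptions made here; hits are written out redacted, in the "xxx yy zzzz" form the slide 18 listing uses, so the report itself does not become another copy of the PII (the "Secure reporting" point on slide 14).

```python
from __future__ import annotations
import re

# Added example (not Safety Analyzer's code): scan text for SSN and card
# candidates as slides 15 and 18 describe, reporting each hit redacted.

# Candidate patterns are assumptions for this example: SSNs as ddd-dd-dddd
# or ddd dd dddd, card numbers as 13 to 19 digits split by spaces or dashes.
SSN_RE = re.compile(r"\b(\d{3})[- ](\d{2})[- ](\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

SSN_REDACTED = "xxx yy zzzz"  # the redaction form used in the slide 18 listing


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural heuristics for SSNs issued before the 2011 randomization:
    area 000, 666 and 900-999 were never issued; group 00 and serial 0000
    are never valid. Passing makes a candidate, not a confirmed SSN."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: from the rightmost digit, double every second digit,
    subtract 9 from any doubled value above 9, sum everything; the number
    is well-formed when the total is a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> list[tuple[str, str]]:
    """Return (kind, redacted_value) for each candidate found in `text`.
    SSN hits are blanked out of the line before the card search so an SSN
    adjacent to another number cannot be glued into a fake card-length run."""
    findings: list[tuple[str, str]] = []
    for line in text.splitlines():
        def _mask(m: re.Match) -> str:
            if plausible_ssn(*m.groups()):
                findings.append(("ssn", SSN_REDACTED))
                return " " * len(m.group(0))
            return m.group(0)
        line = SSN_RE.sub(_mask, line)
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                # only the last four digits reach the report
                findings.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    return findings


def scan_corpus(files: dict[str, str]) -> list[tuple[str, str, str]]:
    """Scan an in-memory {path: contents} corpus and return one
    (path, kind, redacted) row per hit, like the per-file listing on slide 18."""
    report: list[tuple[str, str, str]] = []
    for path, contents in files.items():
        for kind, redacted in scan_text(contents):
            report.append((path, kind, redacted))
    return report


# Constructed sample corpus: paths and contents are invented for this example.
SAMPLE_FILES = {
    r"C:\docs\HR\selfeval.doc": "Employee SSN: 123-45-6789\nStart date 2001-04-02\n",
    r"C:\docs\finance\expenses.xls": (
        "Corporate card 4111 1111 1111 1111 charged\n"
        "Typo 4111-1111-1111-1112 fails Luhn and is not reported\n"
    ),
    r"C:\docs\notes.txt": "Ticket 000-12-3456 is not an SSN (area 000)\nPhone 202-555-0100\n",
}

if __name__ == "__main__":
    for path, kind, redacted in scan_corpus(SAMPLE_FILES):
        print(f"{path} {kind} {redacted}")
```

Run as a script it prints two rows: the HR document with an SSN hit and the finance spreadsheet with a card ending in 1111. The area-000 "ticket" and the mistyped card are dropped by the heuristics, which is the point of combining a loose pattern with a structural check: the regular expression alone would report both.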

Page 19:

Future of SA?

TRUE Risk Calculation and Protection
– PII detection and protection
– GUI-based metrics and trending across hundreds to thousands of computers
– Advanced data detection with high-performance algorithms
– Configuration auditing
– Innovative compromise detection and IR capabilities

http://www.proventsure.com

Page 20:

Other Important Projects

– Cisco Clean Access
– Novell Patchlink – Covers about 4000 employees (faculty and staff)
– GWid project – Moved off of SSN as the primary ID
– Migration of confidential servers
– NIST Level III – Reached NIST Level III (Security Assessment Framework)

Page 21:

Other Important Projects

– Application/Program Security Reviews – In-depth assessment for new application development efforts within ISS
– WebInspect – Web application security scanning. Bringing this capability in house saves approximately $7000 per assessment
– Technical/System Security Reviews – Conducted over 300 technical security reviews in the past year; Safety Analyzer is critical to completing these reviews
– Security Internship Program – Successfully partnered with academic departments to recruit and train interns

Page 22:

Happy Halloween! Questions?

• Contact:
  – Krizi Trivisani [email protected]
  – Gary [email protected]

• Download:
  http://home.gwu.edu/~coach/SA.zip