Campus Meeting on CSUID Implementation SSN Purge http://csuid.colostate.edu

1
Campus Meeting on CSUID Implementation SSN Purge
http://csuid.colostate.edu
  • Pat Burns and Steve Lovaas
  • ACNS
  • July 28, 2006

2
Outline
  • Burns
    • Background
    • Authority
    • Scope
    • The CSUID
    • The Purge Process
    • Roles and responsibilities
  • Lovaas
    • Scanning systems
    • Encryption techniques
  • All
    • Q&A

3
Background
  • HB 03-1175: cease and desist using SSNs or
    portions thereof as primary identifiers for
    students effective July 1, 2004
  • CCHE exception granted until fall 2006
  • Federal/state mandates/laws
  • Paccione legislation
  • GLBA, SOX, HIPAA,
  • Impending Identity Theft Protection Act

4
Authority
  • CSU IT Security Policy version 1.7, approved by
    the ITEC July 11, 2006
  • Prohibition of SSNs on systems unless approved
    by the AVPIIT
  • Scanning files permitted
  • SSN purge process, approved by the ITEC July
    11, 2006
  • Letter from SVP/Provost to Deans, Directors and
    Department Heads (ddds)
  • SSN Attestation Form
  • SSN Exception Form

5
The CSU IT Security Policy ver. 1.7
  • Approved by the ITEC on July 11, 2006
  • New material
  • SSNs not allowed on systems, unless approved by
    the AVPIIT
  • SSNs on portable devices must be encrypted
  • Authority to scan files/systems for sensitive
    information
  • For the purpose of identifying sensitive
    information
  • Location information returned only to the owner
    of the file, for appropriate action

6
Moreover
  • It is the right thing to do
  • Our constituents deserve no less than diligent
    protection of their personal information

7
Scope
  • All employees
  • All systems
  • No automatic exceptions

8
The New CSUID
  • The ID card office is replacing all ID cards, and
    this will be completed at the start of the fall
    2006 semester
  • PID will be replaced by CSUID on all central
    systems (except ISIS) on August 17, 2006
  • Including the data warehouse
  • Including class rolls and grade rolls
  • SSNs generally unavailable thereafter
  • Also need to purge SSNs from all systems

9
Risk Mitigation
  • Avoid: purge SSNs from systems
  • Reduce: remove unnecessary SSNs from systems
  • Transfer: use SSNs on central systems
  • Accept: accept risk where we must

10
The Purge Process
  • Ddds distribute, collect and return SSN Personal
    Attestation Forms for their employees
  • All employees must complete an SSN Personal
    Attestation Form
  • Employees who check Yes (SSNs used) assess
    their level of effort
  • Suggest they work with IT staff to scan systems

11
Exceptions
  • Must be applied for and approved by the AVPIIT
  • Request ddds to collect and return SSN Exception
    Forms
  • Must be endorsed by IT staff, or if IT staff is
    the applicant, by their supervisor
  • Form available at
  • http://csuid.colostate.edu/?pageforms
  • All forms, including SVP memo, available there

12
Role of IT Staff
  • Work with users to scan systems for SSNs and
    CCNs
  • Scan systems
  • Return lists of files to users for their actions
  • Endorse SSN Exception Forms
  • Provide feedback to ACNS
  • Remove all requests for SSNs from hardcopy and
    electronic forms/programs
  • Reprogram all applications not to use SSNs

13
Role of AVPIIT
  • Coordinate the process
  • Process Exception forms
  • Report outcome to SVP/Provost

14
Role of ACNS
  • Provide a solution for scanning systems and files
    for SSNs and CCNs
  • Provide a solution for encrypting files, and
    central archival of encryption keys
  • Horror stories about individuals losing or
    forgetting their encryption key, not like a
    system password that can be reset

15
Scanning and Encryption
  • Steve Lovaas, ACNS
  • Scanning
  • Spider
  • Encryption
  • TrueCrypt
  • Key escrow

16
Scanning Systems for SSNs and CCNs
  • Cornell's Spider
  • A Note on Exchange
  • Approach for Linux/Mac and Windows
  • Architecture
  • Features
  • Usage
  • Gotchas

17
Cornell University's Spider: the product
  • In-house tool from Cornell
  • Originally a Helix forensic boot disk tool
  • New version written for Windows
  • EDUCAUSE distribution effort
  • Uses regular expressions to scan for SSNs, with
    extensions to look into some of the more popular
    file formats
  • Note: Credit card numbers are already a no-no;
    this tool helps purge them too!

18
Cornell University's Spider at CSU
  • Hosting code and documentation locally
  • http://csuid.colostate.edu/?pagetools
  • ACNS developed custom regular expressions and
    CSU-default configurations
  • Hosting local copies of original Cornell docs
  • Please don't flood Cornell with questions
  • spider_help_at_colostate.edu

19
Using Spider: results and procedures
  • False positives
  • There will be a lot
  • You or the user get to sort through them
  • Extension skip list to minimize them
  • Notifying users of potential hits
  • Avoid anything that actually sends SSNs over the
    network (email users file paths only, or describe
    over the phone)
  • Remember to protect the results
  • Encrypt or store off-line
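
An added example, not Spider's code or the ACNS custom regular expressions: a regex scan that applies an extension skip list, rejects number ranges the SSA never issues to reduce false positives, and reports only file paths and hit counts so that no SSN travels with the results. The pattern, the skip list and all sample data are assumptions constructed for this illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumed pattern (not Spider's or ACNS's): nine digits, one consistent
# optional separator, not embedded in a longer digit run.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")
SKIP_EXTENSIONS = {".exe", ".dll", ".jpg", ".zip"}  # constructed skip list

def plausible_ssn(area, group, serial):
    """Reject values the SSA never issues, to cut false positives."""
    if area in ("000", "666") or area >= "900":
        return False
    return group != "00" and serial != "0000"

def count_hits(text):
    return sum(plausible_ssn(m[1], m[3], m[4]) for m in SSN_RE.finditer(text))

def scan_tree(root):
    """Return {relative_path: hit_count}; matched values are never stored."""
    report = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() in SKIP_EXTENSIONS:
            continue
        try:
            hits = count_hits(path.read_text(errors="ignore"))
        except OSError:
            continue  # unreadable file: skip it, keep scanning
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report

def demo():
    """Scan a constructed tree; every value below is made up."""
    samples = {
        "roster.txt": "Smith 123-45-6789\nJones 987-65-4321\n",  # 9xx area
        "notes.txt": "order 000-12-3456, phone 970-555-0100\n",
        "photo.jpg": "123-45-6789",  # skipped by extension
        "grades.csv": "id,ssn\n1,219 09 9999\n2,2190999990\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            (Path(root) / name).write_text(body)
        return scan_tree(root)

if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(f"{path}: {hits} possible SSN(s)")  # paths and counts only
```

The report itself is still a roadmap to the sensitive files, so it needs the same protection as the scan logs.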

20
A note on Exchange Servers
  • Spider doesn't search Exchange stores
  • Cornell doesn't use Exchange
  • Microsoft protection of Exchange
  • ACNS will scan CSU Exchange farm with custom
    tools
  • Colleges/departments with Exchange?
  • Contact Nick Smith in ACNS
  • Nick.Smith_at_colostate.edu

21
Spider for Linux - Architecture
  • Written in Perl
  • Uses several modules and other utilities
  • 2 parts
  • Client does scanning
  • Server listens for and logs results
  • Recommended approach
  • Run on a single machine
  • Mount other machines via NFS or Samba
  • This is the best way to scan Mac OS X

22
Spider for Linux - Features
  • Older, stable version of forensic tool
  • Command line only
  • No recent feature upgrades
  • Limited view into Microsoft file formats

23
Spider for Linux - Usage
  • Resources on CSUID tools page
  • Instructions, config hints, recommendations
  • Custom REGEX file to replace defaults
  • Man page in the distribution
  • All the switches and config details

24
Spider for Windows - Architecture
  • Native executable
  • Many features compiled in, many options
  • Requirements
  • Administrative access
  • 2000/XP/2003 with .NET 1.1
  • Must reboot after installing tool
  • Run locally or map remote drives
  • Speed vs load

25
Spider for Windows - Features
  • Newer product
  • CSU IT Security Technical Subcommittee has been
    submitting feedback and bug reports
  • Many recent feature additions and revisions, bug
    fixes
  • CSU has chosen the latest Beta rather than the
    last stable release, due to advanced features
    (after extensive ACNS testing)
  • Easy-to-use GUI

26
Spider for Windows - Usage
  • Resources on the CSUID tools page
  • Instructions, config hints, recommendations
  • CSU-customized .reg file with default settings
  • ACNS best guess at a good list of extensions to
    skip
  • Recommended approach
  • Easier to install than Linux version
  • Single scanning machine vs one-by-one
  • Balance of time vs resources

27
Spider - Gotchas for both flavors
  • Some file types not scanned or don't work
  • Linux can do Word, but not Excel or Access
  • Windows has trouble with some PDF files
  • Very large files will sometimes stall the program
  • Email attachments are difficult to scan
  • Log files are a roadmap to all this data
  • Save to USB device or CD
  • Encrypt anything remaining on fixed disks
    (Windows version does this itself)

28
Encrypt What's Left
  • Some systems will receive exemptions
  • Need to store SSNs or CCNs locally
  • Policy says encrypt
  • What tools?
  • Risks of encryption

29
Encryption: Choice of Tools
  • Basic options
    • Operating system features (Windows EFS)
    • Commercial products (PGP Desktop)
    • Open source products (TrueCrypt)
  • Metrics to choose by
    • Price
    • Ease of use
    • Reliability/risk

30
Encryption: Windows EFS
  • Pros
    • Available out of the box in 2000 and XP
    • Very easy, intuitive user experience
    • Free
  • Cons
    • If user login is compromised, data is accessible
    • Default key recovery agent is Administrator
    • Need an enterprise CA to be flexible enough
    • Self-destruct feature in XP without a CA

31
Encryption: TrueCrypt
  • Pros
    • Free, Open Source
    • Fairly easy to use
    • Available key escrow without a CA
    • Separate password from Windows login
    • Available for Linux as well
  • Cons
    • A separate product to install

32
Encryption with TrueCrypt - concept
  • Volume encryption
  • An entire hard drive
  • A whole logical drive
  • An entire removable device (USB stick)
  • A single file on any of these as a virtual
    filesystem
  • Not OS-dependent
  • Application password ( keyfile)
  • Single USB device usable on Windows, Linux

33
Encryption with TrueCrypt - features
  • Virtual filesystem
  • Mount a file or drive as a separate mount point
  • Treated just like a drive: defrag, virus scan,
    etc.
  • Can be backed up
  • Key escrow
  • Administrator installs program, creates volume
  • Backs up header, then sets a user password
  • Recovery of header restores original admin
    password

34
Encryption with TrueCrypt - usage
  • Windows
    • Launch the GUI
    • Create an encrypted volume
    • Mount the volume to make it available
    • Drag and drop files in and out
    • Dismount when done (reboot dismounts too)
  • Linux
    • Command line only
    • Same procedures and features

35
Encryption with TrueCrypt - usage (2)
  • Encryption strength
  • AES (256-bit)
  • Hashing function only for randomization in
    creating the volume, so SHA-1 is OK
  • Key escrow HIGHLY RECOMMENDED
  • ACNS will provide storage of volume headers
  • If you use this (or any) encryption product
    without recovery ability, data could be lost
    forever
  • The cure could be worse than the disease

36
Key Escrow
  • Crucial to acceptance of an encryption tool
  • Loss of password must not mean loss of data forever
  • ACNS will provide hosting
  • Offline, redundant storage (not networked)
  • Physical security (monitored, locked, alarmed)
  • Consistent naming conventions (for scalability)
  • May be intermediate step toward a future CA
  • Better scalability, automation, ease of use
  • Support for email encryption, client certificates

37
Summary of Resources
  • http://csuid.colostate.edu
  • Forms
  • Spider
  • Executables, configs, documentation
  • TrueCrypt
  • Local user instruction document
  • External links to download installers and
    documentation
  • ACNS
  • spider_help_at_colostate.edu
  • key_escrow_at_colostate.edu

38
Discussion
  • Is most welcome