Identifying and Encrypting Personal Information - PowerPoint PPT Presentation

Slides: 42
Provided by: benjami115
1
Identifying and Encrypting Personal Information
  • Using Cornell Spider and
  • Pointsec for PC
  • Benjamin Stein
  • Doreen Meyer
  • cybersecurity_at_ucdavis.edu

2
Overview
  • What is personal information?
  • Searching for personal information using Cornell
    Spider
  • Mitigating risk of exposure of personal
    information
  • Encryption Policy, Encryption Options
  • Whole disk encryption using Pointsec for PC
  • Questions

3
Personal Information and HIPAA
  • HIPAA: Health Information Portability and
    Accountability Act
  • Psychological Services
  • Medical Records
  • http://www.hhs.gov/ocr/hipaa/

4
Personal Information: CA SB1386 and Civil Code 1798
  • Account access number and password
  • Bank/financial account number
  • California identification card number
  • Credit/debit card number
  • Driver's license number
  • Social Security number
  • http://www.privacy.ca.gov/code/ipa.htm

5
Personal Information: FERPA
  • Family Education Rights and Privacy Act of 1974
    (FERPA)
  • Class level, class schedule, academic status,
    grades, instructors, transcripts
  • Student ID number, Social Security number
  • Fees paid, loan collection records, financial aid
    records, etc.
  • http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html

6
Searching for personal information
  • Data focus: credit card numbers and Social
    Security numbers
  • UCD supported products: Cornell Spider and
    PowerGREP

7
Mitigating Risk of Exposure of Personal
Information
  • Higher cost (time, tools) for administering a
    system containing personal information.
  • IET supports the Cyber-safety program and a
    number of tools that assist in protecting
    personal information, including Tripwire,
    Spider/PowerGREP, self-directed Nessus scans, and
    Pointsec.

8
Maintain a list of systems containing sensitive
data
  • Catalog the system name, IP, owner, type of
    service running on the system, type of sensitive
    data residing on the system
  • Share this information with the technical support
    staff and the unit administrative managers
  • Confirm and update this information on a regular
    basis

9
Monitor when the data is accessed or modified
  • Use Tripwire to identify file and directory
    changes.
  • Write logs to a central logging server (syslog-ng,
    snare, MOM).
  • Turn on auditing of successful and unsuccessful
    logins.
  • Read your logs on a regular basis.

10
Restrict access to the system and its sensitive
data
  • No group accounts (cannot audit access)
  • Access system and data using encrypted protocols
    such as ssh (sftp, scp), ssl (https), rdp, ipsec
  • Evaluate physical security
  • Use host-based and hardware firewalls

11
Use, share, or transfer restricted data in a safe
manner
  • Do not use email to send unencrypted restricted
    data.
  • Do not use restricted data as a key in a
    database.
  • Do not use restricted data on a test or
    development system.
  • When sharing restricted data, ensure that users
    are aware that the data should be handled
    carefully and in compliance with policies.

12
Cornell Spider Demo
13
Encryption Policy
  • UC Davis whole disk encryption policy draft
    http://security.ucdavis.edu/encryption_policydraft.pdf
  • UCOP protection of personal information policies
    http://www.ucop.edu/irc/itsec/infoprotect.html

14
Encryption Options
  • Windows OS

15
Encryption Options
  • Mac OSX

16
Encryption Options
  • Linux

17
Pointsec for PC at UCD
  • http://security.ucdavis.edu/encryption.cfm

18
Pointsec for PC
  • If a drive is lost or stolen, the encrypted
    partitions and everything on them are reasonably
    secure.
  • Meets certain legal requirements

19
What it isn't
  • Pointsec for PC is not a complete encryption
    solution
  • Currently limited to 2000 and XP
  • Only encrypts partitions
  • Does not encrypt network drives

20
Features
  • Whole disk encryption
  • Multiple user access
  • Configuration options
  • Recovery tools
  • Enterprise management
  • Logging
  • Enforceable policies
  • Permissions

21
Experience
  • Login screen at boot
  • System tray icon
  • Transparent to OS
  • Minimal performance impact

22
Example
24
System Tray Icon
  • While encrypting
  • Fully encrypted

25
How to install
  • Available to individuals and departments
  • Check requirements
  • Request license from IET Security
  • Decide on default or custom configuration
  • Get install media
  • Return recovery file
  • After encryption completes, return log file

26
Requirements
  • Windows 2000 and XP; Vista soon
  • No dual boot
  • No servers
  • No fancy disk configurations

27
Preparing the System
  • Backup!
  • Defrag
  • Scan for viruses, etc.
  • Uninstall and disable the unnecessary services
  • Check the disk(s)

28
Installing the Software
  • Use administrative account
  • Launch installer
  • Reboot
  • Login to Pointsec
  • Login to OS
  • Grab recovery file
  • Encryption begins

29
Demo
30
Encryption Process
  • Encryption proceeds at 10-20GB/hr
  • Depends on disk size not amount of data
  • System can be used, shut down or rebooted
  • After encryption completes, grab log file

31
Support
  • Remote password reset
  • Managing users
  • Uninstall
  • Updates and upgrades
  • Recovery disk
  • Bart's disk

32
Remote Password Reset
  • Depends on account's name and password or
    certificate
  • Challenge and response
  • Also one-time for forgotten tokens

34
Managing Users
  • Types of users
  • Normal, Service, Temp
  • Types of permissions
  • Privileged and plain permissions
  • Creating additional users

35
Uninstall
  • Requires two accounts with rights
  • Can be faster to clone or recover than decrypt

36
Updates, Upgrades and Reinstalls
  • Updates
  • Change users, passwords, certs or settings
  • Upgrades
  • Major product upgrade?
  • Reinstalls
  • Add additional partitions or disks

37
Recovery Disk
  • Create from recovery file or target computer
  • Requires two admin accounts
  • Decrypts

38
Bart's PE with Plug-in
  • Requires version-specific plug-in
  • Must boot and login
  • Ctrl+F10 for alternative boot menu
  • Bart's then has full access to disk

39
Customizing
  • Default configuration will meet most needs,
    however, there are lots of options
  • Configuration worksheet
  • Alternative profiles

41
UCLA beat USC
  • Final score 13 - 9

42
Review
  • Whole Disk Encryption
  • Low overhead
  • Quick default install
  • Support options
  • Highly customizable

43
Additional Resources
  • Product documentation
  • Pointsec 24 x 7 tech support
  • IET cybersecurity_at_ucdavis.edu

44
Questions & Answers