MANAGING PII WITH
IDENTITY FINDER
Paul Hanson
IET-Data Center and Client Services
University of California, Davis
Agenda
 What is PII and where's the value?
 What is Identity Finder?
 Alternative Solutions
 What can Identity Finder scan?
 How does Identity Finder handle the results?
 Identity Finder Architecture
   Architecture Overview
   Client UI
   INI Files
   Custom MSI
   Management Console
 IET DCCS Implementation
 IET DCCS Architecture
 Lessons Learned
 Breaking News
 Questions
What is PII and where's the value?
 Cybersecurity (UC Davis)
 Massachusetts 201 CMR 17.00
 Protected Health Information (PHI)
 Health Insurance Portability and Accountability Act (HIPAA)
 FACTA (Fair and Accurate Credit Transactions Act) Red Flags Rule
 Incident Response
 Sysadmins may not know the data is there.
What is Identity Finder?

"Identity Finder searches the deepest recesses of a computer to locate and secure data that is vulnerable to identity theft - even when you don't know it exists. The information is then presented to you to permanently shred, quarantine to a secure location, or encrypt with a password."
Source: http://www.identityfinder.com/Products/Identity_Finder.html

 Primarily supports Windows & Mac
 Feature rich
 Continuously improving
Alternative Solutions

Tool                     | Windows | Mac | Linux/Unix
Virginia Tech Find_SSNs  | X       | X   | ?
Cornell Spider           | X       | ?   | X
PowerGREP                | X       | X   | ?

(X = supported, ? = unknown)
Identity Finder Architecture
 Enterprise Client: installed on the workstation/server; does the heavy lifting
 Management Console (really just a reporting server): dedicated system running IIS w/MSSQL

OS Compatibility
 Clients for Windows and Mac
 Linux/Unix systems are scanned remotely
What can Identity Finder scan?
 Microsoft Office (Excel, PowerPoint, Word, and OneNote including 2007)
 Adobe Acrobat PDF (including 9.x)
 Cookies and instant messenger logs
 HTML files (htm, asp, js, etc.)
 Text files (ANSI, Unicode, Batch, Source code)
 Rich text files (rtf format)
 Files within the My Documents folder of your personal computer
 Files anywhere on your personal computer
 Removable hard drives connected to your PC
 Create custom folder lists for searching (ability to include and exclude subfolders)
 Compressed files (zip, gzip, bzip, tar, rar, and z)
 Microsoft Access database files (including 2007)
 Any other known or unknown file type
Source: http://www.identityfinder.com/Products/Identity_Finder_Feature_List.html
What else does Identity Finder scan?
 Database connector: OLEDB (e.g., SQL Server, Oracle, Sybase, DB2)
 Website crawler: HTTP or HTTPS
 Remote file shares (SMB, NFS, Samba)
 Email: mailboxes, PSTs, MBOX, Thunderbird
 IE & Firefox cache
 AnyFind vs. specific values (e-discovery requests)
What does Identity Finder do with the results?
 Save as secured Identity Finder file (*.idf) using FIPS 140-2 validated 256-bit AES
 Save as HTML summary report
 Choose specific information for custom reports to be saved
 Save as full export into comma-separated value (CSV) format
 Save as executive summary report
 Upload to Management Console
What about the hits?
 Secure: encrypts the file using FIPS 140-2 validated 256-bit AES
 Shred: overwrite based on the DoD 5220.22-M standard (overwriting does not reliably erase data on SSDs and other flash media because of wear levelling, and does not touch copies held in backups or Volume Shadow Copies)
 Ignore
 Quarantine: secures a copy of the file and shreds the original
 Recycle: same as the Windows Recycle Bin; not a secure method
 Will clean web browser cache & registry
Architecture Overview
 Client
   Configuration
   User Interface
   INI Files
   MSI Customization
   Boot from CD
 Management Console
   IIS & SQL
Architecture – Client UI
 Main
 What to Search for
 Where to Search
 Tools and Options
 Settings
 Scheduling
Architecture – INI Files
 Creating an INI file
   Created in the UI
   Copied over to the client
   Run on demand or as a scheduled task
 Command line: /jobmode /inifile="<filename>.ini"
Architecture – Custom MSI
 Creating the environment
   Download Windows SDK (~1.1 GB for Vista)
   Install Orca.msi
   Add system variables
   Extract MSI
   Run lictomsi.cmd
   Import tables
 Schtasks for all systems
 Include Management Console phone home
 No x64 support yet.

Lab: Identity Finder Client
Architecture – Management Console
 Single server, dual purpose
   WS2003/2008 (x86 or x64)
   IIS6 or IIS7 w/Metabase compatibility
   .NET Framework 3.5 SP1
   Microsoft Report Viewer Redistributable 2008
   SQL 2005/2008 (Express, Std, Ent)
 Creates client registry settings (x86 & x64)
 Certificates & encryption
IET DCCS Implementation
 PowerShell installation script
 Started with custom MSI
   x86 was fairly smooth
   x64 required some extra work
   Users couldn't modify settings to rescan
   No support for x64, so had to use INI files anyway
 Moved to INI files
   No reason to support two methods
   Users can tweak settings and rescan systems
 Scans launched using the system account
IET DCCS Architecture
 Management Console
   Separate virtual systems for IIS & SQL
   Certificates
 Clients
   Leveraged PowerShell to script installation:
     Verify connectivity to MC
     Check system type
     Include password check
     Check for and uninstall previous versions
     Import registry key for MC
     Create INI
     Delete old scheduled task
     Schedule new scan
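The client steps above, as an added example written for this page. It is not the IET DCCS script; every host name, share path, install path and task name in it is an assumption, it uses only the two Identity Finder switches the deck shows (/jobmode and /inifile=), and it leaves out the password check, which the deck does not define.

```powershell
# Added example (not the UC Davis IET DCCS script): client rollout in the shape
# the deck describes, driven by an INI created in the client UI and a scheduled
# task that runs as SYSTEM. Every path, host name and task name below is assumed.
param(
    [string]$McHost      = "idf-mc.example.edu",                        # assumed MC host
    [int]   $McPort      = 443,                                         # assumed MC port
    [string]$ClientMsi   = "\\deploy\idf\IdentityFinderClient.msi",     # assumed share path
    [string]$RegFile     = "\\deploy\idf\mc-settings.reg",              # .reg exported from the MC (assumed)
    [string]$IniTemplate = "\\deploy\idf\scan-template.ini",            # INI created in the UI (assumed)
    [string]$IdfExe      = "C:\Program Files\Identity Finder\IdentityFinder.exe", # assumed install path
    [string]$TaskName    = "IdentityFinder-Scan",                       # assumed task name
    [string]$ScanTime    = "02:00"
)
$ErrorActionPreference = "Stop"

# 1. Verify connectivity to the Management Console before changing the client.
function Test-McReachable([string]$HostName, [int]$Port) {
    $tcp = New-Object System.Net.Sockets.TcpClient
    try     { $tcp.Connect($HostName, $Port); return $tcp.Connected }
    catch   { return $false }
    finally { $tcp.Close() }
}
if (-not (Test-McReachable $McHost $McPort)) {
    throw "Management Console ${McHost}:${McPort} is not reachable; aborting."
}

# 2. Check system type. PROCESSOR_ARCHITEW6432 is only set when a 32-bit PowerShell runs on x64.
$arch = if ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } else { $env:PROCESSOR_ARCHITECTURE }
Write-Host "Client architecture: $arch"

# 3. Check for and uninstall previous versions via the Uninstall registry keys
#    (avoids Win32_Product, which triggers a consistency check of every installed MSI).
$uninstallKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall"
)
foreach ($key in $uninstallKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($item in Get-ChildItem $key) {
        $p = Get-ItemProperty $item.PSPath
        if ($p.DisplayName -like "Identity Finder*" -and $item.PSChildName -like "{*}") {
            Write-Host "Removing $($p.DisplayName) $($p.DisplayVersion)"
            $u = Start-Process msiexec.exe -ArgumentList "/x $($item.PSChildName) /qn /norestart" -Wait -PassThru
            if ($u.ExitCode -ne 0) { throw "Uninstall failed: $($u.ExitCode)" }
        }
    }
}

# 4. Install the client silently from the share.
$i = Start-Process msiexec.exe -ArgumentList "/i `"$ClientMsi`" /qn /norestart" -Wait -PassThru
if ($i.ExitCode -ne 0) { throw "Install failed: $($i.ExitCode)" }

# 5. Import the registry settings the Management Console generated (client phone-home).
& reg.exe import $RegFile
if ($LASTEXITCODE -ne 0) { throw "reg import failed: $LASTEXITCODE" }

# 6. Create the INI: copy the template the UI produced to a local, admin-only path.
$base    = if ($env:ProgramData) { $env:ProgramData } else { $env:ALLUSERSPROFILE }
$iniDir  = Join-Path $base "IdentityFinder"                  # assumed local location
$iniPath = Join-Path $iniDir "scan.ini"
New-Item -ItemType Directory -Path $iniDir -Force | Out-Null
Copy-Item $IniTemplate $iniPath -Force

# 7. Delete the old scheduled task (ignore "does not exist") and schedule the new scan as SYSTEM.
Start-Process schtasks.exe -ArgumentList "/Delete /TN `"$TaskName`" /F" -Wait -NoNewWindow | Out-Null
# schtasks wants the inner quotes of /TR escaped as \" ; one of the nuances the deck mentions.
$tr      = "\`"$IdfExe\`" /jobmode /inifile=\`"$iniPath\`""
$schArgs = "/Create /TN `"$TaskName`" /SC DAILY /ST $ScanTime /RU SYSTEM /F /TR `"$tr`""
$s = Start-Process schtasks.exe -ArgumentList $schArgs -Wait -PassThru -NoNewWindow
if ($s.ExitCode -ne 0) { throw "schtasks /Create failed: $($s.ExitCode)" }
Write-Host "Scheduled '$TaskName' daily at $ScanTime as SYSTEM."
```

Run from an elevated PowerShell on the client. Because the task runs as SYSTEM, the INI, the .reg file and the share they are copied from decide where the scan looks and where results are sent, so they must be writable only by administrators; a user-writable INI turns a PII scan into a way to exfiltrate or redirect its findings.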
Lessons Learned
 MC is a resource hog.
 Nuances with schtasks.
 Clients were configured to search for SSN & CC but also pulled up bank account information.
 Be prepared for false positives.
 Password check really slows down the scan.
 When configured as a background service, it will allocate the remaining resources.
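Why an SSN & CC profile also surfaces bank account numbers, as an added example that is not Identity Finder's matching logic (the vendor's AnyFind rules are not on this page): a nine-digit routing or account number satisfies the same digit pattern as a bare SSN, so structural checks and a Luhn test are what separate real hits from false positives. The sample text is constructed.

```powershell
# Added example, not Identity Finder code: a minimal SSN / credit-card matcher that
# shows why "SSN & CC" profiles also surface bank account numbers, and the two
# structural checks that knock most of those hits out. Sample text is constructed.
function Test-Luhn([string]$Digits) {
    # Mod-10 checksum used by payment card numbers; rejects most random digit runs.
    $sum = 0; $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$Digits[$i]
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d; $double = -not $double
    }
    return ($sum % 10) -eq 0
}

function Test-SsnStructure([string]$Area, [string]$Group, [string]$Serial) {
    # SSA never issued area 000, 666 or 900-999; group 00 and serial 0000 are invalid.
    $a = [int]$Area
    if ($a -eq 0 -or $a -eq 666 -or $a -ge 900) { return $false }
    if ([int]$Group -eq 0 -or [int]$Serial -eq 0) { return $false }
    return $true
}

function Find-Pii([string]$Text) {
    $hits = @()
    # SSN: 3-2-4 digits with optional separators. The bare nine-digit form is where
    # routing numbers, account numbers and other identifiers collide with the pattern.
    $ssnRe = '(?<!\d)(?<area>\d{3})[- ]?(?<group>\d{2})[- ]?(?<serial>\d{4})(?!\d)'
    foreach ($m in [regex]::Matches($Text, $ssnRe)) {
        $valid     = Test-SsnStructure $m.Groups['area'].Value $m.Groups['group'].Value $m.Groups['serial'].Value
        $separated = $m.Value -match '[- ]'
        $hits += New-Object PSObject -Property @{
            Type = 'SSN'; Value = $m.Value; Valid = $valid
            Confidence = $(if ($valid -and $separated) { 'high' } elseif ($valid) { 'low' } else { 'reject' })
        }
    }
    # Credit card: 13-19 digits with optional separators, validated with Luhn.
    $ccRe = '(?<!\d)(?:\d[- ]?){12,18}\d(?!\d)'
    foreach ($m in [regex]::Matches($Text, $ccRe)) {
        $luhn = Test-Luhn ($m.Value -replace '[- ]', '')
        $hits += New-Object PSObject -Property @{
            Type = 'CC'; Value = $m.Value; Valid = $luhn
            Confidence = $(if ($luhn) { 'high' } else { 'reject' })
        }
    }
    return $hits
}

# Constructed sample: one real-looking SSN, a bank account number, a routing number,
# a valid test card number and a near miss that fails Luhn.
$sample = @"
Employee SSN: 123-45-6789
Bank account: 987654321 (routing 123456789)
Card on file: 4111 1111 1111 1111
Invoice 4111 1111 1111 1112
"@
Find-Pii $sample | Format-Table Type, Value, Valid, Confidence -AutoSize
# 123-45-6789 -> high; 123456789 -> low (valid structure, no separators);
# 987654321 -> reject (area 987); 4111 1111 1111 1111 -> high; ...1112 -> reject (Luhn).
```

The "low" row is the bank-account case from the lessons learned: it passes every structural test, so only context (a separator, a nearby "SSN" label, the file's purpose) can demote it. Treating bare nine-digit hits as a separate, lower-confidence class is what keeps a rescan from burying users in routing numbers.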
Breaking News
 Features in the next version of Identity Finder.

Questions?

Lab: Identity Finder Management Console