Pointsec for PC - Home | Security
Download
Report
Transcript Pointsec for PC - Home | Security
Identifying and Encrypting
Personal Information
Using Cornell Spider and
Pointsec for PC
Benjamin Stein
Doreen Meyer
[email protected]
1
Overview
• What is personal information?
• Searching for personal information using Cornell
Spider
• Mitigating risk of exposure of personal
information
• Encryption Policy, Encryption Options
• Whole disk encryption using Pointsec for PC
• Questions
2
Personal Information and
HIPAA
• HIPAA: Health Information Portability and
Accountability Act
• Psychological Services
• Medical Records
• http://www.hhs.gov/ocr/hipaa/
3
Personal Information: CA
SB1386 and Civil Code 1798
•
•
•
•
•
•
•
Account access number and password
Bank/financial account number
California identification card number
Credit/debit card number
Driver’s license number
Social Security number
http://www.privacy.ca.gov/code/ipa.htm
4
Personal Information: FERPA
• Family Education Rights and Privacy Act of
1974 (FERPA)
• Class level, class schedule, academic status,
grades, instructors, transcripts
• Student ID number, Social Security number
• Fees paid, loan collection records, financial aid
records, etc.
• http://www.ed.gov/policy/gen/guid/fpco/ferpa/ind
ex.html
5
Searching for personal
information
• Data focus: credit card numbers and
Social Security numbers
• UCD supported products: Cornell Spider
and PowerGREP
6
Mitigating Risk of Exposure of
Personal Information
• Higher cost (time, tools) for administering
a system containing personal information.
• IET supports the Cyber-safety program
and a number of tools that assist in
protecting personal information, including
Tripwire, Spider/PowerGREP, self-directed
Nessus scans, and Pointsec.
7
Maintain a list of systems
containing sensitive data
• Catalog the system name, IP, owner, type
of service running on the system, type of
sensitive data residing on the system
• Share this information with the technical
support staff and the unit administrative
managers
• Confirm and update this information on a
regular basis
8
Monitor when the data is
accessed or modified
• Use Tripwire to identify file and directory
changes.
• Write logs to a central logging server
(syslogng, snare, MOM).
• Turn on auditing of successful and
unsuccessful logins.
• Read your logs on a regular basis.
9
Restrict access to the system
and its sensitive data
• No group accounts (cannot audit access)
• Access system and data using encrypted
protocols such as ssh (sftp, scp), ssl
(https), rdp, ipsec
• Evaluate physical security
• Use host-based and hardware firewalls
10
Use, share, or transfer restricted
data in a safe manner
• Do not use email to send unencrypted restricted
data.
• Do not use restricted data as a key in a
database.
• Do not use restricted data on a test or
development system.
• When sharing restricted data, ensure that users
are aware that the data should be handled
carefully and in compliance with policies.
11
Cornell Spider Demo
12
Encryption Policy
• UC Davis whole disk encryption policy draft:
http://security.ucdavis.edu/encryption_policydraft
.pdf
• UCOP protection of personal information
policies:
http://www.ucop.edu/irc/itsec/infoprotect.html
13
Encryption Options
• Windows OS
TASK
Product
Central Key
Whole disk
encryption
Pointsec for PC
Yes
Files and
directories
Pointsec ME,
standalone EFS
No
Files and
directories
Active directory
EFS
Yes
Files and
directories
truecrypt
No
Whole disk
encryption for
Vista
bitlocker
No ?
14
Encryption Options
• Mac OSX
Task
Product
Central Key
Encrypt home
directory as a
single encrypted
disk image
FileVault
No
Whole disk
encryption or file
encryption
Commercial PGP
Yes
Whole disk
encryption or file
encryption
gnupg
No
15
Encryption Options
• Linux
Task
Product
Central Key
Whole disk
encryption
Pointsec for Linux Yes
Whole disk
encryption, files
and directories
Commercial PGP
Yes
Whole disk
encryption, files
and directories
gnupg
No
16
Pointsec for PC at UCD
• http://security.ucdavis.edu/encryption.cfm
17
Pointsec for PC
• If a drive is lost or stolen, the encrypted
partitions and everything on them are
reasonably secure.
• Meets certain legal requirements
18
What it isn’t
• Pointsec for PC is not a complete
encryption solution
– Currently limited to 2000 and XP
– Only encrypts partitions
– Does not encrypt network drives
19
Features
•
•
•
•
•
Whole disk encryption
Multiple user access
Configuration options
Recovery tools
Enterprise management
– Logging
– Enforceable policies
– Permissions
20
Experience
•
•
•
•
Login screen at boot
System tray icon
Transparent to OS
Minimal performance impact
21
Example:
22
23
System Tray Icon:
• While encrypting:
• Fully encrypted:
24
How to install
•
•
•
•
•
•
•
Available to individuals and departments
Check requirements
Request license from IET Security
Decide on default or custom configuration
Get install media
Return recovery file
After encryption completes return log file
25
Requirements
•
•
•
•
Windows 2000, XP and Vista soon
No dual boot
No servers
No fancy disk configurations
26
Preparing the System
•
•
•
•
Backup!
Defrag
Scan for viruses, etc
Uninstall and disable the unnecessary
services
• Check the disk(s)
27
Installing the Software
•
•
•
•
•
•
•
Use administrative account
Launch installer
Reboot
Login to Pointsec
Login to OS
Grab recovery file
Encryption begins
28
Demo
29
Encryption Process
• Encryption proceeds at 10-20GB/hr
• Depends on disk size not amount of data
• System can be used, shut down or
rebooted
• After encryption completed grab log file
30
Support
•
•
•
•
•
•
Remote password reset
Managing users
Uninstall
Updates and upgrades
Recovery disk
Bart’s disk
31
Managing Users
• Types of users
– Normal, Service, Temp
• Types of permissions
– Privileged and plain permissions
• Creating additional users
34
Uninstall
• Requires two accounts with rights
• Can be faster to clone or recover than
decrypt
35
Updates, Upgrades and
Reinstalls
• Updates
– Change users, passwords, certs or settings
• Upgrades
– Major product upgrade?
• Reinstalls
– Add additional partitions or disks
36
Recovery Disk
• Create from recovery file or target
computer
• Requires two admin accounts
• Decrypts
37
Bart’s PE with Plug-in
• Requires version specific plug-in
• Must boot and login
• Ctrl + F10 for alternative boot menu
• Bart’s then has full access to disk
38
Customizing
• Default configuration will meet most
needs, however, there are lots of
options…
• Configuration worksheet
• Alternative profiles
39
Review
•
•
•
•
•
Whole Disk Encryption
Low overhead
Quick default install
Support options
Highly customizable
42
Additional Resources
• Product documentation
• Pointsec 24 x 7 tech support
• IET: [email protected]
43
Questions & Answers
44
45