Why is a Data Classification Policy Necessary?

Looking for PII
If you’re not, who is?
Krizi Trivisani – CSO, The George Washington University
Gary Golomb – Principal Security Engineer
October 26, 2006
Agenda
• Security Today
• In a Previous Episode…
• Data Classification
• SISP Version 2
• Safety Analyzer
• Important Projects
• Questions
Security today…
“The cost of notifying and offering
assistance to those individuals who have
had their privacy information
compromised can run into the hundreds
of thousands of dollars for each incident.
Increased regulatory requirements also
make it imperative that the University be
able to show a level of due diligence in
the protection of its systems and
confidential data.”
In a Previous Episode...
• GW conducted an audit project of 236+
departmentally controlled servers for
security and PII (aka: Server Information
Security Project, or SISP)
– Project commissioned by EVP&T and CIO
– Audited configuration of computers and detection
of SSNs
Where and When
• A PII audit project should/could
be used:
–Before or while developing a data-handling policy
–Post-policy development
compliance checking
–Annual security audits
Data Classification Policy
Why is a Data Classification Policy Necessary?
• Provides the framework necessary to identify and classify data
in order to assess risk and implement an appropriate level of
security protection based on categorization.
• Provides the framework necessary to comply with legislation,
regulations, and internal policies that govern the protection of
data
• Provides the framework necessary to facilitate and make the
Incident Response process more efficient. The level at which
the data is classified determines the level of response.
Data Classification - CRITICAL
Objectives of Data Classification Policy:
• Communicates data categories to the University
community and provides examples of how data
should be classified
• Communicates the high level requirements necessary
to protect data based on category
• Communicates the roles and responsibilities of
various members of the University community and
external associates as it relates to GW owned data
Matrix of Security & Ops Standards
Privacy levels across the top run from Public to Official to Confidential (highest security);
operations levels down the side run from Enterprise System (highest operations) to Department Server to Desktop (lowest operations).

Operations level     Public   Official   Confidential
Enterprise System      2         2           1
Department Server      3         2           1
Desktop                4         3           2

Note, numbers in boxes suggest the priority levels for mitigating risks (1 = highest priority).
Security Tool Kit
To provide departments managing systems outside
of the GW Data Center with standard guidelines
and procedures
Sections
• Policies
• Systems Checklist - Departmental Servers and Enterprise
Systems
• Best Practices for Department Server and Enterprise System
Checklist
• Server Management Best Practices
• Security Controls Matrix for Data Classification
• Information Security Training and Awareness
• Resources
Other Implications
• Politics
• Culture
• Awareness
Lessons Learned
• PII on almost 50% of servers admins
thought it was NOT on
• About 75% of computers that were
compromised had completely up-to-date
antivirus and/or firewalls
• Security efforts focused mostly on
protecting servers as opposed to data
Why SISP version 2
• Were changes made in response to
last year's efforts?
• Far more end-user computers have
PII, but whose?
• Rewards for last year's efforts...
Scope of SISPv2
• Address problems in first pass
• Include all computers with *access*
to sensitive data, not only known
storage
• Contrast locations of PII to current
security architecture
Implications of Scope
• Desktops versus servers...
• Integration with patch management
systems?
• Secure reporting
• Log parsing by junior-level security staff
Safety Analyzer
• Sensitive Data Detection
– SSNs with heuristics
– Credit Card numbers with Luhn algorithm
validation
• Compromise Detection
– Trojan file detection
– Kernel-level rootkit detection
– IR-related data harvesting
SA Compromise Detection
• Win 2003 servers example...

Run entry                  Executable                    Registry key
Routing                    win2k.exe                     HKU\S-1-5-21-602162358-1993962763-725345543-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sygate Personal Firewall   urx_old.exe                   HKU\S-1-5-21-602162358-1993962763-725345543-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Rout111                    serv454.exe                   HKU\DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Windows          c:\winnt\system32\l33t.exe    HKU\DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The SID ending in -500 is the profile of the built-in Administrator account; none of the four executables are given with a full path except l33t.exe, and the entry names imitate a routing service, a firewall product and Windows itself.
Comp Detection Cont...
Hidden *.exe: C:\winnt\system32\psniffc.exe
Hidden *.exe: C:\winnt\system32\psniffcc.exe
Hidden *.exe: C:\winnt\system32\rvahlhhe.exe
Hidden *.exe: C:\winnt\system32\tzrepwgo.exe
Hidden *.exe: C:\winnt\system32\secthuty.exe
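Triage of Run-key autostart entries like the ones shown above, as an added Python example. It is not Safety Analyzer's code: the approach (compare a host's Run entries with a baseline of known-clean entries, then score whatever is new with a few signals: a bare file name that resolves through path search, a random-looking file name of the rvahlhhe.exe / tzrepwgo.exe kind, and placement under the default profile hive) is this example's own, the four suspicious entries are taken from the slide, and the benign "Backup Agent" entry and the baseline are constructed. The key the slide labels HKU\DEFAULT is HKU\.DEFAULT in the registry; the check accepts both spellings.

```python
"""Added example (not Safety Analyzer's code): triage of Run-key autostart
entries against a fleet baseline plus simple file-name heuristics.
The four suspicious entries come from the slide; the benign entry, the
baseline and the scoring rules are this example's own assumptions."""
from typing import Iterable, List, Set, Tuple

RUN_KEY = "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
VOWELS = set("aeiouy")

# Constructed input in the slide's layout: (Run entry name, executable, registry key).
SAMPLE_ENTRIES = [
    ("Routing", "win2k.exe",
     "HKU\\S-1-5-21-602162358-1993962763-725345543-500" + RUN_KEY),
    ("Sygate Personal Firewall", "urx_old.exe",
     "HKU\\S-1-5-21-602162358-1993962763-725345543-500" + RUN_KEY),
    ("Rout111", "serv454.exe", "HKU\\DEFAULT" + RUN_KEY),
    ("Microsoft Windows", "c:\\winnt\\system32\\l33t.exe", "HKU\\DEFAULT" + RUN_KEY),
    # Constructed benign entry that a clean build would also carry.
    ("Backup Agent", "C:\\Program Files\\Backup\\agent.exe", "HKLM" + RUN_KEY),
]
# Constructed baseline: (name, executable) pairs seen on known-clean builds.
BASELINE: Set[Tuple[str, str]] = {("Backup Agent", "C:\\Program Files\\Backup\\agent.exe")}

BARE_NAME = "bare file name (resolved by path search)"
RANDOM_NAME = "random-looking file name"
DEFAULT_HIVE = "default profile hive (HKU\\.DEFAULT)"


def looks_random(executable: str) -> bool:
    """Letter-mix test for generated names such as rvahlhhe.exe or tzrepwgo.exe:
    an all-letter stem of 6+ characters whose vowel share is 25% or less, or that
    contains a run of four or more consonants. Tuned on the slide's samples; a
    legitimate name like svchost.exe can trip it, which is why baseline membership
    is checked first and this is only a triage signal."""
    stem = executable.rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]
    if len(stem) < 6 or not stem.isalpha():
        return False
    vowel_share = sum(ch in VOWELS for ch in stem) / len(stem)
    longest = run = 0
    for ch in stem:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return vowel_share <= 0.25 or longest >= 4


def in_default_hive(key: str) -> bool:
    """True for keys under HKU\\.DEFAULT (the slide writes it HKU\\DEFAULT)."""
    parts = key.split("\\")
    return (len(parts) > 1 and parts[0].upper() == "HKU"
            and parts[1].upper().lstrip(".") == "DEFAULT")


def triage(entries: Iterable[Tuple[str, str, str]],
           baseline: Set[Tuple[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Return (name, executable, reasons) for every entry not in the baseline."""
    findings = []
    for name, exe, key in entries:
        if (name, exe) in baseline:
            continue
        reasons = ["not in baseline"]
        if "\\" not in exe:            # no directory: Windows searches the path for it
            reasons.append(BARE_NAME)
        if looks_random(exe):
            reasons.append(RANDOM_NAME)
        if in_default_hive(key):       # rarely used by legitimate user software
            reasons.append(DEFAULT_HIVE)
        findings.append((name, exe, reasons))
    return findings


if __name__ == "__main__":
    for name, exe, reasons in triage(SAMPLE_ENTRIES, BASELINE):
        print(f"{name!r:28} {exe:32} {'; '.join(reasons)}")
```

On a real fleet the baseline would be built from the Run entries that appear on every (or nearly every) clean build, so that the report for each host is just its delta; the name heuristics only order that delta for review and should never be the sole reason to call a host compromised.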
PII Detection
• An algorithmic approach...
C:\documents and settings\stnic\Application Data\Adobe\Designer\en\objects\custom\U.S. Social Security Number.xfo
xxx yy zzzz
C:\documents and settings\stnic\Local Settings\Temporary Internet Files\Content.IE5\0H2VOH6F\default[3].htm
xxx yy zzzz
C:\documents and settings\stnic\Local Settings\Temporary Internet Files\Content.IE5\0H2VOH6F\default[3].htm
xxx yy zzzz
C:\documents and settings\stnic\My Documents\GWDOCS\Cardscanbackup\Business Cards.CDB
xxx yy zzzz
C:\documents and settings\stnic\My Documents\GWDOCS\HR\selfeval2001.doc
xxx yy zzzz
C:\documents and settings\stnic\My Documents\GWDOCS\HR\Staff evaluation start dates2.xls
xxx yy zzzz
C:\documents and settings\stnic\My Documents\GWDOCS\HR\budget\Salary Review Notices 01 ORG.xls
xxx yy zzzz
C:\documents and settings\stnic\My Documents\GWDOCS\HR\budget\Salary_Review_Notices_01_NEW.xls
xxx yy zzzz
C:\documents and settings\stnic\My Documents\GWDOCS\HR\budget\SRNTEST.xls
xxx yy zzzz
C:\documents and settings\stnic\My Documents\GWDOCS\HR\budget\SRN_FY02_TEMPLATE.xls
xxx yy zzzz
C:\documents and settings\stnic\My Documents\GWDOCS\HR\budget\T06322NEW.xls
xxx yy zzzz
C:\documents and settings\stnic\My Documents\GWDOCS\HR\budget\SRN_FY02\SRN_FY02.xls
xxx yy zzzz
C:\documents and settings\stnic\My Documents\GWDOCS\HR\evals00\Andrew Mngr pref-eval's.doc
xxx yy zzzz
C:\documents and settings\stnic\My Documents\GWDOCS\HR\evals00\Jonathan Mngr pref-eval's.doc
xxx yy zzzz
C:\documents and settings\stnic\My Documents\GWDOCS\HR\evals00\Mark Mngr pref-eval's.doc
xxx yy zzzz
C:\documents and settings\stnic\My Documents\GWDOCS\HR\evals00\Ron Mngr pref-eval's.doc
xxx yy zzzz
C:\documents and settings\stnic\My Documents\GWDOCS\HR\evals01\Andrew Mngr pref-eval's.doc
xxx yy zzzz
C:\documents and settings\stnic\My Documents\GWDOCS\HR\evals01\Andrew Mngr pref-eval's_FY01.doc
xxx yy zzzz
C:\documents and settings\stnic\My Documents\GWDOCS\HR\evals01\Angela exempt eval.doc
xxx yy zzzz
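The SSN-with-heuristics and Luhn checks listed under Safety Analyzer's Sensitive Data Detection, together with the masked "xxx yy zzzz" report format shown above, as an added Python example. This is not Safety Analyzer's code: the SSA structural rules used (area 000, 666 and 900 and above, group 00 and serial 0000 were never issued; 078-05-1120 and 219-09-9999 are numbers the SSA published as never issued after their use in advertising), the keyword-context rule for nine-digit runs without separators, the Luhn check, the 13 to 19 digit card length and the masking format are this example's own choices, and the employee roster it scans is constructed.

```python
"""Added example (not Safety Analyzer's code): heuristic SSN and payment-card
detection of the kind the slides describe, run over a constructed sample."""
import re
import sys
from typing import List, Optional, Tuple

# A run of digits with at most one space or dash between neighbouring digits.
DIGIT_RUN = re.compile(r"\d(?:[ -]?\d)+")
SSN_SHAPE = re.compile(r"\d{3}[ -]\d{2}[ -]\d{4}")
# Keywords that make a bare nine-digit run worth reporting.
SSN_CONTEXT = re.compile(r"ssn|social\s*security", re.I)
# Numbers the SSA stated were never issued (misused in advertising).
NEVER_ISSUED = {"078051120", "219099999"}


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Structural rules for SSNs issued under the pre-2011 assignment scheme."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:       # area numbers never assigned
        return False
    if int(group) == 0 or int(serial) == 0:  # group 00 and serial 0000 unused
        return False
    return area + group + serial not in NEVER_ISSUED


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation (ISO/IEC 7812) over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify_run(run: str, before: str) -> Optional[Tuple[str, str]]:
    """Return (kind, masked) for a digit run, or None if it is not treated as PII."""
    digits = re.sub(r"[ -]", "", run)
    if len(digits) == 9:
        separated = SSN_SHAPE.fullmatch(run) is not None
        # 3-2-4 shape is reported on its own; bare digits need a keyword nearby.
        if (separated or SSN_CONTEXT.search(before)) and \
                ssn_plausible(digits[:3], digits[3:5], digits[5:]):
            return ("ssn", "xxx yy zzzz")
    elif 13 <= len(digits) <= 19 and luhn_ok(digits):
        return ("card", "x" * (len(digits) - 4) + digits[-4:])
    return None


def scan_text(text: str, window: int = 40) -> List[Tuple[int, str, str]]:
    """Scan text; return (line_number, kind, masked_value) for each hit."""
    hits = []
    for m in DIGIT_RUN.finditer(text):
        line_start = text.rfind("\n", 0, m.start()) + 1
        before = text[max(line_start, m.start() - window):m.start()]  # same line only
        found = classify_run(m.group(0), before)
        if found:
            hits.append((text.count("\n", 0, m.start()) + 1, found[0], found[1]))
    return hits


def scan_file(path: str) -> List[Tuple[int, str, str]]:
    """Read a file as latin-1 so binary documents still expose their ASCII digit runs."""
    with open(path, "rb") as fh:
        return scan_text(fh.read().decode("latin-1"))


# Constructed sample roster; line numbers are what the report refers to.
SAMPLE = "\n".join([
    "Employee roster (constructed sample)",
    "Jane Doe, SSN 123-45-6789, ext. 4021",
    "Test record 666-12-3456 should be rejected",
    "Advertising number 078-05-1120 is never issued",
    "Social Security 219876543 recorded without separators",
    "Bare digits without context: 219876543",
    "Phone 202-555-0123, order 2006-10-26",
    "Card on file 4111 1111 1111 1111",
    "Bad card 4111-1111-1111-1112",
])

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            for line_no, kind, masked in scan_file(path):
                print(f"{path}:{line_no}\t{kind}\t{masked}")
    else:
        for hit in scan_text(SAMPLE):
            print(hit)
```

Two limits worth knowing before pointing this at real file shares: the Luhn check passes one in ten random digit strings of the right length, so card hits still need review, and two numbers separated by a single space merge into one digit run and are skipped, which is a false negative this sample accepts for simplicity. Word and Excel files that store text as UTF-16 will not expose their digit runs to the latin-1 decode; a production scanner parses those formats.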
Future of SA?
TRUE Risk Calculation and Protection
– PII detection and protection
– GUI-based metrics and trending across hundreds to
thousands of computers
– Advanced data detection with high-performance
algorithms
– Configuration auditing
– Innovative compromise detection and IR capabilities
http://www.proventsure.com
Other Important Projects
– Cisco Clean Access
– Novell Patchlink – Covers about 4000
employee (faculty and staff)
– GWid project – Moved off of SSN as
the primary ID
– Migration of confidential servers –
– NIST Level III – Reached Level III of the NIST
Security Assessment Framework
Other Important Projects
– Application/Program Security Reviews – In-depth
assessment for new application
development efforts within ISS
– WebInspect – Web application security
scanning. Bringing this capability in house saves
approximately $7000 per assessment
– Technical/System Security Reviews –
Conducted over 300 technical security reviews
in the past year; Safety Analyzer is critical to
completing these reviews
– Security Internship Program – Successfully
partnered with academic departments to
recruit and train interns
Happy Halloween!
Questions?
• Contact:
– Krizi Trivisani
krizi@gwu.edu
– Gary Golomb
coach@gwu.edu
• Download:
http://home.gwu.edu/~coach/SA.zip