H. Morrow Long is an Info security guy from Yale.
Have decided not to scan for sensitive data on the network, but do scan for computers looking for sensitive info.
Had two major data incidents.
Had a large federal contracts investigation, and one large data breach.
Now scan administrative desktops, and require all faculty and staff to scan data on their machines, including laptops. Using IdentityFinder on WIndows, and some open source stuff on MacOS and Linux. Have evaluated several enterprise products: Tablus, Vontu.
Spent first half of 2006 doing data breach planning, which led them to realize that they had to have a data classification program. They have an agreement with the Yale Police to report to them every stolen laptop – started to see more stolen laptops. In beginning of 2007 began a program to do PGP whole disk encryption. In July of 2007 two laptops stolen from Dean’s Office – they had backups, which they scanned for sensitive data (Cornell Spider, Texas SENF program, Va Tech’s
python program). They found 5,000 SSNs on each PC’s backup.
“The plan is fine until the shooting starts” – Patton.
Once you know what’s been lost, then you have to act on it. Criteria for scanning compromised computers – reasonable belief that data may have been exposed – evidence that somebody was on the computer for a length of time, or there’s evidence of data transfer, or if there’s belief that there may have been confidential data on the machine – don’t do scans for every time there’s a virus.
Yale complted an SSN elimination project in 2005 – so why were SSN’s on those stolen machines? Course and student lists in email and spreadsheets which were old and not needed. Discovered that almost everybody had at least one SSN on their machine – their own.
Thief stayed behind in office – stole two laptops. Police caught him the next night, but didn’t recover the laptops. Computers were likely stolen for quick sale, not data. Laptops had BIOS and OS passwords, and 1 had disk interlock password. But Connecticut law requires notification. Learned later that notification is really only required if there’s a name associated with the SSN.
Set up a call center for help, staffed by people in the Dean’s office. Crafted a communications plan, with several letters targeted at different people. Immediately encrypted all the laptops in the Dean’s Office iwth PGP Whole Disk Encryption.
One alum claimed ID theft and contacted the AG and the media. THe AG wanted to know why Yale did not offer credit protection plan. Hired ID Analytics to check the SSN #s for probability of compromise.
They created tools for scanning (Windows only at first), and got the General Counsel to send out letters to specified staff lettint them know that their machines were going to be scanned. Getting users to remediate data is the hard part – confusion, false positives, etc.
Policy for files with SSNs: 1. Remove 2. Move 3. De-identify 4. Encrypt
They use their training management system to record whether people have completed and remediated from their scans.
David Escalanted – Director of Security, Boston College
March 2005 – major data breach that required 100k + letters to alumni.
Realized that users don’t seem to mind people looking at their email for viruses and spam, so should be able to scan for PII. They also started collecting netflow data and Snort IDS. PII finder (Fidelis) “catches stupid people”, not hackers. They didn’t notify the community that they’re running these tools – if it’s legit to look for bad stuff coming in, they figure it’s legit to look for it going out. What happens to offenders? For PII, a VP or Dean is frequently involved.
When the White House invited the hockey team to visit, they wanted a list of all the visitors with their SSN #s. Emailed. They caught that going over the wire.
Encryption kills scanning on the wire.
Shirley Payne is the Directory of IT Security and Policy at the University of Virginia
Considerations for general policy decisions: Consistency with existing policies and norms (especially the physical world ones); compliance with or in consideration of laws.
UVa is sort of the opposite of BU: Not generally monitoring content, blocking websites, or scanning devices without permission. There are, of course some exceptions, like traffic monitoring for virus/worms signatures, etc.
