Educause Security Discussion mailing list archives

Re: Identify Finder


From: Felecia Vlahos <fvlahos () COX NET>
Date: Thu, 28 Feb 2008 10:37:22 -0800

Sharon,

Here at San Diego State (and in our collective California State University
ISO group) we are studying various SSN and credit card search tools.

When picking a tool our goals at SDSU were to have both a tool that could
be deployed across campus to search for legacy SSN (we switched to a
unique campus ID in 2004, but found our faculty needed to keep grade
sheets with SSN for many years), and to use in incident response to gather
information for potential notification processes.

We are in the final reporting stages of testing various tools, including
Identity Finder, Content Sentinel (just bought by RSA), Spider, Virginia
Tech Find_SSN, Safe Vantage Technologies Deep Scout, and SenfNet.

Our findings on all the tools were pretty dismal for both our goals.

For the goal of incident response assistance: we had data, copied from
laptops just prior to being stolen, that illuminated for us that our
faculty may not use the standard 999-99-9999 or even 9999999 format for
SSNs in a column.  Instead, much of the data in the academic world is in a
format where the SSN is spread across three columns. The tools we tested
cannot find this SSN format.  Therefore we would still have to perform the
painstaking effort of searching through each file manually.

For the second goal of finding static data at rest.  Well, see the
limitations we listed for our first goal, they apply here as well. But
still, if we could find a tool that removed a sizeable portion of the
data, it would still reduce risk, and be worth the investment in the tool
and process.  We were looking for two types of tools in this goal, both a
centralized tool (deployable with Active Directory or other desktop
management software on campus) and a standalone tool (deployable by users
or IT support staff on faculty or stand alone managed systems). We are
very pleased with Virginia Tech's SSN_Find (an improvement over Spider for
finding contiguous SSNs, or SSNs with spaces). Although Spider works on
Windows, Mac, and Unix versions.

For the second goal for enterprise software we looked at Identity Finder,
Tablus Content Sentinel, and a local startup company,  Safe Vantage
Technologies Deep Scout.  We found all three vendors responsive. The
dominator in results and flexibility of use was Content Sentinel.
However, a "gotcha" to these tools is that they give the server direct
access to the information found on the client.  So, if you have a single
server hooked into clients throughout your university, your one server has
access, may include update/delete access, to view all the data.  With this
inadvertent centralized "share mapping" of your SSN/credit card data, one
stop shopping for hackers, and a huge issue for authorized access to the
information.  Content Sentinel has promised their next version, due out in
May, will have better role functionality to eliminate or reduce the threat
of the inadvertent centralized mapping and access from the scanning
server. Also Content Sentinel plans to support Mac and Unix version in
their August version release. We also found Content Sentinel to dominate
in the reporting between the 3 enterprise products.

Bottom line, no silver bullets from one tool to meet our needs.  But,
still some good results to minimize risk as the vendors continue their
development.  We are probably going to look at combinations for our use.

Note: all my info came from work my associate, Alan Belshaw, performed.
Please direct any questions to him directly at Alan Belshaw
<abelshaw () mail sdsu edu>.  Also, for those of you attending Secure IT in
San Diego next week, we will have more details at our display booth.

Thanks
Felecia Vlahos, CISSP
Information Security Officer
San Diego State University
619-594-4049, fvlahos () mail sdsu edu

------- Forwarded message -------
From: "McNeil, Sharon McLawhorn" <McLawhorns () ECU EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Cc:
Subject: [SECURITY] Identify Finder
Date: Wed, 27 Feb 2008 13:16:45 -0800

Does anyone have experience with the scanning tool "Identify Finder"?
We're looking for a tool to assist us in discovering sensitive data such
as SSN's, credit card numbers, etc.

Thanks,

Sharon M. McNeil
IT Security Analyst
Dept. of ITCS
East Carolina University
252-328-9112 (Phone)
252-328-4258 (Fax)
mclawhorns () ecu edu
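The three-column SSN layout described in the message above, as an added example that is not part of the original post and not taken from any of the tools it names: a Python scanner for CSV exports that reports SSNs held in one cell (dashed, spaced or contiguous) and SSNs split across three adjacent columns. The function names and the sample grade sheet are constructed for illustration; the plausibility filter assumes the usual structural SSN rules (no 000, 666 or 9xx area, no 00 group, no 0000 serial).

```python
import csv
import io
import re

# One-cell formats: 999-99-9999, 999 99 9999, or nine contiguous digits.
SINGLE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")

def plausible(area, group, serial):
    """Structural SSN rules: no 000/666/9xx area, no 00 group, no 0000 serial."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def scan_rows(rows):
    """Yield (row_no, col_no, kind, ssn) for each candidate; numbering is 1-based."""
    for r, row in enumerate(rows, start=1):
        cells = [c.strip() for c in row]
        for c, cell in enumerate(cells, start=1):
            for m in SINGLE.finditer(cell):
                if plausible(*m.groups()):
                    yield r, c, "single-cell", "-".join(m.groups())
        # Split layout: three adjacent cells holding exactly 3, 2 and 4 digits.
        for c in range(len(cells) - 2):
            a, g, s = cells[c:c + 3]
            if (re.fullmatch(r"\d{3}", a) and re.fullmatch(r"\d{2}", g)
                    and re.fullmatch(r"\d{4}", s) and plausible(a, g, s)):
                yield r, c + 1, "three-column", f"{a}-{g}-{s}"

def scan_csv_text(text):
    """Parse CSV text and return every candidate as a list."""
    return list(scan_rows(csv.reader(io.StringIO(text))))

# Constructed sample grade sheet; every value is made up.
SAMPLE = """name,ssn1,ssn2,ssn3,grade
Doe J,123,45,6789,B+
Roe R,000,12,3456,A
Poe E,,,,C
Notes,see 234-56-7890 and 345678901,,,
"""

if __name__ == "__main__":
    for hit in scan_csv_text(SAMPLE):
        print(hit)
```

Any three adjacent numeric columns of widths 3, 2 and 4 that pass the structural rules are reported, so hits from the split-column check are candidates for review, not confirmed SSNs.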
