Educause Security Discussion mailing list archives
Re: Identify Finder
From: "Shamblin, Quinn (shamblqn)" <shamblqn () UCMAIL UC EDU>
Date: Thu, 28 Feb 2008 13:25:12 -0500
If you want to experiment with a version of this product that can scan remote systems, you can contact this person. He has been very helpful as we have been testing. Also, it is possible to script the use of this tool to automate scans across multiple systems.

Todd Feinman [mailto:todd.feinman () identityfinder com]
212-399-2449

Regards,

Quinn R. Shamblin
Information Security Officer
GCFA, CISSP, PMP
University of Cincinnati
(513) 556-0803
quinn.shamblin () uc edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Brad Judy
Sent: Thursday, February 28, 2008 11:21 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Identify Finder

Yes, I forgot about this feature. I believe the custom config of the more advanced versions will also allow you to use a custom keyword (like "Student ID") with an SSN check, but it's been a while since I've looked at it, so I could be wrong.

I agree that it's more user friendly than Spider (our recommended tool for Windows) and SENF (our recommended tool for other platforms), but we weren't willing to invest in a commercial tool until, at the very least, it supported both Windows and Mac. Naturally, it would also have to demonstrate a value that justified the cost over the open source options.

Brad Judy
IT Security Office
University of Colorado at Boulder

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Theodore Pham
Sent: Wednesday, February 27, 2008 6:46 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Identify Finder

The Professional and Enterprise versions of Identity Finder have incorporated unformatted SSN searching. By default, it requires the file to have some keyword (SSN, Social Security Number, SS#, etc.) and have at least 3 potential SSNs in it in order to declare it a "match". This of course helps cut down on false positives.

You can opt to remove the keyword criteria or reduce the number of potential SSNs required for a match through the options page. You can also completely disable unformatted SSN search or restrict it to only Excel and CSV files. Of course modifying the defaults increases search time and false positive rates, but you have the options. For more details, see:

http://www.identityfinder.com/help/AnyFind_Settings_Page.htm

We've site licensed the Enterprise version and started our deployment last month on a voluntary basis to all faculty, students and staff for use on both university owned and personal equipment. Previously we had suggested the use of Spider and were looking at customizing it, but Spider just wasn't user friendly enough in its current incarnations.

So far our biggest hurdle has been convincing both our admins and end users that the tool is really simple enough for almost everyone to use. I think they were expecting it to be more like Spider so they were reluctant at first, but we're making headway. Having folks run it for the first time and seeing how much of their own personal information is floating around has really helped open eyes, not to mention how easy it is to clean things up with the interface.

Our next step is continuing to educate our mid and upper level management about the risks and options so that they will set appropriate local policies for their departments. It takes so long to pass a university policy, much less attempt to enforce it in a distributed support environment like ours, that partnering on a local level should give us broader adoption more quickly. Not saying that executive mandate isn't a good thing to have, but it's easier to convince management when you've got some positive momentum.

We asked for an MSI installer version from the vendor (got it in about 3 days) and bundled it with our license file for the initial deployment. We're starting to work with our admins to deploy via Active Directory GPO and to target our high risk populations.

So my point is that the whole PII cleanup effort is a very social problem. And so far we've found Identity Finder to be a nice fit to tackling that problem even with its technical shortcomings. The vendor is very willing to work with us on Identity Finder's rough edges. And it's got an assortment of rough edges.

Ted Pham
Information Security Office
Carnegie Mellon University

Brad Judy wrote:
FYI: The approach I've recommended for the non-hyphenated formats is to search using the most common first three digits for your students. This catches most large lists of SSN's while minimizing false positives.

Additionally, I highly recommend the use of boundary conditions for any regular expression searches.

For example, here's a simple regular expression that could be used for one portion of Colorado SSN's:

\b65[0-3]\d{6}\b

I believe the more advanced versions of Identity Finder allow for custom regular expression searches, so one could add a check like the one above.

In my experience, the vast majority of large SSN repositories/lists use a straight nine digit format, so skipping it will likely mean not detecting your highest impact files. When it comes to data breaches, finding these large repositories is a higher priority than the ability to look into a variety of file types to find single items.

Brad Judy
IT Security Office
University of Colorado at Boulder

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Isac Balder
Sent: Wednesday, February 27, 2008 4:53 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Identify Finder

So far we are impressed. Though it skips information not in a dashed format. We had a few instances where home brew apps were handling data without the dash and Identity Finder missed it. On the other hand I'll take that over a slew of false positives on straight nine digit numbers.

I have heard that the vendor is working on a central reporting / management server.

Yes it only finds data that is resident and not in transmission. But we have found that most users are not even aware of the data that is on their system.

Step 1) identify, Step 2) educate, Step 3) mitigate the transmission factor.

The thing we really liked about Identity Finder was the ease of use for the average user, the fact that it scans the Outlook PST files (where we tend to find the block of data), and non-ASCII files like PDF.

I.B.

--- "McNeil, Sharon McLawhorn" <McLawhorns () ECU EDU> wrote:

Does anyone have experience with the scanning tool "Identify Finder"? We're looking for a tool to assist us in discovering sensitive data such as SSN's, credit card numbers, etc.

Thanks,

Sharon M. McNeil
IT Security Analyst
Dept. of ITCS
East Carolina University
252-328-9112 (Phone)
252-328-4258 (Fax)
mclawhorns () ecu edu
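Added example, not part of the original thread and not Identity Finder's code: a minimal Python sketch of the unformatted-SSN heuristic the messages above describe (nine digits between word boundaries, a keyword in the file, at least 3 candidates), with the prefix-restricted regular expression from the thread as an alternative pattern. The function name, the option names, counting distinct candidates, and the sample texts are assumptions constructed for illustration.

```python
import re

# Nine digits between word boundaries, so longer digit runs
# (phone numbers, tracking numbers) are not reported.
UNFORMATTED = re.compile(r"\b\d{9}\b")
# Prefix-restricted pattern quoted in the thread (one portion of Colorado SSNs).
COLORADO_PREFIX = re.compile(r"\b65[0-3]\d{6}\b")
# Keywords named in the thread, matched case-insensitively.
KEYWORD = re.compile(r"social security number|\bSSN\b|SS#", re.IGNORECASE)


def scan_text(text, pattern=UNFORMATTED, require_keyword=True, min_hits=3):
    """Return (is_match, candidates) for the text of one file.

    Assumption: distinct candidates are counted, so one number repeated
    many times does not reach the threshold on its own.
    """
    candidates = sorted(set(pattern.findall(text)))
    if len(candidates) < min_hits:
        return False, candidates
    if require_keyword and not KEYWORD.search(text):
        return False, candidates
    return True, candidates


# Constructed sample inputs (not real data).
ROSTER = "Student roster, SSN column\nA,651234567\nB,652345678\nC,653456789\n"
INVOICE = "Invoice\norder 123456789 tracking 9876543210123\nphone 5135550100\n"
EXPORT = "id,value\n1,651234567\n2,652345678\n3,653456789\n"
MIXED = "SSN list: 651234567 654000000 123456789"

if __name__ == "__main__":
    for name, text in [("roster", ROSTER), ("invoice", INVOICE), ("export", EXPORT)]:
        print(name, scan_text(text))
    # Relaxed options: more files are flagged, including keyword-free exports.
    print("export, no keyword rule", scan_text(EXPORT, require_keyword=False))
    print("mixed, prefix only", scan_text(MIXED, COLORADO_PREFIX, min_hits=1))
```
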