Educause Security Discussion mailing list archives

Sensitive data detection


From: Curt Wilson <curtw () SIU EDU>
Date: Fri, 20 Apr 2007 12:40:05 -0500

Dear Educause security community,

For those who are currently working on a project involving the
identification of sensitive data across campus, I have some items of
potential interest. I know that Tenable (Nessus) recently announced a
module that can check (with host credentials) a host for the presence of
selected types of sensitive data, but what we have chosen is
Proventsure's Asarium software. We are in the early stages of testing,
but it looks to be a tremendously helpful tool for such a large task
(depending upon the size of your institution).

In addition to locating selected types of sensitive data (SSN, credit
card, bank numbers, etc) in a variety of file formats including office
files, Asarium does various other checks as well. Within an emerging
enterprise-class client-server framework, it gives us the ability to do
a proactive or post-mortem analysis of a system, perform host integrity
checks, identify packed binaries, check for trojans, and pull other
valuable data from a system. The only other decent tools I've found for
post-compromise checking are the Microsoft WOLF toolkit (which doesn't
search for sensitive data), the FirstOnScene kit (similar to WOLF), and
maybe a couple of others. Of course, Helix, EnCase or other tools are
needed for a proper forensics investigation where legal action is to be
taken and the evidence needs to be preserved properly. I'm not aware of
anything else though that will specifically locate sensitive data, other
than Asarium. The idea of trying to do it manually is non-sustainable.

With a tool such as this, and some IDS signatures (from bleeding edge
threats) to detect the presence of sensitive data as it passes the wire
(prone to false positives and evasion, of course), the ability to track
sensitive data is getting easier. I expect more tools to target this
area of need.

Since this is a critical area of interest for a variety of .edus due to
all of the .edu compromises, I'm curious to hear what others are doing
on this front, and would recommend checking into Asarium if you have a
similar project.

--
Curt Wilson
IT Network Security Officer
Southern Illinois University Carbondale
618-453-6237

GnuPG key: http://www.infotech.siu.edu/security/curtw.pub.asc
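As an added example (not part of the original post, and not Asarium's, Nessus's or any other vendor's code), the following Python script shows the core of a file-based sensitive-data scanner of the kind discussed above: it walks a directory tree, pulls text out of plain files and zip-based Office documents (docx/xlsx/pptx are zip archives of XML), finds SSN- and card-number-shaped strings, and then validates each candidate (SSA issuance rules for SSNs, the Luhn check for card numbers) so that phone numbers, order numbers and random digit runs are not reported. The sample records and the "docx" it scans are constructed test data, not real identifiers; the tag-stripping approach to Office files is a deliberate simplification.

```python
"""Locate SSN and credit-card patterns in a directory tree, validating each hit.

Added example; sample data below is constructed, not real.
"""
import os
import re
import tempfile
import zipfile

# Candidate patterns. \b keeps us from matching inside longer digit runs.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-19 digits, optionally separated by single spaces or dashes.
CC_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample text (not real data): one valid SSN, one invalid one,
# a phone number, an order number, one Luhn-valid card, one Luhn-invalid card.
SAMPLE = """Constructed sample record (not real data):
Student: J. Doe  SSN 219-09-9999  phone 618-453-6237
Bad record: SSN 000-12-3456 (area 000 is never issued)
Card on file: 4111 1111 1111 1111 exp 01/09
Typo card: 4111 1111 1111 1112 (fails Luhn)
Invoice 1234-56-7890 is an order number, not an SSN
"""


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: true for every real PAN, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_ok(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped numbers the SSA never issues (area 000/666/9xx, group 00, serial 0000)."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def extract_text(path: str) -> str:
    """Return a file's text; for zip-based Office files, join the XML parts and strip tags."""
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as z:
            parts = [z.read(n).decode("utf-8", "replace")
                     for n in z.namelist() if n.endswith(".xml")]
        return re.sub(r"<[^>]+>", " ", " ".join(parts))
    with open(path, "rb") as f:
        return f.read().decode("utf-8", "replace")


def find_sensitive(text: str) -> list:
    """Return [(kind, matched_string), ...] for validated SSNs and card numbers."""
    hits = []
    for m in SSN_RE.finditer(text):
        if ssn_ok(*m.groups()):
            hits.append(("ssn", m.group(0)))
    for m in CC_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("cc", m.group(0)))
    return hits


def scan_tree(root: str) -> dict:
    """Map each file path under root that contains validated hits to its hit list."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                hits = find_sensitive(extract_text(path))
            except OSError:
                continue                # unreadable file: skip, keep scanning
            if hits:
                results[path] = hits
    return results


def build_demo_tree(root: str) -> None:
    """Write constructed sample files: a text file and a minimal zip-based 'docx'."""
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write(SAMPLE)
    with zipfile.ZipFile(os.path.join(root, "roster.docx"), "w") as z:
        z.writestr("word/document.xml",
                   "<w:document><w:p><w:t>Applicant SSN 219-09-9999</w:t></w:p></w:document>")


def demo() -> dict:
    """Scan a temporary tree of constructed files; results keyed by file name."""
    root = tempfile.mkdtemp()
    build_demo_tree(root)
    return {os.path.basename(p): h for p, h in scan_tree(root).items()}


if __name__ == "__main__":
    for name, hits in sorted(demo().items()):
        print(name, hits)
```

The validation step is what keeps the false-positive rate tolerable: the regexes alone would flag the phone number and the order number in the sample, and any scanner, whether host-based like this one or a network IDS signature, needs the same post-match checks. Note that `\b`-anchored patterns also mean an SSN written without dashes or a card number stored with unusual separators will be missed, which is the usual trade between noise and coverage.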
