Educause Security Discussion mailing list archives
Sensitive data detection
From: Curt Wilson <curtw () SIU EDU>
Date: Fri, 20 Apr 2007 12:40:05 -0500
Dear Educause security community,

For those that are currently working on a project involving the identification of sensitive data across campus, I have some items of potential interest. I know that Tenable (Nessus) recently announced a module that can check (with host credentials) a host for the presence of selected types of sensitive data, but what we have chosen is Proventsure's Asarium software. We are in the early stages of testing, but it looks to be a tremendously helpful tool for such a large task (depending upon the size of your institution).

In addition to locating selected types of sensitive data (SSN, credit card, bank numbers, etc.) in a variety of file formats including office files, Asarium does various other checks as well. Within an emerging enterprise-class client-server framework, it gives us the ability to do a proactive or post-mortem analysis of a system, perform host integrity checks, identify packed binaries, check for trojans, and pull other valuable data from a system.

The only other decent tools I've found for post-compromise checking are the Microsoft WOLF toolkit (which doesn't search for sensitive data), the FirstOnScene kit (similar to WOLF), and maybe a couple of others. Of course, Helix, EnCase or other tools are needed for a proper forensics investigation where legal action is to be taken and the evidence needs to be preserved properly. I'm not aware of anything else, though, that will specifically locate sensitive data, other than Asarium. The idea of trying to do it manually is non-sustainable.

With a tool such as this, and some IDS signatures (from Bleeding Edge Threats) to detect the presence of sensitive data as it passes the wire (prone to false positives and evasion, of course), the ability to track sensitive data is getting easier. I expect more tools to target this area of need.
Since this is a critical area of interest for a variety of .edus due to all of the .edu compromises, I'm curious to hear what others are doing on this front, and would recommend checking into Asarium if you have a similar project.

--
Curt Wilson
IT Network Security Officer
Southern Illinois University Carbondale
618-453-6237
GnuPG key: http://www.infotech.siu.edu/security/curtw.pub.asc
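The post describes two detection problems: finding SSNs and card numbers at rest in files, and the false-positive problem that any pattern-based approach (on disk or on the wire) runs into. The following is an added example, not code from the original post nor from Asarium, Nessus or Bleeding Edge Threats; it shows the minimal validation layer (Luhn check for card numbers, SSA structural rules for SSNs) that separates a "looks like a number" hit from a plausible one. The sample text, file names and the `scan_text`/`scan_files` helpers are constructed for illustration; it handles plain-text files only, since office formats would first need a text extractor.

```python
import re
import tempfile
from pathlib import Path

# Candidate patterns are deliberately loose; the validators below do the filtering.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-16 digits, optionally separated by single spaces or dashes, not embedded in a longer digit run.
CC_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers; rejects most typos and random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Structural rules the SSA publishes for issued SSNs: area 000, 666 and 900-999 never issued,
    group 00 and serial 0000 never issued."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def scan_text(text: str) -> list[tuple[str, str]]:
    """Return (kind, matched_text) for every validated hit. Regex hits that fail validation are dropped,
    which is exactly what a signature-only IDS rule cannot do."""
    findings: list[tuple[str, str]] = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(("ssn", m.group(0)))
    for m in CC_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("cc", m.group(0)))
    return findings


def scan_files(paths: list[Path]) -> dict[str, list[tuple[str, str]]]:
    """Scan plain-text files; binary/office formats would need extraction first (not done here)."""
    results = {}
    for p in paths:
        hits = scan_text(p.read_text(errors="ignore"))
        if hits:
            results[str(p)] = hits
    return results


# Constructed sample: one valid-looking card, one with a typo, one plausible SSN, two SSN-shaped
# strings that the SSA rules reject. None of these are real identifiers.
SAMPLE = """\
Order #4111 1111 1111 1111 shipped to J. Doe
Ref 4111-1111-1111-1112 (copied with a typo, fails Luhn)
Employee SSN 123-45-6789 on file
Part number 000-12-3456 (area 000 is never issued)
Serial 666-01-0001 (area 666 is never issued)
"""


def demo() -> dict[str, list[tuple[str, str]]]:
    """Write the sample to a temp file and scan it the way a directory sweep would."""
    with tempfile.TemporaryDirectory() as d:
        f = Path(d) / "notes.txt"
        f.write_text(SAMPLE)
        return scan_files([f])


if __name__ == "__main__":
    for path, hits in demo().items():
        for kind, value in hits:
            print(f"{path}: {kind} {value}")
```

Of the five candidate strings in the sample, only two survive validation; the three rejected ones are the kind of hits that inflate a raw regex or IDS-signature sweep. Validation does not remove evasion (a card number split across lines or stored with unusual separators will still be missed), so the regexes above should be read as a baseline, not a complete detector.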
Current thread:
- Sensitive data detection Curt Wilson (Apr 20)
- Re: Sensitive data detection Peter Wan (Apr 20)
- Re: Sensitive data detection Harold Winshel (Apr 20)
- Re: Sensitive data detection Josh Drummond (Apr 20)
- Re: Sensitive data detection Randy Marchany (Apr 20)
- Re: Sensitive data detection Wyman Miles (Apr 20)
- Re: Sensitive data detection Brad Judy (Apr 21)