Educause Security Discussion mailing list archives

Re: PII Scanning Recommendations


From: "Mclaughlin, Kevin (mclaugkl)" <mclaugkl () UCMAIL UC EDU>
Date: Fri, 9 Sep 2011 08:22:02 -0400

Hi Drew:

About 5 years ago we took our first crack at this using Rapid7 - that experience was horrible for many reasons, but the 
one that really pushed me away is that the algorithm they were using at the time made it so that a machine that had 
multiple minor vulnerabilities got escalated up to a critical or catastrophic vulnerability level - even if it had no 
critical or catastrophic vulnerabilities.  This didn't work with the process/approach that I wanted to take.  What I 
like to do (started this a decade or so ago when I worked for Procter & Gamble) is only scan for the top 100 or so 
threats (we compile those via SANS, X-Force, Microsoft, etc.) and then only react or follow up on the critical or 
catastrophic ones.  This saves us from sending out thousands of reports to every IT coordinator, and it makes it so 
that the reports we do send out are 5-10 pages in length (or less) and not 250 pages in length.  Example: we 
currently scan about 10,000 systems and have to follow up on about 110 of them on a monthly basis.  We are using ISS, 
but that is only because I signed a 5 year contract so that I could spread the payment out over 5 years; once IBM 
bought them, I have been less than happy with the tool, the support and the reporting mechanism.

At UC we use a 3-strike rule which basically goes like this: if you own a box that is determined to have a critical 
or catastrophic vulnerability, you receive notice from us that it needs to be remediated and you also receive the 
report that tells you how to remediate.  Our notice lets you know that we will scan again in X (30 or 60) days.  If the 
system is found to have the same vulnerability on the second scan, then you as the system owner get another memo and 
your one-up manager does as well.  On the 3rd scan the memo goes to you, your one-up, and the VP of the unit with a 
note that the system will be removed from the network in 10 days.  I then call the VP and let them know that the 
system is slated to be taken off UCNet.  To date we've not had to take a system down this way.  The 3-strike rule was 
the only way that I could get the "We Can Take a Vulnerable System off the Network" policy through my Governance 
channels, so it works for us.

btw - a side benefit to only scanning for the top threats is that we have never (knock on wood) caused any performance 
issues to systems during our scans - and yes, I realize the downside is that we may miss something, but any system 
owner can call us and request a full in-depth scan of their systems - some actually do so.

Hope this helps and have a great weekend,
- Kevin


Kevin L. McLaughlin,  CISM, CISSP, GIAC-GSLC, CRISC, PMP, ITIL Master Certified
Assistant Vice President, Information Security & Special Projects
University of Cincinnati
513-556-9177

The University of Cincinnati is one of America's top public research institutions and one of the region's largest 
employers, with a student population of more than 41,000.


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Drew 
Perry
Sent: Thursday, September 08, 2011 5:42 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PII Scanning Recommendations

I'm in the middle of our quarterly PII scans of our web-facing data servers. Typically we scan with a combination of 
SENF and Spider, while I manually audit the results (i.e. check each and every file myself). As I'm sure you all know, 
this results in a HUGE list of false-positive reviews. As yet, we do not have a large budget for this aspect of 
Information Security. I have investigated PII products like Seek-N-Secure and Identity Finder, which are infinitely 
better. But in the cost/benefit analytical world of "So we have one that works for free, but costs your time; or we can 
spend $10,000 or so for better tools for each of our data servers...", I'm sure you know who wins out.

So my question is this: What are you guys doing? Has anyone come up with a middle-ground solution to this problem? The 
free tools are good, not great, but free. The expensive tools are great, not perfect, but expensive. What's the 
upper-middle class response to PII scans?

Drew Perry
Security Analyst
Murray State University
(270) 809-4414
aperry () murraystate edu<mailto:aperry () murraystate edu>

Save a tree. Please consider the environment before printing this message.
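The false-positive problem Drew describes comes from pattern-only matching: anything shaped like an SSN or a card
number gets flagged. The added example below (not code from either poster, nor from SENF, Spider or any of the
products named in the thread) shows the usual middle-ground fix: keep the loose regexes, then apply structural
validation (the SSA's area/group/serial rules for SSNs, the Luhn check digit for card numbers) before a hit reaches a
human reviewer. The sample lines are constructed for the demonstration; the 4111 1111 1111 1111 value is the
well-known Luhn-valid test number, and the other numbers are invented.

```python
"""Regex PII candidate detection with structural validation to cut false positives.

Added example for this thread; not the scanners discussed in it. Sample data is constructed.
"""
import re
from dataclasses import dataclass

# Candidate patterns are deliberately loose; validation below does the filtering.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-16 digits with an optional single space or hyphen between digits, ending on a digit.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


@dataclass
class Finding:
    line_no: int
    kind: str    # "ssn" or "card"
    value: str   # text as it appeared in the line
    valid: bool  # True if it passed structural validation and deserves review


def luhn_ok(digits: str) -> bool:
    """Luhn check digit (ISO/IEC 7812), used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_ok(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area not 000, 666 or 900-999; group not 00; serial not 0000."""
    a = int(area)
    if a == 0 or a == 666 or 900 <= a <= 999:
        return False
    return group != "00" and serial != "0000"


def scan_lines(lines):
    """Return every candidate, with valid=True only for structurally plausible ones."""
    findings = []
    for n, line in enumerate(lines, 1):
        for m in SSN_RE.finditer(line):
            findings.append(Finding(n, "ssn", m.group(0), ssn_ok(*m.groups())))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            findings.append(Finding(n, "card", m.group(0), luhn_ok(digits)))
    return findings


def summarize(findings):
    """Per kind: (raw candidates, candidates surviving validation)."""
    out = {}
    for kind in ("ssn", "card"):
        of_kind = [f for f in findings if f.kind == kind]
        out[kind] = (len(of_kind), sum(f.valid for f in of_kind))
    return out


# Constructed sample input: one real-looking SSN and one Luhn-valid card among look-alikes.
SAMPLE_LINES = [
    "Employee 123-45-6789 ssn on file",      # structurally valid SSN
    "Invoice number 000-12-3456 reference",  # area 000: never issued
    "Phone ext 666-12-3456",                 # area 666: never issued
    "Order id 987-65-4321",                  # area 900-999: never issued
    "Card: 4111 1111 1111 1111 visa",        # Luhn-valid test number
    "Tracking 4111 1111 1111 1112",          # Luhn check fails
    "Ticket 1234567890123456",               # Luhn check fails
]

if __name__ == "__main__":
    found = scan_lines(SAMPLE_LINES)
    for f in found:
        print(f"line {f.line_no}: {f.kind} {f.value!r} -> {'REVIEW' if f.valid else 'drop'}")
    print(summarize(found))
```

On the constructed input the regexes alone produce seven candidates and validation leaves two for manual review. The
same idea extends to other PII types (date-of-birth plausibility, bank routing-number checksums) and to context
scoring (a nearby "SSN" or "card" keyword), which is roughly what the commercial tools charge for.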

