Security Ripcord


Explaining Sensitive Information

July 11th, 2007 cutaway Posted in Sensitive Information

Classification of data starts with defining that data. Unfortunately there are many definitions for personal or private information and these definitions are often different depending on country, state, organization, regulation, and other factors.

FERPA gives the following guidance:

Generally, schools must have written permission from the parent or eligible student in order to release any information from a student’s education record.

Schools may disclose, without consent, “directory” information such as a student’s name, address, telephone number, date and place of birth, honors and awards, and dates of attendance.

The State of Texas provides these definitions in the Texas Administrative Code 202:

Confidential Information–Information that is excepted from disclosure requirements under the provisions of applicable state or federal law, e.g. the Texas Public Information Act.

Mission Critical Information–Information that is confidential or is defined by the institution of higher education, or state agency to be essential to the institution of higher education, or state agency function(s).

Restricted Personal Information–Includes an individual’s social security number, or data protected under state or federal law (e.g., financial, medical or student data).

All of these statements leave something to be desired when trying to provide specific guidance. As an information security manager for a university in Texas I have taken to referring to the Texas Statute “BUSINESS & COMMERCE CODE CHAPTER 48. UNAUTHORIZED USE OF IDENTIFYING INFORMATION SUBCHAPTER A. GENERAL PROVISIONS” which states:

(1) “Personal identifying information” means information that alone or in conjunction with other information identifies an individual, including an individual’s:

  • (A) name, social security number, date of birth, or government-issued identification number;
  • (B) mother’s maiden name;
  • (C) unique biometric data, including the individual’s fingerprint, voice print, and retina or iris image;
  • (D) unique electronic identification number, address, or routing code; and
  • (E) telecommunication access device.

(2) “Sensitive personal information”:

  • (A) means an individual’s first name or first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted:
    • (i) social security number;
    • (ii) driver’s license number or government-issued identification number; or
    • (iii) account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account; and
  • (B) does not include publicly available information that is lawfully made available to the general public from the federal government or a state or local government.

Although this does leave some area for debate, it is more informative than other sources.

What sources do you use for explaining the types of information that need to be protected within your organization?

You can post your responses here or you can head over to the Security Catalyst Community to see what other information security professionals have to say about their sources. Just look for the post titled “How do you explain the definition of ‘Sensitive Information’?”.

Go forth and do good things,
Cutaway


Data Classification and Media Destruction Methods

June 24th, 2006 cutaway Posted in NIST, Security, Sensitive Information, Tools

I recently mentioned that NIST had released Draft Special Publication 800-88: Guidelines for Media Sanitization.  This document outlines the concerns involving roles and responsibilities, data classification, and destruction of the information stored on any media.  We all know that this generally includes hard drives but when you start to sit down and think about it there are so many other media types that we must consider:  Floppies, CD/DVD disks, DVD RAM, MiniCD disks, tapes, Thumb drives, Zip/Super disks, iPods and other MP3 devices, external hard drives, etc.  One item (of many) that my list is missing is system memory.  Although this has not necessarily been an issue to this point, in the June 3, 2006 episode of  CyberSpeak Jesse Kornblum talked about retrieving residual process information from memory after a system has been rebooted.  (Check the CyberSpeak show comments for several links to more information about this issue as posted by several of CyberSpeak's listeners.) 

According to the NIST document there are three ways to deal with information on any of these media types.

  • Clear – is achieved by overwriting the media so that the information on it cannot be retrieved by attempting to access the data through normal system operations.  The document describes this as protection against a keyboard attack, not a laboratory one.
  • Purge – involves degaussing or executing the "Secure Erase" command built into ATA drives (Serial ATA included); this level is meant to hold up against a laboratory attack on the media.
  • Destroy – can be accomplished through disintegration, pulverization, melting, incineration, shredding, or sanding depending on the type of media being destroyed.

Each of these methods has its own challenges and drawbacks.  Clearing by overwriting the media can be very time consuming depending on the size of the media and the number of passes in the overwriting algorithm.  Purging through degaussing is known to make certain media types unusable (a degausser strong enough to wipe a modern hard drive also wipes the servo tracks the drive needs to operate).  Destruction can be a huge and costly undertaking in resources and man-hours, and it raises environmental issues of its own.  However, the thrust of SP 800-88 is that any media leaving the control of the original owner should be purged or destroyed rather than merely cleared, to avoid any possible exposure of information.
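The "Clear" step above, as an added example rather than code from the post or from SP 800-88: a Python routine that overwrites a piece of media in place with a fixed pattern and then reads it back to confirm the pattern is present everywhere, because an overwrite you have not verified is not a sanitization you can attest to. The demo runs against a disk image constructed in a temporary directory; on a real system you would pass the block device path (as root) instead, and the lseek-to-end sizing works the same way. The function names (`overwrite`, `verify`, `residue_found`, `demo`) are this example's own.

```python
"""Clear a piece of media by overwriting it in place, then verify the overwrite.

Added example, not code from the post or from SP 800-88. A temporary disk
image stands in for the drive; for real media pass the block device path
(e.g. /dev/sdX, as root) and the same size discovery applies.
"""
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB writes/reads keep memory flat on multi-gigabyte media


def media_size(fd: int) -> int:
    """Size in bytes; works for regular files and block devices alike."""
    return os.lseek(fd, 0, os.SEEK_END)


def _pattern_block(pattern: bytes) -> bytes:
    """One CHUNK of the repeating pattern; the byte at absolute offset p is block[p % CHUNK]."""
    return (pattern * (CHUNK // len(pattern) + 1))[:CHUNK]


def overwrite(path: str, passes=(b"\x00",)) -> int:
    """Write every byte of `path` with each pattern in turn; returns bytes written.
    A raw descriptor plus fsync pushes the data to the device, and re-seeking
    before every write means a short write cannot leave a gap."""
    total = 0
    fd = os.open(path, os.O_WRONLY)
    try:
        size = media_size(fd)
        for pattern in passes:
            block = _pattern_block(pattern)
            offset = 0
            while offset < size:
                start = offset % CHUNK
                want = min(CHUNK - start, size - offset)
                os.lseek(fd, offset, os.SEEK_SET)
                n = os.write(fd, block[start:start + want])
                offset += n
                total += n
            os.fsync(fd)
    finally:
        os.close(fd)
    return total


def verify(path: str, pattern: bytes = b"\x00", stride: int = 1) -> bool:
    """Read the media back and check that each chunk (every `stride`-th chunk
    when sampling) holds the pattern. stride=1 is a full read-back: one more
    pass over the media, which is the price of a result you can stand behind."""
    block = _pattern_block(pattern)
    fd = os.open(path, os.O_RDONLY)
    try:
        size = media_size(fd)
        for index, offset in enumerate(range(0, size, CHUNK)):
            if index % stride:
                continue
            os.lseek(fd, offset, os.SEEK_SET)
            data = os.read(fd, min(CHUNK, size - offset))
            if data != block[:len(data)]:
                return False
        return True
    finally:
        os.close(fd)


def residue_found(path: str, marker: bytes) -> bool:
    """Search the media for a known marker across chunk boundaries; True means
    the overwrite missed something."""
    tail = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                return False
            if marker in tail + chunk:
                return True
            tail = chunk[-(len(marker) - 1):] if len(marker) > 1 else b""


def demo(size: int = 3 * CHUNK + 12345) -> dict:
    """Constructed disk image (not real media): plant a marker, clear, verify."""
    marker = b"SSN 123-45-6789"  # made-up value standing in for sensitive data
    with tempfile.TemporaryDirectory() as tmp:
        img = os.path.join(tmp, "disk.img")
        with open(img, "wb") as fh:
            fh.write(os.urandom(size // 2))
            fh.write(marker)
            fh.write(os.urandom(size - size // 2 - len(marker)))
        before = residue_found(img, marker)
        written = overwrite(img)  # one fixed-pattern pass; pass (b"\x00", b"\xff", b"\x00") for more
        return {"before": before, "written": written,
                "verified": verify(img), "after": residue_found(img, marker)}


if __name__ == "__main__":
    print(demo())
```

Each extra pattern in `passes` costs a full pass over the media, which is exactly the time cost the post describes; `stride` lets the verification sample rather than read everything, at the cost of certainty.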

Let's face reality.  Destroying media can turn into a relatively expensive proposition, especially when the media could be reused in other departments within an organization.  We all know what is really going to happen.  When a person or department needs a new system for more processing or storage capability, their old system is redistributed to replace an older system in a different department.  That older system is then redistributed in the same fashion or it is retired.  In these cases "clearing" the media is generally the course taken.  Of course common sense needs to be used when redistributing a system.  It is probably not advisable to permit a hard drive or other media from a business or financial department to be rotated to another department that may not use the same media protection procedures.  However, end user activity can also increase the sensitivity of the stored information, through casual personal use or through outright inappropriate behavior such as was seen in the recent disclosure of Veterans Affairs information.

One method that can be leveraged to determine the sensitivity of a piece of media is to scan it with a tool that will search through its stored files and identify files that contain potentially sensitive information.  A tool that I have recently been exposed to is Spider, which is maintained and distributed by Cornell University's IT Security Department.  This software has versions that run on Linux and Windows systems.  It will search through a mounted file system for specific information that includes:  Social Security numbers (SSN), credit card numbers, and any regular expression as defined by the user.  The results are output to a text or comma-delimited file for easy investigation.  Investigation of the results is necessary because of the potential for false positives.

In an attempt to familiarize myself with this tool's functionality I created several files with a bogus SSN in them.  I created several different types of files:

  • txt – text file
  • doc – Microsoft Word document
  • xls – Microsoft Excel document
  • ppt – Microsoft PowerPoint document
  • odt – Open Office Writer document
  • ods – Open Office Calc document

For each of these documents I created two different files.  One that contained an SSN separated by dashes (123-45-6789) and one without dashes (123456789). All of these files were located in a folder on the Desktop of a Windows XP system.  After a full system scan was completed the results identified the txt, doc, ppt, and xls files that contained the dashed SSN.  Only one document that did not contain dashes in the SSN was flagged and that was the Microsoft Word document.  None of the Open Office documents were flagged as containing an SSN.  Additionally, six other files were flagged as containing an SSN but these were easily discounted as false positives.  We can conclude from these results that this is not necessarily a foolproof solution but it is definitely a step in the right direction.
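The kind of scan described above, as an added example that is not Spider's code: a small Python scanner that walks a directory, looks for dashed and undashed SSNs and Luhn-valid card numbers, and reads OpenDocument files by unpacking content.xml from their zip container, which is why a plain byte search over an .odt or .ods finds nothing. The SSA's issuance rules (area 000, 666 and 900-999, group 00 and serial 0000 are never assigned) trim the false positives that the undashed form otherwise produces. The sample files it scans are constructed here with made-up values, and `demo`, `build_sample_tree` and the other names are this example's own.

```python
"""Walk a directory tree, flag files that appear to hold SSNs or payment card
numbers, and emit comma-delimited results for review.

Added example, not Cornell's Spider. Nine bare digits are matched and then
filtered through the SSA's issuance rules; OpenDocument files are searched
via content.xml inside the zip rather than as deflate-compressed bytes.
"""
import csv
import os
import re
import sys
import tempfile
import zipfile

SSN_DASHED = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Nine bare digits not touching another digit or dash, so card numbers and
# dashed SSNs are not re-matched here.
SSN_BARE = re.compile(r"(?<![\d-])(\d{3})(\d{2})(\d{4})(?![\d-])")
# 13-16 digits with optional single spaces or dashes; Luhn-checked below.
CARD = re.compile(r"(?<!\d)(?:\d[ -]?){13,16}(?!\d)")
ODF_EXTENSIONS = {".odt", ".ods", ".odp"}


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def luhn_ok(digits: str) -> bool:
    """Mod-10 check every real card number passes; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def extract_text(path: str) -> str:
    """Searchable text for a file. ODF documents are zip archives whose text
    lives in content.xml; the archive bytes themselves hold no readable digits."""
    if os.path.splitext(path)[1].lower() in ODF_EXTENSIONS and zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            xml = zf.read("content.xml").decode("utf-8", "replace")
        return re.sub(r"<[^>]+>", " ", xml)  # drop tags so adjacent cells stay separate
    with open(path, "rb") as fh:
        return fh.read().decode("latin-1")  # byte-transparent; ASCII digits survive


def find_hits(text: str) -> list:
    """(kind, matched_text) pairs; the kind tells a reviewer how much to trust the hit."""
    hits = []
    for m in SSN_DASHED.finditer(text):
        if ssn_plausible(*m.groups()):
            hits.append(("ssn", m.group(0)))
    for m in SSN_BARE.finditer(text):
        if ssn_plausible(*m.groups()):
            hits.append(("ssn-nodash", m.group(0)))
    for m in CARD.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            hits.append(("card", m.group(0).strip()))
    return hits


def scan_tree(root: str) -> list:
    """(path, kind, match) for every hit under root; unreadable files are skipped."""
    rows = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                text = extract_text(path)
            except (OSError, KeyError, zipfile.BadZipFile):
                continue
            rows.extend((path, kind, value) for kind, value in find_hits(text))
    return rows


def write_csv(rows, out) -> None:
    writer = csv.writer(out)
    writer.writerow(["path", "type", "match"])
    writer.writerows(rows)


def build_sample_tree(root: str) -> None:
    """Constructed test files (every value made up) mirroring the post's experiment."""
    samples = {
        "notes.txt": "Employee SSN 123-45-6789 is on file.\n",
        "export.txt": "id,ssn\n1,123456789\n",
        "ticket.txt": "Ticket 000-12-3456 closed.\n",  # area 000 is never issued: filtered
        "invoice.txt": "Invoice 987654321 paid with 4111 1111 1111 1111; "  # 987 filtered
                       "card 1234 5678 1234 5678 was declined.\n",  # second number fails Luhn
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    with zipfile.ZipFile(os.path.join(root, "memo.odt"), "w") as zf:  # minimal ODF text file
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", "<office:document-content><office:body><office:text>"
                    "<text:p>SSN:</text:p><text:p>123-45-6789</text:p>"
                    "</office:text></office:body></office:document-content>")


def demo() -> list:
    """Scan the constructed tree; returns sorted (basename, kind, match) rows."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return sorted((os.path.basename(p), k, v) for p, k, v in scan_tree(root))


if __name__ == "__main__":
    write_csv(scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo(), sys.stdout)
```

Run with a directory argument to scan real media and get CSV on stdout; with no argument it scans the constructed samples. The structural rules only remove numbers that cannot be SSNs; a phone number written as 555-12-3456 still passes, so the CSV is a review queue, not a verdict.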

In conclusion, storage media has to be properly maintained and disposed of once it has reached the end of its life cycle.  Identify media containing sensitive information by tracking how it has been used and by whom, and by utilizing software designed to help identify files containing sensitive information.  At a minimum "clear" any media that is going to be redistributed within your organization, verify that the overwrite took, and "destroy" anything that is going to leave your control.

Go forth and do good things,

Cutaway 
