[unisog] Identifying data/privacy leakage from infrastructure.
Jim.Dillon at cusys.edu
Mon Aug 16 21:51:41 GMT 2004
I'm undertaking a review of our various campus networks to identify what type of sensitive data is leaking out through the Web. The intent is to use freely available search tools and techniques to see what bleeds out of the far reaches of the organization, just as anyone else on the Web could if they applied themselves. (e.g. lists of identities/grades/SSNs in Excel files.) I've been surprised at how much info about the configuration, security, and protection of network devices actually leaks, this time particularly on *NIX type boxes and Apache servers (for once it isn't an all Microsoft security gripe.)
I've identified the 3 or 4 search engines I'll use (Google, Yahoo, and Teoma primarily), and even a Foundstone tool (Sitedigger) that might be helpful for automating or scripting some of this. I've located and reviewed information on the "Johnny I Hack Stuff" Google site that provides a lot of insight into how to do this primarily for security and configuration leakage.
My question is, has anyone else out here established a protocol or set of good, working practices for this type of analysis? Do you have any favorite Google or Yahoo based searches that typically turn up information? One reality of this exercise so far is that you wade through a lot of "close" or "not quite what I wanted" type info. I'd like the result of the project to be a base list of effective queries that can be run periodically (say each semester) to see who might have carelessly posted what that shouldn't be posted. If you already have such a protocol I'd love to share. My focus will be information of particular value or use in higher education, so that may not be of much use to many of you. Ultimately I hope to identify needed controls that prevent excessive leakage of data.
I'd also appreciate a list of any tools that can be run from a Windows environment that are useful for this task (the task of identifying, and shutting down data leaks).
Anyone with a war chest that would like to help, please contact me off list. If there is enough interest or feedback I'll summarize back some techniques to the list.
Jim Dillon, CISA
IT Audit Manager
University of Colorado
jim.dillon at cusys.edu
Dept. Phone: 303-492-9730
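
An added example, not part of the original post: one way to keep the periodic run described above manageable is to scope a base query list to the institution's own domains and report only hits that were not already reviewed in an earlier semester. The domains, query terms, function names and result URLs below are constructed placeholders; collecting the hits from a search engine is left out.

```python
from urllib.parse import urlsplit

# Assumed inputs: the institution's own domains and a base list of query terms.
OWN_DOMAINS = ["example.edu", "med.example.edu"]                    # placeholders
BASE_TERMS = ['filetype:xls "SSN"', "filetype:xls grades roster"]   # illustrative

def build_queries(domains, terms):
    """Scope every base term to each owned domain with the site: operator."""
    return [f"site:{d} {t}" for d in domains for t in terms]

def normalize(url):
    """Host plus path and query, without scheme or fragment, so the same
    document compares equal across runs."""
    p = urlsplit(url.strip())
    host = (p.hostname or "").lower()
    return f"{host}{p.path or '/'}" + (f"?{p.query}" if p.query else "")

def in_scope(url, domains):
    """True only for hosts that are an owned domain or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(current_hits, reviewed, domains):
    """Return {host: [urls]} for in-scope hits not reviewed in an earlier run."""
    seen = {normalize(u) for u in reviewed}
    out = {}
    for url in current_hits:
        key = normalize(url)
        if not in_scope(url, domains) or key in seen:
            continue
        seen.add(key)  # also drops duplicates returned by several engines
        out.setdefault(urlsplit(url).hostname.lower(), []).append(url)
    return out

# Constructed sample data: last semester's reviewed list and this run's hits.
REVIEWED = ["http://www.example.edu/dept/roster.xls"]
CURRENT = [
    "HTTP://WWW.EXAMPLE.EDU/dept/roster.xls#sheet1",   # already reviewed
    "http://reg.example.edu/old/grades2003.xls",       # new, in scope
    "http://notexample.edu/x.xls",                     # look-alike, out of scope
    "http://reg.example.edu/old/grades2003.xls",       # duplicate hit
]

if __name__ == "__main__":
    for q in build_queries(OWN_DOMAINS, BASE_TERMS):
        print(q)
    for host, urls in triage(CURRENT, REVIEWED, OWN_DOMAINS).items():
        print(host, urls)
```

Grouping new hits by host makes it straightforward to hand each finding to the owner of that server for removal.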