[unisog] number of IT security staff - Web Mining Justification

Jim Dillon Jim.Dillon at cusys.edu
Wed Feb 2 00:30:02 GMT 2005


Since a few of you asked originally for feedback on the Web mining questions I posed a couple of months ago, and since the result integrates nicely into this request (see end of message), perhaps this will help.  If you are not interested in changing management's risk understanding or in finding sensitive data using search engines, then stop now - a long post follows.

As a result of the Web Mining audit/testing, (and coincidentally a small data incident :) ), management is paying attention to the consequences of data loss with slightly more open eyes.  The response to sensitive data threats includes the creation of a centralized CSO type function responsible for coordination with campus CSOs and key data owners.  What this means is it is likely we'll see as many as 4 or 5 more positions dedicated to security policy development, training, and best practices deployment over the next 2 to 3 years.  That on top of about 5 full-time positions at present (approx. 45-50k students, 3 campuses.)  This is speculative, but it appears to be management's direction.  The keys to driving this action here:

1. Awareness of some costly incidents at other U's this year, e.g. San Diego, Kansas, etc.
2. A small incident of our own and the resulting pain.
3. Several audit reports demonstrating the amount of sensitive data floating around, the need for contracting controls, the ubiquity of poor Web site management and security in the distributed realms, removal of SSN as an identifier, and the need for better definition and uniformity in security preparedness and response.
4. Sensitive data discovery doing Web Mining.
5. A Chief Operating Officer type or Chancellor that understands his/her own personal liability in this area, and he's/she's not willing to let that go unchallenged.
6. Enough other bad press in unrelated areas to generate a strong desire to control more bad press.

So for Joe and Kathy, you need some recent pain (unfortunately - borrow it from someone else if you don't have any) and you need to build and present to management a good case for how much pain is just waiting to explode should you leak some sensitive info.  Take enough time to prove just how far flung the sensitive info is distributed (walk it out to end-users, I did that here, it was a very high percentage of admin desktops) and you've got your case for action.  One good avenue to explore is the consequences of failure in credit card controls - see the VISA CISP standards and the consequences for failure to comply to help enlighten management to the risk level you face.  No one will disagree that loss of credit card/Visa operations is a significant hit to the U's business model.

The Web Mining effort I mentioned was essentially a dedicated 300+ hours of trying freeware "Web Hacking" tools, search engines, and uniquely qualified search terms to locate and expose sensitive info leaking from university Web sites.  Useful in this effort were:

1. Foundstone's SiteDigger freeware.  Uses the Google API/.net extensions.
2. Athena, a European improvement to SiteDigger for what I was doing.  It allowed the use of other search engines such as Yahoo, Teoma, and Alta Vista.
3. The http://johnny.ihackstuff.com/ site and information I gleaned there.  Definitely the source for Google Hacking.
4. The best thing found I didn't get to employ in the audit, it's too new, but it looks more useful than an apple peeler in Washington.  WIKTO, by Sensepost, has by far the most promise in this area.  It uses the entire Google-Hacks list from the Johnny site (more than 600 "google hacks" in an XML file) and should combine and enhance everything I learned from the first 3. As with the other tools it uses Google's API/.net interface.

The combination of running a tool like WIKTO and adding a few dozen of your own crafted queries against your institution's domains can reveal leaking SSNs and grades, rosters, server weaknesses such as SQL injection vulnerability, passwords, and .bak or config file leakage, email repositories, sensitive data collection, and credit card transactions or repositories.  I found enough using the tools to be convincing that some things about how we do business need to change.  At present I believe it will work to accomplish what Joe and Kathy are asking for.

There is an art to getting the right queries.  I learned that searching for 521 (the first three numbers of typical colorado residents' SSN) was more successful than searching for terms like SSN and SID.  Searching for the phrase "Conference Registration" was more useful than searching for "Credit Card #".  This is the art in analyzing your own domains, and I don't know an alternative to just expending the energy to see what works for you.  I found that some of these worked well at some campuses, and not at others.

Anyway, I'd encourage you all to consider some time doing "Google searches" on your domains for sensitive info, it can be revealing and may be helpful in generating additional security attention from your strategic planners.


Jim Dillon, CISA
IT Audit Manager
University of Colorado Internal Audit
jim.dillon at cusys.edu
Phone: 303-492-9734
Dept. Phone: 303-492-9730
Fax: 303-492-9737

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org]On Behalf Of Joe Ferris
Sent: Tuesday, February 01, 2005 2:30 PM
To: UNIversity Security Operations Group
Subject: Re: [unisog] number of IT security staff

Kathy -

Please help us all justify expanding the security staff, we could use
the help.  Here at Florida State University, we have three dedicated
security staff positions and currently no OPS or student workers.  If
there is anything else that I can do to help you, please let me know.


Joe Ferris
Florida State University
OTI - User Services
Computer Security Team

On Mon, 2005-01-31 at 10:43 -0500, Kathy Bergsma wrote:
> In order to help justify expansion of the UF IT security team, I would like to 
> know the number of staff dedicated to IT security at comparable institutions. 
> Please respond with the name of your university, the number of students, and the 
> number of dedicated IT security staff.

More information about the unisog mailing list