What is Identity Finder?
Identity Finder searches a computer for Personally Identifiable Information (PII) such as credit card, social security, and bank account numbers. It also provides a way to manage such data once identified.
Why is UNC-Chapel Hill using Identity Finder?
As part of the information security strategy that the University is moving forward with, data identification software was purchased to help discover sensitive data stored on University-owned computers. UNC-Chapel Hill is using Identity Finder to proactively locate and secure sensitive data on computers and servers so that the data are not left vulnerable to potential unauthorized access.
How do I obtain a copy?
There are three phases of the Identity Finder rollout.
- Phase I: Beta testers
- Phase II: Preview version
- Phase III: Centralized server implementation
The client software distribution was limited to approved Beta Testers in order for them to familiarize themselves with the software and its capabilities.
The preview version will allow a larger group of users to become familiar with the Identity Finder interface. The preview client has the same functionality as the Enterprise client, except that you cannot scan network-attached drives. Lastly, the deployment of the centralized server will allow end-user clients to be locked down so that users cannot use certain features of the Enterprise client (e.g., scanning remote web servers).
Information Security Liaisons (ISLs) or their delegates can obtain a copy of the preview version at http://software.unc.edu/identityfinder/IdentityFinderSetup.exe. Note that you must also have an activation license card. If more licenses are desired, please send a Remedy ticket to the Information Security Remedy group and let us know how many more licenses you would like. Any ISL or their delegate may request additional licenses.
I’m a faculty/staff member at UNC-CH and would like to obtain a copy of Identity Finder. Whom do I contact?
During the initial phases of the Identity Finder project, the software is only made available to the Beta Testers and then to ISLs. Information regarding wider distribution will be disseminated during Fall 2013.
How much will Identity Finder cost?
Identity Finder is a centrally funded initiative from ITS and is available at no cost to end-users (faculty and staff) at the University.
Where can I find Identity Finder?
The Enterprise client will be available at the ITS Software Acquisition site in Fall of 2013.
Is there a Unix/Linux client?
No. But the Windows and Macintosh clients can scan network drives mapped either via SMB or AFS.
Are there any precautions I should be aware of before I begin to use Identity Finder?
Yes. Identity Finder is a very powerful tool. It can be used to encrypt or shred data (render it unrecoverable). It can also be used to scan remote file shares and remote servers. Used without forethought, it could potentially bring down a remote server.
Are there any recommendations to keep in mind when working with Identity Finder?
- Initially, accept the Search defaults (what type of data to scan and where to scan it).
- For your first scan, choose a non-mission critical and unimportant system, such as a desktop. Familiarize yourself with Identity Finder by running searches on that system.
- Practice moderation. Scan only as much as you can address in a reasonable amount of time.
- Identify in advance where you will store sensitive data should you discover it.
Are there University policies I should review in conjunction with beginning to use Identity Finder?
We recommend that you be familiar with the Incident Management Policy and with the University records retention policy.
Where can I find out more detailed instructions on downloading, installing, and configuring Identity Finder?
Help with using the Windows software can be found here: http://www.identityfinder.com/Help/Client_Win
Is there an Identity Finder Users’ Group here at UNC-CH?
Yes. Send an email message to email@example.com. Let the subject of the message be blank. In the body of the message, simply include subscribe identity-finder-users-group. Doing so will add you to the Identity Finder Users’ Group mailing list, which is used for discussion of issues and also to announce meeting times and places for the users’ group itself.
What information does Identity Finder locate?
Identity Finder is capable of finding the following Identity Types on your computer.
- Social Security Numbers
- Credit Card Numbers
- Bank Account Numbers
- Driver License Numbers
- Dates of Birth
- Phone Numbers
- Other (using pattern matching)
By default, Identity Finder searches for password entries, SSNs and credit card numbers.
SSNs: Identity Finder searches for formatted SSNs (NNN-NN-NNNN) and unformatted SSNs (NNNNNNNNN).
However, to get a hit on an unformatted SSN there are restrictions. The file has to also have the keyword SSN or Social Security somewhere in the file. For most files, there also have to be three hits for this type of number before Identity Finder will notify the person making the scan. For a PDF only one hit is needed, as many PDF travel forms require an SSN to be provided. Because UNC-CH PIDs typically follow the pattern of an unformatted SSN, the false positives are reduced greatly by the need for the keywords SSN or Social Security. Formatted SSNs do not have the same restrictions.
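The SSN reporting rules described above can be expressed as a short Python check. This is an added illustration, not Identity Finder's own code; the regular expressions, the case-insensitive keyword match, the function name and the sample strings are assumptions constructed for the example.

```python
import re

# Formatted SSNs (NNN-NN-NNNN) are reported without further conditions.
FORMATTED = re.compile(r"(?<![\d-])\d{3}-\d{2}-\d{4}(?![\d-])")
# Unformatted SSNs (NNNNNNNNN): exactly nine digits, not part of a longer number.
UNFORMATTED = re.compile(r"(?<!\d)\d{9}(?!\d)")
# Keyword gate; case-insensitive matching is an assumption of this example.
KEYWORD = re.compile(r"\bSSN|Social Security", re.IGNORECASE)


def ssn_findings(text, is_pdf=False):
    """Apply the FAQ's reporting rules to the extracted text of one file."""
    formatted = FORMATTED.findall(text)
    candidates = UNFORMATTED.findall(text)
    threshold = 1 if is_pdf else 3  # a PDF needs one hit, other files three
    has_keyword = KEYWORD.search(text) is not None
    reported = candidates if has_keyword and len(candidates) >= threshold else []
    return {
        "formatted": formatted,
        "unformatted": reported,
        "suppressed": len(candidates) - len(reported),
    }


# Constructed sample texts (9xx values are not issued as SSNs).
PID_ROSTER = "PID 720123456\nPID 720123457\nPID 720123458\n"
HR_EXPORT = "Name,SSN\nA,900123456\nB,900123457\nC,900123458\n"
TRAVEL_FORM = "Social Security number: 900123456"
MEMO = "Please update the record for 900-12-3456."

if __name__ == "__main__":
    for name, text, pdf in [("roster", PID_ROSTER, False), ("export", HR_EXPORT, False),
                            ("form.txt", TRAVEL_FORM, False), ("form.pdf", TRAVEL_FORM, True),
                            ("memo", MEMO, False)]:
        print(name, ssn_findings(text, is_pdf=pdf))
```

The PID roster produces no report because the keyword is absent, and the single-hit travel form is reported only when treated as a PDF.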
Credit Card Numbers: Identity Finder searches for MasterCard, Visa, Discover, American Express, Diners Club.
Password Entries: Identity Finder comprehensively searches for passwords using a logic similar to that used for unformatted SSNs.
Also, Identity Finder is configured to not reset timestamps during search.
What can I do with information that Identity Finder locates?
Shred: Permanently deletes the entire file containing PII.
Warning! This feature should only be used if you are certain that none of the information contained within the file needs to be retained for the conduct of University business. If you are unsure, DO NOT SHRED the file. Shredding a file renders the data unrecoverable.
Scrub: Removes only the characters in the file that constitute PII.
This feature should be used if actual numbers or words are identified but you still wish to save the rest of the file. The characters identified as PII will be replaced with capital Xs.
Secure: When a text-based file (e.g., .txt, .html) has sensitive identity match information in it and you wish to keep the file on your computer, use Secure to secure the file within an encrypted compressed file. Depending on the software you use for uncompressing files, you should be careful to choose the correct encryption options.
There are two ways to secure a single file:
- Single click the file result with the left mouse button to highlight it and click the Secure button on the Main ribbon. If you are signed in to your Profile, that password will be automatically used. To use an alternate password, click the down-arrow on the Secure button and select Secure with Alternate Password.
- Single click the file result with the right mouse button to highlight it and bring up a context menu, then highlight and left-click on Secure.
Quarantine: Moves the PII to a separate folder to be acted upon later.
Quarantine is a last resort method for handling PII. When a location containing PII has been identified but the entire file is absolutely necessary, the Quarantine feature can be used to relocate that data to a separate folder, the location of which you will be prompted for. You will then be required to encrypt the information by your own means or by consulting with your IT support staff.
Ignore: Adds the file location to a list that Identity Finder will ignore in future searches. This feature should only be used if the data identified as PII is not actually PII. For example, Identity Finder may find a string of numbers in a file that appear in the same format as a credit card or social security number. This is known as a false positive and does not need to be removed. CAUTION: DO NOT USE IGNORE UNLESS YOU ARE 100% POSITIVE THE DATA IS NOT PII.
Where can I find the recommended scanning configuration for Identity Finder?
When using the preview (not centrally-managed) client for Windows, we recommend the default settings: search for Social Security Numbers, Credit Card Numbers, and Password Entries in Files and Compressed Files, E-mails and Attachments, and Browsers folders.
What happens when Identity Finder locates incorrect PII?
Sometimes Identity Finder will find data that appears to be PII, but is in fact not. This is known as a false positive. When this occurs, select Ignore to keep the data and prevent Identity Finder from accidentally locating it again.
Will a scan slow my computer?
The first time Identity Finder is run it may take a while and the scan may affect the computer’s performance. Subsequent scans should be much faster and should not affect system performance as much.
How long does a scan take to complete?
The length of time to complete a scan depends on your computer’s performance capabilities and the amount of data being searched.
How often should I run an Identity Finder scan?
How often Identity Finder should be run is up to you. The more often your job function requires dealing with sensitive data, the more frequently you should consider running a scan.
Where does Identity Finder search on my computer?
By default, Identity Finder for Windows will search the following locations for PII:
- Files and Compressed Files
- E-mails and Attachments
What are Anyfind, Multifind, and Onlyfind?
You can run the AnyFind search by clicking the appropriate Identity Type buttons on the Identities Windows ribbon. Identity Types are the various PII that might be located on your computer.
OnlyFind allows you to search for only an individual’s specific personal information instead of any person’s information. Instead of finding all numbers with the SSN format, you specify the unique SSN.
MultiFind is Identity Finder’s advanced, proprietary technology that automatically searches computers for various Identity Types together in a single location. MultiFind is a way to require AnyFind Identity Types to be dependent on each other.
How do I Search for Sensitive Data?
You can customize what you want to search for by choosing options on the Identities ribbon and Locations ribbon.
How do I Search for HIPAA information?
HIPAA-protected information may be located by selecting Health Information as one of the types of files that Identity Finder searches for. More information can be found using the following links:
How can I search for credit card (PCI) information?
PCI-protected information may be located using Identity Finder’s MultiFind technology, and selecting PCI Information. More information can be found using the following links:
Why am I receiving a licensing error?
Beta testers who receive licensing errors should send a Remedy ticket to ITS-Security.
How Frequently Should You Search Your Data?
The frequency is up to you. Obviously, running it on a weekly or even daily basis will ensure a higher level of security for your computer. New PII can be exposed on your computer every day, so the more frequently searches are run, the more effective they will be. You can also schedule Identity Finder to run automatically on a periodic basis via the Results Wizard, the Scheduling button, or the Settings dialog box.
How do I reset my Profile Password?
The Identity Finder client application provides the ability to save settings, configuration information, and sensitive data across sessions through the use of a profile password. It is not possible to recover a lost password; however, it is possible to delete a profile and create a new one. When the profile password is created, that password is used to encrypt the profile. The profile password is not stored anywhere and therefore if it is lost or forgotten, then all of the information in the profile will be lost. The following data will be lost when deleting a profile:
- Custom Folders, Remote Computers and authentication credentials
- OnlyFind Identities
- Ignore list entries
- Password Vault entries
- Database connection information
- Websites list
How do I delete a profile using Identity Finder?
A profile can be deleted by logging into Identity Finder as a guest by skipping the password screen, opening the Profile page within Settings/Preferences, and clicking the Delete profile button.
How do I manually delete a profile?
To manually delete a profile, remove the file identityinfo.dat from the location(s) specified in the Windows and Mac online user guides.
What is a Digital Shredder?
The shredder technology is based on the United States Department of Defense Directive 5220.22-M, which provides baseline standards for the protection of classified information. It uses multiple levels of deletion so that the file you delete may not be recovered, even by undelete programs. You can read more on the Defense Technical Information Center website.
Why is my virus scanner creating alerts during Identity Finder searches?
During the course of an Identity Finder search, anti-virus applications may create an alert for files created in a subfolder of IDFTmpDir located in the user profile folder. This is not a problem with Identity Finder, but rather indicates that the user’s system already contains one or more infected files.
The files in IDFTmpDir are created during a search, specifically and most commonly when extracting files from archives (e.g., .zip files) or when detaching them from e-mail messages. To search these files, Identity Finder places them in a temporary folder and then attempts to open them for read access. If the file has a virus, the act of extracting or detaching the file to the temporary folder and/or the attempt to read the file may trigger the anti-virus application (depending on its configuration). If Identity Finder is configured to log Locations Searched, you may be able to determine the specific archives or messages that contain the infected file(s); however, in these instances, it is recommended that you perform a full anti-virus scan of the user’s system ensuring a search within archive files and e-mail attachments.
For additional details on the location of the user profile folder for each operating system, please refer to the Windows or Macintosh configuration guide.
Do I need to run Identity Finder on public computers?
If the computer in question is a public computer (does not have a specific owner but is rather managed by an organization such as a library or computer lab, etc.) and is set up for re-imaging on a frequent basis, it should not need to be scanned. To verify that a computer is exempt, please contact the Information Security Office (919-445-9393, firstname.lastname@example.org, or Remedy ticket to ITS-Security).