Where to Search for Confidential Data
This article applies to: Security Essentials for IT Professionals
The standard confidential data scan scenario is one person scanning one computer that contains one hard disk. In that case, the search and remediation process is straightforward, with few challenges or pitfalls.
Unfortunately, the majority of computing environments on campus do not fit that standard scan scenario. Common non-standard situations include:
- External drives
- USB thumb drives
- Removable media
- Network file shares
- Computers for which no suitable scan tool exists
- Computers with multiple users (shift workers and other multi-user environments)
Even in these non-standard situations, it's possible to apply a highly-capable data discovery tool. The following rules can guide the process.
- For computers with multiple users, the scan must either be run by each user on their own profile or account or the entire machine should be scanned from an administrator account.
- The scan process should closely represent normal work habits. That is, scans from other machines or other operating systems, unusual ways to gain access to files or disks, or any other out of the ordinary operation should be used only as a last resort.
- Most external drives, CD/DVD media, or networked file storage can be reduced to the most basic example. These storage locations generally present themselves as another hard disk and can be scanned as such.
- Where tool or technology limitations prevent the application of rule 1 or 2, try to make the data accessible to the platform with the most capable data discovery tool. This is particularly useful in server environments whose operating systems don’t support more feature-rich search tools. Data discovery tool capabilities are severely limited in UNIX but quite mature under Windows. Scanning from the latter operating system greatly improves discovery. UNIX file servers can present a Windows file sharing environment through Samba.
Backups, Rebuilt, Migrated, and Transferred Machines or Data
Rebuilt or Migrated Machines and Backup Data: When a machine is rebuilt or migrated, the data may be restored from a backup file. As a precaution against reintroducing confidential data, the machine should be scanned after the data is in place.
Transferred Machines: When a machine is transferred from one user to another, it's possible for files to be carried over that are not owned by the current machine user. During a scan for confidential data, those files are not detectable and are not scanned. When transferring a machine to a new owner, make sure all files have the correct ownership and permissions so they can be included in the scan.
For tool-specific, step-by-step instructions for scanning external drives, removable media such as CDs and DVDs, and network file shares, see Identity Finder.