Do You Know What Sensitive Information is on Your Computers?
Thursday, June 18, 2009 2:39
In a recent article on PCI, I discussed the need to know what sensitive information you are storing or have on your systems. How, then, do you discover or determine what sensitive information is on your computers and other endpoint devices? An endpoint device is basically the starting point or final destination of all information or data going over a network. Endpoints include, but are not limited to, laptops, personal computers, servers, network appliances, network-attached storage, or any other type of device that can connect to a network using wireless, Ethernet or a modem. Depending on your network, this can include many types of devices, which makes securing your information even more important.
Today, you constantly hear about laptops being stolen with a wealth of sensitive information stored on the device. The same problem occurs if someone breaks into your business and steals your computers or other endpoint devices. What about your home computer? Do you use it for business? If so, do you have any sensitive information on it, or could it be that you have your own personal information on the computer, such as billing or account information? Would you want someone having access to this information about yourself, your business or your customers if they gained access to your system, stole the devices or turned out to be a bad employee? How can you protect such information if you don’t know that you have it and where it is located?
In most cases, sensitive information includes credit card data and Social Security information. I have listed a couple of applications that you can download and run to discover if and where you have such sensitive information. New applications are coming out all the time, so this is not a complete list, just a starting point. They include:
- Spider - This application was developed to find files on your computers and endpoint devices that contain Social Security and credit card numbers. There are Windows, Mac and Unix versions of this application. It is a free application that was developed by the university to assist in the identification, review and removal of files with sensitive information.
- Sensitive Document Finder - This is another application that was developed by a university and has the capability to discover Social Security and credit card numbers on a system or in a file. The site has instructions on how to install it on a Windows system, and contact information for obtaining instructions for a Mac or Linux system.
- Identity Finder - There is a free edition as well as paid editions on the site. The free edition appears to discover only credit card numbers and passwords, while the home edition also allows you to find Social Security information, bank information, dates of birth and other related information. The professional edition discovers the same types of information as the home edition but adds customization features as well as searching for such information over the internet. Currently, there is only a Windows version of this software.
For all these applications, review the documentation and site information prior to using the application. I would also test it on a single computer prior to using it across your business.
After running the software and collecting the information, what is next? There will most likely be some false positives, meaning that a file appears to contain sensitive information when it does not. Management of the findings can be done in a centralized or decentralized manner. A centralized approach requires all findings to be reviewed by one person, who validates that sensitive information is actually present and, if necessary, determines the outcome for that information (such as removal or destruction of the data). In a decentralized approach, which I recommend for smaller businesses and organizations, individuals are given the responsibility of reviewing the findings on their own systems to determine whether or not the information is sensitive. The reason I recommend this is that most employees at a small business fill more than one role and have more intimate knowledge of what is included in their files and systems, so it will be easier for them to weed out false positives. The downside of this approach is that the process is harder to organize for larger organizations. Follow-up is key, no matter which approach you use.
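As an added illustration (not the post's own code, and not taken from any of the tools above), the following Python sketch shows how a scanner of this kind cuts down false positives: a run of 13 to 16 digits is reported only if it passes the Luhn check that all major card numbers satisfy, and an SSN-shaped string only if its area, group and serial parts could actually be issued. The sample text is constructed for the example.

```python
import re

# Candidate patterns: 13-16 digit runs with optional space or dash separators,
# and the NNN-NN-NNNN Social Security number layout.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped strings that the issuing rules say cannot exist."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def find_sensitive(text: str) -> dict:
    """Return Luhn-valid card-number candidates and plausible SSNs in text."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):          # drops order numbers, serials, etc.
            pans.append(digits)
    ssns = ["-".join(m.groups()) for m in SSN_RE.finditer(text)
            if ssn_plausible(*m.groups())]
    return {"pan": pans, "ssn": ssns}


# Constructed sample file contents, not real data.
SAMPLE = """Test card 4111 1111 1111 1111 (Luhn-valid), order ref 1234 5678 9012 3456
(fails Luhn). SSN 123-45-6789 passes the structure check; 666-12-3456 and
000-12-3456 cannot be issued and are dropped."""

if __name__ == "__main__":
    print(find_sensitive(SAMPLE))
```

Only the Luhn-valid card number and the one plausible SSN are reported; the remaining hits are the false positives a reviewer would otherwise have to weed out by hand.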