NSM: PI detection with grep utils

Here's a simple way to monitor network traffic for compliance with state & federal privacy regulations. Monitoring is especially important on perimeter ISP links, where PI can be seen flying naked into the public Internet.. how embarrassing!

These Ngrep commands will detect unencrypted SSNs and credit card numbers passing through a network:

:: Spaced SSNs: ngrep -d [interface] -q -t '(\s|^)([0-6]\d\d|7[0-256]\d|73[0-3]|77[0-2]) \d{2} \d{4}(\s|$)'
:: Dashed SSNs: ngrep -d
[interface] -q -t '(\s|^)(6011|5[1-5]\d{2}|4\d{3}|3\d{3})-\d{4}-\d{4}-\d{4}(\s|$)'
:: Dashed CCs (16-digit):
ngrep -d [interface] -q -t '(\s|^)(6011|5[1-5]\d{2}|4\d{3}|3\d{3})-\d{4}-\d{4}-\d{4}(\s|$)'
:: Non-spaced CCs  (16-digit): ngrep -d [interface] -q -t '(\s|^)(6011|5[1-5]\d{2}|4\d{3}|3\d{3})\d{12}(\s|$)'

Storing unencrypted PI on disk is also a big no-no. Here's how to detect these:

:: Spaced/dashed SSNs: pcregrep -r "(\D?\W)([0-6]\d\d|7[0-256]\d|73[0-3]|77[0-2])( |-)\d{2}( |-)\d{4}\D" [folder/drive/network path to search]
:: Spaced/dashed CCs: pcregrep -r "(\D?\W)(6011|5[1-5]\d{2}|4\d{3}|3\d{3})( |-)\d{4}( |-)\d{4}( |-)\d{4}\D" [folder/drive/network path to search]

No comments: