Re: Scanner for sensitive information

[Isac Balder <piis8 () YAHOO COM>]

Wayne,

First let me adress the specific question
> My question is whether there is some product or other
> software that I
> can run centrally that can help me assist webmasters keep
> sensitive
> information inaccessible to the public. Ideally, I would
> like to do this
> on much the same way I use my vulnerability scanner now.

Yes and No.
There are products both commercial and free.
Centrally managed tools will mostly fall in the commercial arena.  Your commercial tools will also get pricey real 
quick as they are often marketed under the buzzwords of DLP, data leakage prevention.
Most of your free tools will be stand alone clients without automated upstream reporting.


You effectively mention two seperate things here
PII on the server harddrive
and
PII accessable to the public

I seperate them mainly because you specifically mentioned web servers.

To address the first.  The two main free tools are
Schedule a time to meet with and coordinate the work with your web team as you will need privelges or someone 
cooperative with privelges.

Univeristy of Texas senf is nice - multi platform java based. 
https://source.its.utexas.edu/groups/its-iso/projects/senf/

Cornell Spider is also nice - windows .net based / seperate *nix client. http://www.cit.cornell.edu/security/tools/

and
recently found University of Illinois's Firefly for Mac (have not played with this one yet) http://firefly.uiuc.edu


Now to address the 2nd item, Information that is actually accessable to the public.  It's a bit manual but I have to 
say goolge hacking, and not just on google, also hit other search engines.

CDC's Goolag is nice to automate the Google searches, just make sure you change the default time settings so that you 
do not get blocked by google.
http://www.goolag.org/


Happy Scanning

I.B.

"Say hello to all the apples on the ground"


--- On Mon, 6/16/08, Wayne Bullock <wayne () FAU EDU> wrote:

> From: Wayne Bullock <wayne () FAU EDU>
> Subject: [SECURITY] Scanner for sensitive information
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Date: Monday, June 16, 2008, 10:58 AM
> I'm being asked to scan our web servers (but perhaps
> others servers such
> as FTP, etc) for sensitive information. We are especially
> looking for
> Social Security numbers, Z-numbers, credit card numbers
> phone numbers,
> etc.
>
>
>
> Currently, we do an external vulnerability scan of the
> University's
> computers several times a year with emphasis on the DMZ
> computers.
> However, this will not search for sensitive information, at
> least with
> the product we are using.
>
>
>
> The software that I have been able to easily identify needs
> to run on
> the web server but, clearly, I don't have privileged
> access to all
> University web servers.
>
>
>
> I know that we can do more to educate our systems managers
> and make them
> responsible for running the spiders on their own systems
> periodically.
> We're working on that.
>
>
>
> My question is whether there is some product or other
> software that I
> can run centrally that can help me assist webmasters keep
> sensitive
> information inaccessible to the public. Ideally, I would
> like to do this
> on much the same way I use my vulnerability scanner now.
>
>
>
> If this exists, I'm sure the bad guys have it by now.
>
>
>
> I appreciate your thoughts. Thanks.
>
>
>
>             --Wayne
>
>
>
> Wayne Bullock, MSCIS, CCNA
> Associate Director, Communication Services Infrastructure
>
> Information Resource Management
> Florida Atlantic University
> 777 Glades Road
> Boca Raton, FL 33431