[unisog] related topic PHI & HIPAA-- scanning for SSN, CC

Harris, Michael C. HarrisMC at health.missouri.edu
Thu May 25 21:50:17 GMT 2006


As a related topic, is anyone running Snort (or other IDS) rules that alert on clear-text transmission of data that would match a mask for SSN or credit card data? With or without check digits?

We had experimented with Snort rules for tracking Patient Health data identifiers (medical record, visit numbers etc) as triggers for HIPAA data in the clear. 

Mike

--------------------------------------------------------------
Michael C. Harris
System Security Analyst & Instructor
University Of Missouri Health Care
harrismc at health.missouri.edu      KCØPAH
----------------------------------------------------------------- 

A C program (for speed) that knows the format of SSNs and CC numbers (I think both have check digits which will identify a valid number if calculated) should reduce your false positive rate. Of course it needs to be able to detect and deal with Unicode and will likely be fooled by either encryption or compression, but perhaps that is good enough.

Peter Van Epp / Operations and Technical Support Simon Fraser University, Burnaby, B.C. Canada 

-----Original Message-----
On Behalf Of Peter Van Epp
Sent: Thursday, May 25, 2006 1:51 PM
To: UNIversity Security Operations Group
Subject: Re: [unisog] RealVNC forensics & Complying with state disclosure laws -- Was RE: VNC scanning?

On Thu, May 25, 2006 at 02:30:04PM -0400, James H Moore wrote:
> Good point about the potential for hiding data, especially looking for the compromise part (one of my questions).
>  
> In our case as we look at the information security breach disclosure law (in our case for NYS), we are looking for information in normally used files by knowledge workers.
>  
> I did run FileLocatorPro, the first time, on all files matching a SSN pattern, and got 26K hits.   I haven't reviewed the results completely yet, but it appears that none of them are real SSNs.
>  
> From a Windows perspective, is there something better to use to look
> for SSNs (and credit card numbers)? Is that why there was discussion
> a little while ago on the Educause Security mailing list about the
> file scanner written in C (or is it just that it is faster than the
> FileLocatorPro swiss army knife)?
>  
> Jim
> 

	_______________________________________________
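
An added sketch of the kind of validating scanner discussed in this thread (not code from the thread or from any tool named in it): card candidates must pass the Luhn check, and because SSNs carry no check digit, SSN candidates are only screened against never-issued ranges. The names `luhn_ok`, `ssn_ok`, `scan` and the sample text are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define DIG(c) isdigit((unsigned char)(c))
struct hits { int cards, ssns; };

/* Luhn checksum over n collected digits (card numbers are 13-19 long). */
static int luhn_ok(const char *d, int n) {
    int sum = 0;
    for (int i = 0; i < n; i++) {
        int v = d[n - 1 - i] - '0';
        if (i % 2 == 1 && (v *= 2) > 9) v -= 9;   /* double every 2nd digit */
        sum += v;
    }
    return n >= 13 && n <= 19 && sum % 10 == 0;
}

/* SSNs carry no check digit, so only never-issued ranges are rejected:
 * area 000, 666, 900-999; group 00; serial 0000. Expects AAA-GG-SSSS. */
static int ssn_ok(const char *p) {
    for (int i = 0; i < 11; i++)
        if ((i == 3 || i == 6) ? p[i] != '-' : !DIG(p[i])) return 0;
    int area = (p[0] - '0') * 100 + (p[1] - '0') * 10 + (p[2] - '0');
    return !DIG(p[11]) && area != 0 && area != 666 && area < 900 &&
           memcmp(p + 4, "00", 2) != 0 && memcmp(p + 7, "0000", 4) != 0;
}

/* Scan NUL-terminated text; card digits may be grouped by spaces/dashes. */
struct hits scan(const char *t) {
    struct hits h = {0, 0};
    for (const char *p = t; *p; p++) {
        if (!DIG(*p) || (p > t && DIG(p[-1]))) continue;  /* run starts only */
        if (ssn_ok(p)) { h.ssns++; p += 10; continue; }
        char d[20]; int n = 0; const char *q = p;
        while (n < 20 && (DIG(*q) || ((*q == ' ' || *q == '-') && DIG(q[1])))) {
            if (DIG(*q)) d[n++] = *q;
            q++;
        }
        if (luhn_ok(d, n)) { h.cards++; p = q - 1; }      /* skip past a hit */
    }
    return h;
}

int main(void) {   /* constructed sample text, not real data */
    struct hits h = scan("cc 4111 1111 1111 1111 ssn 123-45-6789 bad 000-12-3456");
    return printf("cards=%d ssns=%d\n", h.cards, h.ssns) < 0;
}
```

The scanner reads single-byte text only; UTF-16 content would have to be decoded before it is passed to `scan`.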