I\'m looking for ways to check for the presence of credit-card data and other pe

Question

I'm looking for ways to check for the presence of credit-card data and other personally identifiable information in files on a network I'm testing.

Currently i'm doing this manually with the usual tools like grep and some terrible reg-ex but a nice stand-alone application would be ideal. Especially something i can use the output of and drop in a report. If i query the files from a terminal looking for card-numbers, it spits them back out, which also means i have to redact them. Ideally I need a count and a list of 'anonymized card numbers' as well as which files they were in.

Any suggestions on alternate ways of finding this data or tools that can be used to achieve this would be most welcome.

Explanation / Answer

ccsrch is a tool for exactly this purpose. I have seen QSAs use this as part of their audits.

Personally, I'm not fond of it. I've run it against a file with 100k cards and it found all 50k of them. I got better hit rates with a python script I threw together in an afternoon. And the output requires lots of manual review to weed out false positives.

But, again, QSAs use it, and it's better than nothing.

Related Questions

Navigate

• Browse (All)
• Browse I
• Subjects

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.