

Uncover PII security risks with free tools

Personally identifiable information can live outside the databases on corporate networks, and it needs to be locked down so attackers can't get it. Luckily, there are free tools IT can use to improve PII security.

Personally identifiable information lives on the networks of the largest enterprise to the smallest office and all types of businesses in between. Without proper protection, it's just waiting to be exposed by carelessness, ill-intent, malware or another threat.

Much of information security's focus is on protecting personally identifiable information (PII), and for good reason. We are approaching 1 billion PII records exposed over the past 10 years.

PII -- such as Social Security Numbers (SSNs) and credit card information -- can live practically anywhere on the corporate network. It can be in Word documents, Excel spreadsheets, PDF files and even text files such as application logs. These sensitive assets are dubbed "unstructured information" because they're not in a database, and many organizations have no PII security measures in place for them. It's there for the taking -- viewing, copying, deleting -- and when something bad happens, companies may never know about it.

Tools to improve PII security

Companies can't afford to be unaware or underprotected. The first step toward fixing security issues is acknowledging the problem. The good news is there are great free tools -- such as SoftPerfect's Network Scanner, Microsoft's ShareEnum and vulnerability scanners such as Nexpose -- IT administrators can use to find open shares that leave PII unprotected on Windows workstations across the network.

Here's an example of SoftPerfect Network Scanner's findings:

[Screenshot] Network Scanner shows the open shares on the network.

The various open shares are listed as manila folders with red exclamation points in the IP Address column on the left, and the share permissions are under the respective Shared Folder columns on the right.

Admins should run these scans on their network segment(s) with domain authentication to see what other domain users see. SoftPerfect Network Scanner offers a couple of different configuration options for seeking out open shares, including options to enter Windows credentials:

[Screenshot] View of available options for scanning shares.

Once the scanner finds the open shares -- especially the ones that grant full rights to the Windows Everyone group -- admins can use Windows search or a tool such as FileLocator Pro to find instances of PII in files on those shares. These searches use simple queries such as "SSN" or regular expressions that match the format of the PII in question, restricted to whatever file types admins choose to search. For example, here's a search for "SSN" in FileLocator Pro:

[Screenshot] A query in FileLocator Pro.

Taking this approach to uncovering PII security gaps is sort of a poor man's data loss prevention (DLP); it's just a start. Many shops need a full-fledged DLP system, cloud access security broker, or both to fully inventory and protect sensitive unstructured information.

Keep in mind that there's likely as much intellectual property to be protected in the enterprise, and it's at risk in the same ways as PII. However, for whatever reasons, many executives and their legal counsel foolishly believe that contracts and other legal protective measures are enough to keep that information in check. Don't forget about sensitive information in databases that may be exposed as well, in SQL Express instances running on random workstations, for example.

Be sure to look in all areas of the network for the many kinds of sensitive assets. Regardless of any specific nuances, make finding and protecting this information on enterprise desktops a top priority.
