DLP and SSNs
I've got a policy/protection profile set up for just outbound email from our public email server and in the DLP rules I'm looking for SSNs. We are getting quite a bit of false positives in that the numbers look and are formatted like SSNs but aren't. Typical example is a reply to an email from Hotmail. Microsoft adds this to their email:
Hotmail: Free, trusted and rich email service. Get it now. ( http://clk.atdmt.com/GBL/go/171222984/direct/01/ )
As you can see, the URL has a 9 digit number that looks like a SSN.
Is anybody else using DLP to look for SSNs or credit card numbers in email/html and is running into this type of problem? We'd really like to continue to use the regex to look for data leaks but it's becoming a management/helpdesk nightmare.
Also, does anybody know when Fortinet gained the capability to look inside the new MS Office file formats (.xlsx and .docx)? I tested pretty extensively with DLP and noticed that the firewall could look inside standard .xls files for SSNs and find/block them but it couldn't do the same with .xlsx files. On Tuesday I had a user complain that their email was blocked and it turned out that it had an .xlsx attachment with numbers in it that looked like SSNs (turns out there were zip codes formatted like this 596015670 instead of 59601-5670) but were not. I hadn't applied any firmware updates to the firewall so I'm assuming that it was part of an IPS/AV update. I'm also making the assumption that DLP uses IPS to inspect the packets. Is that true? Doesn't anybody know where I can find out what's in those updates? I dug around the Fortinet site a bit and didn't find out anything.
-TJ
> I tested pretty extensively with DLP and noticed that the firewall could look inside standard .xls files for SSNs and find/block them but it couldn't do the same with .xlsx files.

Do you have Scan Archive Contents enabled? I believe the Office 2007 formats are zipped by default so you need that setting enabled to examine the contents of these new XML file formats.
ORIGINAL: RickP
> I tested pretty extensively with DLP and noticed that the firewall could look inside standard .xls files for SSNs and find/block them but it couldn't do the same with .xlsx files.
> Do you have Scan Archive Contents enabled? I believe the Office 2007 formats are zipped by default so you need that setting enabled to examine the contents of these new XML file formats.

I'm not sure where that setting is so I don't know if it's enabled.
-TJ
That setting is at UTM-Data Leak Prevention-Rule. We use the following Regex to scan for US SSNs:
(\b|\W)([0-6]\d{2}|7[0-6]\d|77[0-2])([ \-])\d{2}\3\d{4}(\b|\W)
It will catch the following:
123-45-6789
123 45 6789
test 123-45-6789
test/123-45-6789
test.123 45 6789. test
It will NOT catch the following:
123456789
test123-45-6789
test.123-45-6789test
It allows for a space or hyphen in between the groups of numbers. It also verifies a space or special character before and after the SSN in order to trigger. This has worked very well for us.
John
CISSP, FCNSP
Adv(thanks)ance
Very cool but that might not help us. Our bean counters tend to not use the hyphens or spaces in their numbers. They'd be liable to send out (on accident, of course) a spreadsheet with 5000 SSNs in it if I allowed the 9 digits run together. The built in default regex works for us in that case.
That Hotmail URL is my bane!!
-TJ
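To make the trade-off in this thread concrete, here is an added Python check (not code from any poster or from Fortinet) that runs John's regex, unchanged, over his hit/miss samples and over TJ's two false-positive cases, next to an assumed "loose" pattern with optional separators that stands in for a rule allowing 9 digits run together; Fortinet's built-in SSN pattern is mentioned above but never shown, so the loose pattern is illustrative only.

```python
import re

# John's regex, copied verbatim from the thread above.
SSN_DELIMITED = re.compile(
    r"(\b|\W)([0-6]\d{2}|7[0-6]\d|77[0-2])([ \-])\d{2}\3\d{4}(\b|\W)"
)

# Assumed illustrative "loose" pattern (not Fortinet's built-in one): the
# separators are optional, so nine digits run together also match.
SSN_LOOSE = re.compile(r"(?<!\d)\d{3}[ -]?\d{2}[ -]?\d{4}(?!\d)")


def scan(text):
    """Return (delimited_hit, loose_hit) for one line of text."""
    return (
        SSN_DELIMITED.search(text) is not None,
        SSN_LOOSE.search(text) is not None,
    )


# Constructed samples: John's hit/miss lists plus TJ's two false-positive cases.
JOHN_HITS = [
    "123-45-6789",
    "123 45 6789",
    "test 123-45-6789",
    "test/123-45-6789",
    "test.123 45 6789. test",
]
JOHN_MISSES = ["123456789", "test123-45-6789", "test.123-45-6789test"]
TJ_FALSE_POSITIVES = [
    "Get it now. ( http://clk.atdmt.com/GBL/go/171222984/direct/01/ )",
    "596015670",  # ZIP+4 typed without the hyphen, as in TJ's spreadsheet
]


def report(samples):
    """Map each sample to its (delimited, loose) result for side-by-side comparison."""
    return {s: scan(s) for s in samples}


if __name__ == "__main__":
    for name, samples in [("John hits", JOHN_HITS), ("John misses", JOHN_MISSES),
                          ("TJ false positives", TJ_FALSE_POSITIVES)]:
        print(name)
        for s, (delim, loose) in report(samples).items():
            print(f"  delimited={delim!s:5} loose={loose!s:5}  {s}")
```

The delimited rule clears the Hotmail URL and the hyphen-less ZIP+4, but it also misses a bare 123456789, which is exactly why TJ cannot use it for spreadsheets where the hyphens are dropped.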