The Metadata Era

4 Useful Regular Expressions and Algorithm Combinations for Finding Credit Card Numbers

Data classification is a critical piece of the data governance puzzle.  In order to be successful at governing data, you have to know—at all times—where your sensitive data is concentrated, unencrypted, and potentially overexposed.

One of the standard ways to find sensitive data is to use Regular Expressions (RegEx) to match patterns. Used by themselves, regular expressions often identify too much—some of the numbers they find are not really credit numbers, even though they match the pattern you’re looking for.  These “false positives” can be reduced by using algorithmic verification, such as Luhn, or IBAN.  If you don’t know what Regular Expressions are, or you are a bit rusty on the syntax, there are some excellent tutorials on the web (start here or here). If you’d like some help validating your results with Luhn, a good article can be found here (The Varonis IDU Classification Framework has algorithmic validation built-in).

What’s considered sensitive?

Well, that really depends on who you’re asking.  Many organizations have idiosyncratic data such as customer or patient IDs, payroll codes, etc. that they want to keep confidential.  But some things are universally considered sensitive – like credit card numbers.

Thus, we figured credit card numbers would be a perfect place to start our RegEx compendium.  Enjoy!

Mastercard

Regular expression:

(?<first>\b(?<![:$.,_'-])5[1-5][0-9]{2}[ -][0-9]{4}[ -][0-9]{4}[ -][0-9]{4}(?![:$.,_'-])\b)|(?<second>\b(?<![:$.,_'-])5((\d)(?!\2{4,})(?!(12345|23456|34567|45678|56789|98765|87654|76543|65432|54321))){15}(?![:$.,_'-])\b)

Suggested Algorithm for Verification: Luhn

AMEX – validate with Luhn

(?<first>\b(?<![:$.,_'-])3[47][0-9]{2}[ -][0-9]{6}[ -][0-9]{5}(?![:$.,_'-])\b)|(?<second>\b(?<![:$.,_'-])3[47]((\d)(?!\2{4,})(?!(12345|23456|34567|45678|56789|98765|87654|76543|65432|54321))){13}(?![:$.,_'-])\b)

Discover – validate with Luhn

(?<first>\b(?<![:$.,_'-])6(?:011|5[0-9]{2})[ -][0-9]{4}[ -][0-9]{4}[ -][0-9]{4}(?![:$.,_'-])\b)|(?<second>\b(?<![:$.,_'-])6((\d)(?!\2{4,})(?!(12345|23456|34567|45678|56789|98765|87654|76543|65432|54321))){15}(?![:$.,_'-])\b)

Visa – validate with Luhn

(?<first>\b(?<![:$.,_'-])4[0-9]{3}[ -][0-9]{4}[ -][0-9]{4}[ -][0-9]{4}\b)|(?<second>\b(?<![:$.,_'-])4((\d)(?!\2{4,})(?!(12345|23456|34567|45678|56789|98765|87654|76543|65432|54321))){15}\b)|(?<third>\b(?<![:$.,_'-])4((\d)(?!\2{4,})(?!(12345|23456|34567|45678|56789|98765|87654|76543|65432|54321))){12}(?![:$.,_'-])\b)

Special thanks to the Varonis Systems Engineering team for their contributions! In future posts, we’ll share tips for finding other sensitive data using regular expressions, algorithmic verification, and other metadata like permissions and access activity.

Photo credit: Shawn Rossi - http://www.flickr.com/photos/shawnzlea/527857787/

In a previous post, Fixing the Open Shares Problem, we talked about some of the challenges we face when trying to remediate access to open shares. One of the main problems is minimizing the impact these clean-up activities can have on the day to day activities of business users.

Think about it: if a global access group is removed from an ACL, the odds are very high that someone who has been using that data will now be restricted.  We find ourselves in a catch 22 between remediating global access and weeks of business disruption as they try and respond to the problems caused by the “fix.”

IT: “I’m sorry that you’re unable access your data.  We’re working on fixing it now.  I assure you, the only reason this happened is because we were trying to make things better.”

Business user: “I totally understand.  Thank you!  You should get a raise!”

(We all know this is not how the conversation goes).

There’s a better way.

Varonis DatAdvantage provides the ability to simulate permission changes and see the probable outcome before you commit those changes to production. How? DatAdvantage correlates every audit event with the permissions on an ACL and then analyzes the impact of each simulated ACL  and/or group change. Through this sandbox, IT can identify the users who would have been affected by that change had it already been made—those users who would have called up the help desk screaming that they couldn’t access data they needed.

Once you’ve verified that those users really need access, you can continue to configure the ACL and group members within DatAdvantage to provide them access, and keep simulating until you’re confident that your permissions changes will not disturb people’s work. If you have the credentials to be able to make changes, DatAdvantage lets you commit all permissions and group changes right through the interface (over all platforms), either immediately or scheduled to hit a change management window later.

These simulation capabilities eliminate the risks of manually cleaning up open shares, since IT is able to fix the problem without ever impacting legitimate use.  Most IT departments have seen the results of trying to solve this problem manually: lots of broken ACLs and annoyed users. It’s a lot of fun to show them a better way.

You can request a free 1:1 demo of the Varonis suite here or watch our next live demo on the web.

Varonis is pleased to announce the Varonis Data Governance Awards 2012. The awards are designed to reward the innovation, determination and dedication that our customers apply, every day, to protecting and managing their data with our products. We want to showcase top-class performance and reward achievement, whatever its form.

The awards are free to enter, and are open to all of our customers, regardless of size, location, business type or product deployed. Winning an award will be a sign of excellence, and a distinction that shows that our customers have achieved something to be proud of.

The awards are free to enter for any Varonis customer, and the deadline for entry is July 9^th, 2012. More information including details of the awards, how to enter, terms and conditions and FAQ is available at www.varonis.com/awards.

Journaling and Diagnostics Logging are services to monitor and audit activity on Microsoft Exchange servers. They provide basic auditing functionality for email activity (e.g. who sent which message to whom) and, if collected and analyzed, may help organizations answer basic questions about email, as well as comply with  policies and regulations. (Note: Varonis DatAdvantage for Exchange does not require journaling or diagnostics to monitor Exchange activity.)

Journaling records email communication traffic and processes messages on the Hub Transport servers. The information collected by the journaling agent can be viewed through journaling reports, which include the original message with all the attachments.

Diagnostics writes additional activities to the event log (visible in Windows Event Viewer), such as “message sent as” and “message sent on behalf of” actions. Diagnostics can be configured through the Manage Diagnostics Logging Properties window in the Exchange Management Console.

Journaling and Diagnostics Logging collect significant amounts of events and generate a large amount of raw log data, so it is critical to plan which mailboxes and messages will be monitored and allocate additional storage before enabling.

Here are the steps to enable Journaling and Diagnostics in your Exchange Server.

Setting up Journaling in Exchange

There are two types of Journaling: standard and premium. Standard provides journaling of all the messages sent and received from mailboxes on a specified mailbox database, while premium provides the ability journal individual recipients by using journaling rules.

Here are the high-level steps to setup journaling on your Exchange server:

1. First, create a journaling mailbox. This mailbox will be configured to collect all the journaling reports, and should ideally be setup with no storage limits to avoid missing any. The process to create the mailbox is:
   1. Select a different OU than the default
   2. Assign a display name
   3. Assign user logon name (user will use to login to this mailbox)
   4. Setup a password—take into account that journaling mailboxes may contain sensitive information, as a copy of the message is stored with the report.
2. To enable standard Journaling it is necessary to modify the properties of the mailbox database. Under the Organization Configuration/Mailbox/Database Management/Maintenance tab, you will need to specify the journaling mailbox where you want the journaling reports sent.
3. Premium Journaling requires an Exchange Enterprise Client license. To setup premium journaling, it is necessary to create journal rules, which are used to setup journaling for specific recipients. Using the EMC (Exchange Management Console) the journal rules can be created under the Hub Transport section of the Organization Configuration; on the Journal Rules tab. The fields to configure a journal rule are the following:
   1. Name
   2. Send reports to email
   3. Scope
      • Global – all messages through the Hub transport
      • Internal – messages sent and received by users in the organization
      • External – messages sent to or from recipients outside the organization
   4. Journal messages for recipient – journal messages sent to or from a specific recipient
   5. Enable rule – checkbox

Make sure the status on the completion page is “Completed” to verify that the rule was created successfully.

Setting up Diagnostics in Exchange

Diagnostics logging is configured separately for each service on each server. The steps to configure diagnostics logging are:

1. In the Exchange Management Console (EMC), click on Server Configuration.
2. Right-click on an Exchange server  to enable Diagnostics Logging on it.
3. Click on Manage Diagnostics Logging Properties.
4. On the Manage Diagnostics Logging window, select the services you want to enable diagnostics for.
5. Choose the level of diagnostics you would like on that service.
   • Lowest – log only critical events
   • Low – log only events with logging level 1 or lower
   • Medium – log events with logging level 3 or lower
   • High – log events with logging level 5 or lower
   • Expert – log events with logging level 7 or lower
6. Click on configure. The system will provide a confirmation screen.

In a future post, we will go over the Mailbox Audit Logging in MS Exchange 2010.

Answer:  Both may affect the way businesses determine what constitute appropriate security measures.

In February, Senators Joe Lieberman, Susan Collins, John D. Rockefeller IV, and Dianne Feinstein introduced the Cybersecurity Act of 2012. The intent of the Act is to give the Department of Homeland Security (DHS) additional power to set cyber security standards for private companies that operate the nation’s critical infrastructure. Simply speaking, the intent of the bill is to:

1. Identify risk via cooperation between DHS and private corporations
2. Protect critical infrastructure (although what exactly constitutes critical infrastructure is yet to be defined)
3. Improve information sharing about security issues and events between DHS and private corporations

According to the Homeland Security Website:  “The bill would authorize the Secretary of Homeland Security, together with the private sector, to determine cyber security performance requirements based upon the risk assessments. The performance requirements would cover critical infrastructure systems and assets whose disruption could result in severe degradation of national security, catastrophic economic damage, or the interruption of life-sustaining services sufficient to cause mass casualties or mass evacuations. The bill would only cover the most critical systems and assets in a given sector, and only if they are not already being appropriately secured.”

The website goes on, “Owners of “covered critical infrastructure” would have the flexibility to meet the cybersecurity performance requirements in the manner they deem appropriate. The private sector also would have the opportunity to develop and propose performance requirements for “covered critical infrastructure.”

http://www.hsgac.senate.gov/download/the-cybersecurity-act-of-2012-s-2105_-summary

In this regard, if this bill is passed, companies that operate anything that might be lumped into the category of critical infrastructure (i.e. financial, energy, food, medical, healthcare, etc.) may need to rethink their risk tolerance, security engineering methodologies and security operations practices.  If your company does operate critical infrastructure,  the Department of Homeland Security may soon police your security engineering efforts.

Coincidentally, the Insurance industry is also affecting how Security Admins determine appropriate security measures for their companies.  Cyber insurance was created to protect the interests of companies in the event of a loss due to a variety of different issues including data breaches, cyber-extortion, content liability, penalties for civil actions resulting from failure to comply with a specific regulation, virus liability, cyber terrorism, loss of income due to hacking, DOS attacks, etc. While cyber insurance may be worthwhile, as those of us with homeowners or automobile Insurance know, insurance policies always contain a list of exclusions.

Cyber Insurance is no different.  Notable exclusions can include such vague statements such as:

• Loss caused by an employee, officer, director, owner, independent contractors
• Failure to follow minimum required practices
• Failure to take reasonable security measures

Given that Security Admins are paid to take “reasonable” security measures, it’s hard to imagine how these exclusions will be interpreted in the event of a breach.  Only an attorney can determine the actual impact of these exclusions.  Ultimately, Security Admins are compelled to work with their legal department and other business areas to ensure that their Cyber Insurance policy provides coverage in the event of a breach.   In this regard, insurance companies may influence your security engineering efforts, as well.

In a recent trade show, an attendee told me that his company was forced to purchase Cyber Insurance.  When I asked him why, he indicated that one of his customers required Cyber Insurance as a condition of doing business with them.  This customer understood that a prerequisite to determining which Cyber Insurance policy was appropriate was to involve business data owners who are best prepared to determine the risk associated with their area of interest.  Many companies have recognized the value of including business areas and specifically data owners in security engineering planning.

The Cyber Security Act of 2012 and Cyber Insurance are two motivating factors which will encourage companies to better understand risk and tolerance, and foster cooperation between IT security and data owners.

http://www.iqpc.com/uploadedFiles/EventRedesign/USA/2011/November/20810001/Assets/2011-The-Rapidly-Evolving-Nature-of-Cyber-Risk.pdf

http://www.cpcusociety.org/file_depot/0-10000000/0-10000/3267/conman/CPCUeJournalDec08article.pdf