Purdue University Student Services Technology & Assessment
Identity & Security Website
SSN SCANNING INITIATIVES
Home PC Scanning

SSTA has prepared this memo to give its supported users a way of identifying SSNs from past business usage that might be present on their home PC, as well as for their personal use. The intent is for our supported users to download the subject tool and run their own scans for review. Follow your department’s recommendation for performing this action.

Remember, it is Best Practice not to have files with sensitive or restricted data stored anywhere except on your designated network drive spaces or in a locked cabinet if on removable media.

  1. As of December 2006, SSTA recommends the use of the “Spider” Tool, as developed by Cornell University, to scan for the potential presence of SSNs on a home PC. The Spider Tool is one of the tools used by SSTA to perform recurring SSN scans on our supported network drive spaces.
     
  2. We thank our counterparts at Cornell for making this tool available for use.
     
  3. With any scanning tool comes the standard disclaimers that:
    1. No tool is guaranteed to find each and every instance of the targeted scan.
    2. Each tool will identify a number of “false positive” hits, so potentially identified files need to be reviewed.
    3. Be careful where you place your log file results as they could contain the same type of information for which you are searching.
       
  4. Cornell’s documented considerations for using this tool are located at:
    http://www.cit.cornell.edu/computer/security/tools/
     
  5. Cornell’s instructions for downloading, installing, configuring, and running this tool are located at: http://www.cit.cornell.edu/computer/security/tools/spider-windows.html. The configuration instructions are very specific and explain the possible settings. Most of the default settings are set correctly. The items that definitely need to be changed are:
    1. Setting the target space aka “Start Dir…”
    2. Clicking “Recursively process subfolders”
    3. Typing in a path and name for the log file on the Logging/Local tab.
       
  6. Spider was recommended for this particular situation due to:
    1. User friendly interface.
    2. Effectiveness in finding the targeted search of 3-2-4 format SSNs with an acceptable level of false positives.
    3. Configuration flexibility, including the ability to target and/or exclude specific file types and/or target areas.
    4. The tool is being improved frequently.
    5. The ability to scan any Windows™ mapped drive.
    6. The ability to import the log file into most applications (e.g., Excel™).
    7. The ability to add a search for a Straight Nine SSN format by adding a \d{9} Custom RegEx expression. This RegEx will find any numeric string of 9 or more numbers, so false positives will increase due to finding items like phone numbers.
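
As an added illustration (not part of the original memo, and not Spider's own code), the Python example below shows why the \d{9} pattern over-matches, and how digit boundaries, the never-issued SSN ranges, and masked log output relate to the disclaimers about false positives and log file contents above. The function names, the bounded pattern, and the sample text are assumptions constructed for this example.

```python
import re

# Patterns named in the memo: 3-2-4 format and the "straight nine" custom RegEx.
DASHED = re.compile(r"\d{3}-\d{2}-\d{4}")
STRAIGHT_NINE = re.compile(r"\d{9}")
# Assumption (not a Spider setting): require non-digit boundaries so longer
# digit runs, such as 10-digit phone numbers, are not reported.
BOUNDED = re.compile(r"(?<![\d-])(\d{3})-?(\d{2})-?(\d{4})(?![\d-])")


def plausible(area, group, serial):
    """Area 000, 666 and 900-999, group 00 and serial 0000 are never issued."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")


def mask(serial):
    """Keep only the last four digits so the log does not hold full SSNs."""
    return "***-**-" + serial


def scan(text):
    """Return (line_number, masked_value) for each plausible candidate."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in BOUNDED.finditer(line):
            area, group, serial = m.groups()
            if plausible(area, group, serial):
                hits.append((lineno, mask(serial)))
    return hits


# Constructed sample text; none of these values belongs to a real person.
SAMPLE = """\
Employee record: 123-45-6789
Legacy export field: 234567891
Office phone: 5555550123
Invoice number: 000-12-3456
Order ref 987654321
"""

if __name__ == "__main__":
    print("unbounded \\d{9} hits:", len(STRAIGHT_NINE.findall(SAMPLE)))
    for lineno, value in scan(SAMPLE):
        print(f"line {lineno}: {value}")
```

Hits from any such filter still need manual review: the structural check only discards values that cannot be SSNs, it does not confirm that a match is one.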

If you have questions about the scanning tool usage, please contact your ISDC. The ISDC can contact Steve Baker for assistance.

Happy and Safe Scanning!

To ask questions about identity security, send them to SSIDSecurity@purdue.edu

  Copyright © 2006, Purdue University, all rights reserved.
Purdue University, West Lafayette, IN 47907, USA, (765) 494-4600
An equal access/equal opportunity university
 
Student Services Technology & Assessment
475 Stadium Mall Dr., Schleman Hall, Rm 204, West Lafayette, IN 47907-2050
Phone: (765) 494-3175  Fax: (765) 496-1109
e-mail: vpss@purdue.edu