Facing PII Security Risks? Try these Free Tools!

By CIOReview | Wednesday, August 10, 2016

It all started like a hacking scene in a 90s movie! Looming image of a fiery skeleton! Employees meeting with the sound of gunfire when logging on to the network! Tiny zombified heads of Sony’s top two executives! All elements required to horrify Sony employees were unleashed! But before Sony’s IT team could move a needle, half of Sony’s data on its global network was wiped. Everything stored on 3,262 of the company’s 6,797 personal computers and 837 of its 1,555 servers was erased. Emails, salary lists, and more than 47,000 Social Security numbers were mortified.

Fotune termed this cyber attack as “Hack of the Century”, and rightly so! In the snap of some hours, Personal Identifiable Information (PII) worth millions was lost!

Sony’s data breach wasn't the first, and it certainly won't be the last. Smart criminals, lethargic audit team, or outdated security measures, there are plenty of reasons to which organizations lose their PII. Databases on corporate networks don’t host PII. This data lives outside the corporate databases and must be locked down so attackers can't get it. This is where free tools to improve PII Security can be life savior for the organizations.

Tools to Improve PII Security

Social Security Numbers (SSNs), salary slips, or credit card information, all fall under the PII category. This data can practically live anywhere on the corporate network. It can be in Word docs, Excel spreadsheets, PDF files and even text files such as application logs. Because this ‘sensitive’ data doesn’t reside in a structured database, many organizations don't have PII security measures in place.

SoftPerfect Network Scanner

With a modern interface and many advanced features, SoftPerfect Network Scanner is a free multi-threaded IPv4/IPv6 scanner. It has been fabricated while keeping both the system administrators and computer security interested general users in mind. Pinging computers, scanning TCP/UDP ports and discovering shared folders, including system and hidden ones are some of the many applications of this tool.

Additionally any information about network computers via WMI, SNMP, HTTP, NetBios can be retrieved by this tool. Resolving host names and auto-detecting the local and external IP address range are some of the other features. The tool also supports remote shutdown and Wake-On-LAN to assist the network administration. There are a couple different configuration options available for seeking out open shares in SoftPerfect Network Scanner, including options to enter in Windows credentials.

Microsoft's ShareEnum

ShareEnum fills the void of having no built-in tools to list shares viewable on a network and their security settings as it allows organization to lock down file shares in their network. The tool also manages the most common security flaw of users defining file shares with lax security by not allowing unauthorized users to see sensitive files. The tool scans all the computers within the domains accessible to it by using NetBIOS enumeration, and shows file and print shares and their security settings.

ShareEnum is most effective when you run it from a domain administrator account as only he/she has the ability to view all network resources. The tool enumerates domains and the computers within them by using WNetEnumResource and enumerates shares on computers with the help of NetShareEnum.

Rapid7’s Nexpose

Nexpose feeds fresh data, granular risk scores, and knowledge of what attackers look for to an organization’s vulnerability management program enabling them to act as the change happens. Using Nexpose Adaptive Security, an organization has the data they need to assess risk as it happens.

Its vulnerability analysis feature enables the tool to automatically ask and answers the right questions for organizations without requiring any data. The result helps an organization in prioritizing their process of where to look for vulnerability, what to do first, and the impact of their action. The tool also transforms the exposure management data of an organization into detailed visualizations so they can focus resources and easily share each action with security, IT, compliance, and the C-Suite.


A computer is scanned for Social Security Numbers by CUSpider and a list of files is produced to take immediate actions for vulnerability remediation. The tool is a modification and repackaging of Spider2008 version 4.0.2 (Latrodectus), an open-source program PII-scanning program developed by Cornell University and Wyman Miles, the founder.

Due to the method CUSpider uses to discover potentially sensitive files, it may produce false alarms. Each file must be opened and examined before decisions can be made concerning what actions must be taken.


OpenDLP is a free and open source, agent and agentless-based, centrally-managed, massively distributable data loss prevention tool released under the General Public License (GPL). Given appropriate Windows, UNIX, MySQL, or MSSQL credentials, the tool can simultaneously identify sensitive data at rest on hundreds or thousands of Microsoft Windows systems, UNIX systems, MySQL databases, or MSSQL databases from a centralized web application.

It has two components:

• A web application to manage Windows agents and Windows/UNIX/database agent-less scanners
• A Microsoft Windows agent used to perform accelerated scans of up to thousands of systems simultaneously

Identity Finder

Identity Finder has developed the next generation technology in Sensitive Data Manager for accurately identifying and classifying business critical, regulated and sensitive data in an organization. AnyFind technology is featured by this Sensitive Data Management tool which enables it to host a four-part methodology for managing sensitive data through its lifecycle.

The tool allows an organization to search everywhere, including laptops, workstations, file servers, email servers, databases, websites, SharePoint, and cloud storage. Results are presented in simple, intuitive reports and dashboards—and people can implement controls directly from the centralized management console.


The Sony case was just a beginning and the losses incurred by the organization were massive. On April 6th, 2016 Los Angeles Times reported “A judge approved a multimillion-dollar settlement Wednesday in a class-action lawsuit filed by former Sony Pictures Entertainment employees whose private information was stolen in a massive data breach.” Under the judgment, Sony agreed to provide the identity theft protection, as well as an optional service that will cover up to $1 million in losses and create a fund to cover any additional losses.

Better PII security tools would have saved Sony from law suits, revenue losses, reputational losses, and what not! Organizations need to learn a lesson and prioritize addressing their PII security tools.