Forum Discussion
DLP policy is detecting fake BSN-numbers as well
I want to create a DLP-policy which blocks BSN-numbers, but the policy also seems to block fake/example BSN-numbers. Is there a way to exclude these fake numbers?
4 Replies
Useruser2323 Hi, you could use checksum validation (elfproef).
BSN numbers follow a validation called “elfproef,” a checksum method to ensure that the number is valid.
Many fake or sample numbers fail this check. You can improve your DLP policy by adding logic that checks whether the BSN passes the elfproef before blocking it.
To implement this, modify the DLP rule to include a checksum validation for BSN numbers.
Only numbers that pass the elfproef should be blocked, ensuring that false numbers are ignored.micheleariis Hi, thanks for the suggestion. And how to do this?
Useruser2323 I'll try to give you a guideline that clearly needs to be tested 🙂
1. Understand Elfproef (11-Proof) validation:
BSN numbers must pass a check called "elfproef" or "11-proof", which is based on a mathematical operation performed on each digit of the number. Here's how it works:
- Multiply the first eight digits by 9, 8, 7, 6, 5, 4, 3 and 2 respectively.
- Add the results of the multiplications.
- Subtract the ninth digit from the total.
- The final result must be divisible by 11 for the number to be valid.BSN example: 123456782
- Calculation: \(1 * 9 + 2 * 8 + 3 * 7 + 4 * 6 + 5 * 5 + 6 * 4 + 7 * 3 + 8 * 2 = 165\)
- Subtract the ninth digit (2) from 165 = 163
- Since 163 is not divisible by 11, this BSN is invalid.2. Modify the DLP policy to include Regex and Elfproef check:
- Start with a regex that detects the format of BSNs (example: `\b\d{9}\b` for a nine-digit number).
- Next, apply a script or rule in the DLP system to validate the detected numbers using the elfproef method.Many DLP platforms (such as Microsoft Purview, Symantec, Forcepoint, etc.) allow the integration of custom functions or scripts into the detection criteria. If your platform supports it, you can insert a script that verifies the validity of the BSN via elfproef before blocking the number.
Example pseudocode for validation:
-python code-
def is_valid_bsn(bsn_number):
Convert the BSN to a list of integers
digits = [int(digit) for digit in str(bsn_number)]Calculate the validity according to the Elfproef (11-proof)
checksum = (9 * digits[0] + 8 * digits[1] + 7 * digits[2] + 6 * digits[3] +
5 * digits[4] + 4 * digits[5] + 3 * digits[6] + 2 * digits[7]) - digits[8]Check if the result is divisible by 11
return checksum % 11 == 0
-python code-3. Integrate validation into the DLP system:
- Check the capabilities of your DLP platform. Some platforms allow you to integrate custom logic into your detection criteria or apply conditions based on external validators.
- If your platform supports advanced matching or scripting, use this feature to validate BSNs before blocking or reporting them.4. Test the policy:
- Enter both valid and invalid BSNs (both real and fake) to test the policy.
- Monitor the results to ensure that only valid BSNs are blocked and fake BSNs are ignored.Benefits:
- Reduced false positives: With elfproef checking, fake or sample numbers used in tests or documents will not trigger the DLP rule.
- Increased accuracy: Only BSNs that correctly follow the validation rule will be blocked, improving the efficiency of your DLP policy.Example scenario:
- Fake BSN (example): `111222333`
- This number fails the elfproef check, so it will not be blocked.
- Real BSN: `123456782`
- If it passes the elfproef check, it will be blocked by the DLP policy.By integrating elfproef validation logic into your DLP policy, you can ensure that only valid BSNs are blocked, improving compliance and reducing the chances of blocking false data.
