Saturday, April 21, 2007

IT Security and You! Part 3 - Data and Hardware-Media Disposal

by David Baldwin

We have all heard of the stories where PCs have ended up in Africa or elsewhere and the data has still been on the machines. This is bad, but very common. This is the third of four articles designed to help improve IT security.

IT Security and You!

Did You Lock the Doors and Windows When You Left For Work This Morning?

Part 3: Data and Hardware/Media Disposal

Giving Away PCs and Hardware

This article does not discuss the Data Protection Act etc. It is about the proper disposal of information held on hardware and media.

We have all heard the stories where PCs have ended up in Africa or elsewhere with the data still on the machines. This is bad, but very common. I have often worked on PCs that people have acquired from companies when the company upgraded; almost always the data is still on the PC, in one form or another (I will not get into the licensing implications).

Often a PC leaves a company having had the data deleted; the applications and operating systems are left on.

The truth is that most of the data still remains. This is because the delete process on a PC normally only removes the operating system's reference to a file (making the file invisible rather than removing it). Anyone with the right software can get a lot of the data back in seconds.

Sometimes the disks are formatted and an operating system and applications are installed back on the disk. Again, a lot of the data can still be recovered: basically anything that has not been overwritten.

When giving away a PC, hard disk, USB drive or other media, you must fully erase the data. This normally requires software that will overwrite all of the data, several times and with random patterns. A good system will overwrite the areas of the disk that held data, making retrieval impossible even with hardware tools.
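To make the three situations above concrete (an ordinary delete, a format followed by a reinstall, and a proper overwrite), here is an added Python model of a tiny disk. It is an illustration written for this page, not the author's tool or any real wiping product. The block size, the `ToyDisk` class, its directory layout and the sample file contents are all invented for the example; `carve()` stands in for what a recovery tool does, scanning the raw bytes and ignoring the directory entirely.

```python
"""Toy disk model: why 'delete' and 'format' leave data behind, and why
only overwriting actually removes it.  Constructed example, not a real
filesystem and not the article author's code."""
import os

BLOCK = 16      # bytes per block (tiny, to keep the model readable)
NBLOCKS = 64    # a 1 KiB "disk"


class ToyDisk:
    """Flat byte array plus a directory (name -> first block, block count).
    Deleting drops the directory entry only, which is what an ordinary
    delete does on a real disk: the bytes stay on the media."""

    def __init__(self):
        self.media = bytearray(NBLOCKS * BLOCK)
        self.directory = {}
        self.next_free = 0

    def write_file(self, name: str, data: bytes):
        nblocks = -(-len(data) // BLOCK)            # ceiling division
        if self.next_free + nblocks > NBLOCKS:
            raise OSError("toy disk full")
        start = self.next_free * BLOCK
        self.media[start:start + len(data)] = data
        self.directory[name] = (self.next_free, nblocks)
        self.next_free += nblocks

    def delete(self, name: str):
        """Ordinary delete: the file becomes invisible, its bytes remain."""
        del self.directory[name]

    def quick_format(self):
        """Quick format: the directory is cleared, the data blocks are not."""
        self.directory.clear()
        self.next_free = 0

    def _overwrite(self, lo: int, hi: int, passes: int):
        for _ in range(passes):
            self.media[lo:hi] = os.urandom(hi - lo)   # random-pattern passes
        self.media[lo:hi] = bytes(hi - lo)            # final zero pass

    def secure_delete(self, name: str, passes: int = 3):
        """Overwrite the file's own blocks before dropping the entry."""
        first, nblocks = self.directory[name]
        self._overwrite(first * BLOCK, (first + nblocks) * BLOCK, passes)
        del self.directory[name]

    def wipe_free_space(self, passes: int = 3):
        """Overwrite every block no live file references, so remnants of
        old files (e.g. left over after a format) can no longer be carved."""
        live = set()
        for first, nblocks in self.directory.values():
            live.update(range(first, first + nblocks))
        for b in range(NBLOCKS):
            if b not in live:
                self._overwrite(b * BLOCK, (b + 1) * BLOCK, passes)


def carve(disk: ToyDisk, needle: bytes) -> bool:
    """What a recovery tool does: ignore the directory, scan the raw media."""
    return disk.media.find(needle) != -1


def demo() -> dict:
    """Walk through the situations the article describes and record whether
    a raw-media scan can still find the sensitive document at each stage."""
    secret = b"PATIENT 0042: trial results, confidential"   # constructed sample
    disk = ToyDisk()
    disk.write_file("boot.cfg", b"[boot] os=xp sp2 x86")   # occupies blocks 0-1
    disk.write_file("research.doc", secret)                 # occupies blocks 2-4
    results = {}

    disk.delete("research.doc")
    results["after_delete"] = carve(disk, secret)             # still there

    disk.quick_format()
    # The "reinstall" only rewrites the first two blocks; anything beyond
    # the new files' footprint survives untouched.
    disk.write_file("windows.sys", b"fresh operating system image")
    results["after_format_reinstall"] = carve(disk, secret)   # still there

    disk.wipe_free_space()
    results["after_free_space_wipe"] = carve(disk, secret)    # gone

    disk.write_file("notes.txt", secret)
    disk.secure_delete("notes.txt")
    results["after_secure_delete"] = carve(disk, secret)      # gone
    return results


if __name__ == "__main__":
    for stage, found in demo().items():
        print(f"{stage:24s} recoverable by raw scan: {found}")
```

Run it and the raw scan still finds the "deleted" document after an ordinary delete and after a quick format plus reinstall; it only stops finding it once the blocks themselves have been overwritten. The model is a magnetic-disk picture. On flash media (SSDs, USB sticks) the controller remaps writes behind the scenes, so overwriting a file in place does not reliably overwrite the old cells; for those, a whole-device erase command or full-disk encryption with the key destroyed is the sound approach.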

Why should you do this?

Privacy, preventing crime, and the fact that you are duty bound to protect the data of others that you store.

The software to do this is cheap, £20 or so, and is well worth the money.

Here is an example of one instance where a company had not done this...

A medical research company had given an employee a PC, and that employee then left the company. The IT manager of that company had formatted the computer and re-installed the software – supposedly!

The individual called me because he had created a long document and then accidentally deleted it.

I put the hard disk into a machine I had already loaded with software recovery tools; the package I used cost less than £40. I set the software running and made a cup of tea. When I came back, the PC listed every deleted file: the one he wanted, and all the research and security files from the company that had originally owned his PC. What's more, and very concerning, I could restore and read most of the data.

Do you know where all your data is?

Ever watched the TV series 24 on Sky? It is about as intellectually challenging, and about as factual, as Bugs Bunny!

On such programmes you see the authorities arrive at a company, the suspect presses a button and the data disappears.

What twaddle!

Any self-respecting individual or business would have regular backups, never stored on the same PC/server as the original data, and often (good practice) a backup taken off-site regularly. Let's face it, a super villain with a software program or file that can take over the world and make the American authorities run around in circles would not have just one copy of the file.

Take a leaf out of the super villain's book: keep backups!

That being said, keep tabs on backups. Backup data can contain even more data than your live systems (data since deleted, for instance), and that data could still be of value to someone; it is certainly valuable to you, or you would not have backed it up.

You must know where your data is, how secure it is and which is the most recent copy; any company with a Business Continuity Plan should know what data it needs to activate the plan.

People forget just how valuable, and how much, data there is on backup media. Many companies do not have a control in place for the disposal of backup media; I have seen old tapes and disks put in dustbins. Would you throw all your old letters, bills, statements and emails into a public bin and put a sign on it saying "Personal Data – Get It Here"? I wouldn't.

So do not just keep track of data on media and backups, but dispose of it properly: wipe the data where possible and destroy the media where not. Please also remember that most media, like CDs, can now be recycled, even after shredding.

Note: never snap a CD or DVD – you could lose an eye. Use a proper shredder.

When I have not had the time or facilities to wipe customers' hard drives I have opened them up and scoured the platter surface with a scouring pad. I have even bent and dismantled hard drives where the data has been very sensitive, such as financial details for corporations. Be careful: some hard drives actually have coated-glass platters; try to bend them and they will practically explode in your face, not pleasant!

My advice is to use software meant for the purpose of data deletion, or get a professional, trusted company to dispose of the data.
