When researchers at the University of Glamorgan in Wales, Edith Cowan University in Australia and British Telecommunications (BT) bought and scanned more than 300 used hard drives at computer fairs, auctions and over the Internet, they found payroll information, invoices, employee names and photos, IP addresses, mobile telephone numbers and even financial data such as bank account and credit card numbers.
Of the disks purchased, 49 percent contained personal information and 47 percent had corporate data. Although most of the drives appeared to have had their data superficially removed, data recovery utilities, including widely available freeware, were capable of revealing files that had been deleted but were not sufficiently overwritten or destroyed.
This startling research indicates that, despite highly publicized examples, organizations and individuals continue to take a ‘laissez-faire' approach to data disposal and information security. In order to safeguard data and mitigate risk (i.e., identity theft, public embarrassment, lawsuits, fines and possibly even jail time), organizations need to put stringent policies in place and adopt state-of the art security technologies. Here are some best practices and safeguards that will help ensure sensitive data does not end up falling into the wrong hands.
Discarded But Not Destroyed
The average computer user has been lulled into a false sense of security by the Recycle Bin on their Windows desktops or the Trash Can on their Macs. Neither approach thoroughly eliminates data with a typical delete; the computer simply removes the index entry or pointer to the trashed data file, earmarking that region of the disk for eventual re-use. Partitioning a disk or formatting a drive also does not erase hard drive data properly.
The Linux operating system makes it a little more difficult to recover a deleted file, but data still remains stored in disk sectors even after it has been “deleted.” Even storage devices such as flash media or USB sticks, smart phones and iPods give the impression that data is deleted when it is not.
In yesterday's office, paper shredders sufficed for most data destruction tasks. Today, digital media has overtaken — though not replaced — paper documents, posing new challenges.
The U.S. Department of Defense (DoD) and NATO recommend overwriting data on computers three times to ensure that files are unrecoverable with a standard called DOD5220.22-M. This specification requires that every single location on a magnetic media device is written to three individual times, first by writing a fixed value of (0x00), then its complement value of (0xff), and finally random values.
Many data delete programs offer the DoD standard, as well as other deletion standards, including the highly regarded Gutmann method, which is a time-consuming algorithm that writes a series of 35 patterns over a shredded region, including 27 random-order passes using specific data and eight passes with random data.
Data Delete Programs on the Market
BT Software ranks disk wipe methods according to grades. Grade 1 is assigned to Super Fast disk wipe with “low security,” and Grade 14 indicates “very high security” (with no mention of how long it might take), which combines DoD 5220.22-M with the Gutmann Method. BT rates the DoD standard as Grade 10; Its product, FILExtinguisher, covers off all 14 levels.
Other vendors include White Canyon, which offers a variety of programs for permanent erasure of computer files, including Wipedrive, Media Wiper (for external hard drives, diskettes, memory cards and USB drives) and Wipe Drive PRO, for IT professionals who need to erase hard drive data on an unlimited number of computers.
Finland 's Blancco offers two products: Data Cleaner cleans an entire hard disk with “100-percent secure erasure,” while File Shredder permanently erases selected information on hard drives and other digital media.