SecurityInfoWatch




Home » Magazine Archives » September 2007

Security Technology Executive

Updated: March 5th, 2008 02:12 PM EDT

When 'Delete' Is Not Enough

Data Destruction in the Digital World


By John Livingston

When researchers at the University of Glamorgan in Wales, Edith Cowan University in Australia and British Telecommunications (BT) bought and scanned more than 300 used hard drives at computer fairs, auctions and over the Internet, they found payroll information, invoices, employee names and photos, IP addresses, mobile telephone numbers and even financial data such as bank account and credit card numbers.

Of the disks purchased, 49 percent contained personal information and 47 percent had corporate data. Although most of the drives appeared to have had their data superficially removed, data recovery utilities, including widely available freeware, were capable of revealing files that had been deleted but were not sufficiently overwritten or destroyed.

This startling research indicates that, despite highly publicized examples, organizations and individuals continue to take a 'laissez-faire' approach to data disposal and information security. To safeguard data and mitigate risk (e.g., identity theft, public embarrassment, lawsuits, fines and possibly even jail time), organizations need to put stringent policies in place and adopt state-of-the-art security technologies. Here are some best practices and safeguards that will help ensure sensitive data does not fall into the wrong hands.

Discarded But Not Destroyed

The average computer user has been lulled into a false sense of security by the Recycle Bin on their Windows desktops or the Trash Can on their Macs. Neither approach thoroughly eliminates data with a typical delete; the computer simply removes the index entry or pointer to the trashed data file, earmarking that region of the disk for eventual re-use. Partitioning a disk or formatting a drive also does not erase hard drive data properly.

The Linux operating system makes it a little more difficult to recover a deleted file, but data still remains stored in disk sectors even after it has been “deleted.” Even storage devices such as flash media or USB sticks, smart phones and iPods give the impression that data is deleted when it is not.

In yesterday's office, paper shredders sufficed for most data destruction tasks. Today, digital media has overtaken — though not replaced — paper documents, posing new challenges.

The U.S. Department of Defense (DoD) and NATO recommend overwriting data on computers three times to ensure that files are unrecoverable, under a standard called DoD 5220.22-M. This specification requires that every location on a magnetic media device be written to three separate times: first with a fixed value (0x00), then with its complement (0xff), and finally with random values.
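The three-pass sequence described above, applied to a single file with a read-back check after each fixed-value pass. This is an added example, not code from the article or from the standard; the function names and the sample data are hypothetical, and it works at the file level rather than on every location of a device.

```python
import os
import tempfile

# Added illustration; all names below are hypothetical.
CHUNK = 1 << 20  # 1 MiB per write so large files are not held in memory
DOD_PASSES = (0x00, 0xFF, None)  # fixed value, its complement, then random (None)

def write_pass(f, size, fill):
    """Overwrite bytes 0..size with `fill` (or random data if fill is None)."""
    f.seek(0)
    left = size
    while left:
        n = min(CHUNK, left)
        left -= f.write(os.urandom(n) if fill is None else bytes([fill]) * n)
    os.fsync(f.fileno())  # force this pass to the device before the next one

def verify_pass(f, size, fill):
    """Read the file back and confirm every byte equals `fill`."""
    f.seek(0)
    left = size
    while left:
        block = f.read(min(CHUNK, left))
        if not block or block.count(fill) != len(block):
            return False
        left -= len(block)
    return True

def overwrite_file(path, passes=DOD_PASSES):
    """Overwrite `path` in place; return the number of bytes covered per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:
        for fill in passes:
            write_pass(f, size, fill)
            if fill is not None and not verify_pass(f, size, fill):
                raise OSError(f"verification failed after 0x{fill:02x} pass")
    return size

def demo():
    """Constructed sample data: show what each stage leaves in the file."""
    secret = b"card=0000-0000-0000-0000 (constructed sample)\n" * 64
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(secret)
    try:
        overwrite_file(tmp.name, passes=(0x00, 0xFF))
        after_two = open(tmp.name, "rb").read()
        size = overwrite_file(tmp.name)  # full three-pass sequence
        final = open(tmp.name, "rb").read()
    finally:
        os.remove(tmp.name)  # only now drop the directory entry
    return size == len(secret), after_two == b"\xff" * len(secret), b"card=" in final
```

Overwriting a file in place only reaches the sectors the file system currently maps to that file. On flash media with wear levelling, or on journaling and copy-on-write file systems, earlier copies of the data can remain in blocks this code never touches.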


Copyright 2009 Cygnus Business Media






