It is quite common to experience panic when files and folders are permanently removed from the recycle bin on the desk top The good news is that even though the data appears to be gone forever, it is still on the system, albeit in a much more difficult place to locate. The bad news is that when these digital device are sold, recycled or even sent to the tip, the data is still there.
Few of us, stop to think of the amount of sensitive data that we store on our; computers, laptops mobile devices, cameras, USB drives and even printer and fax machines. Bank information; passwords, medical data, job applications, personal photos, contact lists, tax returns are just a few examples of personal data that is processed and stored by them on a daily basis.
Deleting files, reformatting storage devices or even using ‘back to factory settings’ does not remove this data! As such, the information is vulnerable to unauthorised - and even malicious - access.
The term ‘dumpster diving’, where criminals sift through waste to commit identity theft, applies just as much to technology as it does un-shredded documents.
EXAMPLES OF DATA BREACHES
On a printer used by a New York construction company, CBS News found "design plans for a building near Ground Zero in Manhattan; 95 pages of pay stubs with names, addresses and social security numbers; and $40,000 in copied checks."
On another machine, used by a New York insurance company, "300 pages of individual medical records." were discovered with "everything from drug prescriptions, to blood test results, to a cancer diagnosis."
WHAT CAN I DO?
1. OVERWRITING: This is a process of preparing media for reuse by writing random 0s or 1s over the entire storage device. Overwriting data uses multiple passes and the more overwrites the better. However, data may still be retrievable, especially on hard drives which have ‘bad sectors’. Think of these as areas on your hard drive that once stored important information, but are now faulty.
There are many open source tools, that will allow you to overwrite, including DBAN, Active@Kill Disk or CCleaner. Many SSD devices also include a ‘secure erase’ feature but this is by no means fool proof.
2. DEGAUSSING: This generates a heavy magnetic field to corrupt the data on magnetic media beyond the point of retrieval. This works reasonably well for tapes, floppy disks and some hard drives, but there is still no guarantee. You should also remember that degaussing will not work on CDs and DVDs (which are optical) or SSDs (which are integrated circuits).
3. DESTRUCTION: This is the most secure method of sanitising media and includes; incineration, crushing, shredding, disintegration and dissolving using acidic chemicals. Like degaussing, destruction often requires the services of an accredited disposal company and can be quite expensive. However, reputable companies will issue a certificate of disposal, which provides a guarantee that the data is irretrievable.
THE UNIQUE CHALLENGES OF CLOUD COMPUTING
In Cloud Computing, the cloud vendor will not destroy hardware when a customer leaves. Instead, they are repurposed for other users. Nor is it common to overwrite media, because the data is usually in a constant state of flux within in a pool of resources.
To ensure data is safe from unauthorised access in the cloud, therefore, an organisation must make sure that sensitive data is encrypted. When cloud services are no longer required, the keys to access this information are destroyed. The storage of these keys and their destruction (known as ‘cryptographic erasure’) must be carefully considered before moving into this type of environment.
Many devices are able to encrypt data as it is stored; adding an additional layer of security when devices are disposed of.
Best practice dictates that if storage media is to be reused, subsequent data must be of the same sensitivity/classification as the original data. For example, a hard drive that stores ‘Secret’ data would not be downgraded to ‘Unclassified’.
Make sure that all digital devices, to be disposed of, are securely stored pending collection by a disposal company.
See something not quite right? Email: EMSOUCyberProtect@leicestershire.pnn.police.uk