Dumpster-diving for e-data
Dumpster-diving -- going through trash bins in hopes of finding paper records with valuable information like customer names or future product plans -- is alive and well in the age of USB flash drives and portable music players.
Every user who throws away (or loses) a keychain-size flash drive could be unintentionally leaking critical information to a competitor. Any of the tens of millions of desktop and notebook computers disposed of each year in landfills, junkyards, and yard sales could be a rich trove of corporate data left on a hard drive by lazy users or IT departments.
Dumpster-diving remains "an extremely effective way of gathering a lot of information quickly," says Dennis Szerszen, senior vice president at patch management and security software vendor PatchLink. "It's become even more of a threat with the added dynamic that removable media brings to the table."
But any IT manager who lets sensitive data get out the door into the trash can -- or anywhere else PCs or mobile devices are disposed of -- has only himself to blame. Tools ranging from low-cost or free disk-wiping software to low-cost encryption and more-expensive "disintegration" machines for disk drives are available for any IT manager with the will and awareness to use them.
Risk Factors "Dumpster-diving" originally referred to going through the trash looking for paper records that might hold valuable information such as customer names, product plans or budget projections. Paper records still pose a challenge, of course.
As an estimated 50 million or more PCs, notebooks and servers are disposed of each year, the information they hold also poses a new and growing risk for their former owners. New portable storage devices, such as USB flash drives and portable music players, can store gigabytes of data and make it easier for a disgruntled insider to download and walk out the door with sensitive information. Moreover, handheld computing and communications devices such as BlackBerries and PDAs can, via e-mail, funnel sensitive data out of the organization -- or let viruses or other malware in.
Converge Global Trading Exchange in Peabody, Mass., offers an IT asset disposal service called NextPhase. Chris Adam, director of NextPhase says "the hot topic now is portable devices, BlackBerries and other PDAs, cell phones and even USB drives. We get requests all the time [asking] 'How do we secure those?'"
Lines of defense
The easiest, least expensive technology for protecting digital information is encryption. Observers say modern encryption software is inexpensive and easy to use and is capable of protecting virtually any organization against the theft of data on devices after they are disposed of -- or if they are lost or stolen.
Among the vendors offering free or low-cost encryption, are TrueCrypt Foundation, PGP, and Voltage Security, according to Paul Kocher, president and lead scientist at Cryptography Research, a security consulting and technology licensing firm in San Francisco. "In a lot of cases organizations already have the software they need," he says, citing the BitLocker encryption included in some versions of Microsoft's Windows Vista operating system. "It's just a question of getting the configuration right and the policies right and training users."
"Encryption," says Szerszen, "is far too available not to be making use of it."
Kocher notes that modern notebooks and desktops are powerful enough that encryption won't significantly slow down other applications. The larger obstacle, he says, is that encryption creates "one more password for somebody to remember," and that the IT staff must create processes to recover encrypted data "if somebody loses their password or leaves" the organization.
Encryption is so widely available and easy to use that the loss of unprotected ata "speaks loud words" about the IT policies of the company involved, says Neel Mehta, team leader of X-Force Advanced Research & Development at IBM Internet Security Systems. His group strongly recommends that its customers encrypt sensitive data wherever it resides, whether it's at rest on a hard drive or being transmitted over a private or public network.