17 Feb 2005
Much of the focus on IT security procedures in recent years has concentrated on hackers, viruses and other malicious threats.
But many organisations are overlooking some very basic protection measures.
An investigation by the University of Glamorgan's Information Security Research Group (ISRG), revealed exclusively to Computing, discovered highly-sensitive data on used computer disk drives bought from various public sources, including eBay.
In two cases involving multinational companies, enough information was found to allow the security of both organisations to be breached. The data obtained, including staff records, passwords, emails and financial data, was less than a year old.
There was also enough information to allow a hacker to map the companies' computer systems in sufficient detail to make an attack likely to succeed, says Dr Andy Jones, security research group leader for BT Exact, who examined the disks.
'On at least seven of the disks there was enough information to allow a hacker to get into an organisation,' he said. 'The data there allows a hacker to understand what's behind a firewall and what they need to do to get in, but as there were passwords and user names, they were through and that's game over.'
Among other data easily retrieved from the disks was personal information on children from a primary school, including school reports, an extensive list of pupils, letters to parents and psychological information.
The ISRG study also revealed data from some universities that would have allowed access to central systems, and which contained personal staff emails.
In one case, researchers discovered an official document template for printing the university's degree certificates.
'The single most striking thing that came out of this was that companies and organisations that are meant to be data wiping are not,' said Dr Andrew Blyth, head of the ISRG.
The implications of such confidential information reaching the public domain are widespread - from criminals gaining access to systems, to legal issues such as breaching the Data Protection Act (DPA).
Tony Neate, head of industry liaison at the National Hi-Tech Crime Unit, says the ISRG research shows how easy it is to access information that is not adequately protected.
'Encryption and other security measures are vital to ensure that security is not compromised,' he says. 'Something as simple as a hard disk drive password can deter the opportunist.'
Data protection watchdog the Information Commissioner's Office says proper measures are vital.
'It is essential that companies have appropriate procedures in place to ensure that personal records on computer hard drives are rendered unrecoverable when they dispose of computer equipment,' said assistant commissioner Phil Jones.
'Under the DPA, companies have a duty to store personal information securely and delete it when it is no longer required.'
There is no shortage of freely available guidance on safe disposal of computer equipment. The international IT security standard, ISO/IEC 17799, says: 'Information can be compromised through careless disposal or reuse of equipment.
'Storage devices containing sensitive information should be physically destroyed or securely overwritten rather than using the standard delete function.'
The British Educational Communications and Technology Agency (Becta) has issued advice to schools.
'Schools have legal responsibilities for the personal data which will be on hard disks. Just deleting files or even formatting the disk is not sufficient, since widely available software programs can recover some or all of the information,' say the Becta guidelines.
And the Communications-Electronics Security Group (CESG), the information assurance arm of GCHQ, has issued Infosec Standard 5, a list of recommendations for government that is considered best practice.
Many security vendors obtain accreditation of their products to this standard. Jon Godfrey, managing director of one such company, LCS, says it costs just £3 to wipe a disk properly.
An unsuccessful attempt had been made to destroy the data on nearly half of the disks in the ISRG study. Blyth says the university used the most basic methods to recover information.
'Everything that we did could have been done by an individual with a little bit of know-how and some freeware that is easily obtained from the web,' he said.
How to erase data securely
* The government issues official guidance, sets standards, and provides product certification for secure data erasure through the Communications-Electronics Security Group (CESG)
* CESG's guidance on the reuse or disposal of computer storage media is detailed in Infosec Standard 5, which also covers secure data erasure. See www.cesg.gov.uk/site/publications/media/directory.pdf
* Secure data erasure requires overwriting every sector of the disk to destroy any pre-existing data. Deleting files or reformatting a disk only removes the references to the data, not the data itself; both are reversible and therefore inadequate
* Specialist software can perform any number of overwrite passes, chosen according to the sensitivity of the data. The more overwrite passes performed on a disk, the more secure, but the more time-consuming, the process
* At CESG's 'baseline' level, the software overwrites every sector of the disk with one pass of randomly generated data. At 'enhanced' level every sector is overwritten three times. For most companies' routine data-wiping needs, the 'baseline' standard is usually adequate.
Source: Computer Aid International
www.computer-aid.org
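The difference between "delete", "format" and a sector-by-sector overwrite that the guidance above describes can be shown on a toy disk image. The following is an added example, not code from the article, CESG or Computer Aid International: the 64-sector image, its one-sector directory "filesystem", the sample staff records and the `carve` regex are all constructed for illustration. It mimics what recovery freeware does (scan raw sectors, ignoring the directory), then wipes every sector with random data for one pass (the article's "baseline") or three (its "enhanced") and verifies nothing survives.

```python
"""Toy disk image: why delete/format leave data recoverable and an
all-sector overwrite does not.  Everything here is constructed for the
example; no real filesystem or drive is touched."""
import os
import re

SECTOR = 512
SECTORS = 64  # assumption: a 32 KiB toy disk so the demo runs in milliseconds


class ToyDisk:
    """Sector 0 holds a directory ('name:start:len' per line); data follows."""

    def __init__(self, sectors=SECTORS):
        self.img = bytearray(sectors * SECTOR)
        self._dir = {}   # name -> (first sector, byte length)
        self._next = 1   # next free sector

    def _flush_dir(self):
        table = "\n".join(f"{n}:{s}:{l}" for n, (s, l) in self._dir.items()).encode()
        self.img[0:SECTOR] = table.ljust(SECTOR, b"\0")[:SECTOR]

    def write_file(self, name, data):
        start = self._next
        self.img[start * SECTOR:start * SECTOR + len(data)] = data
        self._dir[name] = (start, len(data))
        self._next += -(-len(data) // SECTOR)  # ceil(len / SECTOR) sectors used
        self._flush_dir()

    def delete_file(self, name):
        """Standard delete: drop the directory entry, leave the data sectors alone."""
        del self._dir[name]
        self._flush_dir()

    def quick_format(self):
        """Quick format: rewrite only the directory sector; data sectors untouched."""
        self._dir.clear()
        self._next = 1
        self._flush_dir()

    def carve(self, pattern):
        """What recovery freeware does: scan raw sectors, ignoring the directory."""
        return re.findall(pattern, bytes(self.img))

    def secure_wipe(self, passes=1):
        """Overwrite every sector, directory included, with fresh random data.
        passes=1 is the 'baseline' level, passes=3 the 'enhanced' level."""
        for _ in range(passes):
            for s in range(len(self.img) // SECTOR):
                self.img[s * SECTOR:(s + 1) * SECTOR] = os.urandom(SECTOR)
        self._dir.clear()
        self._next = 1

    def verify_wiped(self, pattern):
        """Post-wipe check a disposal procedure should always include."""
        return not self.carve(pattern)


# Constructed sample records and the pattern a carver would look for.
RECORD = rb"user=[a-z]+;password=[A-Za-z0-9!]+"


def demo(passes=1):
    """Return how many credential records are recoverable at each stage."""
    d = ToyDisk()
    d.write_file("staff.txt",
                 b"user=alice;password=Winter2005!\nuser=bob;password=hunter2\n")
    d.write_file("memo.txt", b"Merger due diligence - confidential\n")
    d.delete_file("staff.txt")
    after_delete = len(d.carve(RECORD))   # both records still on disk
    d.quick_format()
    after_format = len(d.carve(RECORD))   # still there
    d.secure_wipe(passes)
    after_wipe = len(d.carve(RECORD))     # gone
    return {"after_delete": after_delete, "after_format": after_format,
            "after_wipe": after_wipe, "verified": d.verify_wiped(RECORD)}


if __name__ == "__main__":
    print("baseline (1 pass):", demo(1))
    print("enhanced (3 passes):", demo(3))
```

Two points the toy cannot show but a disposal procedure must cover: the overwrite has to reach every addressable sector of the physical drive, not just the partitions the operating system mounts, and sectors the drive has remapped as bad are not reachable by ordinary writes at all, which is one reason the standards quoted above offer physical destruction as the alternative for the most sensitive data. Whatever tool is used, the verification step, reading the drive back and carving for known sensitive patterns, is what turns "we ran a wipe" into "the data is gone".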