In Depth

PC Disposal: Hard-Disk Risk

Are all those old hard drives you're getting rid of completely wiped clean of important company data? Don't be so sure.

By Simson Garfinkel

Page 3

The best disk sanitizers come on a bootable floppy or CD-ROM. You insert the removable media into the computer to be wiped clean, boot the computer and verify your intentions to the program. It does the rest. Clearly, these programs can be dangerous in the hands of a disgruntled employeeone reason it's always a good idea to restrict physical access to your most important systems. One disk sanitizer I'm particularly fond of is called Autoclave. You can download it from staff.washington.edu/jdlarios/autoclave, write it to a floppy and go to town.

But the study that Abhi and I did shows that many organizations are simply not taking the problem seriously.

One key reason for today's poor disk sanitization practices is that it's very difficult to tell the difference between a disk that has been properly sanitized and one that's simply been reformatted. Both look blank to the untrained technicianyou need forensic tools to tell the difference. You also need to put the drive in a working computer. So simply checking to see if a disk is sanitized can be prohibitively expensive in many cases.

Another reason, we suspect, is that most people don't appreciate the riskthe used-computer market is literally awash with personal information from businesses and individuals, yet there are relatively few cases of that information being used for nefarious purposes.

Is data left on salvaged hard drives a problem for the typical CSO? I think it is. We spend so much time and money trying to protect the information on our computers, it's utterly irresponsible for us to then just throw it out. Why should the confidentiality of data in your organization depend on the good intentions of a person who buys one of your used drives?Search and RecoveryThis whole world of disk sanitization can be very off-putting to the average CSO. Many people maintain that shadowy organizations such as the National Security Agency can retrieve data from a hard drive even after that data has been overwritten with a random pattern. Some say that you need to overwrite a hard drive not once, but seven or even 22 times.

Such lore has even made its way into the disk sanitization programs. SuperScrubber from Jiiva, one of the few Macintosh data sanitization products, offers five so-called security levels: Simple (not secure), Simple + Verify (not secure), Strong, Military and Paranoid. Why in heaven's name would a security professional use a security program in a manner that the program itself claims is not secure? Such attitudes and programs make the task of erasing hard drives seem so daunting that many people are apparently scared away. Why try to solve a problem that's basically unsolvable?

RESOURCE CENTER
Loading...
VIRTUAL CONFERENCE
Data Center Directions Virtual Conference

Data Center VCAttend this free, 100% online event exploring tools and techniques for making your data center deliver for today and tomorrow.

» Learn more and register here

WHITE PAPER
Maximizing Site Visitor Trust Using Extended Validation SSL

VeriSignNow with Extended Validation (EV) SSL available from VeriSign, you can show your customers that they can trust your site. Learn about EV SSL benefits in the free VeriSign white paper.

» Read the Paper

Featured Sponsors