Patrick Lambert reminds IT pros about the importance of securely wiping hard disks clean, especially if you're in the process of disposing, selling, or donating old computers and other devices.
Now that 2012 is getting closer, and the end of the world may be close by (or not), it's time for a public service notice that everyone should keep in mind -- something that's been said before, but bears repeating. You too can help prevent the apocalypse, at least for your own private data, or your corporate data, before computer systems or any type of memory gets passed to the wrong hands. Just this month, we learned that a large computer store, Staples, was still selling used computers without clearing the previous data on their disks. The thought that to this day, this basic precaution wouldn't be taken, can be quite shocking. If such a high-volume store can make this mistake, anyone can. Of course, as IT pros, we'd never think about selling a used system that contains confidential information. Well, that is, unless we forget; hence, the reminder. If one of your end-of-year tasks is to inventory and get rid of old equipment, here are a few tips.
Securely wiping computer hard drives
It doesn't take much to recover deleted data. Let's not forget that when something like a file gets deleted on a modern operating system, the only item that is truly wiped is the file descriptor at the front of the disk. The actual file remains intact, until something else comes along and overwrites that data. And with the sizes of disks today, that may take a long time to happen. Dragging a document to the recycle bin has no impact on the actual data on the disk, and there are dozens of tools out there that can bring a file back to life, using all sorts of techniques, from simple ones like undeleting the file, to complex forensic software that can piece together a document that has been partially overwritten. Some people have a lot of time on their hands, and access to all of these programs, which is why a complete disk wiping is crucial.
Since simply deleting the file won't do, you need special software that you can use on any disk that may be going out of your hands, such as when your business changes its PCs, and sells the old ones off. A favorite for years now is Disk Boot And Nuke, or DBAN, which has helped clean up disks for many years now. Since then, many more programs have appeared, and certainly you can find dozens with a quick Google search. They all operate fairly similarly. The idea is to overwrite the whole disk with random data, and to do it several times. The reason is because of residual data, which can leave just enough information for the bad guys to get those confidential documents back. Each hard drive maker also provides a utility to do a clean disk wipe, which can work well if you want a free alternative. Most of these programs will allow you various levels of erasure, and usually you should make sure the disk gets completely overwritten at least three times.
Don't forget the flash drives
So now that you know what it takes to safely wipe a disk, and you remember to actually do it for every system you're about to ship off, you can feel secure that your computers won't leak out secret information. Remember that even if your department knows what to do, if you're in a large company and several departments have the authority to sell off used equipment, they must all adhere to this policy. Once that's done however, there are still a few places that can easily be forgotten. The first one is flash drives. Those aren't often sold, usually they are used until they die and then thrown away. But a dumpster diver can easily recover them, and the same tools can be used to retrieve documents from them. For any kind of flash media, you can use one of the tools made especially for this type of media, like Roadkil DiskWipe, which will perform a similar function, wiping the data completely by overwriting it. This can work for any media that has a drive letter, and should be done before you throw away any old SD card or thumb drive.
Smartphones and tablets
Finally, there's the issue of data contained on other devices, such as smartphones and tablets. There really isn't any standard for secure deletion from those items, and it can be a challenge to transfer them securely. At a minimum, you should do a factory reset, but someone could still hack into the phone, root it, and recover the data. You could always store old phones in a drawer and not sell them or throw them away, but that may end up taking a lot of room. When there's no obvious solution, there's always the more brutal, physical way to deal with the problem, by using a magnet, or simply destroying the device, making it physically impossible for any data to survive. This can be somewhat costly however, and that's where you need to decide how crucial your smartphone data really is.
We all know the risks of sending off used computing equipment outside the corporate firewall, and the need for wiping out old data, but it can be daunting to realize just how many devices we have in our possession that contain sensitive information, and how hard it is to safely wipe every bit of data on every type of device out there. Still, by knowing the problem, we can keep this in mind, and apply proper protocols that will ensure a minimum of risk.
Do you have favorite tools or methods for secure data deletion? Share them with us below.