Dumpster-diving for e-data

Discarded flash drives, laptops, and PCs could be leaking critical information to a competitor

Kocher notes that modern notebooks and desktops are powerful enough that encryption won't significantly slow down other applications. The larger obstacle, he says, is that encryption creates "one more password for somebody to remember," and that the IT staff must create processes to recover encrypted data "if somebody loses their password or leaves" the organization.

Encryption is so widely available and easy to use that the loss of unprotected  ata "speaks loud words" about the IT policies of the company involved, says  Neel Mehta, team leader of X-Force Advanced Research & Development at IBM  Internet Security Systems. His group strongly recommends that its customers encrypt sensitive data wherever it resides, whether it's at rest on a hard drive or being transmitted over a private or public network.

To prevent, or at least detect,  insider data theft, many vendors offer software that can restrict the use of physical ports on a computer or even dictate what types of files they can download to which types of devices.

USB-Defender from TriGeo Network Security, for example, detects the insertion of devices such as flash drives into USB ports, captures details about the device and logs every file copied to or from the device, according to  a company spokesman.

Jeff Fuhler, information security officer at the Nevada Office of Veterans Services, uses Sanctuary device control software from PatchLink (formerly SecureWave) to protect sensitive information. Because Windows will automatically configure portable storage devices such as USB drives, allowing them to upload or download data, he has configured Sanctuary to deny access to such mobile storage devices except for users to whom he has specifically granted access.

Credant Technologies' Mobile Guardian provides server-based control over portable devices, enforcing policies covering areas such as what data can be transferred to or from the devices and the strength of the encryption and the passwords used on them.

Mobile phones and PDAs such as BlackBerries also pose a risk because of their ability to receive and store e-mail. But observers say most of them support encryption and note that administration tools allow administrators to automatically deny access or even wipe the data from them if anyone repeatedly enters an incorrect user name or password.

End of life protection

After a device is disposed of, the Dumpster becomes the greatest risk. Depending on the sensitivity of the data on the drive, IT managers can rely on anything from low-cost manual processes and commercial software to physical destruction to be sure no data can be taken from a disposed-of device.

As most IT managers know, simply reformatting a hard drive just erases the directory information that indicates where data is stored, but doesn't erase the data itself, says Kocher. A wide variety of tools, ranging from freeware and shareware to commercial software do an effective job wiping data from hard drives. Just completely filling a drive with meaningless data does "a reasonably good job of erasing the content," says Kocher. Some users pass a powerful magnet over a disk drive (or magnetic tapes) to scramble the magnetic orientation of bits and bytes that stores the actual data on the media in a process known as degaussing.