Watch out for the “Cyber Bag Lady”… Old devices and media may be just what she’s looking for
With the decreasing cost of electronics and media these days, we tend to go for new items rather than maintain the old. But just because we have a new device for short- or long-term storage doesn’t mean we can carelessly toss the old one aside.
Have a look around your office for used diskettes, recordable CDs and memory cards. How many of them have labels indicating what’s on them? I’ll bet that maybe some of the CDs have chicken-scratched labels. Also, does anyone in your organization use MP3 players or digital cameras to transfer files between your network and laptops or other networks?
Those kinds of media are very hard to secure without making them unusable for their original intended purpose.
Finally, when your computers get too old to do the job, or break down, is anyone responsible for wiping data off their hard disks?
These are all issues caused by our need for speed. We have a job to do, and the sooner we get on with it the better. However, it is well worth it to enforce some discipline when upgrading and casting off older devices. More and more breaches are exposing large amounts of sensitive information in media that aren’t properly tracked and secured. Here are a few important guidelines to ensure data is not picked up by the Cyber Bag Lady…
- Have labeling and handling policies for all removable media. This will allow people to tell what is on something when they see it, and keep things from being left lying around or being thrown out because nobody knows what’s on them. It also makes it easier to tell which media can be re-used.
- Use disk encryption for ALL mobile devices that might leave the office. It’s relatively easy to implement and will save a lot of headaches if the device falls into the wrong hands. This is true at all levels. Executives may not carry a lot of data, but it may be extremely valuable to people outside the organization (not just competitors).
- Use secure deletion utilities for mobile devices and any rewritable media that is about to be discarded. Because of optimization algorithms used by file systems, many files are still recoverable after you think you’ve deleted them.
- Shred CDs that are no longer useful for scratch copies or archives. Shredders are available that can destroy CDs properly. Sometimes that’s the only way to be sure they are safely disposed of.
- Do not allow unauthorized devices to be used for storing sensitive information. This makes it too hard to control where the information goes, and where it may be left lying around.
- Keep an inventory of all USB and rewritable media. This provides another good reason to have labels on everything. It’s much easier to track inventory when it’s labeled.


mroonie on 31 Aug 2007 at 12:17 pm #
2. Use disk encryption for ALL mobile devices that might leave the office. It’s relatively easy to implement and will save a lot of headaches if the device falls into the wrong hands. This is true at all levels. Executives may not carry a lot of data, but it may be extremely valuable to people outside the organization (not just competitors).
This is a great point. It’s interesting because I’ve read similar advice months ago but when I read it now, it just seems more realistic. There are a great many solutions out there that are making encryption and information protection much more attainable without too much time/money going into it. They even have Flash drives now that are accompanied with encryption capabilities!
A technique I like to use is to label my CDs in different colors to show what’s on them. You obviously don’t want to write the words “sensitive data” on a CD that has sensitive content. So what I do is anything that doesn’t have sensitive content, I use a black sharpie to label what’s on the CD. For CDs with sensitive content that I know I need to destroy/follow up on, I write with a Red sharpie and just write something like “CD #2” or some way of letting me know what’s on the CD without actually labeling the CD as such.
For some more tips on protecting sensitive content, I wrote an article about recycling old computers quite a while back. It gives some good tips about why and how to go about doing it if you’re thinking about selling/recycling/donating your old computer…
Scott on 31 Aug 2007 at 10:10 pm #
@mroonie
Good points. I was expecting people to say, “Well if you label media as sensitive, doesn’t that just make casual observers more curious about what’s on it?” So, you have solved part of that problem with a bit of obscurity. You could also argue that if it is encrypted, it won’t matter if they try to look at it. They won’t be able to.
mroonie on 04 Sep 2007 at 1:03 pm #
Yes. Isn’t encryption a great thing? I mean sure people will argue that it’s a hassle which may be true, but you also have to take into consideration that the idea of virtual security and encryption is still relatively young. As the industry grows and the concept becomes more familiar, I believe encryption will soon become an everyday necessity.
Scott on 07 Sep 2007 at 12:08 pm #
@mroonie,
I’m not sure if it’s entirely possible, but I’d like to see encryption become invisible in all modes. Just like how an OS handles file extensions these days, the application or relevant pieces at lower levels of the stack should be able to figure out how to encrypt and decrypt, as required, and go get the keys needed, as required; and integrate with access controls, as required.
We all must dream, right?