AlertBoot Endpoint Security

  • Hard Drive Encryption Software: 'MagicKey' Program For Disabled On Stolen Computer

    A professor in Brazil has found his research set back by six months due to the theft of a computer from a university building.  The initial assumption was that the computer was stolen so that it could be resold, but the professor is not so sure now.  While not mentioned, it's quite apparent that drive encryption software was not used to secure the contents of the stolen computer, which could be a good thing (possibly).

    MagicKey Software - Maybe the Magic Is In Backing Up Data

    Professor Luís Figueiredo, at the Polytechnic Institute of Guarda (Escola Superior de Tecnologia e Gestão do Politécnico da Guarda), has been researching and developing since 2004 a software package for disabled people.  Dubbed "MagicKey," it allows disabled people to control computers with the movement of the eyes.

    It seems the only backup of the software was done at the beginning of the year which, honestly, is the good professor's fault.  I'm sure he's a busy man, and he's got plenty of things on his plate, but he should have periodically made backups.

    I mean, what if he didn't lose his data because his laptop got stolen?  What if he had dropped the computer while carrying it around?  His research would still be set back by 6 months, and in that case there literally would be no one else to blame but himself.

    There are many facets to data security.  One of them is preventing its theft so others won't "share" that data with you (preventing a case of "you have it; they, too, have it"); the other is ensuring continued access to the data no matter what (preventing a case of "they may or may not have it, but you certainly don't").

    Backing up data is the only method of ensuring the second scenario does not take place, especially if one's laptop gets stolen.

    The Signs

    There are signs, however, that the theft of Prof. Figueiredo's laptop wasn't just random.  First, there is the fact that the computer was stored in a cabinet at the far end of a corridor with minimal traffic.  Indeed, the only reason one might find himself on that corridor is because he has to go to that cabinet.

    The second is that other items of value in the vicinity were not stolen.  Stored inside the cabinet, right next to the laptop, were a cellular phone and a digital camera.

    There is also the fact that a security camera pointing towards the cabinet had been broken since April, and couldn't record images. (This is either a heck of a coincidence or a carefully planned-out theft.)

    An Appeal

    The professor has made an appeal for the thief to allow him access to his research.  He doesn't really need the laptop back, just his work.  Apparently, there is software installed on the stolen laptop that will allow him to make backups remotely.

    Of course, this implies there is no encryption software like AlertBoot installed on this particular computer.

    Assuming that the computer was not stolen because of the MagicKey software, it may be fortunate that hard disk encryption was not used.  On the other hand, it's a less than ideal situation.

    What should have happened: the professor should have encrypted the contents of his laptop and made backups of his work (which would also require encryption).


    Related Articles and Sites:
    http://www.novaguarda.pt/noticia.asp?idEdicao=184&id=12224&idSeccao=2510&Action=noticia

  • Drive Encryption Software Matters: Working At Home Can Eventually Cause Data Breach

    Another article, this time from the irishtimes.com, shows how second-hand hard drives sold on on-line auction sites contain enough information to make identity thieves very happy.

    A twist on this particular story, however, is that these drives are being traced back to employees who work at home on their personal computers (personal as in the state of ownership, not the size of the computer).  Information protection services like AlertBoot data encryption software would help prevent such breaches...but can a company dictate that employees use encryption on their home PCs?

    Second-Hand Drives' Contents

    A study by Ernst & Young has revealed that used drives bought for as little as five Euros can contain extremely sensitive information such as bank account details, confidential e-mails, etc.

    In most cases, the sellers hadn't even erased the information, which was readily accessible.  Some had gone through the process of deleting files or reformatting the drive; however, as the E&Y guys correctly pointed out, it's still easy to retrieve data.

    Reformatting the drive, for example, doesn't really erase data.  What it does is the following:

    • Erases data on the address tables (i.e., bookkeeping information to keep track of where your data files can actually be found.  Information for the same file can be separated into chunks and saved in different parts of your drive, and is reassembled when called for)
    • Runs disk checks to figure out sector reliability, and marks the bad ones as unusable
    • Creates a new address table since the old one was erased

    In other words, most of your data is still there...it's just that the computer can't find it on its own (on account of having deleted the address tables).  However, there is plenty of cheap software out there that can recover this information for you.

    Likewise, deleting data just marks a particular area in the hard drive as "available for data to be written."

    Deleting Data? No!  Overwriting Data

    Technically, there is no way to "delete" data.  As pointed out, what gets deleted is essentially the way for the computer to retrieve that particular piece of information.  The only way to "delete" data is to replace it.

    And, the only way to replace data is to write over it with new data.  In fact, what your IT department does prior to tossing a hard disk is pretty simple: use data writing software on them to write random information throughout the disk.

    Run it three times or so for modern disks, and it's pretty much guaranteed that the old data--the sensitive e-mails, bank account numbers, etc.--will not be recoverable.
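
The point of the last two sections, as an added example that is not part of the original post: a constructed toy disk with an address table, where deleting and reformatting leave the raw sectors intact and only overwriting removes the data. The `ToyDisk` class, the sector size, the file name and the account number are all made up for illustration.

```python
import os
import re

SECTOR = 64  # toy sector size in bytes (assumption; real disks use 512 or 4096)

# Constructed sample file; the account number is made up.
SAMPLE = (b"Acct: IE00TEST12345678901234; holder: J. Doe (constructed sample). "
          b"Notes: " + b"x" * 80)
PATTERN = rb"IE00TEST\d{14}"


class ToyDisk:
    """Hypothetical model: raw sectors plus an address table (name -> chunks)."""
    def __init__(self):
        self.raw = bytearray(SECTOR * 64)  # 4 KiB toy disk, all zeroes
        self.table = {}

    def write_file(self, name, data, sectors):
        # One file is split into chunks that may land in non-adjacent sectors.
        chunks = [data[i:i + SECTOR] for i in range(0, len(data), SECTOR)]
        if len(chunks) > len(sectors):
            raise ValueError("not enough sectors for this file")
        entry = []
        for chunk, s in zip(chunks, sectors):
            self.raw[s * SECTOR:s * SECTOR + len(chunk)] = chunk
            entry.append((s * SECTOR, len(chunk)))
        self.table[name] = entry

    def read_file(self, name):
        # Normal access path: reassemble the chunks using the address table.
        if name not in self.table:
            return None
        return b"".join(bytes(self.raw[o:o + n]) for o, n in self.table[name])

    def delete(self, name):
        self.table.pop(name, None)  # drops the bookkeeping entry only

    def quick_format(self):
        self.table = {}  # fresh, empty table; the sectors keep their bytes

    def overwrite(self, passes=3):
        for _ in range(passes):  # replace every byte with random data
            self.raw[:] = os.urandom(len(self.raw))


def carve(disk, pattern=PATTERN):
    """Scan the raw sectors directly, ignoring the address table."""
    return [m.group(0).decode() for m in re.finditer(pattern, bytes(disk.raw))]


def demo():
    disk = ToyDisk()
    disk.write_file("payroll.txt", SAMPLE, sectors=[5, 40, 12])
    disk.delete("payroll.txt")
    disk.quick_format()
    via_table = disk.read_file("payroll.txt")  # the computer can't find it
    after_format = carve(disk)                 # but the bytes are still there
    disk.overwrite(passes=3)
    after_overwrite = carve(disk)              # nothing left to recover
    return via_table, after_format, after_overwrite


if __name__ == "__main__":
    print(demo())
```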

    Using Encryption Software

    The use of encryption software can also achieve the same degree of security, since information is stored in a random format (it only turns back into usable information when a password is provided).  Assuming the password to access the encrypted disk is not attached to the drive, the contents of the drive are secure when one decides to sell it on eBay.

    The problem is--and I'm not a lawyer but I think this sounds about right--a company can't dictate what one does with his personal property.  I guess the correct solution would be not to allow corporate files to be downloaded to home computers, or to only allow encrypted files to be downloaded, or even to give corporate laptops to employees working from home.

    Since that particular computer is company property, installing encryption and protecting the contents would be feasible.


    Related Articles and Sites:
    http://www.irishtimes.com/newspaper/finance/2009/0703/1224249965663.html

  • Disk Encryption Software: PA State Rep's Laptop Stolen

    State Rep. Frank Dermody, a Pennsylvania state representative, has had his state-issued laptop computer stolen.  There was no sensitive data on the computer, according to the Pittsburgh Tribune-Review.  This is probably the best type of data security one could have: no sensitive data means no data breach.  But, this doesn't preclude the need for data security software like hard disk encryption from AlertBoot.

    Why Encryption And Other Security Software Needs To Be Installed

    The problem with computers is that generally one can't be absolutely sure that there was no sensitive information stored on them.  Sure, they start out being used for some "official" purpose, and documents are signed and initialed to establish that a computer user has read and understood an agency's computer security policies.

    But soon enough, the use of that computer devolves to other things as well, especially for laptop computers.  Why?  Because they are portable, and can be taken outside a workplace; and once they're out of the workplace...

    Maybe the kids will want to surf the net, and the home computer has been sent for repairs, so one turns to the work computer.  Or maybe the home computer can't be trusted, and one knows the workplace computer is better protected and maintained, so that's used for on-line banking...which actually turns out to be a phishing scam.

    So, even though it may not be the case in this particular instance, information security programs like encryption software, antivirus software, and other programs (as needed) should be installed on a computer.

    Maybe Encryption Software Was Installed?

    In the case of our state representative above, I get the feeling that disk encryption was used on the now-missing laptop.  According to the Pittsburgh Tribune-Review, the legislature's IT department "erased [Rep. Dermody's] password" when he contacted them about the laptop's theft.

    Which, outside the context of encryption, doesn't make much sense.  For example, let's say that there was password-protection on that computer.  If one gets rid of the password...well, what's protecting it?

    On the other hand, if an encrypted computer's password is deleted, encryption still protects the contents of that computer.  In fact, getting rid of the password is probably the best policy if a computer gets stolen.  This way, the only way to gain access to the computer is by figuring out the encryption key, which is harder to randomly guess than a password (well, assuming your IT guy did his job properly).

    Related Articles and Sites:
    http://www.pittsburghlive.com/x/pittsburghtrib/news/breaking/s_631883.html

  • New Jersey Personal Information Data Encryption Provision And Security Law

    New Jersey's personal information data breach laws contain a safe harbor for entities that use encryption (specifically, the New Jersey Statute 56:8-161 and 56:8-163).  I'm not a lawyer, but thankfully the law is written clearly and is easy to follow.

    Some Definitions

    As defined under 56:8-161, when it comes to data, a "breach of security" is

    ...unauthorized access to electronic files, media or data containing personal information that compromises the security, confidentiality or integrity of personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable.  [my emphasis]

    Of course, the law being the law, a definition of "personal information" is also required.  It's actually a combination of factors.  First, personal information must include a last name and either a first name or the first initial, and it must be combined with any of the following:

    • Social Security number;
    • Driver's license number or State identification card number; or
    • Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

    So, What If There Is A Breach?

    If your company loses, say, a laptop computer or a USB stick, and it was not protected via encryption software, it will have to disclose said breach to customers.

    The law does give the company some leeway.  According to 56:8-163, disclosure is not necessary if the company "establishes that misuse of the information is not reasonably possible."

    One can see how such a provision could be abused.  For example, even if hard disk encryption was not used on a stolen laptop with sensitive info, one could (in a state of denial or drug-induced misjudgment) come to the conclusion that there's no risk to the customers.  Which is why the law also requires that "any determination shall be documented in writing and retained for five years."

    In other words, you may have to justify your conclusions if the law comes knocking around.

    Notification Requirements

    OK, so you make the determination that you've got to announce a data breach and contact those who were affected.  How do you do it?

    According to 56:8-163, if the cost of providing notice is $250,000 or less, it must be a "written notice" or an electronic notice that is consistent with "section 101 of the federal Electronic Signatures in Global and National Commerce Act (15 U.S.C. s.7001)."

    A substitute notice to the above can be made if:

    • Notification cost exceeds $250,000; or,
    • Number of people to be notified exceeds 500,000; or,
    • There isn't sufficient contact information to notify all directly

    Substitute notices must include

    • Notification to major statewide media; and,
    • E-mail notice; and,
    • Posting on the company's website

    And that's just for getting in touch with people whose information was exposed.  There are other requirements dealing with law enforcement, consumer reporting agencies, and other issues.

    I guess the gist of the law is, use encryption programs to secure any sensitive information at your company.  Oh, and it goes without saying, get yourself a good lawyer...

  • Data Encryption Software: Sacramento Sutter Health Contacted About Laptop

    6,000 current and former employees at Sutter Health in Sacramento are being notified that they should keep an eye on their credit reports.  The warning stems from a surprise laptop data breach which looks to be contained.  Had a data security measure like laptop encryption software been used, the entire incident could have been avoided.  Nevertheless, Sutter should be counting its blessings.

    Repair Shop Contacts Sutter Health

    Sutter Health officials only learned of the data breach when a computer repair service called them last month regarding a laptop computer.  While there aren't enough details in the media as of yet, it looks like the computer was brought in for repairs, and in that process, the technicians found a file with sensitive information--SSNs and names, at least--and contacted Sutter.

    Sutter officials did not realize that the laptop was out and about.  According to an article at cbs13.com, it was believed that the laptop in question was still in possession of the employee who had been issued this computer back in 2007.

    It is not known who brought in the laptop for repairs, or what prompted the technicians to call up Sutter...which is pretty weird.  I mean, if a Sutter employee brings in a Sutter computer for repairs, what's so unusual about that?  So, the actions on the part of the technicians seem to imply that something was fishy about the entire affair.

    Data Security

    Sutter Health's computer technicians (not the repair guys) checked out the hard drive, and found that it was not accessed by anyone since 2007 (except for the guys who called in), according to cbs13.com.

    Wha-?

    The thing was issued back in 2007, it was unaccessed since 2007, and it only surfaced about a month ago?  Plus, Sutter didn't realize the laptop was missing, so the employee who had been issued the computer either a) only used the computer for a very short time since it was issued and lost it quite recently or b) lost it over one year ago and never reported it (nor was he required to produce it as part of a regular inventory checkup).

    There is also the possibility that the employee is being made the fall guy: he could have returned the laptop in question, but the company lost track of it and it ended up somewhere--like eBay.

    Regardless, it makes management look quite unfit (at least, as far as data security is concerned).  But, that doesn't mean that management is incompetent.  Since the breach, Sutter is quite belatedly starting to use encryption software on all laptop computers.  Employees are also being told not to save files locally, on hard drives, but on network drives that can be monitored and secured by the company.

    Furthermore, old computers will be kept track of when disposed, so that data breaches can't happen at the end of a computer's life.

    Using Encryption Software to Secure Data

    The use of encryption is very important when it comes to digital data, since these can be easily copied, transferred, and made publicly available (a fact that anyone in the media industry can readily attest to).

    So, how does encryption protect said data?  Basically, encryption software like AlertBoot will take your original data--composed of 1's and 0's--and scramble them up, in a logical fashion.  Of course, it's a little more complicated than that, but that's the gist of the matter.

    And don't let the simplicity fool you: data protected with strong encryption is so secure that the time needed to crack it is measured in geologic terms (eons, really).

    Related Articles and Sites:
    http://cbs13.com/local/sutter.health.laptop.2.1066081.html
    http://www.news10.net/news/local/story.aspx?storyid=62294&catid=2

  • Full Disk Encryption: Ghana Market Yields Northrop Grumman Hard Drive

    Journalists have found a computer hard drive that contained sensitive documents belonging to US defense contractor Northrop Grumman.  They found this disk drive--of all places--in a market in Ghana.  The disk didn't feature hard drive encryption software like AlertBoot, so the contents were readily accessible.  The cost?  $40.

    What Type of Information?

    It may be a fluke or it might be a worrisome sign; however, one thing's for sure: Northrop was pretty lucky that the drive was found by reporters working for Frontline, the investigative journalism show for PBS (and one of the reasons for supporting this TV channel--beats Fox News or CNN any day of the week, in my opinion).

    While the contents of those drives were not revealed, it was disclosed that the electronic documents were marked as "competitive sensitive."  That sounds like contracts and other competitive practices were involved, and thankfully, it implies that, if crap were to hit the fan, it would have been Northrop Grumman that would have been most affected.

    On the other hand, a well-written contract gives one enough details to know what's going on.  It may not be as good as a weapon's blueprint, but it could give outsiders a good idea on what to expect in terms of future armament or shields, or what type of research and development is being carried out.

    Plus, other information was recorded as well, such as "how to recruit airport screeners" and "data security practices."

    Disposal Contractors

    Northrop Grumman has announced that they don't know how the drive could have ended up in Ghana.  The drive belonged to an employee in Fairfax, Virginia, and it's a long way from the suburbs of DC to the Dark Continent.

    I think the assumption is that an outside contractor that was supposed to dispose of the hard drive did not.  Whether this was an accident, an egregious breach of duty, or theft...who knows?

    This is the funny thing, though: it's weird for a used hard drive to end up in Africa.  For example, if I were an employee who had filched a hard drive from work, just to sell on eBay, you can bet I wouldn't be sending things to a continent that includes Nigeria (sorry, Nigeria, but your country's name is tied to scams for the time being, even if it's unwarranted).

    About the only way that I could imagine an American hard drive ending up in Africa?  If it were one of a batch of used hard drives.  The truth is, many developing countries are dumping grounds for electronic waste, which are reclaimed for the precious metals and other materials that are contained in them.

    A batch of hard drives implies...well, that perhaps Northrop should possibly be worried about other hard drives that were not uncovered by the journalists.

    Using Encryption Until The End

    There's a problem with recommending that disk drives be protected with encryption software when they're about to be discarded into the maw of a crushing and grinding machine.  It doesn't seem to make sense.  What's the use?  Who's going to glue a mound of fine sand and metal together, and return it to its previous, uncrushed state?  Is it even possible?

    On the other hand, it doesn't make sense only because one makes the assumption that the disk will, indeed, be destroyed.  As the above case shows, there is no such guarantee.  Had Northrop been paranoid enough, it would have encrypted their computers' disks while in use, and kept them encrypted when they were sent to be destroyed.

    And, if someone had stolen one of these disks to drive his business on the side, the contents of Northrop's drives would have remained safe.

    If that's not an option, at least Northrop should have contracted out the job to a business that will drive the crushing machine to Northrop's facilities.  They'll crush the drives on-site, while an employee watches, and issue certificates with serial numbers and the works for auditing purposes.

    Related Articles and Sites:
    http://itworld.com/security/69758/reporters-find-northrop-grumman-data-ghana-market
