Feb 27, 2007 (11:02 AM EST)
How To Keep Your Data From Being Destroyed
Read the Original Article at InformationWeek
If the thought of employees stealing confidential data makes IT and security managers restless at night, then the prospect of those employees destroying that confidential data is enough to make them feel like they're sleeping on a bed of nails. The recent case of insider theft and attempted erasure of confidential product information at chemicals-maker DuPont highlights this growing problem. Yet, despite the plethora of tools available for wiping hard drives clean, there are several measures that companies can take to protect themselves from this malicious behavior.
Former DuPont research chemist Gary Min next month faces sentencing of up to 10 years in prison, a fine of $250,000, and restitution for stealing $400 million worth of company trade secrets. Equally as troubling as his violation of DuPont's trust, however, was his attempt to conceal the crime. Law enforcement arrived to search Min's home shortly after the crime had been revealed only to find a software erasure program in the process of wiping evidence from one of Min's external disk drives.
The DuPont case is the tip of the iceberg when it comes to a company's vulnerability at the hands of its own employees, says Rian Piccolo, PC engineering manager with DriveSavers Data Recovery, a firm specializing in the recovery of data from damaged computing equipment. "We're seeing a lot more of this, insiders taking information and intellectual property," he adds.
"We regularly do recovery for law enforcement so that we can provide them with an image that they can use to get forensic evidence," says DriveSavers director of PC engineering Michael Hall. DriveSavers doesn't actually handle the forensic evidence, but it does provide law enforcement with a restored drive and data that officials can use to conduct an investigation.
The availability of data erasure tools online means insiders and other criminals don't have to be as technologically savvy as before. A layman can find via a search engine the software needed to delete and wipe a drive. This includes open-source freeware such as Darik's Boot and Nuke, which renders data on PC hard drives unrecoverable, as well as commercial products such as Kroll OnTrack's Data Eraser, CyberScrub's Cybercide, and software from Finland's Blancco, all of which work on PCs and storage media. Deletion also comes as a feature with certain EMC and IBM storage and records management products.
One of the more commonly used data deletion tools is BCWipe, which claims to be fully integrated into Windows and to digitally "shred" file data so that recovery by any means is impossible. "Then there's my personal favorite, Evidence Eliminator," says Kristin Haworth, managing director of LECG's forensic investigative services division. "How do you defend yourself if you're caught using a product with this name?"
While none of these products is marketed as a tool that should be used to cover up a crime, IT managers need to be aware of data-wiping utilities surreptitiously installed on their company's PCs. Outside of IT department personnel, other employees have a hard time making a case for using this type of software. IT managers also must be careful in the handling of PCs that have maliciously been wiped. "If you see a drive has been wiped, you do not want to touch the drive because the courts will want to know why the drive was tampered with after being discovered," Haworth says.
Once IT departments get a better understanding of what's on their PCs, they have a few other factors working in their favor in guarding against destroyed data. Wiping a hard drive isn't an easy or smart thing to do, Haworth says, adding that it can take about four hours to properly wipe a drive, depending on its size. Not to mention, destroying data is highly incriminating behavior, regardless of whether the person destroying the data is actually guilty of anything. "If you wipe a hard drive, then we say that everything on that hard drive must have been relevant to your case," she says. "But you probably have less incriminating information on your computer than you think."
The two most common ways to delete data are to do a logical delete or to actually physically damage the hard drive. Often, insiders will perform a logical delete rather than wiping a drive because they don't know any better. "If you delete files on the PC, they still exist on a physical level on the drive," DriveSavers' Hall says. "As long as the person doesn't overwrite that data, we can get it back."
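The difference described above between a logical delete and overwritten data, shown from the examiner's side as an added example that is not part of the original article. The `ToyVolume` class, its cluster size and the file names are hypothetical and constructed for illustration; this is not a real filesystem format.

```python
CLUSTER = 16  # bytes per cluster in this constructed toy volume (assumption)

class ToyVolume:
    def __init__(self, n_clusters=8):
        self.clusters = [bytearray(CLUSTER) for _ in range(n_clusters)]
        self.free = set(range(n_clusters))
        self.directory = {}  # name -> {"clusters", "length", "deleted"}

    def write_file(self, name, content):
        need = max(1, -(-len(content) // CLUSTER))  # ceiling division
        if need > len(self.free):
            raise ValueError("volume full")
        chosen = sorted(self.free)[:need]  # lowest free clusters are reused first
        for i, c in enumerate(chosen):
            chunk = content[i * CLUSTER:(i + 1) * CLUSTER]
            self.clusters[c][:] = chunk.ljust(CLUSTER, b"\0")
            self.free.discard(c)
        self.directory[name] = {"clusters": chosen, "length": len(content),
                                "deleted": False}

    def logical_delete(self, name):
        """Ordinary delete: flag the entry, free its clusters, leave the bytes."""
        self.directory[name]["deleted"] = True
        self.free.update(self.directory[name]["clusters"])

    def wipe(self, name):
        """Overwriting delete: zero every cluster before releasing it."""
        for c in self.directory[name]["clusters"]:
            self.clusters[c][:] = bytes(CLUSTER)
        self.logical_delete(name)

    def recover_deleted(self):
        """Examiner's pass: None means the clusters were reused or zeroed."""
        live = {c for e in self.directory.values() if not e["deleted"]
                for c in e["clusters"]}
        out = {}
        for name, e in self.directory.items():
            if e["deleted"]:
                raw = b"".join(bytes(self.clusters[c]) for c in e["clusters"])
                reused = any(c in live for c in e["clusters"])
                out[name] = None if reused or not any(raw) else raw[:e["length"]]
        return out

def demo():
    vol = ToyVolume()
    for name in ("draft.txt", "formulas.doc", "clients.xls"):  # constructed names
        vol.write_file(name, b"constructed sample: " + name.encode())
    vol.logical_delete("draft.txt")      # its clusters are reused by new.txt below
    vol.logical_delete("formulas.doc")   # deleted only, never overwritten
    vol.wipe("clients.xls")              # deliberately overwritten
    vol.write_file("new.txt", b"n" * 20)
    return vol.recover_deleted()
```

Only `formulas.doc` comes back: the logically deleted file whose clusters were never reused is fully recoverable, while the wiped file and the one whose space a later write reclaimed are not.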
In fact, data theft often can leave a long trail that's difficult to erase, even if hard drives are wiped. Haworth is familiar with one case where sales employees of a company attempted to destroy client account data on their computers before leaving to work for a competitor. These employees were smart enough to hire a firm to properly wipe their drives, but they didn't think to delete the AOL e-mails they exchanged when planning to do this.