
[General Data Protection Regulation ③] Data Protection by Design and by Default: Technological Measures

Just over five months from now, the GDPR will be enforced for stricter, more thorough, and fairer protection of the personal data of all EU citizens, and organizations with a presence in the EU have the tough task of GDPR compliance on their hands. To lighten the burden, we wrote a checklist of requirements for organizations to follow in our earlier blog post. Continuing our blog series on the GDPR, we will take a closer look at the technological aspect of compliance and how organizations can approach it.

For starters, where should organizations begin in complying with the technological requirements of the GDPR? We turn our attention to “Data Protection by Design and by Default”, or Article 25. It explains that organizations that fall under the GDPR scope must implement appropriate technical and organizational measures, which are designed to implement data-protection principles and to integrate the necessary safeguards in order to:

  1. meet the requirements of this Regulation and protect the rights of data subjects, and
  2. ensure that only personal data which are necessary for each specific purpose of the processing are processed.

Organizations are explicitly required to implement appropriate technical measures for personal data protection. However, with a plethora of data security solutions out there, some organizations may feel lost. From the technological point of view, we understand Article 25 as the organizations’ responsibility to apply a cohesive blend of multiple data security principles across the full data life cycle, which largely consists of data storage, processing, and erasure. We believe that this approach will serve as a backbone from which organizations can start preparing for the GDPR.

After personal data has been collected in compliance with the GDPR requirements, data storage follows. The fundamental security principle here is to store all the personal data in one or more secure data repositories, separate from, but accessible by, individual PCs via the local network. The most common data repository is the file server. Organizations often operate and manage several of them, each dedicated to a group of users who are only allowed to work on the files and are restricted from unauthorized file exports. To make sure your file servers are kept safe from potential dangers, organizations must consider some of the key security principles below.

  1. Physical security to prevent intruder breaches
  2. Encryption to ensure protection of data against hackers or theft
  3. Keeping it off Internet to restrict potentially malicious or accidental access from outside of your LAN
  4. Anti-virus solutions to prevent cyber attacks from the outside
  5. Maintain high availability to ensure continuity of work productivity in case of accidental or malicious disruption to file server(s)

Once personal data is stored in the file servers, it will be subject to data processing by diverse personnel such as employees, contractors, partners, and consultants. It is critical to realize that data processing is the breeding ground for both accidental and malicious data leak threats from inside and out. The most common form of data leaks is accidental, due to employee negligence, operational mistakes, or lack of education. However, organizations cannot overlook the risk of malicious data leaks that can be caused by greed, ego, and competition. Therefore, a stringent data security system is required to ensure that only the certain files and folders are accessible by authorized users. Furthermore, all user, file, and folder activities must be logged for auditing and only allowed to be accessible by certain users. When processing personal data, employees may also transfer or share it outside the secure premises. For secure processing of personal data, organizations can consider some of the general countermeasures as below to mitigate the risks of leaking data.

  1. Data loss prevention (DLP) detects potential data leaks by monitoring the important data and blocking it from leaving the secure premises from the end-points.
  2. Enterprise digital rights management (EDRM) provides file access control and file activity restriction features that are persistent and manageable even outside the secure premises.
  3. Virtual desktop infrastructure (VDI) runs multiple user desktops inside virtual machines (terminals) with persistent data security policies that only allow users to access the data within the centralized data center(s).

Once the processing of personal data is complete, organizations may undertake data erasure to free up their storage space, or to ensure that personal data remains unavailable to others. Data erasure is closely related to Article 17, which states that the data subjects have the right to erasure, or the right to be forgotten. Therefore, organizations must be prepared to erase personal data, rendering it unrecoverable in any situation. In this case, direct data erasure on the storage devices, through one or a combination of the general methods below, is the safest procedure.

  1. Data erasure software by overwriting with randomized data
  2. Degaussing, or elimination of magnetic fields on storage devices to erase all stored data
  3. Brute destruction of storage devices

Despite the advantage of complete data erasure, degaussing and brute destruction carry two distinct disadvantages. Firstly, they make the storage devices unusable, and secondly, they require the devices to be transported to external facilities, exposing them to potential theft or loss. On the other hand, data erasure via software avoids both disadvantages by allowing organizations to ‘recycle’ their storage devices and perform data erasure within their office premises. Therefore, organizations can ensure complete and secure data erasure by first erasing with software and subsequently degaussing or physically destroying the devices.

Meeting the technological requirements of “Data protection by design and by default” can help organizations get off to a solid start in achieving GDPR compliance before the deadline. We recommend that organizations consider implementing the technological measures for the three steps of the data life cycle: storage, processing, and erasure. This approach allows organizations to devise a cohesive blend of multiple data security solutions, which will protect personal data from leaks and breaches from both internal and external threats. Capping off our blog series on the GDPR, we will discuss how Secudrive solutions can technologically help you to achieve “Data protection by design and by default” to prepare for the GDPR.

Blog Posts in this Series:
① The GDPR Summary: The 5 Key Points
② Checklist for the Organizations to Comply with the GDPR
→ Data Protection by Design and by Default: Technological Measures
④ How to Comply with GDPR


[General Data Protection Regulation ②] Checklist for the Organizations to Comply with the GDPR

May 25, 2018, the deadline for GDPR compliance, is approaching, and organizations around the world are gearing up to identify what to do and where to begin. More comprehensive and ambiguous than its predecessor, the European Data Protection Directive, the GDPR promises to be difficult to comply with. Through its requirements, the GDPR not only places more obligations on organizations but also gives more power to EU citizens. If your organization falls within the GDPR’s territorial scope, it is responsible for organizational, operational, and technological requirements to ensure that the personal data of EU citizens is protected.

Some organizations might have a long way to go to meet the GDPR requirements, whereas others might be closer. However, for any organization, meeting these requirements will be unquestionably difficult. To help you prepare to comply with the GDPR, we have drawn up a checklist for you to follow, and ultimately identify what you need to do and where to begin.

Assess the Current Situation. The GDPR and its potential impact on data security and day-to-day operations must be acknowledged on an organization-wide basis, starting with the key decision makers. Initially, it is critical to identify the gaps that may cause non-compliance issues under the GDPR, and to arrange ways to close those gaps. The next step is to know what the organizations are and will be dealing with, by asking the question “which data can be defined as personal data?” According to Article 4 of the GDPR, “‘personal data’ means any information relating to an identified or identifiable natural person… directly or indirectly.” Forms of personal data that identify a natural person range from common forms like name and identification number, to more specific forms like physiological, economic, and social information. Then, what about collecting new personal data? Since Article 13 requires organizations to communicate how and why the personal data is collected and used, and Article 12 requires the communications to be transparent, organizations must first review their current privacy notice or consent, and make the necessary revisions to be GDPR-compliant.

Know the Rights of the Data Subjects. The GDPR gives more rights to the EU citizens; therefore, organizations must examine whether their procedures cover all these rights as declared. Considering these rights, organizations can potentially revise existing procedures and go further, by evaluating their capabilities when the data subjects exercise their rights as manifested in the Articles from 13 to 22.

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • The right not to be subject to automated decision-making including profiling

Data Protection by Design and by Default. Article 25 explicitly articulates that organizations have a general obligation to implement technical and organizational measures to demonstrate that they have integrated data protection into everyday processing activities. This requirement can be considered one of the key GDPR principles, as the legislators have recognized that privacy cannot be completely guaranteed by laws alone, but that it must become a backbone in the design and maintenance of information systems and processing for each organization. In simpler terms, this requirement aims to guide organizations to meet the GDPR requirements and protect the rights of data subjects by means of technical and organizational measures. This requirement serves an equal purpose, but there is no one right answer; every organization must approach it differently by adhering to various data security principles and technologies. Specifically, where personal data processing could pose a risk to individuals, Article 35 declares Data Protection Impact Assessments (DPIA) mandatory in such situations. For example, if an organization is deploying new technology, such as artificial intelligence and profiling systems, or is processing personal data on a large scale, such as patient and medical data in health institutions, a DPIA must be conducted.

Notify Data Breaches. According to Articles 33 and 34, organizations must ensure that appropriate procedures are in place to detect and investigate personal data breaches, and to notify both supervising authorities and affected data subjects of the details. Even though not all personal data breaches are subject to reporting, breaches that carry a risk to the rights and freedom of the affected data subjects, such as discrimination, damage to reputation, financial loss, loss of confidentiality, or other serious economic or social disadvantage, must be reported. However, the GDPR also provides exceptions to this requirement, if an organization has

  • implemented appropriate technical and organizational protection measures that render the personal data unintelligible to those without authorization for access;
  • taken actions to ensure that personal data breaches do not risk the rights and freedom of the affected data subjects; and
  • determined that notification to each affected data subject would “involve a disproportionate effort.”

Appoint A Data Protection Officer. As a core part of the organizational requirements of the GDPR, organizations must appoint a data protection officer (DPO) in some cases. Articles 37 and 38 set out the legal details on the designation and position of the DPOs. If your organization falls under the GDPR scope and satisfies the three conditions below, you must appoint one or more DPOs.

  • Your organization is a public authority
  • Your organization conducts monitoring of individuals on a large scale
  • Your organization conducts processing of specific types of data such as criminal records

Article 39 explains the minimum tasks of the DPOs as below:

  • inform and advise the organization and its employees for the purpose of GDPR compliance;
  • monitor the processing of data to maintain GDPR compliance; and
  • act as the first point of contact for the supervisory authorities and for individuals whose data is processed.

However, who do they need to appoint as the DPOs? Not everyone can perform as a DPO, after all. While the GDPR does not specify the definite qualifications which the DPOs are expected to have, it requires that DPOs must be experienced and educated in the field of data protection law.

With organizational, operational, and technological requirements, this checklist may seem overwhelming. There is no doubt that getting started is the most difficult, yet the most significant, step to take. However, how can we really get started on GDPR compliance? Among the requirements, we believe organizations can start with the technological ones. Head to our next blog post and find out what the key technological requirements are for GDPR compliance.

Blog Posts in this Series:
① The GDPR Summary: The 5 Key Points
→ Checklist for the Organizations to Comply with the GDPR
③ Data Protection by Design and by Default: Technological Measures
④ How to Comply with GDPR


[General Data Protection Regulation ①] The GDPR Summary: The 5 Key Points

After four years of discussion and preparation by the European Parliament, the Council of the European Union, and the European Commission, the General Data Protection Regulation (GDPR) is now ready to become effective on May 25, 2018 to achieve more comprehensive enforcement of personal data protection laws for all EU citizens. The importance of protecting personal data with legitimacy has been a major talking point in recent times, and the EU is taking a bold step to set the bar for the rest of the world to follow.

Leading up to the GDPR

Let’s roll back the years to 1995, when the European Data Protection Directive was imposed to regulate the processing of personal data in the EU. Back then, personal data was simply a component of vast information database in the private scope, and was protected solely under the notion of ‘right to confidentiality.’ Fast forward to now, personal data plays a key role in achieving prolonged growth and greater success for global enterprises, as collecting, processing, and exchanging personal data has become the cornerstone of any business activity. This transition has been apparent and rapid with the various technological and business innovations like social media, complex data analytics, and data storage to achieve superior customer relationships. To keep pace with this unstoppable transition, global enterprises required, and have been obtaining a much wider range of personal data from more people around the globe. Consequently, personal data protection laws had to be reformed to acknowledge the notion of ‘right to protection,’ rather than that of ‘right to confidentiality.’

Understanding the GDPR

Come May 25, 2018, all organizations, even outside the EU, that are currently processing or planning to process personal data of the EU citizens must be prepared to comply with the GDPR. Unfortunately, it does not seem to be an easy task; therefore, we have summarized the GDPR into five key points.

One Law for 28 EU Members. Superseding the former European Data Protection Directive, the GDPR is unified legislation that applies to all 28 member states of the EU. Under one set of laws, each EU member state will establish independent Supervisory Authorities (SA) that will receive and investigate complaints or data breaches, issue warnings or fines, and cooperate with other SAs if required. This change can be considered welcome, as organizations are only required to comply with one set of laws, even if their activities are spread across multiple EU member states.

More Power to the Data Subjects. The GDPR promises increased power for the data subjects. Data subjects are the natural persons whose personal data is processed by an organization. First and foremost, the organizations must provide clear and concise consent to the data subjects before collecting their personal data, signifying the end of long, illegible terms and conditions that are full of legalese. Furthermore, data subjects can lawfully request the organizations for the access, rectification, erasure, restriction of processing, portability, and objection of their personal data. Accordingly, the organizations must provide documentation that proves the completion of the data subjects’ request(s). Also, the GDPR provides the data subjects with the explicit right to lodge a complaint with the SAs, if any processing of their personal data infringes the GDPR requirements.

Strengthened Authority and Heavier Sanctions. The GDPR declares strengthened authority and heavier sanctions for non-compliance. Through the SAs, written warnings or periodic data protection audits will be imposed in cases of the first and unintentional infringement. Severe infringements may be punishable by a fine up to 20 million Euros or 4% of the annual worldwide turnover. Stricter sanctions dictated by the GDPR certainly put pressure on enterprises and organizations to invest substantial capital and resources to ensure that personal data remains protected and data subjects’ right and freedom are not harmed by non-compliance.

Data Protection by Design and by Default. It is the organizations’ legal responsibility to establish appropriate organizational and technological measures to meet the requirements of the GDPR and protect the rights of data subjects. Organizational measures pertain to appointing appropriate personnel, who can dedicate their expertise and responsibility for the GDPR compliance, while technological measures are associated with the integration of necessary security into the processing of personal data to ensure that rights of the data subjects are protected. This responsibility alludes to the GDPR’s new obligation of appointing Data Protection Officers (DPO) and establishing organization-wide data security.

Data Breach Notification. Unfortunately, data breaches can always occur. In this case, DPOs must take it seriously and notify the SAs immediately, or within 72 hours of discovery, specifying details such as the number of affected individuals. Furthermore, the affected individuals must be notified of the data breaches as soon as possible. Failure or refusal to notify the SAs of such data breaches can result in sanctions.

Due to comprehensive and strengthened enforcement, complying with the GDPR will be neither an easy nor an avoidable task for many organizations that wish to operate in the EU. As our commitment to data security stays true, we felt obliged to seriously approach and understand the GDPR, and share its implications for data security. The deadline for compliance, May 25, 2018, is approaching rapidly, and we hope that your journey to GDPR compliance will start off positively with Secudrive.

Blog Posts in this Series:
→ The GDPR Summary: The 5 Key Points
② Checklist for the Organizations to Comply with the GDPR
③ Data Protection by Design and by Default: Technological Measures
④ How to Comply with GDPR


The 3 Types of Disk Wiping Software

Many organizations use overwrite-based disk wiping software before reuse and disposal of old disks and PCs since it is secure, eco-friendly, and cost-effective. In addition to their fundamental requirement of adopting global standard overwrite algorithms and their compatibility with various disk types, disk wiping solutions have begun to place more emphasis on management with features such as remote deployment, remote wiping, and detailed logging and reporting.

CD/USB Type

In order to wipe entire system disks, including the operating system (OS), traditional solutions need to load an additional OS because the wiping program cannot wipe its own OS. Often referred to as the CD/USB type, this approach requires that a USB or CD loaded with the wiping software and the additional OS be inserted into the machine and that the boot priority be reordered in the BIOS so that the additional OS will run instead of the system OS. After doing so, the wiping program will be booted from the additional OS and will be able to erase the system disk, including its OS.

Many disk wiping solution vendors offer this type of solution because it can be used in multiple situations, such as when the machines are offline or do not have a working OS. Typically, however, this type of solution is used by specialists, since it requires procedures such as BIOS setup, algorithm selection, and selecting the number of overwrites, which may be difficult for the average user. It has been common practice for companies to gather decommissioned PCs into a separate storage space, usually located with an in-house security team or with a third-party service company, for a certain period of time before a specialist individually wipes all of the collected disks. The CD/USB type was designed for this type of situation, but there are concerns that data might be left vulnerable, since the disks and computers remain unwiped while in storage or in transport.

EXE Type

More recently, vendors such as Blancco, WipeDrive, and Bluestsoft have begun offering wiping solutions that can be launched via an EXE file. These types of solutions can be convenient since they do not require any additional booting device or BIOS setup. When the EXE file is launched, the ISO file is saved to the local disk and the additional OS is registered in the boot file (boot.ini). Once the computer has been rebooted, the boot manager is launched, allowing the user to choose to boot the additional OS. Once it is selected, the wiping process begins. Though the process is similar to the CD/USB type, since the booting device is simply replaced with an ISO file, it allows the specialist to wipe disks remotely before they are moved to storage or sent for permanent disposal. However, this process can still be troublesome, since administrator rights must be granted on each PC individually in order to download, install, and run the EXE file, and the user must be instructed how to use the boot manager and which wiping type and settings to use.

With both the EXE and CD/USB types, Windows PE and Linux are widely used as the additional OS. For Windows PE, this may be partly because of the familiarity of the Windows system. But if Windows PE is used as the additional OS, there are a couple of limitations due to Microsoft license policy: end-users have to integrate Windows PE with the wiping software themselves, and the OS restarts itself every 72 hours. Linux is a fairly unfamiliar OS for the average user. Also, both of these additional operating systems require the installation of additional drivers in order to detect and recognize RAID systems. Overall, the limitations of the additional operating systems themselves can result in many inconveniences as well.

Native Type

SECUDRIVE has recently launched a new method of disk wiping, referred to as the Native type. This type makes it possible to wipe the entire disk, including the OS, without any additional OS or booting device. This type keeps the existing OS and uses native API to launch the wiping process before the Windows API is activated. There are no limitations due to licensing policies of OS vendors and disk systems, including RAIDs, can be recognized without any driver installation. The administrator can preset the wiping algorithm and number of overwrites according to their corporate security policy. Users can then download the wiping client and wipe their entire disk with the click of a button. Alternatively, the administrator can even forcibly wipe target disks remotely after deploying an MSI file to the users’ PCs using Active Directory’s Group Policy (GPO). A manager can monitor the wiping process in real-time and can then check the detailed log and report prior to transporting the PC. This will make it possible to wipe PCs effortlessly and immediately, before moving them into storage or for permanent disposal.

The traditional disk wiping process where decommissioned PCs are sent to storage to be wiped collectively at a later time needs to be changed. In terms of security, it is extremely risky to move unwiped, ownerless PCs to storage and leave them there for an extended period of time to collect dust. But now, a security manager can remotely wipe hundreds of disks simultaneously without moving them from their original location, all from the comfort of their own chair. They can monitor the wiping events through the network and then gather detailed logs and reports once the wiping process has finished. Undoubtedly, the native type would be the most secure and most convenient for corporate disk wiping.


3 Ways to Securely Destroy Data and their Associated Pains

Before disposing of or reusing old company computers, it is imperative that data be securely destroyed in order to prevent leakage of corporate information. It is common knowledge that the computer’s deletion function and formatting do not completely wipe data. Most companies utilize one of these three methods for securely destroying data: overwriting, degaussing, and physical destruction.

Overwrite

Disk overwriting is a data destruction method that uses software to overwrite data a certain number of times using a specific number (such as “0”) or a series of randomly generated characters. Many of these solutions utilize global standard algorithms such as DoD 5220.22-M or Gutmann, which can overwrite the area multiple times.

These solutions are generally difficult for the average user because they often require some sort of setup at the system level, usually via a BIOS setup and an additional booting device (usually a USB or CD). Disk overwriting is seen as a secure, eco-friendly, and cost-effective way to wipe data since drives can be reused in a safe manner. There is no need to remove disks from their machines, but disk overwriting usually takes hours to complete. Also, the only visual confirmation of deletion is the log or report that is generated after the wiping has completed.

The solutions vary from freeware all the way up to enterprise-class solutions and the recommended solution and algorithm may differ according to how important or confidential the stored data may be.
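To make the overwrite-and-report idea above concrete, here is an added illustration (not part of the original post and not any vendor's code). It overwrites a file-backed stand-in for a disk with a zero pass and a random pass, reads each pass back, and builds the kind of report the text describes; the function names, the pass sequence and the sample data are assumptions, and the sequence is not a rendering of any named standard.

```python
import hashlib
import json
import os
import tempfile

CHUNK = 1 << 20  # overwrite in 1 MiB chunks so large targets fit in memory


def write_pass(path, size, pattern):
    """Overwrite `size` bytes of `path` once.

    `pattern` is a byte value (0-255) or None for random data.
    Returns the SHA-256 of exactly what was written.
    """
    digest = hashlib.sha256()
    with open(path, "r+b") as f:
        remaining = size
        while remaining:
            n = min(CHUNK, remaining)
            buf = os.urandom(n) if pattern is None else bytes([pattern]) * n
            f.write(buf)
            digest.update(buf)
            remaining -= n
        f.flush()
        os.fsync(f.fileno())  # ask the OS to push the pass to the device
    return digest.hexdigest()


def read_digest(path, size):
    """SHA-256 of the first `size` bytes currently readable from `path`."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        remaining = size
        while remaining:
            buf = f.read(min(CHUNK, remaining))
            if not buf:
                break
            digest.update(buf)
            remaining -= len(buf)
    return digest.hexdigest()


def wipe(path, passes=(0x00, None)):
    """Run each overwrite pass, verify it by read-back, return a report dict.

    Assumption: `path` is a plain file standing in for a disk. A read-back
    here may be served from the OS cache, and on wear-levelled media
    (SSDs, USB flash) an overwrite may not reach every physical block.
    """
    size = os.path.getsize(path)
    report = {"target": path, "bytes": size, "passes": [], "verified": True}
    for number, pattern in enumerate(passes, start=1):
        written = write_pass(path, size, pattern)
        ok = read_digest(path, size) == written
        report["passes"].append({
            "pass": number,
            "pattern": "random" if pattern is None else f"0x{pattern:02X}",
            "sha256": written,
            "verified": ok,
        })
        report["verified"] = report["verified"] and ok
    return report


def demo():
    """Wipe a constructed 25,000-byte sample and check the marker is gone."""
    marker = b"CONSTRUCTED-PERSONAL-DATA"  # constructed sample, not real data
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(marker * 1000)
        path = f.name
    try:
        report = wipe(path)
        with open(path, "rb") as f:
            leftover = marker in f.read()
        return report, leftover
    finally:
        os.remove(path)


if __name__ == "__main__":
    wipe_report, marker_found = demo()
    print(json.dumps(wipe_report, indent=2))
    print("marker still present:", marker_found)
```
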

Degaussing

Degaussing is the process of decreasing or eliminating the magnetic field on storage media. This process is incredibly fast, as it takes less than a minute per hard drive. Generally, the disks have to be removed from the machine and hand-fed into the degausser, and the disks cannot be reused afterwards.

Degaussers can be fairly expensive, with prices ranging from 10,000 USD to almost 100,000 USD. It is important to make sure that the degausser is always functioning properly, or it could potentially pose a security risk, because feedback from the machine is the only way to discern whether the process has been completed, since there is no physical change on the disk.

Physical Destruction

Physically destroying the hard drives by using a hammer, a punching machine, or an industrial shredder is probably the most secure and sure-fire way of destroying data. The destruction process can be seen firsthand unlike in the degausser and disk overwriting methods.
Drives must be physically removed from the machine and cannot be reused afterwards. A dedicated and possibly separated space may be required since some of the machines can be fairly large and disruptive to an office environment.

Outsourcing Woes

Many companies actually outsource the secure data destruction process to third-party companies because of the associated manual labor and because it is likely not a part of their core business. Companies would rather not spend time, human capital, and physical space on data deletion if possible.

Meanwhile, companies that opt to use a third-party service can often be left feeling anxious or concerned that disks may go missing during transport or during the destruction process. In order to relieve some of the anxiety, some data destruction services will provide pictures or videos of the process, and others may even provide destruction services onsite and then ship the destroyed drives out from the office for disposal.

It seems that companies tend to prefer degaussing or physical destruction in comparison to disk overwriting, despite overwriting being acceptable in most cases. This trend is most likely attributed to the definitiveness and speed of destruction. But, generally, drives can be left vulnerable during transport and it is safest to perform the data destruction without ever having to move a machine if possible.

Hybrid method

Recently, some companies have adopted a hybrid data destruction method in which they combine overwriting and physical destruction. Drives are overwritten without having to be removed or moved, and detailed logs and reports can be generated. Then, the drives can either be reused or sent to an outsourced data destruction service for safe disposal. Companies can actually reduce the associated risks of using a third-party data destruction service and effectively destroy data while still being able to reuse or recycle old drives and computers. The “hybrid method” is probably the most secure and eco-friendly of them all.


Securing Data throughout its Life Cycle

We believe that protection should be implemented throughout the data’s entire life cycle. Otherwise, data can be easily compromised from multiple areas.

Looking for information security solutions can be difficult because of the wide variety of security solutions available. It is also hard to implement a solution if you don’t know all of the problems.

In order to effectively assess a company’s risk, each stage of the data life cycle should be taken into consideration. Each stage has its own inherent risks and security solutions must be able to protect data at each stage in order to mitigate any vulnerabilities.

We aim to protect information at each stage of the data life cycle: Creation, Access, Storage, Transmission/Mobilization, Alteration, and Deletion.

SECUDRIVE can protect important corporate data from creation to deletion by utilizing Intellectual Property (IP) protection, using encrypted IP protected USBs, blacklisting foreign devices, and remotely wiping out disks that contain corporate data.

Secure Data Life Cycle Solution

Secure File Sharing with DRM
-IP protection for Windows File Server
-Encrypted File Import/Export to SECUDRIVE USBs
-Access management
-User/Manager activity logging
-Integrated with Active Directory (AD)

Secure USB Flash Drives with DRM
-Secure Hardware Encrypted USBs
-IP protected USBs
-Integrated Management
-Encrypted import/export to SECUDRIVE File Server and USBs
-USB Activity Logging
-Integrated with Active Directory (AD)

Secure Data Eraser
-Windows-based managed disk wiping
-True remote wiping
-One-click wiping
-Detailed logging, monitoring, and reports

Device Control
-Blacklist foreign devices
-Port blocking control
-Activity logging


The Other Side of Edward Snowden Case

Thanks to the whistleblower case of Edward Snowden, the public is now aware of the level of private information gathering that has been performed by the U.S. government through agencies such as the NSA. Snowden’s release of top-secret NSA materials was referred to as “the most significant leak in US history” by Daniel Ellsberg, a former U.S. military analyst who is most famous for leaking the Pentagon Papers in 1971. What was most shocking was the degree to which private information had been gathered, which brought back the fears and insecurities of the time when the Patriot Act was legislated in order to indiscriminately collect information under the banner of anti-terrorism.

Many journalists and information security specialists who have criticized the indiscriminate collection of private information have suggested that individuals should use client-side encryption solutions for private information, especially since storage solutions such as the cloud were becoming ever more popular. Since the Snowden case, however, public cloud services have been negatively impacted due to the heightened awareness of the lack of privacy of personal information.

With regard to information security, the Snowden case has another large implication for us, the public. Snowden worked for the NSA and its affiliated organization, which has arguably one of the strongest internal information control systems in the world. Yet he was able to gain access to highly confidential information that had the potential to impede national interests as well as the organization’s interests. Snowden was then able to copy the confidential information onto a USB flash drive and take it out of the office. For the NSA and its affiliated organizations, which are supposed to have a sound security infrastructure, this was a huge breach of their internal information security system, and it made clear that they had failed in managing internal information access and in assessing the user’s ability to handle such information.

This case leads us to think more about the current state of internal information security management systems in many U.S. organizations. A study conducted by Forrester stated that only 25 percent of data breach cases are from external attackers, meaning 75 percent of attacks are from within an organization. Even so, many organizations cannot easily integrate an internal information leakage prevention system because it often puts a damper on work efficiency. In some organizations, the management argues that it is almost impossible to prevent internal information leakage with a technological security solution and, instead, they reassure themselves by getting employees to agree to a non-disclosure agreement and take some rudimentary education on information security. Though this is still needed, it is a much too passive solution.

It has become acceptable for workers to bring their own private devices such as laptops, tablets, and smartphones to their office to work. They store a lot of the organization’s confidential information onto the devices and are now taking the private information with them when they bring their laptop or tablet to a Starbucks, or pretty much everywhere when they bring around their smartphone. This is a huge security risk and it is important to be responsible for the security of the device as well as the information itself.

Now with cloud storage systems becoming more widely used, when companies decide to send designs for a new product, that their company spent a lot of time and money developing, through the cloud to an employee that is offsite, the company no longer has any ability to control the usage of the design. In this situation, all the organization can do is hope that nothing happens by fully trusting the non-disclosure agreement, information security education program, and their employees. Though it is good to have trust in your employees, blindly trusting them is plain idiocy. Without some sort of security system set in place, if a top-secret document is lost by employee carelessness, robbery, or even leaked by an employee with malicious intent, the organization may never find out who did it, where it happened, or even how it happened. Even if they do know the “who”, “what”, and “how”, the damage that follows often cannot simply be compensated by the dismissal of an employee or civil and criminal actions.

Ultimately, it comes down to the need for change: a need to restructure the way internal information leakage prevention systems are viewed and to utilize preemptive security solutions. In order for organizations to prevent cases such as Snowden’s, there needs to be a push towards preemptive security solutions that can be used alongside existing technologies such as encryption, which only focuses on preventing leakage when the device is lost or stolen. This is because many choose to be oblivious to the fact that those who are authorized to use the data are possibly the biggest threat in terms of information leakage.

A possible solution for preventing internal information leakage is storage devices that utilize features such as copy protection. Secudrive (www.secudrives.com) provides solutions that even small and medium companies can easily integrate into their security policy. They provide products that can prevent unauthorized copying of A/V files, office files and even CAD files, supporting various storage devices such as USB flash drives, file servers, and public cloud storage systems. Alongside their copy protection products, Secudrive also provides device control products that allow only registered devices, such as USB flash drives, tablets, and smartphones, to access a port of a registered PC.


“Deleted” Data that is not completely Deleted

A PC generally keeps most of the data stored on it, whether or not it has been deleted, up to the moment it is disposed of, unless a complete erasure is done. People commonly think that “erase” or “delete” in Windows means that the file is gone forever and unrecoverable. People with a bit more security awareness feel comfortable after they format the partition before disposing of the PC. However, it is common knowledge that deleted and formatted data in Windows can be easily recovered by using simple recovery software that is easily accessible on the Internet.

The United States and the U.K. are known for their stricter industry standards, government regulations, and laws in comparison with other countries. The following cases of data leakage from used disks at government organizations remind us of the importance of completely wiping disk drives.

In 2009, the United States Department of Veterans Affairs had one of their hard drives fail, which contained records of millions of U.S. veterans. Without destroying the data first, they sent the failing hard drive back to the vendor for repairs, risking a potential data breach that could have affected 760,000 people. This accident is claimed to be the single largest release of personally identifiable information by the government in history.

In 2010, there was a sensitive case with NASA’s preparation for the end of the space shuttle program. Selling their surplus of supplies, old computers were on the list. However, fourteen computers from the Kennedy Space Center failed tests to determine whether they were properly sanitized of sensitive and confidential information. Ten of the computers had already been released to the public at that point, creating a serious data security issue and breaches to NASA’s IT security practices. Information on the computers could have helped hackers gain access to NASA’s internal computer network.

Also in 2010, an army officer, Captain Robert Sugden, sold his broken laptop for “spare and repair” parts for around $32 USD. However, the laptop contained military secret files such as troop numbers, patrol details, ammunition stock lists and locations of police command posts, none of which required passwords. Such information could be fatal if it were put in the hands of terrorists. When the shocked buyer returned the laptop to the U.K.’s Ministry of Defence, it was also discovered that the laptop contained hundreds of photos and names, risking the lives of those that joined the Afghan National Police and Afghan National Army.

In the previously mentioned cases, it was fortunate that the government authorities went ahead with inspection and prevented the data from being leaked and misused by other parties. There are cases where people were not wary of the dangers of data leakage from a used hard disk. The two U.S. cases mentioned above were only discovered because of an audit done by the government, while in the case of the U.K., a buyer let the government know of the situation. It is reasonable to say that there are many potential cases out there that can lead to great risk, just like the ones brought up in this entry.

In 2008, an illegal content distribution scandal took place in Hong Kong, China. Although this case does not involve the government, it does involve an individual’s privacy. Dubbed the “Edison Chen Photo Scandal,” a personal computer was sent in for repairs where hundreds of private photos were taken, copied, and distributed without consent, allegedly by the computer repair shop. The PC’s owner, Edison Chen stated that the photos that were distributed were deleted before being sent in for repairs, but with the advancement and accessibility of data recovery technology, about 1,300 of Chen’s sexual and celebrity photos were recovered, taken and copied, only to be distributed for the world to see. This case severely damaged his reputation and his career in China.

Over 250,000 used computers and over 100,000 used laptops are waiting to be sold on eBay by the end of April 2013. Many people carefully erase the data by deleting files and reformatting the hard drive to feel more secure when selling computers. This blog entry was created to raise data security awareness to prevent such data leakage incidents, which may creep up on us someday.


SECUDRIVE Sanitizer Portable Released

A new hard disk wipe solution now available from Brainzsquare, SECUDRIVE Sanitizer Portable allows users to easily delete data on hard drives completely, including the OS, without the need to enter BIOS setup or use additional booting devices.

Brainzsquare announced the release of SECUDRIVE Sanitizer Portable (SDSP), a simple hard drive erasure solution that doesn’t require additional booting devices or the BIOS setup.

The only requirements of running SDSP are connecting the USB flash drive, choosing an erase algorithm, and selecting the disk to be wiped within the same PC environment. SDSP erases various kinds of disk drives such as ATA/IDE, SATA, SCSI, USB, and FireWire. SDSP utilizes well-known erase algorithms such as the Gutmann algorithm (35 times overwrite), the DoD 5220.22-M algorithm (3 and 7 times overwrite), etc. to wipe the PC including the OS.

In addition, the details of the erase procedure (disk info, erase algorithm, etc.) are recorded on the report log which is embedded into the hardware. SDSP’s software also allows the user to erase multiple computers and disk drives simultaneously and can be used as many times as needed within a single location.

“Due to the difficulty and complicated nature of having to set up BIOS and having to use additional booting devices such as CD or USB flash drive when wiping the disk, IT specialists were often necessary. SDSP was developed with a solution in mind. The goal of SDSP is to allow even the casual users to be able to completely wipe their computer with extreme ease,” said Simon Kang, CEO of Brainzsquare.

About Brainzsquare:
Founded in 2000, Brainzsquare has been bringing specialized and innovative data security solutions to the market. With the launch of the SECUDRIVE product line in 2006, Brainzsquare has been providing products ranging from secure USB flash drives and data erasure products to copy protection software, device control, and file server security for corporate customers and content publishers.
If you have any questions or inquiries about this article or its contents, please contact us.

(Secudrive Drive Eraser is now an improvement on and a replacement for Secudrive Sanitizer Portable. 08/23/2019)


How to Delete the Hard Drive and the OS

Even after I emptied the recycle bin and formatted the PC, why would I need to use deletion software when I dispose of my old PC?

Well, the answer is simple: Because even after all you just did, I could still recover everything you have entered on your computer.

We obliviously store everything on our computers. So, knowing how to handle confidential data and personal information such as your bank account number, financial data, bank card number and private information is an essential precaution you have to take, in order to protect your personal information against data leakage or theft. Many people believe that formatting their PC hard drive will remove all of their input information. But the truth of the matter is, just because you can no longer see the file, it doesn’t mean it is gone. File traces are digitally left behind on the OS and potential ‘data thieves’ are able to recover your confidential data that was supposedly ‘deleted.’

You need to have hard drive deletion software.

For safe PC disposal, you need to have some sort of deletion software that will completely delete all of the information on the PC. There is deletion software that uses a constant number deletion mechanism, in which the entire sector is overwritten once by a predetermined constant value. What does that mean? It simply means that your recycle bin and your confidential data get completely wiped clean, because the algorithm overwrites the data that was stored on your hard drive. This deletion mechanism makes all file traces unrecoverable and completely deletes the digitally stored data on the hard drive, thus preventing data loss or confidential information recovery after PC disposal.

Where can I get deletion software that won’t hurt my wallet?

We provide a FREE deletion software, SECUDRIVE Sanitizer Free that uses the same deletion algorithm as stated above. It also has the capability to detect bad sectors and efficiently delete the hard drive until completion. SECUDRIVE Sanitizer Free adopted the automatic deletion mechanism to completely delete all of the data and file traces, giving the user safe hard drive disposal at home.

Unlike other hard drive deletion software that requires you to make a decision every time a bad sector is found, or makes you wait for hours only to disappoint you with an error message in the end, SECUDRIVE Sanitizer Free keeps deleting until the deletion process is completed (pretty hardworking program in my opinion)! When a bad sector is detected in the hard drive by this software, SECUDRIVE Sanitizer Free automatically skips the sector and continues until the total deletion of the hard drive is complete.
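The constant-value overwrite and the bad-sector skipping described above can be sketched as follows. This is an added example, not Secudrive's code: `FlakyDisk`, `wipe`, the 512-byte sector size and the sample image are all constructed for illustration, and the disk is an in-memory stand-in rather than a real device.

```python
import errno
import io

SECTOR = 512  # assumed sector size; many real drives use 4096

class FlakyDisk:
    """Constructed stand-in for a block device whose 'bad' sectors reject writes."""
    def __init__(self, data, bad_sectors=()):
        self.buf = io.BytesIO(data)
        self.nbytes = len(data)
        self.bad = set(bad_sectors)

    def write_sector(self, index, payload):
        if index in self.bad:
            raise OSError(errno.EIO, "write error", f"sector {index}")
        self.buf.seek(index * SECTOR)
        self.buf.write(payload)

    def read_sector(self, index):
        self.buf.seek(index * SECTOR)
        return self.buf.read(SECTOR)

def wipe(disk, fill=0x00):
    """Overwrite every sector once with a constant byte, skip sectors that
    fail instead of aborting, then read back and verify what was written."""
    pattern = bytes([fill]) * SECTOR
    total = disk.nbytes // SECTOR
    report = {"sectors": total, "fill": fill, "skipped": [], "unverified": []}
    for i in range(total):
        try:
            disk.write_sector(i, pattern)
        except OSError:
            report["skipped"].append(i)   # log it and keep going
    skipped = set(report["skipped"])
    for i in range(total):
        if i not in skipped and disk.read_sector(i) != pattern:
            report["unverified"].append(i)
    # A skipped sector still holds whatever was stored there before the wipe,
    # so the drive only counts as clean when nothing was skipped.
    report["clean"] = not report["skipped"] and not report["unverified"]
    return report

# Constructed sample image: 8 sectors of fake account data, sector 3 is bad.
SAMPLE = (b"ACCT 1234-5678 " * 300)[:8 * SECTOR]

if __name__ == "__main__":
    disk = FlakyDisk(SAMPLE, bad_sectors={3})
    print(wipe(disk))
    print("sector 3 still readable:", disk.read_sector(3)[:15])
```

The report lists every skipped sector, so a drive with skipped sectors can be routed to physical destruction rather than reuse.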

(Secudrive Sanitizer Free for individual use is not available. We only provide Secudrive Drive Eraser for businesses, a commercial version of it, now. 08/23/2019)