Talking trash: Secure information disposal


Al Berg, CISSP, CISM
06.28.2005

What you will learn from this tip: Your trash could be an attacker's key to successfully gathering private information about your company. Find out what's in your dumpster that could fall into the wrong hands, and measures for secure trash disposal.

Information security practitioners need to be on intimate terms with their organizations' garbage. While the thought of rooting through the trash may not top your list of desirable activities, dumpster diving can be a highly effective way for attackers to gather confidential information about your business, processes and systems.

Trash cans yield all sorts of interesting information. During assessments I have conducted, I have found all of the following goodies in corporate trash:

  • Bank account numbers and balances
  • Credit card numbers
  • Travel plans of key employees, which could reveal business plans
  • Product design documents
  • Marketing studies
  • Vendor information
  • Customer names

Think about the handwritten notes from meetings, the reports discarded because the printer jams in the middle of the job, the network diagrams that are slightly out of date and other potentially useful (to an intruder) and harmful (to you) information that gets thrown out daily.

Paper is bad enough, but discarded computer media can multiply the attacker's haul by orders of magnitude. Discarded CD-ROMs, DVDs and hard drives can provide gigabytes of potentially useful information to the bad guys – and they have the advantage of being electronically searchable, making the miscreants' jobs less tedious.

Fortunately, there are a number of simple steps you can take to make your trash a less inviting target for adversaries:

  1. Destroy CD-ROMs, DVDs and floppy disks before disposing of them. Shredders specifically designed for these media are available at office supply stores and online.

  2. When disposing of hard disk drives, thoroughly erase all information from them by overwriting the entire drive multiple times. An open source solution called Darik's Boot and Nuke (DBAN, available from dban.sourceforge.net) provides a bootable floppy or CD that does the job quite nicely. Better yet, secure your data and work out your aggressions by opening the drive and pounding the heck out of the platters with a hammer.

  3. Shred all discarded paper waste. By shredding everything, you relieve employees of the responsibility of deciding what information is confidential and what is not. Besides, seemingly innocuous scraps of paper can be very useful to an attacker -- especially when combined with other seemingly innocuous scraps of paper.
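Step 2 says to overwrite the whole drive and then trust that the data is gone. The missing piece in practice is verification: reading the medium back after the wipe to confirm that every addressable byte was actually reached. The following added example (not part of the original tip, and unrelated to DBAN's own code) shows that check in Python against a constructed disk image file standing in for a drive: it fills the image with a made-up account record, overwrites it in several passes with a zero fill last, and then scans the whole image rather than a sample so that a wipe that stopped early would be caught. All file names, sizes and the record contents are constructed for the demonstration.

```python
import os
import secrets
import tempfile

BLOCK = 4096
# Constructed stand-in for the kind of record the tip says turns up in trash.
SAMPLE_RECORD = b"ACCOUNT 0000-1111-2222 BALANCE 12345.67 (constructed sample)\n"


def make_sample_image(path, size):
    """Create a constructed disk image of `size` bytes filled with SAMPLE_RECORD."""
    reps = size // len(SAMPLE_RECORD) + 1
    with open(path, "wb") as f:
        f.write((SAMPLE_RECORD * reps)[:size])


def overwrite_image(path, passes=3):
    """Overwrite every byte of the image `passes` times: random fills first,
    a zero fill last so the final state is cheap to verify. Returns the size."""
    size = os.path.getsize(path)
    for n in range(passes):
        zero_pass = n == passes - 1
        with open(path, "r+b") as f:
            done = 0
            while done < size:
                chunk = min(BLOCK, size - done)
                f.write(bytes(chunk) if zero_pass else secrets.token_bytes(chunk))
                done += chunk
            f.flush()
            os.fsync(f.fileno())  # make sure this pass reached the storage layer
    return size


def first_nonzero_offset(path):
    """Read the whole image back and return the offset of the first nonzero
    byte, or None if every byte is zero. Reading everything matters: sampling
    a few blocks would miss a wipe that stopped partway through."""
    offset = 0
    with open(path, "rb") as f:
        while True:
            chunk = f.read(BLOCK)
            if not chunk:
                return None
            if chunk.count(0) != len(chunk):
                for i, b in enumerate(chunk):
                    if b:
                        return offset + i
            offset += len(chunk)


def contains(path, needle):
    """True if `needle` still appears anywhere in the image: a plain substring
    search, the same check an assessor would run on a recovered drive."""
    with open(path, "rb") as f:
        return needle in f.read()


def demo(size=64 * 1024):
    """Build a sample image, inspect it, wipe it, inspect it again."""
    path = os.path.join(tempfile.mkdtemp(), "disk.img")  # constructed image path
    make_sample_image(path, size)
    before = {"found": contains(path, b"ACCOUNT"),
              "first_nonzero": first_nonzero_offset(path)}
    written = overwrite_image(path, passes=3)
    after = {"found": contains(path, b"ACCOUNT"),
             "first_nonzero": first_nonzero_offset(path)}
    return {"size": size, "written": written, "before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

Two caveats apply when the same logic is pointed at a real drive rather than an image file. First, the wipe and the read-back must target the block device itself (on Linux something like /dev/sdX), because overwriting a file on a journaling or copy-on-write filesystem does not guarantee the original blocks are touched. Second, a software overwrite only reaches the sectors the drive exposes; remapped or spare sectors on magnetic disks and wear-levelled cells on flash are out of reach, which is why the tip's fallback of physical destruction remains the surer option for media that held sensitive data.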

You have a number of choices regarding shredding. You can purchase shredders and make them available to employees. If you choose to do this, be sure to purchase "cross cut" units, which produce confetti rather than those that produce strips. This will make it more difficult for the determined attacker to reassemble documents. Also, make it easy for employees to shred documents by placing shredders in convenient locations.

If your office generates a lot of paper, or if the noise of shredders would be distracting, there are services that provide outsourced shredding. Typically, these providers place locked trash containers around your office and empty them periodically. Employees can place paper and computer media in these containers for disposal. When the document destruction company collects the contents of the bins, it either takes them back to a central location for destruction (less expensive) or shreds them on site in its truck (more expensive). In either case, you are provided with a document certifying the destruction of your information. Firms charge for their services by the container or box load, or by the amount of time required to shred the documents.

Using a document destruction contractor requires some homework. Especially in the case of an offsite document destruction firm, you need to be sure that the company is reputable and that it performs background checks on its employees. Look for companies that are well established, that can provide references from organizations you trust and that are willing to let you visit their facilities. The document destruction industry has a trade organization, the National Association for Information Destruction. NAID's Web site (www.naidonline.org) contains a directory of member and certified firms in the US and abroad.

Becoming a garbologist is not the most exciting or glamorous part of information security assessment, but it can be an effective and low-cost way to plug information leaks in your organization. So, sit down with your management and talk trash!

About the author
Al Berg, CISSP, CISM is the Director of Information Security for Liquidnet (http://www.liquidnet.com), the #1 electronic marketplace for block trading and the fifth fastest growing private company in America according to Inc. Magazine's 23rd annual Inc. 500 list of the fastest growing privately held companies in America.
