01:53 PM
The Staff of Dark Reading

Top 10 Most Overlooked Aspects of IT Security

Before you hunker down, all comfy and cozy, in front of a crackling holiday fire, hold the fruitcake and eggnog: Feel like you're forgetting something?

IT people hate dealing with trash. Attackers, on the other hand, love it. That should tell you something right there.

Each day, corporations dump tons of material on the curb, most of it useless landfill. But companies that don't have strong policies on garbage disposal may be leaving bits of gold for hackers seeking passwords, customer information, or other sensitive data. And if they're not careful, those organizations may just be throwing out the keys to their most valuable information.

One of the most frequently overlooked treasures for attackers is the discarded hard drive. As companies upgrade their old machines, they often donate them to recycling centers or charities, or simply mark them as trash. But some IT departments are lax in their efforts to wipe those old hard drives clean, creating potentially damaging data leaks.

In a study published in August, researchers at the U.K.'s University of Glamorgan and Australia's Edith Cowan University bought more than 300 hard drives in auctions and computer fairs all over the world. What they found was a surprising array of data that should have been erased long before the drives were sold or tossed. Some of the data included payroll information, employee names and photos, IP addresses, network information, mobile phone numbers, copies of invoices, and financial information such as bank and credit card accounts. (See Second-Hand Drives Yield First-Class Data.)

And the problem isn't limited to hard drives. In a separate study also published in August, security firm Trust Digital made similar purchases of used cell phones and PDAs on eBay, and researchers were able to recover sensitive data on nine of ten devices in the study.

"The file system on your cell phone or PDA is just like the one on your PC's hard drive," said Norm Laudermilch, CTO at Trust Digital. "If you delete a file, you're not really overwriting the data. All it's doing is changing the index of the file system, or the file's pointers." (See Study: Used Cell Phones, PDAs Contain Confidential Data.)

And companies shouldn't overlook one of the oldest forms of stolen data: paper trash, experts say. Jim Stickley, CTO at penetration testing company TraceSecurity, says he has found a wealth of sensitive information -- including user identities and passwords -- simply by dumpster-diving on unshredded company trash. "Shred, shred, shred," he says. (See 'Analog Hackers' Overlooked, Undetected.)
