During everyday work our computers collect all kinds of information: e-mail is received, browser history is recorded, files are created. In all this exchange, a significant amount of sensitive data can accumulate, even without any action by the user (for example, being placed in CC on e-mails).
Most of this data is of little daily use to the user and is in fact a liability. It is a very good practice to check what information the computer has gathered over the course of daily work, and to clean out the unnecessary sensitive data.
First, let's define sensitive data. The University of California defines sensitive data as:
"Information for which access or disclosure may be assigned some degree of sensitivity, and therefore, for which some degree of protection or access restriction may be warranted. Unauthorized access to or disclosure of information in this category could result in a serious adverse effect, cause financial loss, cause damage to the reputation, constitute an unwarranted invasion of privacy."
Everyone's first reaction is: 'This can't happen to me!'. Yet it is well known that many computers are sold with huge amounts of sensitive data still on them. So we performed a simple test: we ran the tools on the laptop of a university assistant professor. These are the results:
- 3 of his credit card numbers were saved in the browser history.
- 7 e-mails containing lists of students' social security numbers were discovered; they came from Student Services, the user had only been placed in CC, and had read them only briefly.
- 4 files with home addresses of project team members and partners were discovered, from a project that ended 2 years ago.
Anyone making this check will be very unpleasantly surprised at the amount of sensitive data on their computer.
This definition makes a great point: if you don't work with it, remove it! To ensure that your computer is free of sensitive data, you can use several tools to locate possible sensitive data. Bear in mind that no tool can determine conclusively what is or is not sensitive data, but automated tools are great at sifting through gigabytes of information to locate patterns that resemble sensitive data.
- Commercial application that can be used to find sensitive data, as well as providing other functions such as protection of identified files.
- Pro: Apart from standard credit card numbers or SSNs, it also searches for the string "password:" and thus can find a lot of passwords stored in cleartext. It is quite efficient in its search and offers quick remedies, like destruction of identified files with sensitive data, or protecting the data. It is also capable of searching Outlook PST files. The enterprise version apparently works with web sites, but Shortinfosec was not able to test this functionality.
- Con: It is a commercial application, so you need to pay for it :)
- A simple Credit Card Number and Social Security Number search tool from the University of Texas, designed to look for Social Security Numbers and Credit Card numbers.
- Pro: Nearly no configuration effort; just start it and send it searching.
- Con: Not useful for anything except SSNs and Credit Card Numbers.
- A very good open source tool for finding sensitive data.
- Pro: Allows great flexibility of searches and comes quite close to the range of a commercial application. Although not as easy to use as a commercial counterpart, since it supports searching by regular expressions you can search for nearly anything. It is capable of searching Outlook PST files. It is also capable of searching web sites, which works quite well.
- Con: You need to know regular expressions to make the most of it, and the presentation of results is not very clear, especially for Outlook PST files.
The sensitive data scanners are a very useful set of tools. Although they are all plagued with huge numbers of false positives, they also find the really nasty forgotten sets of data which everyone will be better off without.
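To show concretely what these scanners do (pattern matching for credit card numbers, SSNs and "password:" strings, as described above) and how the false-positive problem can be reduced, here is an added example scanner. It is not code from any of the tools reviewed on this page; the regular expressions, the Luhn check that discards digit runs which cannot be card numbers, and the sample text are all assumptions of this example.

```python
import os
import re

# Loose patterns for the kinds of data the scanners above look for.
# CC: 13-16 digits, optionally separated by spaces or dashes.
CC_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
# SSN: AAA-GG-SSSS, excluding area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Cleartext password assignments such as "password: hunter2" or "password=...".
PASSWORD_RE = re.compile(r"(?i)password\s*[:=]\s*(\S+)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every real card number passes, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so the report itself is not a new leak."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(text: str, source: str = "<memory>") -> list:
    """Return one finding dict per hit: {'source', 'kind', 'match'}."""
    findings = []
    for m in CC_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):     # drop order numbers, phone numbers, etc.
            findings.append({"source": source, "kind": "credit_card", "match": mask(digits)})
    for m in SSN_RE.finditer(text):
        findings.append({"source": source, "kind": "ssn", "match": mask(m.group())})
    for m in PASSWORD_RE.finditer(text):
        findings.append({"source": source, "kind": "password", "match": "password: " + mask(m.group(1))})
    return findings


def scan_directory(root: str, max_bytes: int = 5_000_000) -> list:
    """Walk a directory tree and scan every readable file up to max_bytes as text."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(fh.read(), source=path))
            except OSError:
                continue            # unreadable file: skip, do not abort the scan
    return findings


# Constructed sample text, not real data.
SAMPLE = """Subject: FW: project budget (constructed sample)
Card on file: 4111 1111 1111 1111 exp 12/26
Order id: 1234567890123456
Student ID 123-45-6789 was added to the roster.
ftp login -> password: hunter2
Invoice number 000-12-3456 is not an SSN.
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE, source="sample.txt"):
        print(f"{f['source']}: {f['kind']} {f['match']}")
```

Running the block on the sample reports one card number (the 16-digit order id fails the Luhn check and is silently dropped), one SSN (the invoice number is rejected by the area-number rule) and one cleartext password. Real scans still produce false positives, as the text notes, but a checksum and a few format rules remove the bulk of them before a human has to look.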
So, a periodic scan for left-over sensitive data is a very good practice for maintaining the security of your computer. This is even more true for enterprises, where this check-up should become part of the regular security awareness program and of the security checks of corporate computers. A home user can achieve excellent results with open source tools, but for enterprises that require centralized management and reporting, a commercial solution may be an option.
Talkback and comments are most welcome.