Keeping unneeded sensitive data off your computer

During everyday work our computers collect all kinds of information: e-mail is received, browser history is recorded, files are created. In all this exchange, a significant amount of sensitive data can accumulate, even without any action by the user (for example, e-mails on which the user is only in CC).

Most of this data is not of much daily use to a user, and is in fact a liability. It is very good practice to check what information the computer has gathered over the course of daily work, and to clean out the unnecessary sensitive data.

The definition

First, let's define sensitive data. The University of California defines sensitive data as:

Information for which access or disclosure may be assigned some degree of sensitivity, and therefore, for which some degree of protection or access restriction may be warranted. Unauthorized access to or disclosure of information in this category could result in a serious adverse effect, cause financial loss, cause damage to the reputation, constitute an unwarranted invasion of privacy

The test

Everyone's first reaction is: 'This can't happen to me!' It is well known that a lot of computers get sold with huge amounts of sensitive data still on them. So we performed a simple test: we ran the tools on the laptop of a university assistant professor. These are the results:

  • 3 of his credit card numbers were saved in the browser history.
  • 7 e-mails containing lists of students' social security numbers were discovered. They came from Student Services, with the user placed in CC, and had been only briefly read.
  • 4 files with home addresses of project team members and partners were discovered, from a project that ended 2 years ago.

Anyone making the check will be very unpleasantly surprised at the amount of sensitive data on their computer.

The tools

This definition makes a great point: If you don't work with it, remove it! To ensure that your computer is free of sensitive data, you can use several tools to locate possible sensitive data. Bear in mind that no tool can determine conclusively what is or is not sensitive data, but automated tools are great at sifting through gigabytes of information to locate patterns of data that resemble sensitive data.

We have compiled a list of 3 tools that can help you discover potentially sensitive data on your computer. The tools are listed in alphabetical order and each is presented with its own pros and cons.

Identity Finder
  • Commercial application that can be used to find sensitive data, as well as providing other functions such as protection of identified files.
  • Pro: Apart from standard credit card numbers or SSNs, it also searches for the string password: and thus can find a lot of passwords stored in cleartext. It is quite efficient in its search and offers quick solutions, like destroying identified files that contain sensitive data, or protecting the data. It is also capable of searching Outlook PST files. The enterprise version apparently works with web sites, but Shortinfosec was not able to test this functionality.
  • Con: It is a commercial application, so you need to pay for it :)

  • A simple Credit Card Number and Social Security Number search tool from the University of Texas designed to look for Social Security Numbers and Credit Cards.
  • Pro: Nearly no configuration effort, just start it and send it searching.
  • Con: Not useful for anything except SSN and Credit Card Numbers.

  • A very good open source tool for finding sensitive data.

  • Pro: Allows great flexibility of searches and comes quite near the range of a commercial application. Although it is not as easy to use as a commercial counterpart, it supports regular expression searches, so you can search for nearly anything. It is capable of searching Outlook PST files. It is also capable of searching web sites, which works quite well.
  • Con: You need to know regular expressions to make the most of it, and the presentation of results is not very clear, especially for Outlook PST files.

The sensitive data scanners are a very useful set of tools. Although they are all plagued with huge numbers of false positives, they also find the really nasty forgotten sets of data which everyone will be better off without.
So, a periodic scan for leftover sensitive data is a very good practice for maintaining the security of your computer. This is even more true for enterprises, where this check-up should become part of the regular security awareness program and security check of corporate computers. A home user can achieve excellent results with open source tools, but for enterprises which require centralized management and reporting, a commercial solution may be an option.
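The following Python example is added here and is not taken from any of the tools above. It shows how a scanner can look for the three patterns mentioned in this post (credit card numbers, SSNs and the string password:) and how a Luhn checksum and SSN range rules cut down the false positives. The regular expressions, function names and sample text are assumptions constructed for illustration.

```python
import re

# Patterns are assumptions for this example, not taken from any of the tools above.
CARD_RE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")   # 13-19 digits
SSN_RE = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")
PASSWORD_RE = re.compile(r"password\s*:\s*\S+", re.IGNORECASE)

def luhn_ok(digits):
    """Luhn checksum; discards most digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def ssn_plausible(area, group, serial):
    """Reject never-issued values: area 000, 666 or 9xx; group 00; serial 0000."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def mask(value):
    """Show only the last four characters so the report is not itself sensitive."""
    return "*" * (len(value) - 4) + value[-4:]

def scan_text(text):
    """Return (line_number, kind, masked_value) for each candidate in text."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                findings.append((n, "card", mask(digits)))
        for m in SSN_RE.finditer(line):
            if ssn_plausible(*m.groups()):
                findings.append((n, "ssn", mask(m.group())))
        if PASSWORD_RE.search(line):
            findings.append((n, "password", "<redacted>"))
    return findings

# Constructed sample input (the card number is the well-known Visa test number).
SAMPLE = """Order ref 4111 1111 1111 1111 shipped
Tracking 4111111111111112
Student 123-45-6789, placeholder 000-12-3456
password: hunter2"""

if __name__ == "__main__":
    print(*scan_text(SAMPLE), sep="\n")
```

The 16-digit tracking number and the 000-prefixed placeholder are dropped by the checksum and range rules, which is the kind of filtering that keeps the false positive count manageable; every remaining hit still needs a human decision.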

Talkback and comments are most welcome



Annie said...

Well, this is really very useful software. I like your post because it gives a path to think about small but important points. Thanks for the post.

Anonymous said...

This is old method and we need some advance tricks. Vibrational Manifestation PDF

Anonymous said...

I really love this very much. This trick is my favorite. Manifestation Miracle by Heather Matthews

Anonymous said...

I personally feel Antivirus is just useless in any computer. Teds Woodworking Plan

Anonymous said...

It is good to see you actually talk about this. Visit This Website

Anonymous said...

This is very important information and everyone should read it once. Click Here

Getit said...

Lovely blog it is. Download Zapya for PC to share files and folders easily from PC to Mobile

Anonymous said...

Thanks for this good advice. I will use it.

Anonymous said...

I must your your advice is pure quality. Everyone should follow it for once.

Anonymous said...

Yes it is really important to understand completely about Information Technology. How To Get Your Ex Back reviewprotocol guide

Sunmugam Chidambaram said...

Good post like to Read More Like this
xender for pc
