Prof John Walker (Europe) - When Good Green goes Black

In a society where Green IT is paramount, Prof John Walker, a prominent member of ISACA and CAMM, discusses the complications of pressing IT green policies too far.

Like most developed societies, the residents of the UK live and work within a social structure which recognizes the need to protect the environment, and the wider global habitat of the precious planet. We now work and play in socialized surroundings in which recycling has become the norm, both at work, and at home. We are the entrants, and graduates of a new era which is striving to save the planet by employing environmentally responsible practices. We are, in effect, the new 'Green Society'.

As businesses gradually morph into this new greener world of encouraged ecofriendly practices, it has become the norm in the majority of organizations seeking to establish their green credentials to take proactive steps to reduce their unacceptable carbon footprint to a minimum. For example, by encouraging employees to participate in the company car-sharing scheme, or say by promoting the use of technological solutions, in the form of those much underused, and expensive teleconferencing facilities. In some cases, organizations are even striving to achieve carbon offsets by engaging with tree planting projects, or by sponsoring green missions which protect the delicate sub-worlds of both flora, and fauna. No matter the approach, the desired end result is the same, to reduce the levels of atmospheric pollution, possibly followed by proactive measures to improve the environment.

There may be some way to go, but most large businesses want to do their bit, and do the right thing when it comes to being seen to be green. There are also encouraging incentives which may be leveraged from the world of Corporate PR - let's face it, no self-respecting business today wants to be branded as an uncaring, and dirty neighbor. There may also be some motivations in the form of financial compensations, so being seen to be green just may start to have some potential in the greater scheme of things. However, if this newly founded keenness-for-greenness is not managed correctly, such ecotistic practices can, and have resulted in security exposures, and information breaches, albeit based on good intentions.

One example of such green missions is the recycling of those unloved, and unwanted out-of-date cellphones. On several occasions I have been witness to initiatives in both the public and private sectors which have encouraged their employees to hand in their old cast off cellphones for recycling. And in every one of these cases, not a jot of consideration was given to the potential for the existence of a security exposure. In fact, in one such recycling mission, a sample of cellphones was extracted, and then subsequently subjected to some very simple analysis, of which the revelations were astounding! A high percentage of the sample contained personal information (60%), as well as holding remnant commercially interesting titbits (around 20%).

Of the sample of cellphones subjected to analysis, three contained SIM cards, four contained mini data cards, with all of the remainder containing some fragments of information. In one case, the content increased the potential for Identity Theft and personal compromise, as it also hosted personal banking details in the form of an electronic mini bank statement. However, as we are now in the era of the much more powerful SmartPhones, the vector of threat just got bigger. These new devices are highly intelligent, and host the potential to store enormous amounts of personal and business information, so be warned.

Of course, one may always invoke a 'Factory Reset' to remove all traces of remnant information. However, although the average user can't see beyond the graphical user interface of the cellphone, remnants of information are highly likely to still remain deep within the device. In fact, any novice with some basic skills and access to low cost specialist applications can subject a recovered SIM to interrogation to extract the supposedly deleted data artifacts - see Fig1.

[Figure: fig1]

And also be aware, there are no certainties where such recycled devices will end up. As for my old phones, call me paranoid but when they leave my possession, not only will they never provision the capability of making a phone call again, but they are unrecognizable!


By Professor John Walker, London Chapter ISACA Security Advisory Group and Director of Communications Common Assurance Maturity Model Certified, Accredited Security Professional, Visiting Professor, and Author.