Threat Intelligence

New Consortium Promotes Proper Data Sanitization Practices

The International Data Sanitization Consortium (IDSC) will create guidelines and best practices for sanitizing data on hardware devices.

A group of security experts has created the International Data Sanitization Consortium (IDSC) in a move to eliminate confusion over what constitutes data sanitization and the potential repercussions of incorrect wiping of data from devices.

Approximately 12 million data records have been exposed since January, according to the Identity Theft Resource Center (ITRC). Such problems can arise when devices are recycled, resold, or discarded and the holders of these devices assume that performing a factory reset on the device, or reformatting the hard drive, will permanently remove the data before giving up the device.

"Our surveys indicate that the percentage is just above 50% that believe deletion/reformatting is effective. There are many reasons for this, not the least of which is Microsoft’s warning pop-up that asks if you want to permanently remove a file or directory when you are deleting it or emptying the trash bin. Most people equate 'can’t see the file in my directory' with it being gone," says Richard Stiennon, IDSC director and chief strategy officer of Blancco Technology Group. "They fail to think about how easy it is to recover deleted files with a simple forensics tool that can be downloaded for free from the Internet."

The IDSC is seeking to develop terminology, standards, guidelines, and best practices for sanitizing data on such products as hard drives used in data centers, laptops, desktops, medical equipment, automobiles, cell phones, tablets, and wearables. It plans on working with organizations and standards bodies to influence standards, security and privacy laws, and regulations, the group notes.

Although IDSC membership is open to educators, analysts, software and hardware vendors, and companies, Stiennon says ianyone with an interest in data sanitization can join.

Data Sanitization Myths

Companies frequently believe that reformatting hard drives and resetting devices back to factory reset will remove all traces of their data. However, Paul Henry, an IDSC member, and information security and forensics expert, says that is not the case.

The IDSC defines sanitized devices as no longer having residual data, or data that can be retrieved even with forensics tools.

In explaining the difference between reformatting a hard drive to wipe the data clean and sanitizing the data, Henry says with data sanitization a user is overwriting the data, which renders it completely unrecoverable.

"Many users mistakenly believe that reformatting magically destroys their data," Henry says. "Reformatting simply marks all drive space as unallocated and available to the operating system. All of that data potentially can be recovered with data carving using headers and footers."

A factory reset on a device has a similar result – the data has the potential to be recovered.

"A factory reset is similar to reinstalling an operating system. A clean file allocation table is created and the operating system files are reinstalled," Henry says. "This does not overwrite the users' data, which is no longer linked to the file allocation table. The data does in fact still exist in unallocated space and is fully recoverable."

But companies that use data wiping are engaging in a form of data sanitization, Henry notes. To undertake this task, a user needs to over write the data in an unallocated space on the hard drive to make it non-recoverable. Another way to clean a file is to remove all the sensitive information from a classified document or other message, so that the document can then be distributed to a broader audience at a lower classification level, says Henry.

Despite a desire to securely and thoroughly erase data from devices, not all companies do so, says Stiennon.

"The biggest challenge is that most organizations do not have a mature data security lifecycle policy. If anything, they have tried to build processes around protecting PII but have not gone the next step to classify and track all data types or created data retention policies," he says. Once that's accomplished, the organization will look for data sanitization processes either internally, or from a third-party provider.

"If you do not use effective data sanitization methods, you are playing data roulette. Eventually, you can expect your data to see the light of day," Stiennon says. "Every year, we sponsor a lab which purchases hard drives and devices off the Internet and we always find data on them. We even see devices where the owner reformatted the device, yet we can still extract the data."

Related Content:

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Devastating Cyberattack on Email Provider Destroys 18 Years of Data
Jai Vijayan, Freelance writer,  2/12/2019
Up to 100,000 Reported Affected in Landmark White Data Breach
Kelly Sheridan, Staff Editor, Dark Reading,  2/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8354
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c has an integer overflow on the result of multiplication fed into malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow.
CVE-2019-8355
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. In xmalloc.h, there is an integer overflow on the result of multiplication fed into the lsx_valloc macro that wraps malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow in channels_start in remix.c.
CVE-2019-8356
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. One of the arguments to bitrv2 in fft4g.c is not guarded, such that it can lead to write access outside of the statically declared array, aka a stack-based buffer overflow.
CVE-2019-8357
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c allows a NULL pointer dereference.
CVE-2013-2516
PUBLISHED: 2019-02-15
Vulnerability in FileUtils v0.7, Ruby Gem Fileutils <= v0.7 Command Injection vulnerability in user supplied url variable that is passed to the shell.