Threat Intelligence

8/8/2017
06:25 PM
50%
50%

New Consortium Promotes Proper Data Sanitization Practices

The International Data Sanitization Consortium (IDSC) will create guidelines and best practices for sanitizing data on hardware devices.

A group of security experts has created the International Data Sanitization Consortium (IDSC) in a move to eliminate confusion over what constitutes data sanitization and the potential repercussions of incorrect wiping of data from devices.

Approximately 12 million data records have been exposed since January, according to the Identity Theft Resource Center (ITRC). Such problems can arise when devices are recycled, resold, or discarded and the holders of these devices assume that performing a factory reset on the device, or reformatting the hard drive, will permanently remove the data before giving up the device.

"Our surveys indicate that the percentage is just above 50% that believe deletion/reformatting is effective. There are many reasons for this, not the least of which is Microsoft’s warning pop-up that asks if you want to permanently remove a file or directory when you are deleting it or emptying the trash bin. Most people equate 'can’t see the file in my directory' with it being gone," says Richard Stiennon, IDSC director and chief strategy officer of Blancco Technology Group. "They fail to think about how easy it is to recover deleted files with a simple forensics tool that can be downloaded for free from the Internet."

The IDSC is seeking to develop terminology, standards, guidelines, and best practices for sanitizing data on such products as hard drives used in data centers, laptops, desktops, medical equipment, automobiles, cell phones, tablets, and wearables. It plans on working with organizations and standards bodies to influence standards, security and privacy laws, and regulations, the group notes.

Although IDSC membership is open to educators, analysts, software and hardware vendors, and companies, Stiennon says ianyone with an interest in data sanitization can join.

Data Sanitization Myths

Companies frequently believe that reformatting hard drives and resetting devices back to factory reset will remove all traces of their data. However, Paul Henry, an IDSC member, and information security and forensics expert, says that is not the case.

The IDSC defines sanitized devices as no longer having residual data, or data that can be retrieved even with forensics tools.

In explaining the difference between reformatting a hard drive to wipe the data clean and sanitizing the data, Henry says with data sanitization a user is overwriting the data, which renders it completely unrecoverable.

"Many users mistakenly believe that reformatting magically destroys their data," Henry says. "Reformatting simply marks all drive space as unallocated and available to the operating system. All of that data potentially can be recovered with data carving using headers and footers."

A factory reset on a device has a similar result – the data has the potential to be recovered.

"A factory reset is similar to reinstalling an operating system. A clean file allocation table is created and the operating system files are reinstalled," Henry says. "This does not overwrite the users' data, which is no longer linked to the file allocation table. The data does in fact still exist in unallocated space and is fully recoverable."

But companies that use data wiping are engaging in a form of data sanitization, Henry notes. To undertake this task, a user needs to over write the data in an unallocated space on the hard drive to make it non-recoverable. Another way to clean a file is to remove all the sensitive information from a classified document or other message, so that the document can then be distributed to a broader audience at a lower classification level, says Henry.

Despite a desire to securely and thoroughly erase data from devices, not all companies do so, says Stiennon.

"The biggest challenge is that most organizations do not have a mature data security lifecycle policy. If anything, they have tried to build processes around protecting PII but have not gone the next step to classify and track all data types or created data retention policies," he says. Once that's accomplished, the organization will look for data sanitization processes either internally, or from a third-party provider.

"If you do not use effective data sanitization methods, you are playing data roulette. Eventually, you can expect your data to see the light of day," Stiennon says. "Every year, we sponsor a lab which purchases hard drives and devices off the Internet and we always find data on them. We even see devices where the owner reformatted the device, yet we can still extract the data."

Related Content:

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Printers: The Weak Link in Enterprise Security
Kelly Sheridan, Associate Editor, Dark Reading,  10/16/2017
20 Questions to Ask Yourself before Giving a Security Conference Talk
Joshua Goldfarb, Co-founder & Chief Product Officer, IDDRA,  10/16/2017
Why Security Leaders Can't Afford to Be Just 'Left-Brained'
Bill Bradley, SVP, Cyber Engineering and Technical Services, CenturyLink,  10/17/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.