Threat Intelligence

8/8/2017
06:25 PM

New Consortium Promotes Proper Data Sanitization Practices

The International Data Sanitization Consortium (IDSC) will create guidelines and best practices for sanitizing data on hardware devices.

A group of security experts has created the International Data Sanitization Consortium (IDSC) in a move to eliminate confusion over what constitutes data sanitization and the potential repercussions of incorrect wiping of data from devices.

Approximately 12 million data records have been exposed since January, according to the Identity Theft Resource Center (ITRC). Such problems can arise when devices are recycled, resold, or discarded and the holders of these devices assume that performing a factory reset on the device, or reformatting the hard drive, will permanently remove the data before giving up the device.

"Our surveys indicate that the percentage is just above 50% that believe deletion/reformatting is effective. There are many reasons for this, not the least of which is Microsoft’s warning pop-up that asks if you want to permanently remove a file or directory when you are deleting it or emptying the trash bin. Most people equate 'can’t see the file in my directory' with it being gone," says Richard Stiennon, IDSC director and chief strategy officer of Blancco Technology Group. "They fail to think about how easy it is to recover deleted files with a simple forensics tool that can be downloaded for free from the Internet."

The IDSC is seeking to develop terminology, standards, guidelines, and best practices for sanitizing data on such products as hard drives used in data centers, laptops, desktops, medical equipment, automobiles, cell phones, tablets, and wearables. It plans on working with organizations and standards bodies to influence standards, security and privacy laws, and regulations, the group notes.

Although IDSC membership is open to educators, analysts, software and hardware vendors, and companies, Stiennon says anyone with an interest in data sanitization can join.

Data Sanitization Myths

Companies frequently believe that reformatting hard drives and resetting devices back to factory reset will remove all traces of their data. However, Paul Henry, an IDSC member, and information security and forensics expert, says that is not the case.

The IDSC defines sanitized devices as no longer having residual data, or data that can be retrieved even with forensics tools.

In explaining the difference between reformatting a hard drive to wipe the data clean and sanitizing the data, Henry says with data sanitization a user is overwriting the data, which renders it completely unrecoverable.

"Many users mistakenly believe that reformatting magically destroys their data," Henry says. "Reformatting simply marks all drive space as unallocated and available to the operating system. All of that data potentially can be recovered with data carving using headers and footers."

A factory reset on a device has a similar result – the data has the potential to be recovered.

"A factory reset is similar to reinstalling an operating system. A clean file allocation table is created and the operating system files are reinstalled," Henry says. "This does not overwrite the users' data, which is no longer linked to the file allocation table. The data does in fact still exist in unallocated space and is fully recoverable."

But companies that use data wiping are engaging in a form of data sanitization, Henry notes. To undertake this task, a user needs to overwrite the data in an unallocated space on the hard drive to make it non-recoverable. Another way to clean a file is to remove all the sensitive information from a classified document or other message, so that the document can then be distributed to a broader audience at a lower classification level, says Henry.
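The difference between reformatting and overwriting described above, as an added example that is not part of the original article: a constructed toy disk is reformatted, carved by JPEG header and footer, then overwritten and carved again. The `ToyDisk` class, the block size and the sample file are assumptions for illustration and do not model a real filesystem.

```python
# Constructed toy "disk": a file table plus a raw data area (not a real filesystem).
JPEG_SOI = b"\xff\xd8\xff"   # JPEG header (start-of-image marker)
JPEG_EOI = b"\xff\xd9"       # JPEG footer (end-of-image marker)
BLOCK = 64                   # assumed block size in bytes

class ToyDisk:
    def __init__(self, blocks=16):
        self.data = bytearray(BLOCK * blocks)
        self.table = {}          # filename -> (offset, length)
        self.next_free = 0

    def write_file(self, name, content):
        off = self.next_free
        self.data[off:off + len(content)] = content
        self.table[name] = (off, len(content))
        self.next_free = off + -(-len(content) // BLOCK) * BLOCK  # round up to a block

    def reformat(self):
        """Reformat / factory reset: fresh empty table, data area untouched."""
        self.table = {}
        self.next_free = 0

    def overwrite_unallocated(self, pattern=b"\x00"):
        """Sanitize: overwrite every block the table no longer references."""
        used = set()
        for off, length in self.table.values():
            used.update(range(off // BLOCK, -(-(off + length) // BLOCK)))
        for b in range(len(self.data) // BLOCK):
            if b not in used:
                self.data[b * BLOCK:(b + 1) * BLOCK] = pattern * BLOCK

def carve_jpegs(raw):
    """Header/footer carving over the raw bytes, ignoring any file table."""
    found, pos = [], 0
    while (start := raw.find(JPEG_SOI, pos)) != -1:
        end = raw.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            break
        found.append(bytes(raw[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)
    return found

def demo():
    secret = JPEG_SOI + b"\xe0" + b"constructed-payroll-scan" + JPEG_EOI  # constructed sample
    disk = ToyDisk()
    disk.write_file("scan.jpg", secret)
    disk.reformat()                          # file no longer listed anywhere
    after_format = carve_jpegs(disk.data)    # carving still returns it
    disk.overwrite_unallocated()
    after_wipe = carve_jpegs(disk.data)      # nothing left to carve
    return secret, after_format, after_wipe
```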

Despite a desire to securely and thoroughly erase data from devices, not all companies do so, says Stiennon.

"The biggest challenge is that most organizations do not have a mature data security lifecycle policy. If anything, they have tried to build processes around protecting PII but have not gone the next step to classify and track all data types or created data retention policies," he says. Once that's accomplished, the organization will look for data sanitization processes either internally, or from a third-party provider.

"If you do not use effective data sanitization methods, you are playing data roulette. Eventually, you can expect your data to see the light of day," Stiennon says. "Every year, we sponsor a lab which purchases hard drives and devices off the Internet and we always find data on them. We even see devices where the owner reformatted the device, yet we can still extract the data."


Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ...
