Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

New Consortium Promotes Proper Data Sanitization Practices

The International Data Sanitization Consortium (IDSC) will create guidelines and best practices for sanitizing data on hardware devices.

A group of security experts has created the International Data Sanitization Consortium (IDSC) in a move to eliminate confusion over what constitutes data sanitization and the potential repercussions of incorrect wiping of data from devices.

Approximately 12 million data records have been exposed since January, according to the Identity Theft Resource Center (ITRC). Such problems can arise when devices are recycled, resold, or discarded and the holders of these devices assume that performing a factory reset on the device, or reformatting the hard drive, will permanently remove the data before giving up the device.

"Our surveys indicate that the percentage is just above 50% that believe deletion/reformatting is effective. There are many reasons for this, not the least of which is Microsoft’s warning pop-up that asks if you want to permanently remove a file or directory when you are deleting it or emptying the trash bin. Most people equate 'can’t see the file in my directory' with it being gone," says Richard Stiennon, IDSC director and chief strategy officer of Blancco Technology Group. "They fail to think about how easy it is to recover deleted files with a simple forensics tool that can be downloaded for free from the Internet."

The IDSC is seeking to develop terminology, standards, guidelines, and best practices for sanitizing data on such products as hard drives used in data centers, laptops, desktops, medical equipment, automobiles, cell phones, tablets, and wearables. It plans on working with organizations and standards bodies to influence standards, security and privacy laws, and regulations, the group notes.

Although IDSC membership is open to educators, analysts, software and hardware vendors, and companies, Stiennon says ianyone with an interest in data sanitization can join.

Data Sanitization Myths

Companies frequently believe that reformatting hard drives and resetting devices back to factory reset will remove all traces of their data. However, Paul Henry, an IDSC member, and information security and forensics expert, says that is not the case.

The IDSC defines sanitized devices as no longer having residual data, or data that can be retrieved even with forensics tools.

In explaining the difference between reformatting a hard drive to wipe the data clean and sanitizing the data, Henry says with data sanitization a user is overwriting the data, which renders it completely unrecoverable.

"Many users mistakenly believe that reformatting magically destroys their data," Henry says. "Reformatting simply marks all drive space as unallocated and available to the operating system. All of that data potentially can be recovered with data carving using headers and footers."

A factory reset on a device has a similar result – the data has the potential to be recovered.

"A factory reset is similar to reinstalling an operating system. A clean file allocation table is created and the operating system files are reinstalled," Henry says. "This does not overwrite the users' data, which is no longer linked to the file allocation table. The data does in fact still exist in unallocated space and is fully recoverable."

But companies that use data wiping are engaging in a form of data sanitization, Henry notes. To undertake this task, a user needs to over write the data in an unallocated space on the hard drive to make it non-recoverable. Another way to clean a file is to remove all the sensitive information from a classified document or other message, so that the document can then be distributed to a broader audience at a lower classification level, says Henry.

Despite a desire to securely and thoroughly erase data from devices, not all companies do so, says Stiennon.

"The biggest challenge is that most organizations do not have a mature data security lifecycle policy. If anything, they have tried to build processes around protecting PII but have not gone the next step to classify and track all data types or created data retention policies," he says. Once that's accomplished, the organization will look for data sanitization processes either internally, or from a third-party provider.

"If you do not use effective data sanitization methods, you are playing data roulette. Eventually, you can expect your data to see the light of day," Stiennon says. "Every year, we sponsor a lab which purchases hard drives and devices off the Internet and we always find data on them. We even see devices where the owner reformatted the device, yet we can still extract the data."

Related Content:

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
Breaches Are Inevitable, So Embrace the Chaos
Ariel Zeitlin, Chief Technology Officer & Co-Founder, Guardicore,  11/13/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2016-5285
PUBLISHED: 2019-11-15
Null pointer dereference vulnerability exists in K11_SignWithSymKey / ssl3_ComputeRecordMACConstantTime in NSS before 3.26, which causes the TLS/SSL server using NSS to crash.
CVE-2009-5047
PUBLISHED: 2019-11-15
Jetty 6.x before 6.1.22 suffers from an escape sequence injection vulnerability from two different vectors: 1) "Cookie Dump Servlet" and 2) Http Content-Length header. 1) A POST request to the form at "/test/cookie/" with the "Age" parameter set to a string throws a &qu...
CVE-2013-4584
PUBLISHED: 2019-11-15
Perdition before 2.2 may have weak security when handling outbound connections, caused by an error in the STARTTLS IMAP and POP server. ssl_outgoing_ciphers not being applied to STARTTLS connections
CVE-2013-7087
PUBLISHED: 2019-11-15
ClamAV before 0.97.7 has WWPack corrupt heap memory
CVE-2013-7088
PUBLISHED: 2019-11-15
ClamAV before 0.97.7 has buffer overflow in the libclamav component