Threat Intelligence

8/8/2017
06:25 PM
50%
50%

New Consortium Promotes Proper Data Sanitization Practices

The International Data Sanitization Consortium (IDSC) will create guidelines and best practices for sanitizing data on hardware devices.

A group of security experts has created the International Data Sanitization Consortium (IDSC) in a move to eliminate confusion over what constitutes data sanitization and the potential repercussions of incorrect wiping of data from devices.

Approximately 12 million data records have been exposed since January, according to the Identity Theft Resource Center (ITRC). Such problems can arise when devices are recycled, resold, or discarded and the holders of these devices assume that performing a factory reset on the device, or reformatting the hard drive, will permanently remove the data before giving up the device.

"Our surveys indicate that the percentage is just above 50% that believe deletion/reformatting is effective. There are many reasons for this, not the least of which is Microsoft’s warning pop-up that asks if you want to permanently remove a file or directory when you are deleting it or emptying the trash bin. Most people equate 'can’t see the file in my directory' with it being gone," says Richard Stiennon, IDSC director and chief strategy officer of Blancco Technology Group. "They fail to think about how easy it is to recover deleted files with a simple forensics tool that can be downloaded for free from the Internet."

The IDSC is seeking to develop terminology, standards, guidelines, and best practices for sanitizing data on such products as hard drives used in data centers, laptops, desktops, medical equipment, automobiles, cell phones, tablets, and wearables. It plans on working with organizations and standards bodies to influence standards, security and privacy laws, and regulations, the group notes.

Although IDSC membership is open to educators, analysts, software and hardware vendors, and companies, Stiennon says ianyone with an interest in data sanitization can join.

Data Sanitization Myths

Companies frequently believe that reformatting hard drives and resetting devices back to factory reset will remove all traces of their data. However, Paul Henry, an IDSC member, and information security and forensics expert, says that is not the case.

The IDSC defines sanitized devices as no longer having residual data, or data that can be retrieved even with forensics tools.

In explaining the difference between reformatting a hard drive to wipe the data clean and sanitizing the data, Henry says with data sanitization a user is overwriting the data, which renders it completely unrecoverable.

"Many users mistakenly believe that reformatting magically destroys their data," Henry says. "Reformatting simply marks all drive space as unallocated and available to the operating system. All of that data potentially can be recovered with data carving using headers and footers."

A factory reset on a device has a similar result – the data has the potential to be recovered.

"A factory reset is similar to reinstalling an operating system. A clean file allocation table is created and the operating system files are reinstalled," Henry says. "This does not overwrite the users' data, which is no longer linked to the file allocation table. The data does in fact still exist in unallocated space and is fully recoverable."

But companies that use data wiping are engaging in a form of data sanitization, Henry notes. To undertake this task, a user needs to over write the data in an unallocated space on the hard drive to make it non-recoverable. Another way to clean a file is to remove all the sensitive information from a classified document or other message, so that the document can then be distributed to a broader audience at a lower classification level, says Henry.

Despite a desire to securely and thoroughly erase data from devices, not all companies do so, says Stiennon.

"The biggest challenge is that most organizations do not have a mature data security lifecycle policy. If anything, they have tried to build processes around protecting PII but have not gone the next step to classify and track all data types or created data retention policies," he says. Once that's accomplished, the organization will look for data sanitization processes either internally, or from a third-party provider.

"If you do not use effective data sanitization methods, you are playing data roulette. Eventually, you can expect your data to see the light of day," Stiennon says. "Every year, we sponsor a lab which purchases hard drives and devices off the Internet and we always find data on them. We even see devices where the owner reformatted the device, yet we can still extract the data."

Related Content:

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
Mueller Probe Yields Hacking Indictments for 12 Russian Military Officers
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/13/2018
10 Ways to Protect Protocols That Aren't DNS
Curtis Franklin Jr., Senior Editor at Dark Reading,  7/16/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-12959
PUBLISHED: 2018-07-19
The approveAndCall function of a smart contract implementation for Aditus (ADI), an Ethereum ERC20 token, allows attackers to steal assets (e.g., transfer all contract balances into their account).
CVE-2018-14336
PUBLISHED: 2018-07-19
TP-Link WR840N devices allow remote attackers to cause a denial of service (connectivity loss) via a series of packets with random MAC addresses.
CVE-2018-10620
PUBLISHED: 2018-07-19
AVEVA InduSoft Web Studio v8.1 and v8.1SP1, and InTouch Machine Edition v2017 8.1 and v2017 8.1 SP1 a remote user could send a carefully crafted packet to exploit a stack-based buffer overflow vulnerability during tag, alarm, or event related actions such as read and write, with potential for code t...
CVE-2018-14423
PUBLISHED: 2018-07-19
Division-by-zero vulnerabilities in the functions pi_next_pcrl, pi_next_cprl, and pi_next_rpcl in lib/openjp3d/pi.c in OpenJPEG through 2.3.0 allow remote attackers to cause a denial of service (application crash).
CVE-2018-3857
PUBLISHED: 2018-07-19
An exploitable heap overflow exists in the TIFF parsing functionality of Canvas Draw version 4.0.0. A specially crafted TIFF image processed via the application can lead to an out-of-bounds write, overwriting arbitrary data. An attacker can deliver a TIFF image to trigger this vulnerability and gain...