You think your confidential data is deleted, but is it?
With 80 percent of the market subjecting itself to the risk of data theft, and worldwide misconceptions that deleting data is the same as destroying data, SecurityNewsDesk speaks to Paul Henry on how to ensure your valuable data is not compromised.
“What’s the definition of insanity? The definition of insanity would be doing the same things over and over again and expecting a different result. That’s how most organisations are approaching security today.”
Paul Henry, a Senior Instructor with the SANS Institute, security & computer forensic expert and IT security consultant to the Blancco Technology Group, recently spoke with SecurityNewsDesk on data theft and the relative state of data privacy in Europe and the US. Needless to say, he was not impressed with the steps that individuals and companies alike are taking to protect their data.
“We are seeing a widening gap,” Paul stated, when asked whether the threat to our data is increasing, “we continuously see data being exfiltrated and hear about data security breaches, yet we’re not at all changing how we handle things.” Paul drew attention to the Check Point 2015 Security Report, published by Check Point Software Technologies Ltd, which states that 81 percent of the enterprises studied in their survey had sensitive data leaking out of the company. In companies with roughly 10,000 employees or more, the report states that a file left the network every 36 minutes. “Not only this, but the trend suggests we’re not getting any better,” said Paul, the report stating that the loss of proprietary information has increased 71 percent over the past three years.
With these worrying statistics, it would be fair to assume that such breaches and leaks are caused by the increasing skill of cyber criminals, and yet, Paul suggests that in fact it is not so much the outside threat that is the problem, but more our “own lack of protecting ourselves.”
Data retrieval: 799 out of 800
In investigating this ‘lack of self protection’, Paul took on a project that would send shivers down the spine of anybody who has sold a hard drive in the last decade. “For at least seven or eight years I’ve been buying hard drives on ebay – typically 50 at a time – and out of the 800 that I have, I was able to retrieve data from 799.”
The single exception, he explains, was encrypted, and he was unable to break the encryption. The remaining 799 hard drives were completely intact: the data had not been protected, wiped or erased in any way. Luckily for the 799 owners of these hard drives, they had fallen into trustworthy hands, but with a mixture of personal and organisation-owned drives on his desk, imagine if it had not been Paul who had made the purchase on ebay.
So, why is it that the data on 799 of these hard drives had not been protected in any way?
“It’s a couple of things,” explains Paul:
“Firstly, people just don’t understand that when you ‘delete’ something it is not necessarily ‘erased’ – it’s marked as being erased, but its data has not been fully eradicated from the system. Rather, it is now in an unallocated space, so that the system can reuse the space if need be, but the data is still very much on the hard drive. Secondly, there seems to be this misconception that when people trade in, or send their PC in for repair and the hard drive is replaced, that the firm wipes or destroys the hard drive – but that simply is not the case.”
Beyond hard drives, Paul also carries out mobile forensics, and yet again the same misconceptions seem to be opening up personal data to whoever gets their hands on a discarded device. “The issue with mobile phones is that if you do a factory reset it does not actually overwrite the data, meaning that all of the data is still completely retrievable. Using readily-available software I’ve retrieved data from Android, Blackberry, iPhone (before they started using better encryption at iPhone 5). It’s trivial, really.”
What is most worrying about such accessible personal data is that it is not through Paul’s experience in the field that he is able to retrieve the data, but simply by having the inclination to do so and a connection to the Internet. “It is as simple as this,” he explained:
“If you go to the website ‘accessdata.com’ you can download a tool called ‘FTK Imager’. With FTK Imager, you can mount the drive and all known files are shown with a red ‘x’. If you simply right click this ‘x’ you can save the file out to an alternative drive, fully recovering the file. It is that easy. The thing is, if you search the brand of the phone itself, on a search engine, with the term ‘erase’, the companies provide information that allows you to properly wipe the data.”
A blog post he wrote back in 2012 makes clear that this is a message Paul has been trying to get across for a long time.
Lack of consideration
From personal mobile devices to huge organisations, there does not seem to be the level of awareness or amount of consideration that there should be over something as important as personal or corporate data. “Consider this,” says Paul:
“If your corporation is hosting servers at a data centre, and the data centre operator files for bankruptcy, what happens to all of their equipment with your data on it? It goes to the bankruptcy court. Is the bankruptcy court going to fully sanitise and erase your data? No, they’re not! They’re going to resell the hard drives, the equipment, the servers, and your data is passed on to who knows where.”
With the amount of important, and in many cases confidential, data running through any corporation, it is hard to believe that security risks such as these, for which there are such simple preventative measures, are overlooked. As well as issues of awareness and lack of consideration, though, there is an issue arguably more persuasive than any – money. “It only requires a simple overwrite, one time, and your data is no longer retrievable – but it does take a little bit of time and effort. Here in my forensics lab I can overwrite at a rate of about 6 gig a minute – but without that it’s going to take a little more time.” With the task taking more time, there is automatically more planning and therefore more cost, and “in matters of budget, if something costs money to an organisation it’s likely not going to get done.”
The Europe/US divide
There seems to be somewhat of a divide in matters of data privacy between Europe and the US though, Paul explains: “Unfortunately in the US, we’ve always put commerce above privacy. In Europe, you tend to put privacy above commerce. I think Europe gets it right, and the US are getting it wrong here. I’ve done a lot of work with organisations in Europe and they have solid regulations and great policies and procedures. I once had to do a penetration test for a European company who were testing an organisation in India that was bidding on providing services to them – they went to the extent of doing a full test on what was only a prospective provider. That is not done anywhere near enough in the US.”
How to protect your data
However, this unfortunately does not mean that all of Europe is properly securing its data. With all of the above in mind, Paul explains that despite the disasters that data breaches can cause, you are able to “rid of 90 percent of your risks by simply doing the basics”:
- Ensure software is up to date: Make sure that you are running the most current version of software from your vendor, as the most current version of anyone’s software is generally the most secure version.
- Misconception: Many organisations turn on Microsoft WSUS (Windows Server Update Services) and believe that everything is patched and up to date. The reality is that you’re around 90 percent patched, because the 10 percent of non-Microsoft applications on your machine are not covered by WSUS, and that leaves you woefully exposed to vulnerabilities. Ensure your machine is up to date throughout, third-party applications included.
- Reduce your threat envelope: Do not expose any service to the internet that does not meet your business needs. Many organisations leave too much information exposed to the public internet, needlessly opening themselves up to threat.
- Anti-malware: Make sure that you are running the most current anti-malware software, Paul states, going beyond traditional anti-virus, which he believes to be a failed methodology.
- Whitelisting: You should control what files you can execute within your environment by whitelisting – not only the binary files on your hard drives, but also the applications running in RAM.
- Sanitise your systems: Overwrite deleted data. You should regularly overwrite unallocated space on all of your equipment. A single overwrite is enough to make the data irretrievable. This is something that Blancco Technology Group are experts in, and can ensure that the data is truly erased and equipment fully sanitised: whether on servers, mobile devices or in the cloud. Wherever your data is stored. For more information, visit their website.
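The two points Paul makes about deletion and sanitisation (a ‘delete’ only marks blocks as unallocated while the bytes stay on the disk, and a single overwrite of unallocated space makes them irretrievable) can be seen in a small simulation. This is an added example, not code from the article, from Blancco or from AccessData: `ToyDisk` is a hypothetical block device with an allocation table, its behaviour is a simplification of how real filesystems free space, and the ‘secret’ content is constructed sample data.

```python
"""Toy block device showing why 'delete' is not 'erase'.

Added example (hypothetical simulation, not the article's or any vendor's code).
The disk is a bytearray of fixed-size blocks plus an allocation table that maps
file names to the blocks they own. Deleting a file only removes its table entry;
the bytes in its blocks remain until something overwrites them.
"""


class ToyDisk:
    def __init__(self, block_size=16, block_count=8):
        self.block_size = block_size
        self.block_count = block_count
        self.blocks = bytearray(block_size * block_count)
        self.table = {}  # name -> (list of block indices, byte length)

    def _slice(self, idx):
        return slice(idx * self.block_size, (idx + 1) * self.block_size)

    def _free_blocks(self):
        used = {b for blocks, _ in self.table.values() for b in blocks}
        return [i for i in range(self.block_count) if i not in used]

    def write(self, name, data):
        # Allocate the first free blocks and copy the data in, null-padded.
        needed = -(-len(data) // self.block_size)
        free = self._free_blocks()
        if needed > len(free):
            raise OSError("disk full")
        chosen = free[:needed]
        for n, idx in enumerate(chosen):
            chunk = data[n * self.block_size:(n + 1) * self.block_size]
            self.blocks[self._slice(idx)] = chunk.ljust(self.block_size, b"\x00")
        self.table[name] = (chosen, len(data))

    def read(self, name):
        blocks, length = self.table[name]
        return b"".join(bytes(self.blocks[self._slice(i)]) for i in blocks)[:length]

    def delete(self, name):
        # 'Delete' the way most filesystems do it: only the table entry goes.
        del self.table[name]

    def carve_unallocated(self):
        # What a forensic imager sees: raw contents of blocks no file owns.
        return b"".join(bytes(self.blocks[self._slice(i)]) for i in self._free_blocks())

    def sanitise_unallocated(self, fill=0x00):
        # Single-pass overwrite of free space, the countermeasure the article
        # recommends. Live files are untouched. Returns the number of blocks wiped.
        free = self._free_blocks()
        for i in free:
            self.blocks[self._slice(i)] = bytes([fill]) * self.block_size
        return len(free)


def demo():
    disk = ToyDisk()
    secret = b"ACCOUNT:1234-5678 PIN:0042"  # constructed sample data
    disk.write("secret.txt", secret)
    disk.write("keep.txt", b"still in use")
    disk.delete("secret.txt")
    recoverable = secret in disk.carve_unallocated()
    disk.sanitise_unallocated()
    return {
        "recoverable_after_delete": recoverable,
        "recoverable_after_wipe": secret in disk.carve_unallocated(),
        "live_file_intact": disk.read("keep.txt") == b"still in use",
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports that the deleted secret is fully carvable from unallocated space, that one overwrite pass of that space removes it, and that the file still in use is untouched by the wipe. Real filesystems add journals, slack space and wear-levelling on flash, which is why Paul’s advice is to overwrite unallocated space on all equipment rather than to trust a single file deletion.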
With the basic steps towards ensuring your valuable data is properly destroyed being so simple, it is almost unbelievable that 80 percent of the market are still leaving themselves open to this severe threat of data theft. “Most people don’t see the value in security until they’ve had an incident and felt pain,” Paul said.
“I do a lot of incident response work on breach cases, and they’re not spending the time or the money doing the vulnerability scans, or sanitising their equipment before it’s resold or disposed of. But, once they’ve had an incident, they wake up to the pain very quickly. It is so simple to avoid, and furthermore it’s cheaper to do it right in the first place! It costs significantly more to do it in a rush and panic at the time of the incident, when the pain is real.”
Most people know the pain of losing cherished pictures or important personal information to a device crash or system fault. Imagining that your own or your company’s confidential data has just fallen into the hands of a prying cyber criminal, simply because you hadn’t put the effort in to erase your data fully, is another thing altogether. Perhaps it is time to take action.