© 2016 Blancco Oy Ltd. All Rights Reserved.

Delete vs. Erase: How Are Companies Wiping Active Files

Richard Stiennon, Chief Strategy Officer, Blancco Technology Group

Steve Hunt, Hunt Business Intelligence

Our Speakers Today

Steve Hunt, CISO Mentor and Principal, Hunt Business Intelligence (www.huntbi.com). Steve Hunt is a Distinguished Fellow and Hall of Fame inductee in the ISSA. Long-time head of Forrester’s security and risk management practice, he is a cyber security and risk management executive whose expertise ranges from strategy and leadership to emerging technologies.

Richard Stiennon, Chief Strategy Officer, Blancco Technology Group. Leads long-term strategic planning, product positioning, public affairs, analyst relations, joint ventures and industry partnerships. Former VP Research, Gartner. Author: There Will Be Cyberwar.


What We’ll Cover:

How Data Deletion Errors Put Companies at Serious Risk of Data Breaches

How to Remedy the Problem: Coupling Secure Data Removal Methods, Processes and Technology Solutions With Data Retention Policies

Regulatory Compliance: Where Erasing Data Is Critical


Delete vs Erase: The Stats

IT Professionals Don’t Always Know Right from Wrong When It Comes to Data Security*

• 77% hit the ‘delete’ button and/or drag files to the Recycle Bin on computers/laptops to get rid of files on a regular basis – ranging from 6-10 times a day to once a week.

• What’s worse is that over half (51%) believe files are permanently gone once they’ve emptied the Recycle Bin on their computers/laptops.

• And 51% believe performing a quick format or reformatting an entire drive permanently erases data so it can never be recovered.

*Source: Blancco Delete v Erase Report

Survey question: Once you empty the Recycle Bin on desktop computers/laptops, are those files permanently gone?

Yes 51% | No 45% | I don’t know 4%

Survey question: Does performing a quick format and/or full reformat of a computer’s entire drive permanently erase all data so it can never be recovered?

Yes 51% | No 42% | I don’t know 7%


Insecure Data Removal Is More Common Than Organizations Realize

More Than Half of IT Pros Employ Insecure Data Wiping Methods

• Over half (51%) believe files are permanently gone once they’ve emptied the Recycle Bin on their computers/laptops.

• Another 51% believe performing a quick format or reformatting an entire drive permanently erases data so it can never be recovered.

• 77% hit the ‘delete’ button and/or drag files to the Recycle Bin on computers/laptops to get rid of files on a regular basis – ranging from 6-10 times a day to once a week.


How Is Data Removal Typically Approached?

The Most Common Data Deletion Methods

• Reformatting & Simple Overwriting: This fails to overwrite data a sufficient number of times.

• Factory Resets: This only removes the pointers to the data, not the data itself.

• Physical Destruction & Degaussing: These methods are effective only to a certain degree because they don’t apply to drives that are in active use.

[Figure: Delete vs. Erase]
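The slide’s core claim, that deleting, emptying the Recycle Bin or quick-formatting only removes the pointers to the data while an erase overwrites the data itself, is easiest to see on a model disk. The following is an added example written for this page; it is not code from the deck or from the Blancco File product. It assumes a deliberately simplified filesystem (a directory table mapping names to block numbers over one bytearray standing in for the drive media), and the file contents and the `SECRET-A`/`SECRET-B` markers are constructed sample data.

```python
"""Toy block-device model of delete vs. erase.

Added example; not code from the Blancco deck or the Blancco File product.
The 'filesystem' is a constructed simplification: a directory maps file
names to block numbers, and the blocks live in one bytearray that stands
in for the drive's media.
"""
from __future__ import annotations

BLOCK_SIZE = 16


class ToyDisk:
    """Fixed-size blocks plus a directory table (the 'pointers' to data)."""

    def __init__(self, n_blocks: int) -> None:
        self.media = bytearray(n_blocks * BLOCK_SIZE)   # raw bytes on the platter/NAND
        self.directory: dict[str, list[int]] = {}      # file name -> block list
        self.free: list[int] = list(range(n_blocks))   # allocator free list

    def write_file(self, name: str, data: bytes) -> None:
        """Allocate blocks from the free list and copy the data in."""
        blocks: list[int] = []
        for off in range(0, len(data), BLOCK_SIZE):
            chunk = data[off:off + BLOCK_SIZE]
            blk = self.free.pop(0)
            start = blk * BLOCK_SIZE
            self.media[start:start + len(chunk)] = chunk
            blocks.append(blk)
        self.directory[name] = blocks

    def delete(self, name: str) -> None:
        """'Delete' / 'Empty Recycle Bin' / quick format: only the pointer goes.

        The blocks return to the free list; the bytes on the media stay as
        they were until some later write happens to reuse those blocks.
        """
        self.free.extend(self.directory.pop(name))

    def erase(self, name: str, passes: int = 1) -> None:
        """Erase: overwrite every block the file occupies, then unlink it."""
        patterns = (0xAA, 0x55, 0x00)
        for blk in self.directory[name]:
            start = blk * BLOCK_SIZE
            for i in range(passes):
                fill = bytes([patterns[i % len(patterns)]]) * BLOCK_SIZE
                self.media[start:start + BLOCK_SIZE] = fill
        self.delete(name)


def carve(disk: ToyDisk, marker: bytes) -> list[int]:
    """Forensic-style scan of the raw media for a marker, ignoring the directory.

    This is the kind of scan a recovery tool runs; it returns the byte
    offsets at which the marker still appears on the media.
    """
    hits: list[int] = []
    pos = disk.media.find(marker)
    while pos != -1:
        hits.append(pos)
        pos = disk.media.find(marker, pos + 1)
    return hits


def demo() -> dict[str, bool]:
    """Write two files with constructed contents; delete one, erase the other."""
    disk = ToyDisk(n_blocks=8)
    disk.write_file("deleted.txt", b"SECRET-A: payroll export 2016")  # constructed sample
    disk.write_file("erased.txt", b"SECRET-B: payroll export 2016")   # constructed sample

    disk.delete("deleted.txt")          # the common 'delete' path
    disk.erase("erased.txt", passes=3)  # overwrite first, then unlink

    return {
        "directory_empty": not disk.directory,          # both files are 'gone' to the OS
        "deleted_recoverable": bool(carve(disk, b"SECRET-A")),
        "erased_recoverable": bool(carve(disk, b"SECRET-B")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both files disappear from the directory, but only the erased one disappears from the media. One caveat the model does not show: on flash-based drives, wear levelling and over-provisioning mean an overwrite issued through the filesystem may land on different physical cells than the original data, so in practice erasure is done with a tool that addresses the whole device and produces a verifiable report, which is the role the deck assigns to certified erasure standards.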


Sony Pictures Data Breach

Computer servers at Sony Pictures Entertainment were hacked in 2014. The breach included the posting online of internal company emails and employees’ personal information. At least 10 former Sony employees sued the company in U.S. District Court in Los Angeles over the breach.

A data breach at the Panamanian law firm Mossack Fonseca leaked 11.5 million confidential documents dating from the 1970s through late 2015. Attackers may have compromised the Mossack Fonseca network, elevated privileges to those of a domain administrator or email administrator, and used these elevated privileges to access and download all the data contained on the e-mail server.


Secure Data Erasure’s Place in the Cyber Kill Chain

• IT Asset Disposal

• Wiping Executives’ Devices

• Reduction of Total Targets

• Data Hygiene


Example: ‘Regin’ Malware Recovers “Deleted” Files

Regin can conduct a wide range of operations once it infects a system, including screenshot-capturing, taking control of mouse functions, stealing passwords, monitoring network traffic and recovering deleted files.


A Layered Data Protection Approach: Including Certified File Erasure

In a layered approach to data security, attacks that are missed by one defensive layer are defeated by another. File erasure represents a last line of defense in protecting your data.

Encryption is not enough:

• Most encryption in use is whole-drive encryption, which is unlocked whenever the system is running.

• Encryption key management is always a challenge.

• Executive travelers can also be ordered to unlock encryption on laptops when crossing sensitive borders.

[Figure: NIST Cybersecurity Framework]


National & Updated EU Laws: Increasing Demand on Active Data Retention Policies to Avoid Data Breaches

EU GDPR

• Requires a Data Protection Officer

• Requires auditable procedures and routines to be in place

• Includes the “right to erasure” of data

• Requires active reporting of any data breach

• Could result in fines of up to 4% of turnover

Global trend

• Increasing laws on data protection

• Tougher penalties and more active enforcement


Achieving PCI Compliance Is Important

“Policies and procedures must be in place both to remove any stored data … as well as making sure no access to data can be achieved in any way throughout the lifecycle”


SOX: Impacting Corporate Data Security Routines

• The Sarbanes-Oxley Act of 2002 is a very high-level law passed in the wake of the Enron debacle. Its most onerous effect is to require the CEO, CFO, and outside auditors to attest to some level of control measures and their effectiveness.

• In addition, § 1520, “Destruction of corporate audit records”, requires audit records, notes, etc. to be kept for at least five years. This impacts record retention management. The question remains: how are records destroyed on schedule after five years?

• Thus security measures are not really mentioned in SOX. There is only the implied requirement from “adequate controls”, which implies the use of a security framework, say COBIT or ITIL, which in turn usually defer to ISO 27001.

• HIPAA is more explicit, since it deals directly with protecting health records from being exposed.

• HIPAA has two rules of interest to IT security: the Privacy Rule and the Security Rule. In 2009 the Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

• It includes such measures as breach notification for secured protected health information.

• Current best practices for HIPAA compliance include:

  • Construct a security plan for data disposal

  • Remove data from reusable hardware

  • Track all reprocessed hardware

  • Back up all data from all hardware


Blancco File: Enables Implementation of Enterprise-Wide Policies for Data Erasure

• Support for all leading and approved erasure standards around the globe.

• Erase data actively on a regular basis on both clients and servers.

• Support for both Windows and Unix platforms for broad implementations.

• Transparent for end users, or with a user interface, based on policy.

• Detailed reporting and auditing options.

• Integrates with existing asset management routines such as Active Directory and Group Policy files.


6 RULES TO FOLLOW WHEN ERASING FILES THROUGH POLICY


Q&A