Protect confidential data from being sold as ‘scrap’

In recent times, there have been increasing concerns around data breaches and other security threats among companies and individuals alike. The use of new techniques and complex technologies has been both a bane and a boon here. Some stakeholders believe that the risk of data breach increases with growing technology adoption, while others believe that it can be mitigated. In a time when businesses are moving towards a paperless world, it is imperative for both companies and individuals to be aware about safeguarding their digital information.

Understanding the risk quotient

The risks associated with technology adoption cannot be ignored. It has been observed that many organisations may put themselves and their customers at risk by not following the basic procedures to defend themselves from data breaches.

Seasoned cyber criminals could have a defined approach and focus on targeting specific devices, mainly used by top chief executive officers (CEOs) and executives, for obtaining and then selling or utilising the data.

In many large data breaches, the cyber criminals adopted low-tech approach in contradiction to general perception that data breaches involve complex techniques. This revelation led to a need to take a deeper look at how companies could potentially be exposing their confidential data due to oversight and ignorance in areas that are not top priorities in their cyber defence agenda.

We conducted an exercise to highlight how the confidential data of both companies and individuals be available in the open market. As part of the study, previously used (second hand) hard drives and mobile phones were purchased from online portals and local shops that sell used (and old) devices.

The focus of the exercise was to obtain a fairly wide mix of devices, ranging from different models and specifications, which would be used by companies as well as individuals. We prepared a database containing model numbers of hard drives and mobile devices that companies and individuals use. A specific model number of hard drive is typically used on network attached storage devices that store files of employees at a central location. This would generally contain confidential and sensitive data.

The team mined the online and physical market place to identify used devices on sale that matched the required model number.

A forensic data retrieval exercise was conducted on 25 devices, comprising 15 hard disks (of tablets and laptops) and 10 smart phones. This resulted in the recovery of 248,747 documents. Out of these, there were about 15,557 word documents, 22,192 excel sheets, 11,942 PDF documents, and 31 e-mail files. We also identified large amounts of insecurely deleted data, which we could easily recover using basic forensic techniques.

The objective was to evaluate the risks that companies could potentially face due to improper disposal of enterprise storage devices and how forensic data recovery procedures are capable of retrieving confidential data that could compromise organisations. The exercise further revealed that the recovered data could identify the company, individual and financial or strategic information, which in reality could have been misused by cyber-criminals or even competitors. Closer analysis showed that in some cases, users had not wiped their personal data through factory reset or deleted their email configuration on mobile phones. This meant, that on inserting a new SIM card or activating Wi-Fi, the (previous) user’s emails started syncing again and were accessible.

In addition, your current mobile device may be vulnerable to data theft. As most individuals use these for official as well as personal usage, the risk may be higher as they would want to share files or folders from people beyond the company, install multiple applications (open source paid applications), use external hardware to store or transfer files and folders, and even have unauthorised downloads. These may, with or without the intent of the employee or any third party, result in theft or compromise of important confidential enterprise data and credentials.

What could be done?

Safeguarding business data is paramount, and companies could implement mandatory encryption policies on both computers and mobile devices. When disposing old IT assets, their storage can be forensically wiped and a maker-checker control implemented to cover all devices. In case of loss or theft, procedures could be set up for employees to alert the organisation and facilitate wiping the data remotely. Individuals can also enable encryption and remote wipe features on their devices as an added measure.

To minimise losing essential and confidential data, employees can keep separate official and personal devices, or at the least, personal usage should be done in partitions or virtual machines (depending on device) that are configured by the IT security department.

Employees should also refrain from installing any application from unknown or untrusted sources, and inform IT if any specific software or applications are required.

They could also avoid connecting to unknown external devices to transfer data, especially from official laptops, by setting up a strong IT security infrastructure. Companies can also institutionalise strict procedures for disposal of enterprise devices. Most of these will also be relevant and available to individuals, and not just companies to mitigate potential data breaches.

The above article first appeared in Mint and can be accessed here http://bit.ly/2oxatnt

Follow @EY_India and track #EYForensic


One thought on “Protect confidential data from being sold as ‘scrap’

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s