Throwing Your Secrets Out: Why Device Sanitisation Matters
In today’s interconnected world, the secure disposal of hardware is paramount to protect sensitive information. Read on to find out about the significance of device sanitisation and the need for both organisations and third-party disposal businesses to take proactive measures to safeguard valuable data.
Recent research conducted by ESET revealed some interesting and concerning discoveries about the risks associated with improper device sanitisation. While most standards and frameworks provide advice on how to decommission hardware securely, ESET's comprehensive analysis found that used routers purchased from various hardware recyclers contained critical network information.
The lowdown
This extremely sensitive data, if exploited by malicious actors, could enable substantial reconnaissance activities. Although not explicitly disclosed in the report, numerous large tech companies and organisations were suggested as having exposed information, including critical details such as IP addresses, third-party integrations, network design information and other valuable assets that should be protected.
Moreover, researchers discovered that the routers provided a comprehensive map of the application platforms utilised by these organisations, covering both locally hosted and cloud-based systems. The routers' configuration files listed these platforms, leaving them open to potential exploitation by exposing any vulnerabilities, such as Common Vulnerabilities and Exposures (CVEs), that could be targeted for more offensive operations.
The gravity of the situation became evident when the exposed information encompassed core routing details, including routing protocols, topologies and relationships with other networks. In some cases, IPsec credentials for VPN tunnels were accessible. This raised serious concerns about the efficacy of device disposal companies entrusted with sanitising the hardware of large organisations, as the report indicated that their efforts were significantly inadequate.
What can you do about it?
To mitigate the risks associated with device disposal, companies must prioritise and focus on the protection of their data and equipment throughout their lifecycle, from on-site operations to decommissioning, recycling, disposal or relocation outside the organisation. Simply relying on third-party equipment disposal businesses is no longer sufficient; verification is also essential to ensure that these companies carry out proper sanitisation procedures and avoid any potential future effect on the organisation.
Further investigation is needed to ascertain whether such improvements in sanitisation practices are being implemented and to determine whether forensic tools can unveil additional network configuration data even after network devices have been ostensibly erased. It is imperative that organisations and disposal companies remain vigilant and adopt robust measures to prevent any inadvertent data leakage.
For practical and straightforward guidance, the Australian Signals Directorate Information Security Manual offers easy-to-follow directions across various sections, including Mobile Device Emergency Sanitisation Processes and Procedures, ICT Equipment Sanitisation and Destruction, and ICT Equipment Disposal. These guidelines provide a reliable framework for organisations and can be used to communicate expectations to third-party disposal companies, ensuring compliance with industry best practices.
At Anchoram, we understand the complexity of cyber threats and provide assurance for organisations managing cyber risks such as those associated with supply chains. Our dynamic and experienced staff is dedicated to offering support and comprehensive solutions throughout the process of protecting sensitive data.