Secure data destruction and network router disposal go hand in hand when it comes to office network security.
However, a recent study by the ESET research team has revealed that many businesses are unknowingly putting themselves at risk of cyberattacks by failing to properly dispose of old routers.
The ESET researcher team purchased several used routers to set up a test environment to assess the secure data destruction practices of the respective firms
They found that in many cases, previously used configurations had not been wiped and the data on the devices could be used to identify prior owners along with details of their network configurations, pointing out significant faults in network router disposal.
This is not just a case of lack of secure data destruction or proper network router disposal, but a violation of cybersecurity laws and business norms, CyberFIT Solutions CEO and co-founder Santosh Kamane told The Cyber Express.
“NIST, ISO27001, GDPR, US Privacy act etc have “secure media disposal” control as a requirement. Privacy regulations such as GDPR, CCPA, PDPA include “right to erasure” clauses that gives right to data subject to demand permanent erasure of his data by the data processor,” he said.
“This is crucial requirement and ensure complete data protection when it comes protecting personally identifiable data.”
Secure data destruction and network router disposal
The ESET study was conducted on 18 routers, and configuration details and data were found on over 56% of them, pointing towards the need of more involved steps in secure data destruction.
The network router disposal norms were literally non-existent, and none of the prescribed network router disposal methods were followed.
“In the wrong hands, the data gleaned from the devices – including customer data, router-to-router authentication keys, application lists, and much more – is enough to launch a cyberattack,” said the ESET report
“A bad actor could have gained the initial access required to start researching where the company’s digital assets are located and what might be valuable.”
The study also found that a used router purchased for a few hundred dollars, which without too much effort provides network access, could provide a cybercriminal with a significant return on investment.
The current average price for access credentials to corporate networks, according to research by KELA Cybercrime Prevention, is around $1,100.
Despite clear markers and specific data, many companies were unresponsive to attempts to alert them to the issue of their data being accessible in the public domain, said ESET report.
Data disposal is a crucial phase in data lifecycle management, especially when it comes to endpoint and servers, traditional delete or format utilities do not guarantee permanent erasure, and data can be recovered, leading to severe cybercrimes, including identity and data theft, Kamane pointed out.
Network router disposal: Why and how should you do it
Mr. Kamane recommends building a disciplined data disposal policy with clear roles and responsibilities as a key element in every security program.
Companies should also use data destruction software, such as Wipeout, to overwrite all data on the storage device with random data patterns, making it virtually impossible to recover any of the original data.
“Just like paper shredder, an electronic shredder for digital data is must to permanently shred the data. Employee must be educated, and these risks should be covered in employee awareness trainings,” he told The Cyber Express.
However, thorough due diligence must be conducted prior with third parties that offer physical destruction services. For reliable physical data destruction, data on assets should be destroyed using software Wipeout by internal teams before handing over physical assets to third parties, he said.
When disposing of laptops and servers, software wiping can generate certificates of destruction, potentially serving as audit artefacts, he suggested.
NIST recommends software wiping as a primary disposal option, which can later be complemented by other methods.
The US Cybersecurity and Infrastructure Security Agency (CISA) recommends certain methods for permanently erasing data from your devices. Because methods of sanitization vary according to device, the agency recommends using methods that applies to that particular device.
“Before sanitizing a device, consider backing up your data. Saving your data to another device or a second location can help you recover your data if you accidently erase information you had not intended to, or if your device is stolen,” the CISA guideline report read.