In the world of business networking, upgrading and replacing hardware is a routine operation that businesses often carry out. However, what businesses do with the old hardware is just as important as with the new equipment. A lot of businesses overlook the sensitive data that could still potentially be present on the old hardware and dispose of it without proper precautions, leaving behind a massive data security risk.
Recently, the ESET research team purchased a few used routers to set up a test environment, and what they found was a cause for concern. In many cases, previously used configurations had not been wiped from the routers, and worse, the data present on them could be used to identify prior owners, along with their network configurations.
To investigate further, the team purchased 18 routers. After adjusting certain purchases, they discovered that over 56% of the devices still contained configuration details and data. If such data falls into the hands of a cyber-criminal, it could lead to a cyber-attack. Cyber-attackers can use the data gleaned from these devices, such as customer data, router-to-router authentication keys, application lists, and much more, to launch attacks intending to cause businesses irreparable harm. Moreover, this data can provide a cyber-criminal with initial access to start researching the most valuable company’s digital assets.
Unfortunately, some companies are not doing enough to stop the issue of their data being accessible in the public domain. In some cases, businesses were receptive to contact from ESET researchers. Some confirmed that they had passed the devices to other companies for secure destruction or wiping, and the process had clearly not taken place. However, there were still companies that ignored the repeated contact attempts.
The research carried out by ESET emphasizes the importance of a rigorous process of device cleansing. Any device leaving your company should be cleansed of any data, and the process of cleansing must be certified and audited regularly. Failure to implement proper data security measures can lead to sensitive data becoming easily available to unauthorized people who could use it to launch a cyber-attack.
The value of unauthorized entry into a company’s network is immense. The current average price for access credentials to corporate networks is around $2,800, according to recent research. This means that crooks could use used routers, purchased for a few hundred dollars, to provide network access. Such unsanitized hardware can provide cyber-criminals with a significant return on investment, even if they only plan to sell data on the black market.
It is essential to learn from the ESET research; it highlights how sensitive data can be unintentionally disclosed by disposed-of devices still containing configuration details through the process of upgrading and replacing hardware. To prevent this from happening, every business should ensure their security processes are up to date and certified. They should also check the process in their organizations to ensure that no data is unintentionally disclosed, just as the ESET research team has recommended.
Finally, it is suggested that businesses review the white paper produced by ESET, which outlines the process that should be followed to ensure data is securely erased from hardware. It also references NIST Special Publication 800.88r1, Guidelines for Media Sanitization. By following the guidelines in the white paper, businesses can ensure that their data stays secure without any unintentional breaches.