Serious data breach threats from inadequate “end-of-life” IT procedures Monday 21 November 2011 PDF Print Reading, Berkshire – Osirium (www.osirium.com) a leader in Privileged User & Infrastructure Management has today launched recent security research findings which show that UK organisations aren’t certain that all data and settings are deleted from devices prior to disposal. Worryingly 40% of all the organisations questioned said that they were not confident that all data was deleted but more shockingly the survey found that in the Finance and Retail sectors around 7% of organisations didn’t delete data at all. Corporate devices have varied levels of confidential data and company specific settings stored on them and access credentials all of which are recoverable. In the wrong hands it could be possible to not only gain access to the networks through recovered group admin credentials but also to compromise data which could constitute a serious data privacy breach. “As the IT industry moves towards 100 gigabit per second Ethernet and 100 megabit per second broadband connections the need to replace routers, firewalls, load-balancers and content filtering devices, amongst others, is also becoming more urgent,” said David Guyatt, CEO at Osirium. “Some devices may be reusable and will therefore have a second-hand value, whilst others will only be fit for the dump. Either way, at some point in the refresh cycle all devices will ultimately end up in the hands of third-parties and as their eventual destination cannot be guaranteed or controlled the appropriate care must be taken.” Interestingly, Guyatt is able to recount a personal experience of this when Osirium purchased two devices from eBay – being sold by local councils. The first was a Juniper SA found to have configuration information still on it including administration credentials which were recoverable whilst the second was a Bluecoat Proxy SG device which was set up to use Active Directory (AD). This not only had credential information which would allow a person to gain access to AD. Bob Tarzey, Analyst and Director at Quocirca isn’t surprised about this; “around 40% of respondents in Quocirca’s new research report are not sure they managed to delete sensitive data from IT devices when they reach end of life. Even those that claim to do so may not have actually safely removed the data. Simple deletion is not good enough, a determined hacker may still be able to retrieve it,” he explains. “Only disk shredding and/or reformatting tools can ensure devices are completely safe to dispose of. Doing so need not be a hassle, technology is available to automate the process and provide an auditable record that data was deleted.” Ensuring data deletion processes are followed to the letter is critical. The reason this is so important is because if identified administration passwords turn out to be group administration credentials then it allows hackers to access other, similar, devices - and if these credentials are also used across multiple vendor devices then the risk is further extended. “Even if organisations use IT asset disposal companies their data might not be deleted,” continued Guyatt. “The companies offering these services are of course strong on disk wiping & disposal processes but do they have deeper knowledge of all the differing infrastructure devices, so they don’t overlook, or not even be aware of, something that needs to be wiped? I doubt it.” About the Research The research was completed by Quocirca in August 2011 and 100 interviews were collected. At the time of answering the questions, those surveyed were not aware that the research was being conducted on behalf of Osirium. Respondents were qualified in as follows: – Must be involved in IT management with one of the following job functions: IT manager, IT security manager, IT infrastructure manager – Must answer yes to: “are you involved with, or knowledgeable in how your organisation views and manages issues relating to privileged users (that is how the granting of the extra privileges that IT administrators require to do their jobs is controlled), the automation of IT admin tasks and how these issues relate to your organisation’s ability to meet the regulatory requirements that govern it?” About Osirium Osirium drives down operational risk and eases the pain of managing and maintaining multi-vendor IT infrastructures by providing a central, secure access point and a “built-in” best practice foundation which tracks all SysAdmin changes in the infrastructure and enables you to easily meet and maintain compliance. Osirium dramatically improves productivity and reduces human error by automating routine and repetitive SysAdmin tasks and delegating them to less costly help desk staff, to provide faster problem resolutions with fewer errors. Osirium is establishing itself as a new and unique IT infrastructure security solution and is already helping some of the world’s biggest brands and public sector bodies. For more information please see: www.osirium.com Media contact: Clare Shephard maillot jaune communications tel: 07736 793332 eml: email@example.com Osirium contact: Andre Armstrong tel: 0118 324 2444 eml: firstname.lastname@example.org This press release was distributed by ResponseSource Press Release Wire on behalf of Maillot Jaune Communications in the following categories: Business & Finance, Computing & Telecoms, for more information visit https://pressreleasewire.responsesource.com/about.