Protecting Your Company from an Embedded Data Breach

Embedded data is any data that’s stored on media that is easily overlooked when assessing a security risk posed by a particular device. This means that every device, including servers, computers, smartphones, tablets, etc., used by your employees may have sensitive, hidden company or customer information stored on them. When they’re not disposed of properly, these devices and the data stored on them (or, embedded data) can pose a security risk to both your company and your customers. Here are some tips to help protect your company from an embedded data breach.

Begin with the end in mind. Proper identification and inventory of embedded data-bearing devices is an essential first step. You need to define, in advance, how you will eradicate data on devices at end-of-life, including all of the specific process steps and associated costs. You need to ensure that you have a documented, quality assured process in place. This includes making sure that you train and certify the people performing the tasks in this process.

The types of data and the storage points you need to track

It is important to account for all of the data you may be storing on various devices during the inventory process so that it can be monitored properly online and erased/destroyed at end-of-life. We recommend that businesses implement a strategy to identify where embedded data may be hidden and develop the appropriate tactics to manage it. For example, you need to know which board on the switch has the drive on it. Is there sensitive information on it that you need to destroy? Chances are the answer to this question is YES.

Here are some common types of embedded data that may be stored on your devices:

• IP Addresses
• VLANs
• Administrator user IDs
• Passwords
• Login information
• Device information
• Company proprietary information
• Confidential information, such as patient information, social security numbers, financial information
• The list is growing …

Where do I find embedded data?

• CDs/DVDs
• USB Drives
• IP Phones, including Handset and Controller Units
• Networking Devices
• Portable Devices
• Storage Controllers
• Wireless Technologies
• Climate Controllers
• Power Distribution Systems
• Firewalls / Network Intrusion Detection
• Copiers
• Faxes / Scanner / Multifunction Devices
• Medical Equipment
• Banking Equipment
• Cell Phones
• Tablets

Transitioning to dumb clients may appear to present little risk since they hold little resident data. However, the fact that they have network connectivity rights and login to cloud apps also make them a vulnerability point.

The IT industry focuses on electronic attempts to breach their firewalls, but a more comprehensive approach includes recognition of the threat that comes from off-network devices as well. This is especially true given the fact that most companies are not able to determine the root cause of breaches. The growing prevalence of embedded data contained in off-network and decommissioned devices, and the people responsible for the decommissioning process and their vendors, are largely overlooking the threat that it represents. Brass Valley is changing that by bringing attention to the impact of the mishandling of embedded data.

To learn more about the threat that embedded data can post to your company, please download our white paper: Embedded Data: Your “Hidden Secret” to Stopping a Major Data Breach — A call for awareness to the security threat of embedded data. It aims to educate customers and the public at large about the potential exposure and hidden dangers posed by embedded media.