CHAPTER 11 Sanitizing Files
- 11.1 Avoid Confusion with CDR
- 11.2 Erasing Files
- 11.3 When to Sanitize Files
- 11.4 Sanitizing Files
- 11.5 Summary
11.1 Avoid Confusion with CDR
There is a bit of confusion about terms when it comes to file sanitization. After widespread attacks that spread via shared files containing malware, the security industry responded with tools that strip the content out of a file and then reconstruct it into a new clean file. This is often called file sanitization. A Word doc or an Excel spreadsheet may be weaponized (the attack against RSA Security in 2010 was executed with such a spreadsheet). A file sanitization solution can be deployed at corporate gateways, where it looks into a Word doc or a spreadsheet and extracts the words, cells, and formatting; it then builds a new clean file with the correct extension. There are at least nine startups that have solutions for this, including SASA Software, Votiro, and YazamTech. Some of the earliest solutions were deployed in appliances located in the lobbies of corporate offices. An employee or visitor would insert a thumb drive into a USB port, and the file would be extracted, scrubbed, and put on an internal file server. The user could then retrieve a safe file once they connected to the corporate network. To avoid confusion with file erasure, another term being floated is content disarm and reconstruction as a service (CDRaaS). This chapter is about erasing data in files. ...