Don’t Throw the Baby Out With the Bath Water

What does an infant’s bath time have to do with information security? Think of your data as your baby and all becomes clear. And, like an infant, it takes constant care.

Right now, write a paragraph describing how the laptop you just issued your employee (or authorized them to purchase) is tracked, from its initial provisioning, right through to its final moments within the company’s footprint.

Did you think of recycling the hardware in a green manner and ensuring the data stored on the device is securely erased? If you did, congratulate yourself. You are one of the few who understand the need to have in place an IT Asset Disposition (ITAD) process and procedure.

We reached out to Brian Honan, cybersecurity expert and founder of the Irish Reporting and Information Security Service (IRISS), or Ireland’s CSIRT, for his thoughts on ITAD.

Safe Disposal of IT Assets - Explained

Honan commented, “When disposing of IT assets, never assume it is just the hardware you are dumping. Those devices may contain sensitive data. Disks may hold important information that needs to be destroyed in a secure manner. Other devices, for example printers, smartphones, tablets, or photocopiers, may have embedded storage containing cached copies of documents processed through the device. Those old routers, firewalls, and switches destined for the scrap heap may hold details on your network infrastructure or indeed administrator passwords which could be used to access your core network. Disposable storage such as external drives, tapes, USB sticks, and CD ROMs all should be disposed of in a secure manner. You need to ensure there is a well-written policy with supporting processes and tools to secure data before the medium it is on is destroyed.”

There, in one paragraph, Honan provides a concise rationale for why and what you should be looking at when retrieving and recycling hardware. In addition, the question of what happens to devices in an employee’s hands when they are replaced, or when the employee departs, also needs to be addressed.

How Bad is This Data Exposure Issue, Really?

Let’s look to where the rubber hits the road. In a 2016 study conducted by Blancco Technology Group, Blancco purchased 200 used hard disk drives and solid-state drives from eBay and Craigslist.

Their findings were sobering:

  • 67 percent of the used hard disk drives and solid-state drives held personally identifiable information, and 11 percent contained sensitive corporate data.
  • Upon analyzing the 200 used drives, company emails were recovered on 9 percent of the drives, followed by spreadsheets containing sales projections and product inventories (5 percent) and CRM records (1 percent).
  • 36 percent of the used HDDs/SSDs containing residual data had data improperly deleted from them by simply dragging files to the ‘Recycle Bin’ or by using the basic delete button.

Convinced? Read on.

How to Properly Protect Corporate Data

So how does a company go about ensuring its devices are cleanly wiped or appropriately destroyed, so that sensitive data is not inadvertently leaked when the next owner takes possession of the device, thinking they had purchased a “gently used device”?

Kyle Marks, CEO of RetireIT, spoke with us about how we should all look to put in place an ecosystem which ensures devices containing company data are tracked from tooth to tail… from purchase to disposal. He noted, however, how he has observed a general lack of interest in managing the IT asset disposal process and how this is putting companies both big and small at risk.

An easy first step, according to Marks, is to tag retired devices with a prominent “DISPOSAL” tag, the more outrageous the color the better. In this manner, the device is kept separate from in-use devices. Marks’ commentary echoed Honan’s: a clearly defined process is of absolute importance.

“Executives look at device theft as material theft and not information theft,” said Marks. Companies must have checks and balances in place to ensure that equipment earmarked for destruction is actually destroyed, and not pilfered or misused.

He shared the example of a Fortune 100 company that had an employee who “borrowed” 55 laptops. The employee, in charge of asset disposal, was keeping and not disposing of the equipment. Over the course of several years, he accumulated 55 laptops belonging to his employer. The laptops had not been sterilized; indeed, they contained the personnel files of 18,000 employees, and an additional 56,000 instances of sensitive data.

That has the makings of a bad day for all involved. 

Case in point: this article in Gizmodo shows how an electronic voting machine still held the personal information of 650,000 voters. This is easy to remedy, and we must remember to protect our data by wiping it securely when we offboard the device.

What Should Companies Do to Ensure They Have a Process Which Can be Tested and Verified?

“Do Man-Overboard drills,” Marks stated, and then with emphasis added, “test us, don’t trust us.” He emphasized that any piece of equipment leaving the premises should be sanitized before it is handed to a recycler. Having an ITAD process is clearly a must for every company.
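One way to make “test us, don’t trust us” concrete is to keep the disposal ledger as a state machine that refuses to record a disposal without a sanitization record, and to audit it for devices that were tagged but never reached a verified end state (the hoarded-laptop scenario above). The example below is added here and is not from the article or from any of the people or vendors quoted; the lifecycle states, the 30-day threshold, and all asset tags, dates and certificate identifiers are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

# Lifecycle states; "disposed" is reachable only through "sanitized".
ALLOWED = {"provisioned": {"in_use"}, "in_use": {"tagged_disposal"},
           "tagged_disposal": {"sanitized"}, "sanitized": {"disposed"}, "disposed": set()}
@dataclass
class Asset:
    tag: str                                     # asset tag (constructed below)
    state: str = "provisioned"
    history: list = field(default_factory=list)  # (date, state, evidence)
def transition(asset, new_state, when, evidence=None):
    """Advance one step; refuse skipped steps and end states with no record."""
    if new_state not in ALLOWED[asset.state]:
        raise ValueError(f"{asset.tag}: {asset.state} -> {new_state} not allowed")
    if new_state in ("sanitized", "disposed") and not evidence:
        raise ValueError(f"{asset.tag}: {new_state} needs a wipe log or certificate")
    asset.state = new_state
    asset.history.append((when, new_state, evidence))
def audit(assets, today, max_days_in_limbo=30):
    """Man-overboard drill: tagged assets that never reached a verified end
    state in time (hoarding, theft, a recycler that sent no certificate)."""
    findings = []
    for a in assets:
        tagged = [d for d, s, _ in a.history if s == "tagged_disposal"]
        if tagged and a.state != "disposed":
            days = (today - tagged[0]).days
            if days > max_days_in_limbo:
                findings.append((a.tag, f"in {a.state} for {days} days"))
    return findings

def demo(today=date(2017, 6, 1)):
    """Constructed ledger: one laptop handled correctly, one 'borrowed' after tagging."""
    good, hoarded = Asset("LT-0001"), Asset("LT-0002")
    for a in (good, hoarded):
        transition(a, "in_use", date(2017, 1, 5))
        transition(a, "tagged_disposal", date(2017, 2, 1))
    transition(good, "sanitized", date(2017, 2, 3), "wipe-log-0001 (constructed)")
    transition(good, "disposed", date(2017, 2, 10), "recycler-cert-0001 (constructed)")
    return audit([good, hoarded], today)   # only LT-0002 is flagged
def skipping_sanitization_is_refused():
    a = Asset("LT-0003")
    transition(a, "in_use", date(2017, 1, 5))
    transition(a, "tagged_disposal", date(2017, 2, 1))
    try:
        transition(a, "disposed", date(2017, 2, 2), "recycler-cert-0003 (constructed)")
    except ValueError:
        return True
    return False
```

Run `demo()` to see the reconciliation report; a real ledger would be fed from the asset inventory and from the recycler’s certificates of destruction rather than from constructed records.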

Brooks Hoffman, Principal Product Manager for Security ITAD at Iron Mountain, also shared his thoughts with us on the topic. He noted that the primary benefit of a proper ITAD program is that it reduces risk of the inadvertent exposure of sensitive information.

Additionally, Hoffman noted, “Many end-of-life IT assets still have value. IT components can either be refurbished or assessed and remarketed. Identifying this value is best done by a partner that has the expertise and familiarity with the secondary market.”

How can we be sure data on storage devices is rendered unrecoverable? Hoffman noted that at Iron Mountain, when media is not going to be reused, “Degauss and shredding is performed on magnetic media. Shredding and disintegration are used for SSD. Shredded plastic media is incinerated. Shredded HDD material is smelted for metal recovery and reuse.”

In summary, don’t simply focus on keeping your endpoint devices secure just while your employees are using them. Make sure they are accounted for during their entire lifespan. Putting a process in place for secure IT asset handling and disposal throughout the life of the device is highly doable for companies of any size. Do it yourself, or bring in the experts, but do it - ITAD should be a part of your infosec lexicon.

And once you have your ITAD process in place, test it thoroughly, to be sure you aren’t throwing the baby out with the bathwater.

About Christopher Burgess

Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher served 30+ years within the Central Intelligence Agency. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book, Secrets Stolen, Fortunes Lost - Preventing Intellectual Property Theft and Economic Espionage in the 21st Century (Syngress, March 2008).