WEBINAR: Live Event Date: September 20, 2017 @ 1:00 p.m. ET / 10:00 a.m. PT
Designing a Proactive Approach to Information Security with Cyber Threat Hunting REGISTER >
Answer this question: What happens to your data when systems are decommissioned? Do you know? Do you want to know? All the data weve been talking about keeping secure, where does it go?
Lets talk about the machines themselves. Generally, three things can happen to machines:
External recycling occurs when the machine is donated to schools, charities, or simply carted off by an entity unaffiliated with the company. This may be a contract disposal company or the janitor. The important part is you have no way of knowing where it ends up.
When machines are repurposed, you might think the data hasnt really changed hands. This is simply not true. Sure, the assistant works for the boss, is the bosss right hand, knows everything necessary to keep things running smoothly and to keep the boss out of trouble. But theres an old adage that applies here: just because I taught you everything you know, doesnt mean I taught you everything I know.
Because the assistant is familiar with the majority of material on his department heads computer, doesnt mean he has any reason to have access to the rest of it. Additionally, the boss probably has information, he emphatically doesnt want his subordinate to have.
Performance evaluations, pay structures and personal business data are all excellent examples. What happens if the assistant is disgruntled?
Repositioned machines pose a different risk. You take your old business system home, to let your kids install games and other applications so they can play on line. Your youngest child has a completely annoying habit of clicking whatever pops up on the screen "to see where it goes."
You already know from hard, cold experience that this involves adware, spyware, viruses and all the other things you fight day in and day out at the office. Frankly, you are just too tired to deal with it at home too.
Since the kids are the only one who use the computer (OK, you occasionally balance your check book and pay bills on line) its just not that big of a deal. What about your data from the office?
Finally, the machine is recycled and some rogue from Sales takes it and disappears back into the darkness from whence he came. The next thing you know, some top secret document even your boss doesnt know about is all over the corporate network, and it doesnt look good for you. Youll eventually be vindicated, but between now and eventually is a long, long time.
Recycling a machine to the outside world? You can just imagine the threats, the pitfalls, the unemployment line youre exposed to here. You have no control over what happens to that data after its been released to the general public. Just because you hire a commercial disposal firm doesnt mean you hired an ethical one.
Looking at the Options
By now youre having nightmares over the loss of your corporate assets in one form or another. You basically have three options: software wiping, magnetic degaussing, or, my personal favorite, physical destruction.
There are applications available that will boot your system to a CD and then overwrite the entire drive with 1s and random letters, random characters or some combination of letters, characters and numbers. You can choose from DOD, paranoid, German, Russian, Schneier or 8-way random, based on level of risk.
A modest sized hard drive (40Gig) takes approximately 36 hours to wipe using the lowest setting. Clearly this is not scalable. Additionally, you cant pipeline the process without multiple copies of the software.
Next you can employ a magnetic degaussing system. You can do multiple disks at once and it takes up less room. But you have to take the drive out of the case, and there is a much larger initial expense for equipment. They can also be loud, and they make some people nervous about magnetic fields and health issues.
Physical destruction is an option if youre going to go to take them out of the case. Gather a set of drives that need to be destroyed; have an organizational picnic (your team, division, department, site, company, whatever). Sell tickets for the opportunity to pound a hard drive into the ground with a sledge hammer. Donate the proceeds to charity, along with the carcasses now devoid of disks. Consider purchasing replacement disks, as a measure of good will, and a tax write-off. Moreover, company assets have been safeguarded.
'Tis better to light a single candle than to curse the darkness. Although cursing the darkness is more emotionally fulfilling.
Smashing hard drives may be emotionally fulfilling, but its not an efficient way to provide data security for decommissioned computer systems. You might be tempted to put drives in a box in a dark corner for later, but remember the bad guys live in a dark corner waiting for the opportunity to make off with sensitive data.
As usual, theres no easy solution but we have to find something workable to protect ourselves and our companys collective assets. You may find the answer lies in more than one solution, but you wont find the answer lies in no solution at all.