Why wiping decommissioned IT assets should be a must
Last week I’ve written about the ways confidential data can leak outside the organization if the IT security team doesn’t pay attention to printers, shredders, or employees are plainly leaving documents where they shouldn’t be. Today I’m going to illustrate an even bigger issue – proper IT asset disposition.
We all know the enormous amount of data a modern computer can store on the cheap, so the proper destruction of that data is essential before the workstation leaves the organization. Unfortunately, many tend to disregard this issue and simply swap the computers with new ones or merely format the drives without securely wiping the data.
A few years ago, British researchers found top secret U.S. missile defense system data while examining 300 hard drives bought at computer auctions, computer fairs and eBay. I’m sure that if someone did a similar research today, they would still discover sensitive data leaking into the wild.
“99% of problems happen before a disposal vendor touches equipment. No vendor can destroy data if they don’t receive an asset, which is why we strongly encourage clients to destroy data before any move. Better safe than sorry. Of course, disposal vendors should destroy data (again) regardless,” says Kyle Marks, CEO of Retire-IT.
Retire-IT looked at tracking data from 1072 corporate disposal projects encompassing 233 different companies. Here are two shocking figures:
- 4 out of 5 projects (81.5%) had at least one missing asset. Contrast that with only 1 out of 8 (11.6%) had a negative variance. The devil is in the details, but nobody looks very closely.
- Only 79% of the serial numbers were able to be matched. This is when they allowed subjective matching. Without subjective matching, only 58% of serial numbers were able to be matched.
After the identification of data-sensitive equipment that requires appropriate handling before disposal, there are different software and hardware solutions to automate the process of wiping the data, preventing that confidential information fall into the wrong hands.
Sandro S??ffert, CTO at APURA CyberSecurity Intelligence, offers the following tips for Help Net Security readers:
Computers – My tool of choice is the Derik Boot and Nuke Linux Live CD for full disk wiping. It supports many types of wiping, including the DoD 5220.22-M method with 3 passes.
Starting with Windows Vista (and Windows 2008 Server), the Microsoft OS overwrites the contents of each sector when you do a Slow Format on your media. My recommendation is Microsoft’s SDelete for wiping files on Windows.
If you’re using OS X there’s the Disk Utility. On Linux, the “wipe”, “srm” or “shred” commands are available to securely sanitize files on most distributions.
Printers and copiers – Versions of the documents processed are saved on internal hard drives – consult the manual to find out how to clear the memory. You can also use third-party software to wipe the hard drive.
Mobile devices – Check the manual for directions on how to wipe the device’s memory. Do not forget to remove the phone or tablet SIM card.