Data Disposal and Electronics Recycling are inherently dangerous processes to undertake in terms of data security. Because of the nature of data, whenever a drive is disposed of or recycled, whatever is left on that drive (either on purpose or accidentally) is exposed in a way it never would be in a data center or in the hardware itself.
Accordingly, identifying the various data security issues surrounding these two topics is key to ensuring long-term data security, both during the ownership of data and after data ownership. Today, we’re going to take a look at the data issues inherent in these practices, and how to mitigate them.
Inherent Threats in Data Disposal and Electronics Recycling
Data Disposal and Electronics Recycling are fundamentally insecure. While they can be made more secure, you must keep in mind that the action of moving data storage systems outside of the internal system will always result in security concerns.
Think of it this way. Your wallet is your main method of payment and identity, securing your data in a fundamentally secure way. Now imagine that you’ve taken your wallet from your home, and have left it out on a table in the open. When you take data out of a secure center, that’s fundamentally what you’re doing – you’re removing a secure system from a secure area and placing it in a non-secure area.
While there are means to mitigate this and make the risk much less dangerous, this entire process should be treated as what it is – a fundamentally insecure one that deserves heavy attention and effort to mitigate threats.
The primary danger in this process is leftover data. When a device is pulled from production, it’s often pulled because the data is no longer considered needed or valuable. Even if that’s true, there’s still an inherent danger in the data being exposed. This is because the real value of data is typically not in the data itself but in the relations between data. Even data that has been deemed “safe” can often have unseen value in relation to other “safe” data.
This is especially true when it comes to removable media such as CDs or DVDs. This media is often hard written and not easily “erasable”, so is often simply thrown out. This is very dangerous, as there can be leftover data on the disc that is still valuable.
In terms of recycling, this is also an issue because items like hard drives might contain data that has been improperly secured. Most people buying recycled items are going to be standard users, but there is the possibility of hackers and data thieves buying devices to comb through data – and with such a threat, sanitization needs to be a priority.
Forensic Data Recovery
There is of course the threat of forensic data to contest with. Forensic data is data that is leftover from incomplete data erasure or wiping. When a hard drive erases data in a modern operating system, it typically only marks the data for overwriting, not actually overwriting it at the time. This is a huge time saver, as writing over deleted data every time would very quickly become untenable.
While this saves time, it presents some obvious security risks. When a device that has been marked like this is disposed of or recycled, it’s often very easy to recover this data, as not only is it sitting on the drive still, it’s typically marked with a deletion flag, allowing thieves to pinpoint what you thought was valuable and extract it specifically.
The same issue occurs on removable media like thumb drives, as well. Often, thumb drives are an even worse culprit, as they often contain persistent records of the data stored in case the drive is suddenly removed or a write fault occurs. Sanitizing this media is hugely important.
Another issue that is often not talked about is the fact that data left on the drive can inform as to the nature of your network and systems. Drives often have certain data stored to them, and this data can be used to build a partial image of your networks and their capabilities. Any sort of data pertaining to this type of security information can result in a breach of security if enough is collected.
Additionally, security systems often write logs to certain drives, and if these drives are not sanitized, security vulnerabilities, fixes, and successful attack logs can be reverse engineered to perform additional successful attacks. Be leery of such security systems, and ensure that logs are not written to production systems.
With all of these threats in mind, how can we effectively sanitize our drives?
First and foremost, sanitize your drives before you dispose of or recycle them. Use a secure data wiping system to completely erase the drives, doing as many passes as necessary to ensure that all forensic data is securely wiped. When it comes to hard drives, this should often be a good enough solution, as long as you are using multiple passes and adhering to data erasure standards.
For thumb drives, the process is very closely related, though specific solutions must take in mind the relatively limited lifespan of the device and the types of data stored. The better solution would be to not store this kind of data on thumb drives in the first place.
A good alternative to thumb drives is CDs and DVDs. While the data on these mediums cannot be erased (unless they are rewritable, in which case technically they can, though this is not advised), they are relatively cheap and thus qualify as excellent candidates for destruction. Passing files via DVD or CD and then literally shredding this media can be a good way to securely and temporarily store data, as the shredded components are beyond recoverable past a certain processing threshold.
Another point of consideration when it comes to recycling is the source and destination. While data erasure should always be done at its highest level, the destination of the device does grant some leeway. A good practice would be to recycle internally, rather than externally. When buying new drives for data storage, moving the old, sanitized drives into lower-demand production systems or workstations can be a huge economic saving and can negate much of the threat of data theft.
That being said, these devices should absolutely still be sanitized to the best of your ability, and should maintain a high level of data security, with logs of each action generated to ensure compliance and establish a chain of custody for processing.
A perfect solution for your data needs is ClaraWipe. ClaraWipe is a professional data erasure program that matches a wide range of standards and practices, including some world class erasure patterns. These standards include:
• Sarbanes-Oxley Act (SOx)
• HIPAA & HITECH
• The Fair and Accurate Credit Transactions Act of 2003 (FACTA)
• US Department of Defense 5220.22-M
• NIST 800.88
• CSEC ITSG-06
• Payment Card Industry Data Security Standard (PCI DSS)
• Personal Information Protection and Electronic Documents Act (PIPEDA)
• EU data protection directive of 1995
• Gramm-Leach-Bliley Act (GLBA)
• California Senate Bill 1386