Moving and disposal of equipment [CISMP]
It’s important that your work environment enables employees to safely and securely dispose of any assets containing information that attackers could seize and use to their advantage.
Earlier in this Learning Path, you were made aware of the potential impact of having personal data lying around. Let’s start by seeing exactly how some of these threats are manifested, before finding out what secure disposal methods should be used.
Information recovered from paperwork or media that has not been disposed of properly is a significant threat to businesses. If paperwork is shredded using a typical office shredder, a patient attacker can piece the ‘shreds’ together again and read the original document. If you dump rubbish in bins at the back of your building, believe it or not, attackers can rummage through these bins and glean a wealth of information they can use in an attack (dumpster diving).
This problem has existed since we started writing things down. However, in the electronic world, it’s even more prevalent, as it’s not always obvious your information could be exposed to unauthorised persons.
You may think that once you delete files from your computer, that’s the end of it and they’ll never see the light of day. In fact, even if you empty the recycle bin, the data can be recovered. The same applies when formatting hard drives: the data still lives on. It is surprising what can be recovered (by a specialist) when you take the disk out and remove the platters. Deleting and formatting both remove only the pointers (indexes) to the deleted files; the data itself remains on the storage media.
Did you know, most modern technological gadgets contain storage media? Printers, photocopiers, MFDs, satellite navigation equipment, walkie talkies, and even televisions, come with built-in storage that can retain both settings and potentially confidential information.
Before you dispose of any modern device, you need to check the manufacturer’s specification and maybe even open it up to see inside. If it’s got storage media, you might need to consider erasing or destroying it.
Security managers play an important role in organising secure disposal and need to be constantly aware of the likelihood of threats from this activity. Here are some key questions they’ll want to consider.
If you employ a contractor to dispose of paperwork or electronic data, are you sure the disposal at the end site is as secure as you need it to be?
What about if you have a recycling programme where old PCs are given to charity or sold to a third world country for school children?
How do you know that the PCs are not being forensically checked by a competitor or foreign government before going to the end customer?
Security managers will need to work with their internal teams and external subcontractors, and implement checks in their procedures to prove the process works, cradle to grave.
If businesses fail to protect information as the relevant laws require, such as the Data Protection Act in the UK, they could face massive fines (as much as €20 million, or 4% of annual global turnover), not to mention reputational damage that could be impossible to recover from. Your business will need to comply with confidential information management and data destruction requirements.
To learn more about data disposal concerns, read this report from Blancco.
Earlier, when considering a clean desk policy, you looked at what might happen if paperwork with personal information was left lying around. One of the lessons here is that your work environment needs safe places for data to be kept and managed. Other guidance may include:
- Don’t print customer data unless you really need to.
- Set reminders on your calendar to delete it – you can only legally keep relevant data for the time you absolutely need it.
- Regularly clear out customer data on your computer and servers – it’s not just about printed data storage.
- Delete or destroy data safely – shred, don’t bin.
Picking up on the last point here, shredding of paperwork is one aspect of destruction that needs serious consideration. Now that you’ve finished with that CONFIDENTIAL document, don’t just toss it in the bin: cross-shred it!
Low-end, cheap shredders cut the paper into strips that at first glance look well destroyed. However, there are many techniques available today for reconstituting documents that have been shredded even to what might look like a rigorous level, so moving to a high-end shredder might be vital for secrecy.
Shredders designed to ensure data cannot be recovered are available, with die cutters in place that cut in more than one direction, and to a very fine size. This way, the shards of a document left in the container will mingle and mix with parts of other documents, making reconstitution of any one document practically impossible. Companies such as Intimus provide hardware capable of shredding documents classified up to the protective marking of SECRET.
Famed former conman Frank Abagnale, as depicted by Leonardo DiCaprio in the film Catch Me If You Can, now offers his talents for good by helping others avoid becoming victims of identity theft. Abagnale states that he shreds everything with a micro-cut shredder, as it “cuts paper into confetti, so it’s absolutely impossible to put back together.”
Disposal of removable media
Like the requirements for paper shredding, the disposal requirements for optical media and other kinds of storage devices are all covered in local legislation, such as the Data Protection Act in the UK. Massive fines for not disposing of data in a proper and thorough way are not uncommon, so this is an area of exposure to risk that your business can easily mitigate with simple processes.
Some shredders can break up optical media, such as CDs and DVDs, so a combined unit is worth considering when you’re purchasing a device.
Users should be explicitly instructed not to break or cut CDs or DVDs in half and throw them in the bin, as data is still recoverable from the tracks using specialised equipment.
Some businesses implement strict control over their optical media, such as cataloguing all the CDs and DVDs in the organisation. In some cases where more sensitive information is being handled, the use of media with pre-printed serial numbers is common. If a user requires one of these devices to move some data around, the serial number can be recorded in a log against that user’s name, and the user would be held accountable for the whereabouts of the disc.
Regular audits of the whereabouts of discs that have not been disposed of will show the security controller if anything has gone missing. Only when the disc is destroyed and is attested to by either the company destroying it, or the local security person responsible for shredding it, can it be struck off the log.
USB Flash Drives
USB devices are now very cheap, small, portable, and extremely useful for storing lots of information. But they’re not as secure as you think.
They can hold many gigabytes of sensitive information should someone with access decide to write that data to the device. Therefore, policies, procedures, technical controls, and end-of-life controls all need to be considered. If USB devices are used in your workplace, you need to include an acceptable usage policy that shows how these should be used, and train your users on how they should handle, transport, and dispose of them.
You should consider technical security too, such as using an approved, certified product, and encrypting your data to the required standard. If you plan to store confidential information on this device, you should consider a product with FIPS 140-3 (September 2021) certification, with an encryption algorithm such as AES 256-bit encryption. Companies like Kingston provide a whole range of encrypted flash memory devices, some of which have been FIPS approved.
If you have finished with a memory stick and wish to retire it from service, you should consider an approved method for disposal. This can be accomplished using a variety of methods, but degaussing (using powerful magnets to wipe the data) or physical destruction are recommended. It’s worth noting that the old-fashioned smashing method does not logically destroy the data; instead, it renders the media itself totally inoperable.
Hard discs and backup tapes
Earlier we learned that if a user deletes files, the data can still be recoverable from the hard disk, even after the device has been formatted, or if the platters (disks) of a drive are physically removed. Therefore, it’s important to dispose of hard disks and backup devices in the correct way.
Before we consider disposal, it’s worth noting that hard disks and backup devices are prone to loss, in the same way as the smaller USB flash memory drives, mentioned in the previous step. While the risk of inadvertent loss, maybe from a pocket or briefcase, is a lot lower, theft of a device is still possible.
However, the real threat comes from end-of-life disposal of these components. This may occur when your systems go through a technical refreshment programme, or where new PCs replace the old ones, and the old ones are sold off to third world countries or some other kind of charitable scheme. If, like most businesses, you routinely store confidential or even personal information on your computer systems, then you should consider secure erasure of the data prior to disposal. By using a disposal service provider such as Blancco, you can have some certainty that data is unrecoverable from your hard discs if they end up in the wrong hands.
If you store more sensitive information on your discs, such as data protectively marked SECRET or TOP SECRET, you’ll need to consider a witnessed physical destruction method. Using a subcontractor that comes to your facility and physically destroys your media is the most cost-effective solution. Disk Demolition specialise in the destruction or secure erasing of all sorts of media. But be aware that other companies have provided certificates stating that the data had been destroyed, yet on several occasions the data has been recoverable. It’s recommended that a test sample is checked to make sure the process of destroying the data is working correctly.
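The following is an added illustration, not part of the original course material, of two points made above: that deleting or formatting removes only the pointers to a file, and that a sample should be checked after erasure. It uses a constructed in-memory toy disk; the file names, contents and function names are all invented for the example.

```python
BLOCK = 512  # bytes per block in this constructed toy image

def make_image(files, blocks=32):
    """Build a toy disk: raw bytes plus an index mapping name -> (offset, length)."""
    image, index = bytearray(BLOCK * blocks), {}
    for n, (name, data) in enumerate(files.items()):
        offset = (2 * n + 1) * BLOCK          # leave gaps between files
        image[offset:offset + len(data)] = data
        index[name] = (offset, len(data))
    return image, index

def delete_file(index, name):
    """Ordinary delete / format: only the pointer goes, the data stays."""
    del index[name]

def erase_file(image, index, name):
    """Overwrite the data blocks with zeros, then drop the pointer."""
    offset, length = index.pop(name)
    image[offset:offset + length] = bytes(length)

def find_residue(image, needle):
    """Scan the raw image, ignoring the index, for every offset of needle."""
    hits, pos = [], image.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = image.find(needle, pos + 1)
    return hits

def dirty_blocks(image):
    """Block numbers still holding any non-zero byte ([] after a full wipe)."""
    return [i // BLOCK for i in range(0, len(image), BLOCK)
            if any(image[i:i + BLOCK])]

def demo():
    # Constructed sample contents, not real data.
    files = {"payroll.csv": b"CONSTRUCTED-SAMPLE name,salary\n",
             "notes.txt": b"CONSTRUCTED-SAMPLE meeting notes\n"}
    image, index = make_image(files)
    delete_file(index, "payroll.csv")                 # pointer removed only
    after_delete = find_residue(image, b"name,salary")
    erase_file(image, index, "notes.txt")             # data overwritten
    after_erase = find_residue(image, b"meeting notes")
    return index, after_delete, after_erase, dirty_blocks(image)

if __name__ == "__main__":
    index, after_delete, after_erase, dirty = demo()
    print("index after both operations:", index)
    print("deleted file still found at offsets:", after_delete)
    print("erased file found at offsets:", after_erase)
    print("blocks still holding data:", dirty)
```

On real hardware a scan through the normal read interface only covers addressable blocks; remapped sectors and flash wear-levelling areas can hold data it never sees, which is why physical destruction is used for the most sensitive media.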
It’s easy to leave things in a cupboard gathering dust, but should any assets of a sensitive nature fall into the wrong hands, the results could be catastrophic. Proper disposal of assets is one of the most effective ways you can protect your organisation, as is a combination of any of the security controls you’ve explored in this Learning Path. In the final Course, you will see how many of these controls are put into practice, in delivery and loading areas.
This Course covers the proper ways in which to move property and securely dispose of equipment, factoring in the possible risks and threats to you along the way.