Data Destruction andthe Impact on Recycling

“With each passing year, the world of technology evolves and improves.

Unfortunately, cybercriminals are continuously adapting and acquiring new techniques, too, and successfully exploiting emerging technologies in a perpetual game of security leapfrog”

PCWorld – December 2013

Ransomware

• Attackers encrypt your data or lock you out of your PC or device using malware exploits

• Demand payment in exchange for restoring your access

• Report from Dell suggests that CryptoLocker raked in $30 million in only 100 days

• Average cost $300 to unlock PC

PCWorld – December 2013

Mobile Malware

• The volume of mobile malware has continued to grow exponentially

• FortiGuard Labs reported 500 malicious Android samples a day in January 2013

• By November the number had risen to1500 new malware samples per day

PCWorld – December 2013

Data Breaches

• According to DataLossDB, the top five breaches in 2013 affected about 450 million records

• Infamous Target breach, 40 million people had their credit card information captured during the Christmas shopping season

Data Breaches

• Average costs:– Per compromised record – $194– Per incident - $5.5M

• Damages trust and reputation• Increased legislation to address:

– Health Insurance Portability and Accountability Act (HIPPA)

– Identity Theft and Assumption Deterrence Act (ITADA)

– Gramm-Leach-Bliley Act (GLBA)

Low Tech Theft

• Most data breaches made public in were due to criminals using the high tech means listed on the previous slides

• Items for recycling often fall outside of established security protocols

• Items for recycling just a vulnerable

http://www.google.com/url?sa=i&rct=j&q=&esrc=s&frm=1&source=images&cd=&cad=rja&docid=NnLJwXMhB0aK1M&tbnid=hOv7zigjeyctIM:&ved=0CAUQjRw&url=http://liability-risk.com/?page=insurance-survey-services&ei=kgv8UoiyOMaCqgG0-ICwBw&bvm=bv.61190604,d.eW0&psig=AFQjCNGxKofeoDP84NurZQECbDrSsuEB9A&ust=1392336112401006

Low Tech Theft

• Data is in more than computers and servers; copiers, printers, scanners, and fax Machines often come with HDD’s and flash memory

• Employee owned devices– Do your employees use their own…cell

phones, tablets, other?• Affinity Health Plan, a New York based not-for-

profit managed care plan learned the hard way– Information left on hard drive of a copier

Low Tech Theft

• Bad guys “getting smart”• Electronic materials sent to developing countries

for crude, illegal and inexpensive metal extraction process

• Potential data in material more valuable than commodity value

How Should I Manage My Data on End of Life Assets?

Electronics Recycling Industry

• Electronics recycling is a fairly young industry • Companies entering the industry could so with

few barriers to entry– Warehouse, truck, low cost labor

• Most recyclers continue to be, “mom and pop” operations with small facilities and fewer than 15 employees

• Easy to Export – US did not ratify rules set by Basel Action Network (BAN)

What to Look for - Types of Certifications

• R2 & e-Stewards: Recycle Responsibly• ISO 14001:2004 Environmentally Responsible• OHSAS 18001: Safety• TAPA: Transported Asset Protection• Microsoft Authorized Refurbisher: able to load operating

system for refurbished resale.

Transported Asset Protection Association

• HVTT (High Value Theft Targeted) asset theft poses a major problem for many industries

• Theft of electronics and almost any other cargo of value is a daily event throughout the world

• This type of crime leads to potential liability of data breaches and compromised brand integrity

• While government programs such as C-TPAT focus on keeping dangerous items out of the supply chain, TAPA focuses mainly on the issue of theft

Not All About Certifications - Observe• Do a Site Visit• Security

– Are there adequate security controls in place? Theft of a HDD or tablet with data on it is a breach.

• Safety– If the company does not care about the safety of their

people will they care about the safety of your data?• Environment

– If the site is careless about the environment will they be careless about your data?

• Employees– Background checked? Prison labor?

• Equipment

Found a Recycler, Now What? Protecting data: Three main methods of erasing HD (Magnetic Media)

Three Options Available

3 Destroy

Physical destruction of media

2 Purge

All data destroyed (including firmware)

1 Clear

Data overwritten

Clearing

• Ensure information cannot be retrieved by data, disk, or file recovery utilities

• Resistant to keystroke recovery attempts from standard input devices

• Overwriting is one method (software)• Replace written data with random data• Cannot be used for media that are damaged or not writeable• Size and type of media determine if this is possible

Why three passes?

• Some organizations are not specific on number of passes

• When specified, normally three• Why?

– US NIST Special Publication 800-88

1 1111 1 11 11111111

1 1111 1 11 11111111

1 1111 1 11 11111111

Purging

• Process that protects data from laboratory attack using non-standard means

• Degaussing – exposing media (hard drive) to strong magnetic field• Usually destroys drive as key firmware info on drive is destroyed• Ideal for large capacity drives• Does not work on optical media or flash drives• Eliminates boot sector

Destruction

• Ultimate form of sanitization• Variety of methods but

shredding is typical method of destruction

• Shred sizes may vary depending on customers requirements

Hard Drives (non SSD)

Clear• Overwrite media by validated overwriting software

Purge• Use approved degausser on entire HD unit or disassemble HD and purge

platters

Shred• Shred• Commodity separation• Material sent to proper metal smelter

Cellphones/Tablets/Flash Drives

Clear• Delete all memory (internal and external)• Perform manufacturer reset• Use of external software

Purge• Same as clear

Shred• Remove battery and shred device• Device shredded and processed at precious metal smelter

Asset Retirement

On average, servers and data storage systems are replaced every three years. Managing these assets at the end of their useful life can be onerous and raise many questions: • Aside from data, how to put together a great recycling program

27

The Three R’s of Recycling

Reduce

• Managing carbon footprint with efficient logistics– Reduce carbon and cost of program

• Find a recycler with multiple sites

30

SRS Global Operations

45 Operations Globally

12 USOperations

4 CanadaOperations

25 EUOperations

1 New ZealandOperation

5 AustraliaOperations

3 IndiaOperations

1 UAEOperation

1 South AfricaOperation

1 SingaporeOperation

Asia Representative

Offices

North American Locations

Sacramento,CA

San Francisco,CA

Los Angeles,CA

Montreal,QC

Edison,NJ

Toronto,ON (2)

Vancouver,BC

Nashville,TN

Chicago,IL (2)

Dallas,TX

Tampa,FL

Washington,DC

Tucson,AZ

Recycle Locally - Avoid Export Whole

• Processing near generation site– Increases security – Do you want your data

sent to out of country on an un-wiped drive?

SRS

Other ?

Reuse

• Consider allowing recycler to reuse/resell assets• With proper controls, it is safe and can return

value to the recycling program• Huge energy savings versus recycling and

fabricating new product

500%EnergySavings

Recycle

• Overall, the processes used to make consumer goods from recycled material versus raw resources is much more energy and water efficient

• Recycling 1 million laptops saves the energy equivalent to the electricity used by 3,657 US homes in a year (EPA)

• A ton of circuit boards can contain up to 800 times the amount of gold mined from one ton of ore in the US. (EPA)

• EPA tool to calculate energy savings from recycling: http://ecocycle.org/ecofacts

Q&A