Recycling Computers: Creating Security Problems?

Wednesday May 17th 2006 by Linda LeBlanc
Share:

What you do with old computer gear could undo all the measures you've taken to secure your data.

Congratulations, you've made great strides in improving the data security in your company. You've convinced your employees to a) not take candy from strangers in e-mail, b) not to leave personally identifying data lying around online, and c) exert physical control over their laptops, PDAs and other electronic gizmos. You are the reigning security guru in your organization.

Now answer this question: What happens to your data when systems are decommissioned? Do you know? Do you want to know? All the data we've been talking about keeping secure, where does it go?

Let's talk about the machines themselves. Generally, three things can happen to computers:

  • They get repurposed. The boss gets the latest toy, her assistant gets the previous latest toy, and the file clerk gets the assistant's old system.

  • They get repositioned. The boss takes the old toy home for the kids, and gets the new one for the office. The assistant and the file clerk are out of luck.

  • They get recycled either internally or externally. Internal recycling means an e-mail is sent to the company, and whoever wants or needs a computer (based on some pre-determined criteria) gets it.

    External recycling occurs when the machine is donated to schools and charities or is simply carted off by an entity unaffiliated with the company. This may be a contract disposal company or the janitor. The important part is that you have no way of knowing where it ends up.

    When computers are repurposed, you might think the data hasn't "really" changed hands. This is simply not true. Sure, the assistant works for the boss, is the boss's right hand, knows everything necessary to keep things running smoothly and to keep the boss out of trouble. But there's an old adage that applies here: just because I taught you everything you know, doesn't mean I taught you everything I know.

    Just because the assistant is familiar with the majority of material on his department head's computer doesn't mean that he has any reason to have access to the rest of it. Additionally, the boss probably has information he — most emphatically — doesn't want his subordinate to have.

    Performance evaluations, pay structures and personal business data are all excellent examples. What happens if the assistant is disgruntled?

    Repositioned machines pose a different risk. You take your old business system home, to let your kids install games and other applications so they can play on line. Your youngest child has a completely annoying habit of clicking whatever pops up on the screen "to see where it goes."

    You already know from hard, cold experience that this involves adware, spyware, viruses and all the other things you fight day in and day out at the office. Frankly, you are just too tired to deal with it at home too.

    Since the kids are the only one who use the computer (OK, you occasionally balance your check book and pay bills on line) it's just not that big of a deal. What about your data from the office?

    Finally, the machine is recycled and some rogue from Sales takes it and disappears back into the darkness from whence he came. The next thing you know, some top-secret document even your boss doesn't know about is all over the corporate network, and it doesn't look good for you. You'll eventually be vindicated, but between now and eventually is a long, long time.

    Recycling a machine to the outside world? You can just imagine the threats, the pitfalls and the unemployment line you're exposed to here. You have no control over what happens to that data after it's been released to the general public. Just because you hire a commercial disposal firm doesn't mean you hired an ethical one.

    Looking at the Options
    By now you're having nightmares over the loss of your company assets in one form or another. You basically have three options: software wiping, magnetic degaussing, or, my personal favorite, physical destruction.

    There are applications available that will boot your system to a CD and then overwrite the entire drive with the numeral one and random letters, random characters or some combination of letters, characters and numbers.

    A modest sized hard drive (40Gig) takes approximately 36 hours to wipe using the lowest setting. Clearly this is not scalable. Additionally, you can't pipeline the process without multiple copies of the software.

    Next you can employ a magnetic degaussing system. You can do multiple disks at once and it takes up less room. But you have to take the drive out of the case, and there is a much larger initial expense for equipment. They can also be loud, and they make some people nervous about magnetic fields and health issues.

    Physical destruction is an option if you're going to go to take them out of the case. Gather a set of drives that need to be destroyed; have an organizational picnic (your team, division, department, site, company, whatever). Sell tickets for the opportunity to pound a hard drive into the ground with a sledgehammer. Donate the proceeds to charity. Purchase replacement disks as a tax write-off.

    Smashing hard drives may be emotionally fulfilling, but it's not an efficient way to provide data security for decommissioned computer systems. You might be tempted to put drives in a box in a dark corner for later, but remember the bad guys live in a dark corner waiting for the opportunity to make off with sensitive data.

    As usual, there's no easy solution but we have to find something workable to protect our company's collective assets and ourselves. You may find the answer lies in more than one solution, but it certainly doesn't lie in no solution at all.

    Linda LeBlanc, who served as a Gunnery Sergeant in the U.S. Marine Corps., now is a network security analyst at MIT. She also does security consulting for Web-based businesses. LeBlanc's columns reflect her own opinions, and not necessarily those of her employer.

  • Adapted from esecurityplanet.com.

    Do you have a comment or question about this article or other small business topics in general? Speak out in the SmallBusinessComputing.com Forums. Join the discussion today!
    Share:
    Home
    Mobile Site | Full Site
    Copyright 2017 © QuinStreet Inc. All Rights Reserved