Networking Device Erasure and Data Destruction

Posted by Frank Milia

Sep 26, 2014 8:30:00 AM

Storage devices and electronic media are not the only equipment that requires erasure and data destruction service levels to eliminate the risk of a breach at disposition. Networking devices, routers, and switches hold sensitive information that, in the wrong hands, can be used to gain entry to or otherwise compromise a network’s security.

The good news is that the major manufacturers have built acceptable erasure methods into various networking devices, and the process is easy to navigate.

At IT Asset Management Group we utilize the best methods of clearing a device depending on the manufacturer’s instructions and tools available. If a device cannot be reset to factory default, or its configuration, NVRAM, or VLAN information cannot be cleared, or any other information fails to erase with 100% certainty, the device is quarantined and then physically destroyed.

The exact method of erasing networking devices will be specific to the manufacturer and model of the hardware, but the following is a broad overview of the process.

Methods for Networking Device Erasure

  1. Switches - Clear all configuration files, including the startup and running configuration files. Erase the NVRAM file system and remove all files. Reload the switch to factory default. Clear all VLAN information created on the switch. Confirm the device has been cleared.
  2. Routers - Reset the password and the device to factory default. Using the configuration register, write erase and set the device back to factory default. Confirm the device has been cleared.
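
One way to automate the "confirm device has been cleared" step, as an added example (not ITAMG's or the manufacturer's own tooling). It assumes Cisco IOS-style console captures of `show startup-config`, `show vlan brief` and `dir flash:`; the file names, default VLAN IDs and sample captures are assumptions constructed for illustration.

```python
import re

# VLAN IDs present on a factory-default switch (assumed Cisco IOS defaults).
DEFAULT_VLANS = {1, 1002, 1003, 1004, 1005}
# Flash files that hold saved configuration or VLAN data (assumed names).
CONFIG_FILES = {"config.text", "private-config.text", "vlan.dat"}

def residual_findings(startup_cfg, vlan_brief, flash_dir):
    """Return the reasons a device cannot be recorded as cleared."""
    findings = []
    # Erased NVRAM reports that no startup configuration exists.
    if "startup-config is not present" not in startup_cfg:
        findings.append("startup-config still present")
    seen = set()
    for line in vlan_brief.splitlines():
        m = re.match(r"(\d+)\s+(\S+)", line.strip())
        if not m:
            continue
        seen.add(int(m.group(1)))
        if int(m.group(1)) not in DEFAULT_VLANS:
            findings.append(f"user VLAN {m.group(1)} ({m.group(2)})")
    # Fail closed: a capture without VLAN 1 proves nothing.
    if 1 not in seen:
        findings.append("VLAN table not captured")
    if "Directory of" not in flash_dir:
        findings.append("flash listing not captured")
    for line in flash_dir.splitlines():
        cols = line.split()
        # The file name is the last column of each numbered entry.
        if cols and cols[0].isdigit() and cols[-1] in CONFIG_FILES:
            findings.append(f"{cols[-1]} still on flash")
    return findings

def disposition(findings):
    """Any finding sends the device to quarantine and physical destruction."""
    return "quarantine-and-destroy" if findings else "cleared"

# Constructed sample captures, not taken from a real device.
CLEAN = (
    "startup-config is not present",
    "VLAN Name         Status\n1    default      active\n1002 fddi-default act/unsup",
    "Directory of flash:/\n  2  -rwx  4414921  Mar 01 1993 00:02:11  image.bin",
)
DIRTY = (
    "hostname core-sw-01\ninterface Vlan10\n ip address 10.0.10.1 255.255.255.0",
    "VLAN Name         Status\n1    default      active\n10   finance      active",
    "Directory of flash:/\n  2  -rwx  4414921  Mar 01 1993 00:02:11  image.bin\n"
    "  3  -rwx  616  Mar 01 1993 00:05:40  vlan.dat\n"
    "  4  -rwx  1822  Mar 01 1993 00:06:02  config.text",
)

if __name__ == "__main__":
    for name, capture in (("clean", CLEAN), ("dirty", DIRTY)):
        result = residual_findings(*capture)
        print(name, disposition(result), result)
```

An empty or truncated capture is treated as a failure rather than as a clean device, which matches the quarantine rule above.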

A sample of the type of manufacturer provided instructions used by ITAMG can be found below.

Common Switch: http://www.cisco.com/c/en/us/support/docs/switches/catalyst-2900-xl-series-switches/24328-156.html

Common Router: http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-releases-123-mainline/46509-factory-default.html

Networking Device Destruction

Any device that cannot be reset and confirmed to no longer contain any user created configurations or data should be physically dismantled, shredded, and recycled for commodity material in accordance with all local, state, and federal laws. ITAMG’s data destruction services are developed in accordance with the DoD 5220.22-M standards and NIST 800-88 Guidelines for Media Sanitization.


Topics: data security, data destruction, data breach, education & tips, data sanitization

The Frightening Impact of Theft, Loss, and Data Breaches

Posted by Frank Milia

Oct 15, 2013 7:29:00 PM

“Don’t panic, it’s only a data breach.” Are those words that you would ever hear? Certainly not, because when there is a data breach, panic may not be the optimal reaction, but more often than not it is the reaction.

A data breach can cause shock waves through a company and even a community. Just look to the example of Santa Clara Valley Medical Center, which had to notify 571 patients that their information, including birthday, age, sex, and even specific medical results, was compromised after a laptop had been stolen from their location in San Jose, California. 571 individuals concerned about identity theft and their information in the hands of criminals, all because one laptop was stolen.

According to information obtained by Symantec, theft or loss was the top cause for data breaches second to criminal hacking.  The study, done in 2011, revealed the combined statistics from theft and hacking resulted in over 200 million compromised identities.


So if theft is number one and hacking is number two, it is safe to say that companies must defend themselves sufficiently against both aspects.  HR and the department heads of IT must consistently be planning and implementing procedures to mitigate risk from both loss and criminal activity.  From demanding that simple procedures be followed such as shutting down computers so passwords are required on start up, locking down offices after work hours, to training on the importance of keeping mobile assets secure everywhere they go, companies must arm themselves with every means possible to take care of data that is stored on-site at the firm.

As an IT Asset Disposal vendor operating since 1999, we have found that assets at time of disposal are at an increased risk of theft. When assets are retired and not properly secured, stored, and accounted for, negligence can lead to a low-tech data breach in the form of missing, lost, and stolen media.

The first step to ensuring loss and theft do not affect your data security is to take accurate inventory of retired assets. Once this is complete, assets should be kept in a locked room or cage until sanitized or serviced by an approved disposal vendor. For highly confidential media, sanitization or destruction should take place prior to disposal of equipment. Receiving logs and inventory audit reports from disposal vendors should then be used to cross-reference serial numbers to your firm's asset management records. Many companies may have excellent data sanitization processes but neglect the serious threat of theft prior to the completion of data destruction due to real estate, space, and other logistics obstacles.
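
The serial number cross-reference described above, as an added example (not ITAMG's own tooling). The record fields `serial`, `confidential` and `sanitized_on_site`, and all sample serial numbers, are assumptions constructed for illustration.

```python
import re

def norm(serial):
    """Strip whitespace and hyphens and upper-case, so label variants compare equal."""
    return re.sub(r"[\s\-]", "", serial).upper()

def reconcile(retired, vendor_received):
    """Compare the internal retired-asset list with a vendor receiving log."""
    ours = {norm(r["serial"]): r for r in retired}
    theirs = {norm(r["serial"]) for r in vendor_received}
    return {
        # Retired internally but never logged by the vendor: possible loss or theft.
        "missing_at_vendor": sorted(ours.keys() - theirs),
        # Logged by the vendor but absent from our records: inventory gap.
        "not_in_inventory": sorted(theirs - ours.keys()),
        # Highly confidential media that left the site without being sanitized first.
        "left_unsanitized": sorted(
            s for s, r in ours.items()
            if s in theirs and r["confidential"] and not r["sanitized_on_site"]
        ),
    }

# Constructed sample records (hypothetical serial numbers).
RETIRED = [
    {"serial": "FOC1234X0AB", "confidential": False, "sanitized_on_site": False},
    {"serial": "wd-wx11a-2345", "confidential": True, "sanitized_on_site": True},
    {"serial": "S3Z9NB0K112233", "confidential": True, "sanitized_on_site": False},
    {"serial": "5CG7012QRS", "confidential": False, "sanitized_on_site": False},
]
VENDOR_RECEIVED = [
    {"serial": "FOC1234X0AB"},
    {"serial": "WDWX11A2345"},
    {"serial": "s3z9nb0k112233"},
    {"serial": "MXL0000ZZZ"},
]

if __name__ == "__main__":
    for category, serials in reconcile(RETIRED, VENDOR_RECEIVED).items():
        print(category, serials)
```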

In the Ponemon Institute’s and Symantec’s Report "2013 Cost of Data Breach Study,"  the numbers regarding the costs associated with a data breach are frightening:

 

US Cost per Record:  $188

Average Records per US Breach:  23,647

Average US Data Breach Total Cost:  $4,445,636

Average Cost Due to Lost Business: $3,030,814

 

In response to these alarming figures companies can also mitigate risk by implementing a policy regarding data destruction using a firm that will monitor, guard, and provide proof of destruction through Department of Defense compliant data eradication methods.

The U.S. Department of Defense (DOD) has established a National Industrial Security Program Operating Manual that various Federal Government Departments must use including the Department of Defense, Department of Energy, and CIA. The program describes the methods and systems by which classified information must be secured. Through this data destruction protocol, information is kept secure from acquisition through destruction.

Disastrous results can be avoided through strict adherence to safety and security policies both on-site and after the sale of IT equipment.  Informing customers and employees of a data breach is the last thing any company wants to have to do.  Customers will be lost and employees’ trust will be diminished. To avoid these issues company heads must plan accordingly, take action, and choose wisely when selecting vendors to help with security needs.

 

 


Topics: data destruction, data breach, Computer Liquidation, hard drive shredding, IT Asset Disposition

ITAM: The most boring thing….

Posted by Steve Bossert

Sep 18, 2013 4:36:24 PM

ITAM stands for IT Asset Management, but there is often a lot of confusion when talking to vendors that name solutions after industry terms, let alone a certain company that just so happens to be named IT Asset Management Group.

All too often acronyms confuse people. According to the International Association for IT Asset Management, ITAM breaks down to covering:

  • SAM (Software Asset Management)
  • HAM (Hardware Asset Management)
  • APM (Asset Portfolio Management)

From ITAMG’s perspective on ITAM, we see hardware having three broad categories. Owned Assets (OA) are the contracts, and hardware and software entitlements covered under SAM or APM and these are areas ITAMG does not currently focus on.

The others are Discovered Assets (DA) and Fixed IT Assets (FITA). This is where IT Asset Management Group can provide your organization with assistance as part of your ITAM, ITAD and EOL processes.

IT assets are very different from most fixed assets, like your chair or a mouse pad, which do not require specific software to run and are not discoverable on your network. This is a major reason why ERP (Enterprise Resource Planning) software is not the best solution for tracking IT assets. Instead, IT assets often go through an Installed Moved Added Changed process, or IMAC for short.

It is hard to inventory an IT asset until software has been installed, configured and then deployed. Your organization won't often be able to collect this information into a hardware asset repository until it is connected to your network. Too many organizations rely on solutions like this, and they should still take the time just prior to deployment to document these assets through physical or technology-assisted means. Our paper on IT asset tracking methods goes into more detail about this.

Discoverable assets are by far some of the most important IT assets in an organization since they most likely contain a CPU. This is a major reason why many organizations have stopped tracking things like keyboards, mice and even monitors. These are then often considered a fixed asset. Another way to look at it, while not always thought of as discoverable, is to think about all IT assets that are capable of storing information, like on a traditional hard drive (HDD) or a solid state disk (SSD).

The thinking is not cost driven, but because a device with a CPU or HDD/SSD must have software or information to make it usable and therefore can be exploited. A Dell 19 inch LCD monitor is not often thought of as a hacking target for today’s cyber security bad guys.

ITAM Success

The goals of ITAM are simple enough. Focus on compliance, improve accountability and control your inventory. Following these goals should in most cases allow your organization to save money by preventing redundant purchases over time or better time new IT purchases based on asset devaluation. It may also even allow you to better negotiate with a certain software company based in Redmond, Washington should they decide to audit your discoverable assets for proper licensing.

As hardware assets near End of Life (EOL), you will have a leg up in the decommissioning process too. Having an accurate inventory list will not only help you check off desktops, switches, servers and laptops from active to retired status, it will help your disposition partner maximize value back to your organization and minimize risk associated with any device that was discoverable at some point and/or has information stored on it.

Most importantly, the finance and security compliance people will love you. It will make what they do easier since now more than ever they are often found at the intersection of technology created issues and business issues and could use your help.

Bored

This is why many consider ITAM boring. As an IT professional, you may rather spend your time talking with a technical account manager about the latest Cisco UCS server and Nexus switches or perhaps demo an IBM FlashSystem 820 with its low latency read and write times. This is all fine and good, but if you are thinking about how you can get a promotion if the path to CIO does not look promising, here is a great chance to start thinking about how IT impacts the overall business continuity of your organization.

Be the hero

Over time, inventory management systems have evolved into separate silos. There is one tool for managing and tracking routers. Another for desktops and laptops. None of these systems communicate. It is often not a simple task to generate a list of all discoverable assets in case your CFO demands an actual list when he realizes how much new equipment was just recently ordered and wants to know why. Should your CFO lead the charge in finding a solve-all, end-all inventory and asset management solution? How will you handle end of life strategy or associate hard drives by serial number to the device they came from? Does your organization require on site disk destruction? What is the legal procedure for the release of certain equipment? Focus instead on being the hero by thinking about business issues and align yourself with the resources that can help you reach that goal.

Homework or “workwork”?

Reach out to your network of IT friends and find out who they use to help them with decommissioning, data destruction and all other ITAM, ITAD and EOL projects. Do some research on organizations that may be a good fit to service your organization, especially if HIPAA or SoX are often referred to in daily activities at your company.

The world has changed. Cyber security is the hot topic and within that realm, it's not just about firewall management and locking down TCP/UDP IP ports.

ITAM may be boring at times, but it is the new imperative. And, in case you were wondering, there are 27 acronyms mentioned in this article.

List of Acronyms

  • APM – Asset Portfolio Management
  • CFO – Chief Financial Officer
  • CIO – Chief Information Officer
  • CPU – Central Processing Unit
  • DA – Discovered Assets
  • EOL – End of Life
  • ERP – Enterprise Resource Planning
  • FITA – Fixed IT Asset
  • HAM – Hardware Asset Management
  • HDD – Hard Disk Drive
  • HIPAA – Health Insurance Portability and Accountability Act
  • IAITAM – International Association for IT Asset Management
  • IBM – International Business Machines
  • IMAC – Installed Moved Added Changed
  • IP – Internet Protocol
  • IT – Information Technology
  • ITAD – IT Asset Destruction
  • ITAM – IT Asset Management
  • ITAMG – IT Asset Management Group
  • LCD – Liquid Crystal Display
  • OA – Owned Assets
  • SAM – Software Asset Management
  • SoX – Sarbanes-Oxley Act
  • SSD – Solid State Disk
  • TCP – Transmission Control Protocol
  • UCS – Unified Computing System
  • UDP – User Datagram Protocol

Topics: IT Asset Disposal, IT services, ITAD, data breach, education & tips, computer hardware

The Repercussions of the Poor Electronic Recycling Decisions of our Past

Posted by Frank Milia

Sep 18, 2013 4:35:39 PM

The government, corporations, and citizens in the United States have a higher awareness than ever before for the necessity to properly recycle electronic waste. Although there have been positive results from educating and regulating the electronic waste producers, collectors, and recyclers a great threat still remains.

In a recent New York Times article by Ian Urbina, “Unwanted Electronic Gear Rising in Toxic Piles,” the increased concern that electronic waste is being improperly handled is well documented. The article exposes a practice by electronics recyclers that promote their brand by deceiving clients with false claims of legal and ethical recycling procedures. In reality, these recyclers separate out valuable material and then stockpile, carelessly discard, or illegally export the remaining toxic waste.

Cathode-ray tube (CRT) monitors and televisions are currently the largest threat to our environment from electronic waste. CRT products have a high cost of collecting, processing, separation, and of down-stream disposal of the toxic lead glass. Because of the high costs associated with properly dismantling and recycling electronic waste, the U.S. government has developed programs and incentives for recycling companies to collect and process the material. Many states also require manufacturers to provide “take-back” programs, which are typically contracted out to recycling companies.

Some recycling companies have taken advantage of these incentives and OEM contracts and are now stuck with product they cannot afford to process and in turn are abandoning warehouses full of electronic waste, land-filling the material, or exporting it illegally and then shutting down the business to restart under a new brand.

Ian Urbina claims that the federal government alone is disposing of 10,000 computers a week, and even many of their own disposal practices have been taken advantage of by parties who undertake fraudulent or illegal actions handling the waste. The burden of solving this problem is on the generators of the waste, all of us, to take the time to seriously investigate how our electronic waste is being handled.

There are some practices leading IT business decision makers can utilize in order to avoid contributing to criminally reckless recycling vendors.   Every IT department should have a written disposal policy that includes data security, environmental and social policy, a list of approved and qualified vendors, and methods for tracking the disposal of regulated electronic waste.

A qualified disposal vendor should be one that can provide verifiable data and tracking of the receiving, processing, and downstream recycling of material. Vendor selection should be made not only according to third party certifications (R2, ISO 14001, BAN etc.) but from evaluation of a vendor’s software reporting tools and transparent access to the recycling vendors’ processes, procedures, and physical facilities. Demand the same level of sophistication from an IT asset disposal vendor that you would from any other technology partner.

The past choice that some have made to utilize fly by night recycling outfits or select vendors without performing due diligence is one that will negatively affect our environment for years to come. The abandoned stockpiles of CRT monitors will be monuments to our collective poor oversight.

Today is a day to reflect on our past decisions and to pledge that we will do everything we can to ensure our electronic waste is processed in an ethical, secure, and environmentally sound manner.


Topics: IT Asset Disposal, IT services, data destruction, ITAD, data breach, technology vendors, education & tips, computer hardware

   
