December, 2010

by Andrew Kelleher

Destroying stuff seems to be my specialty, though I have a definite preference for the purposeful kind of destruction.  Years ago, my 1983 Datsun went against my purposes when it decided to leave that icy road and run into that big rock, but at least it didn’t come back from the scrapyard to haunt me.  In contrast, my 5-year-old laptop computer that barely boots up could come back in many ways if I’m not careful how I dispose of it.

As we know, a used computer’s hard drive contains old e-mail messages; credit-card, bank-account, and Social-Security numbers; and plenty of other personal information.  Because the information security field is my home turf, some of the talk I hear about how to destroy old drives makes me shiver as if I were back on that icy road.  Many so-called methods of destruction border on the insane and unsafe, not to mention the unreliable.  There is a whole lot of bad advice online, especially.  I can tell you most of these postings skirt the truth.  Some throw a tarp over it.

Here, paraphrased, are some comments I found recently with a simple Web search:

“I just take my old hard drives out to the parking lot and bash them with a big hammer.”

“I’d toast them with a blowtorch if I were you.”

“Cook them in the oven at very high heat, then plunge them into a bucket of ice water.”

“An acid bath is the way to go.”

“Melt them down!”

“Take them miles out to sea and throw them in.  Even if somebody finds one, the salt water will have done a job on it.”

“Throw it in your fireplace.”

“Remove the platters from the cases and bend them.”

“Take them outdoors and shoot a hole through each one with a pistol – the larger the caliber, the better.”

“Drill a few holes in each drive and be done with it.”

“Dip them in a vat of liquid nitrogen on the roof of a tall building, and then drop them over the edge.”

I wonder how many of these folks have ever followed their own recommendations.  Are some of these “home remedies” difficult and/or impractical?  In many cases, they sound like they came from a handbook for the Spanish Inquisition.  Yes, some might be feasible if you have one or two hard drives to dispose of, but even those could pose huge liability risks when done for an employer.  If you have time to waste, gloves on your hands, and safety goggles on your eyes, some of these methods might even work.  But businesses that have to deal with liability, workplace safety, and the disposal of multiple hard drives should have a problem with these methods, not to mention they are just crazy dangerous!  Besides, even if carried out as recommended, most of these measures are far less than 100% effective.

Safely, but Thoroughly

By the way, I do realize that some of the online comments are tongue-in-cheek, but my overall reaction is still the same: Are you crazy?  You need to have a proven destruction technology that is safe, easy to use, and, most importantly, effective.  The equipment must give you peace of mind — the assurance that no one is going to recapture a bit of data off your discarded drives.  Otherwise, why not just throw the hard drive away or give it to some nefarious folks for their own uses?

It is not as paranoid a view as it used to be.  Data-recovery technology continues to advance by leaps and bounds.  There are many techniques that are not top secret but still allow the recovery of information from seriously damaged drives — you’d be surprised.  Just ask your state and local police or the U.S. National Security Agency/Central Security Service (NSA/CSS).  By the way, the U.S. government is so concerned with the loss or theft of data, or just with the end of a computer’s life, that the NSA has developed guidelines that require hard drives to be degaussed (demagnetized) and incinerated or otherwise physically damaged prior to disposal.  Many other countries have similar guidelines.

Aside from governments securing state secrets, every person and enterprise has old hard drives that should eventually be destroyed.  And don’t think that just because you aren’t a government agency or contractor you don’t need to be vigilant about hard-drive disposal.  There are real risks of information (financial and tax records, Internet purchases, etc.)  falling into nefarious hands, not to mention there is information your competitors would love to see, such as price lists, sales figures, customer data, engineering data, memos drafted in preparation for bidding, e-mails from the president to his mistress, etc.  Aside from damage to one’s reputation, there is the possibility of a lawsuit from an employee, customer, patient, or other individual who claims he or she was harmed by the release of his/her private information.  The list goes on and on.

Of course, different owners have different security needs, and that is why there are different kinds of safe and effective hard-drive-destruction equipment on the market.  There are more options than ever before, and the trick is finding the right solution/equipment (or destruction service) for your hard drives.

Although hospitals and other healthcare and health-insurance providers, banks and other financial institutions, and government/military entities are subject to higher standards of confidentiality, every business has employee records and proprietary information.  We all have to replace computers from time to time — more frequently as newer technology makes them obsolete.  How many old computers/drives do you have gathering dust in an out-of-the-way corner or storage room?  I’d be willing to bet that most IT folks would say those items won’t be needed again.  More than likely, they just aren’t sure what to do with them, but they do know they cannot just throw them out.

A Job Worth Doing…

Just one hard drive can contain hundreds of thousands of files.  When a digital file is “deleted” from a computer, the information actually remains on the drive, as do “deleted” e-mail messages and records of all online activity.  Even reformatting or overwriting may not be enough to prevent confidential/proprietary/sensitive data from being recovered by a determined individual using the right techniques and equipment.

In light of the above, I favor a “belt & suspenders” approach — two proven methods of data destruction for absolute certainty.  But there is more to information security than choosing the right destruction equipment.  What you do with old drives prior to destruction is just as important.  Keep them in a secure location prior to destruction, or they could be long gone before you even know they are missing.  And keep records!

For any facility, I strongly recommend instituting a comprehensive information-security program — written procedures that must be followed.  Such procedures should include detailed recordkeeping and labeling that states, for example, the serial number of each drive, the computer from which it was removed, and the date it was removed.  The program should also include careful documentation of destruction dates and methods and a plan for in-house monitoring/verification.  You never know when these records will come in handy.

Proper training is a must.  These procedures should only be carried out by trusted employees or a security service, and supervised by management.  By the way, if you have a written policy that calls for destruction of records on a regular schedule, it looks less arbitrary and suspicious if documents are missing when requested in the course of litigation or an audit.

Businesses that don’t yet have a comprehensive information-security program can take a cue from federal regulations that require some facilities to have one in place, such as the rules implementing the Fair and Accurate Credit Transaction Act (FACTA).  In order to minimize fraud and identity theft, FACTA’s far-ranging standards require lenders, insurers, and many other businesses — anyone who “maintains or otherwise possesses consumer information for a business purpose” — to properly destroy consumer information.  Likewise, hospitals and other healthcare entities must comply with privacy and security standards promulgated under the Health Insurance Portability and Accountability Act (HIPAA).  Similar requirements may be found in the Sarbanes-Oxley (Public Company Accounting Reform and Investor Protection) Act and the Gramm-Leach-Bliley (Financial Services Modernization) Act.  Further, the credit card industry is required by the Payment Card Industry Data Security Standard (PCI DSS), international protocols issued by a credit-card-industry council, to take proper security measures with customer and corporate proprietary information.

Tools of the Trade

When is a hard drive really destroyed enough to prevent recovery of information it once held?  That is debatable.  Let’s take a look at some choices for the safe removal of data:

1. Overwriting the drive. “Disk-wiping” software is used to replace stored data with a pattern of meaningless characters.  I felt obligated to mention this method, but I do so with reservations.  There are many versions of such software on the market, so it is important that the chosen version be compatible with the drive to be overwritten.  U.S. Department of Defense guidelines recommend this step for operable drives bound for disposal, prior to degaussing and/or destruction.  But one overwriting “pass” is not enough, and this method must be carried out by someone who is patient and careful and understands the process, as it is time-consuming and based on the age and size of the drive.
2. Degaussing. Degaussing is one of those words that evoke images of a mad scientist and large static discharges in the laboratory.  Degaussing is simply the elimination of a magnetic field.  There are two major methods of degaussing.  The first method permanently erases data from hard drives when they are passed through the magnetic fields of powerful, fixed, rare-earth magnets.  The second method uses a powerful electromechanical pulse that instantaneously generates a powerful magnetic field to permanently erase data from disks in an enclosed chamber.  One should note that because there are variations in the formats and magnetic densities of hard-drives and in the methods by which they store information (latitudinal or perpendicular), the degaussing device must have a high enough coercivity rating (magnetic power) to overcome the drive’s magnetic field and completely erase its stored information.  If it doesn’t, the whole process is a waste of time.  The NSA/CSS evaluates degaussers and has published a list of approved devices for the erasure of sensitive or classified magnetic storage devices.  The list rates each degausser model on the basis of which types of drives and other magnetic media it is strong enough to erase.  Careful and informed buyers tend to rely on it for guidance.  Degaussing is more effective than overwriting, but here, too, training is essential.  Once you purchase a degausser, be sure to follow the directions.

   An NSA Evaluated degausser that can completely erase hard drives with no chance of data recovery.

3. Crushing. This method destroys drives by subjecting them to extreme pressure from a conical steel punch or similar device.  Good for a low volume of drives, these relatively inexpensive units are available in manual and powered models.  I put this method in line with basic destruction methods.  At the least, deforming the drive enough to render it inoperable is better than doing nothing.  Unlike after degaussing, the information residing on a deformed hard drive is still intact, but it is much more difficult to retrieve.

   An automatic Sledgehammer hard drive crusher with a conical punch to pierce drive casings and platters.

4. Shredding. Hard-drive shredders literally rip drives to shreds.  The shredding process is much the same as in an ordinary paper shredder, but these machines are more robust and capable of destroying multiple types and sizes of drives.  These shredders are also good for destroying cell phones, PDAs, electronic organizers, and other data-storage devices.  Several models are available, the largest of which can destroy up to 2,500 drives per hour.  Again, as with crushers, the information residing on the hard drive platter is still there, but since the drives are shredded into several randomly sized strips, it is even more difficult to retrieve.
   A Jackhammer hard drive shredder, capable of destroying up to 2,500 hard drives per hour.

   Hard disk drives and other electronic devices end up as co-mingled “e-scrap,” most of which can be recycled.  Powerful shredders reduce metal to random strips.

5. Disintegration. “Mechanical incineration” by a heavy-duty disintegrator (rotary knife mill) cuts items into smaller and smaller pieces until they are unrecognizable and unreconstructible.  For hard drives and other metal, this is typically done after shredding.  Disintegration is similar to shredding, although the end particles are much smaller and more damaged.  Disintegrators are also available in several models able to handle various sizes and volumes of hard drives.  The upkeep for a disintegrator is significantly greater than that for a shredder, and is therefore an important consideration when choosing between the two.

While all of these methods are effective, I favor a two-stage approach that combines degaussing with crushing or shredding.  For the ultimate, choose degaussing, followed by shredding, followed by disintegration, but this is for those who are really paranoid.

Ideally, the decision to purchase destruction equipment and the implementation of a destruction program would be based on security needs, not on cost.  But in a practical world, there are budgets to be met.  Degaussers, shredders, and disintegrators all come in different sizes and capacities.  While some of these units are relatively inexpensive ($1,000 to $5,000), others could run as high as $50,000.

The Outsourcing Option

For some businesses, the peace of mind that comes from knowing sensitive records will never leave their facilities intact makes the investment in destruction equipment worthwhile.  Even so, many companies simply cannot afford to purchase this equipment for the relatively few items they need to destroy.  These businesses may choose to outsource such destruction.  Aside from budgetary considerations, if you rarely need to purge your files, only destroy 10 hard drives a year, or would simply rather not destroy sensitive materials on your own premises, by all means find a reputable destruction service.  An advantage to outsourcing is that your waste eventually gets mixed with the waste of others, which makes your data even harder to retrieve.

Outsourcing can be affordable and safe when done properly, but if you choose this option, be sure to do your homework thoroughly.  Evaluate a service provider and its security protocols before signing the contract.  Here are some questions to ask:

1. If the service will pick up your hard drives, how will it transport them to the destruction facility?  Does the service offer locked, trackable transport cases with tamper-proof security tags?
2. Does the service require a long-term contract or a monthly minimum?
3. Upon arrival at the facility, will your items be inventoried by serial number (or barcodes correlated with serial numbers) and stored in a locked, monitored area?  How long are they likely to remain there awaiting destruction?
4. Are job applicants thoroughly screened?  Is the facility monitored around the clock by security cameras?
5. What destruction methods will be used?  Degaussers?  Shredders?  Disintegrators?
6. Has the facility’s equipment been evaluated by the NSA/CSS?
7. What proof will you have that items were actually destroyed?  Would you be allowed to watch the destruction in person or on video?
8. Will the destruction of your items be logged and certified in writing?

9. What happens to destroyed waste?  Is it recycled in accordance with pertinent regulations?

• Is the facility bonded and insured, and to what limits?

If you don’t like the answer to any of these questions, look for another service.  Like all service providers, some are better than others and some offer more robust security assurances.  I personally prefer more security over less.  You also need to understand that security comes at a cost.  Many destruction companies are nothing more than recycling companies posing as secure-destruction experts.  If the service you are considering passes all the above tests, visit the facility in person.  Even if you like what you see there and end up giving the company your business, it is a good idea to pop in from time to time for a surprise inspection.

And please note that a certificate of destruction does not free you from your legal responsibility.  If a destruction contractor certifies that your confidential data was destroyed, yet the data surfaces somehow, you are still liable for damages suffered by the injured parties.

Methodical Choices Protect Your Business

Sometimes the best overall destruction/disposal solution is a combination.  For example, you might choose to degauss your hard drives in house and then send the degaussed drives to a service for the next stage, such as shredding and/or disintegration.  You still get “belt & suspenders” — by choosing two (or more) destruction methods, you protect yourself against human error if someone falls down on the job at one stage or the other.

Regardless of the methods you choose for disposing of outmoded computers, be mindful of the fact that they contain valuable and toxic materials.  Some components can be reused, and most can be recycled.  Explore options that go beyond legally mandated procedures to minimize the chance of environmental contamination.  Security is your main goal, but security and recycling do not have to be at odds with each other.

Although information-security programs will differ according to facility size and mission, every field of endeavor these days must address the disposal of protected information.  Confidential patient records are just as important to a small medical practice, for example, as proprietary product designs are to a large corporation.  In both cases, the methods chosen to destroy computer hard drives have to be equally effective.  A wide selection of equipment is available to help a facility establish a program that meets its particular needs.

A comprehensive hard-drive disposal program can prevent sensitive electronic records from falling into the hands of those nefarious folks who want to do mischief at your expense.  Data security is an ongoing process, but by learning about threats and understanding destruction options, you will be in a much better position to protect yourself and your business.

Andrew Kelleher is president of Security Engineered Machinery (SEM), the largest direct supplier of high-security information destruction equipment to the United States federal government and its various security agencies.  For more information, contact Mr. Kelleher at SEM, PO Box 1045, Westborough, MA 01581, TEL: 508-366-1488, FAX: 508-366-6814, e-mail: info@semshred.com