An Introduction to Asset Recovery


Upload: mylespilkington

Post on 09-Feb-2015


DESCRIPTION

A brief introduction to best practice in managing the retirement of used ICT equipment

TRANSCRIPT

Page 1: An Introduction to Asset Recovery

Sims Metal Management Limited, ASX Code: SGM, NYSE Code: SMS

Securing the data on your retired electronic assets

Information Governance, Risk and Compliance

20/05/2010

Page 2: An Introduction to Asset Recovery


Agenda

• What are the methods for retrieving data?
• What are the recognised methods for destroying data, their advantages and disadvantages
• Understanding ICT equipment, the potential data it holds and how best to destroy it
• Methods of raising awareness for the need of a secure asset retirement program
• Information about your data – understanding what has been destroyed
• In summary, who are Sims Recycling Solutions
  – Why we are experts

Page 3: An Introduction to Asset Recovery


The Methods for Retrieving Data

With gratitude to Pete Warren, Investigative Journalist (ICT Industry)


Page 4: An Introduction to Asset Recovery

Examples of Data Leakage

• In 2005, 100 Hard Disk Drives bought on eBay for £5 each
  – 1 in 7 had valuable data on them, including:
  – Paul McCartney’s financial records
  – Pension plans, customer databases, financial information, payroll records, personnel details, login codes, and admin passwords for one of Europe’s largest financial services groups
• August 2008, computer bought on eBay for £35
  – Held personal data on a million customers from RBS, NatWest and American Express (accidentally sold by their data holding company)
• 2008 Mobile phones case study – Glamorgan University
  – 161 phones were randomly bought on eBay: 82 still worked, and of those:
  – 7% were deemed to hold enough info to allow for identity theft
  – 7% would have allowed corporate fraud to take place
  – Of the BlackBerrys bought: 27% carried company data and 16% carried personal data
  – One well-known Australian senior businessman’s phone revealed details of an illicit affair

Page 5: An Introduction to Asset Recovery

Examples of Data Leakage

• In 2009 a hard disk from eBay yielded secrets of Lockheed Martin’s THAAD Missile Defence System (“Star Wars”)
  – Names and phone numbers, templates for Lockheed, design documents, subcontractor documents, security policies and blueprints of facilities, as well as a Lockheed Test Launch Procedure PDF, employee personal info and social security numbers
• 2010: Warehouse in New Jersey – 4 photocopiers were randomly bought for $300 each
  – New York Police Sex Crimes Division: papers still left on the copier, but lists of offenders and victims were found on the hard drive
  – New York Narcotics Division: list of targets for a major drugs raid
  – 95 pages of names, pay stubs and social security numbers
  – 300 pages of individual health records
• 2010 study into 43 USB sticks bought on eBay
  – 2 (4%) were damaged and as a result unreadable
  – 2 (4%) had been effectively cleaned and contained no recoverable data
  – 20 (46% of the readable USB storage devices) had been deleted or formatted, but still contained recoverable data
  – 41 (95% of the readable USB storage devices) contained data that could be easily recovered
    • 8 (40%) contained sufficient information for the organisation that they had come from to be identified
    • 14 (70%) contained sufficient information for individuals to be identified

Page 6: An Introduction to Asset Recovery

Methods of retrieving data

• Recovery of data from equipment is incredibly sophisticated

• Recovery of data can be achieved from almost any device

• HDD from Shuttle Columbia’s black box
  – Found in a dried up lake bed alongside Shuttle debris 6 months after the catastrophe
  – Within 2 days Kroll Ontrack Inc. had recovered 99% of the data

Page 7: An Introduction to Asset Recovery

Pros and Cons of in-house solutions

• Pros
  – Data never leaves your location, so there is no risk of loss during transport to a processing facility
  – Data is destroyed by your own trusted staff
• Cons
  – Destruction systems can be expensive, and low volume processing will mean a long return on investment
  – If staff are not fully trained and focused on the task, they may miss items
  – Lack of space and/or resources to ensure segregation between data-destroyed and non-data-destroyed units
  – Data destruction can be a time consuming process
  – Your company will still have to deal with a third party to ensure appropriate treatment of “waste” data-destroyed units

Page 8: An Introduction to Asset Recovery

Pros and Cons of outsourced solutions

• Pros
  – No capital investment required
  – Experts at data destruction using best practices
    • May even operate to a better standard than the client’s
  – Third parties are able to handle multiple destruction methods and also advise on the best methods for particular items
  – There need not be any volume issues through a third party
  – Waste disposal compliant with regulations
  – If something goes wrong, you have a liable partner with appropriate insurance
• Cons
  – Data may be transported off your location (however, new on-site services are available; alternatively, ensure your supplier has secure logistics)
  – Data is handled/destroyed by non-employees
  – May require minimum destruction quantities greater than your needs
  – There are different types of contract available for electronic asset management; you might get tied into a bad one if inexperienced at asking the right questions
  – If hardware is not disposed of properly, you could be included in an environmental liability case (check the credentials of the company involved)

Page 9: An Introduction to Asset Recovery


Recognised methods for destroying data

Advantages and Disadvantages

Page 10: An Introduction to Asset Recovery

What knowledge exists on data destruction?

• What are the standards that exist within this area?
• What methods exist to achieve data destruction?

Page 11: An Introduction to Asset Recovery

Data Destruction - terminology

• Guidance on secure data destruction is detailed in:
  – HMG IA Standard No. 5, Secure Sanitisation of Protectively Marked or Sensitive Information, Issue 3.1, October 2009
  – Sets standards for data erasure on magnetic, semiconductor and optical media through overwriting and degaussing
• CESG (Communications Electronic Security Group)
  – National Technical Authority for Information Assurance
  – Concerned with data security through software deletion & degaussing
• Hardware destruction to achieve secure data destruction, to Government Standards, requires granulation to less than 6mm
• List X – Capability to transport, store & manage protectively marked data

Impact Level (IL)   IL Descriptor of Data   Secure Sanitisation Level (SSL)   High or low security
6                   Top Secret              SSL3                              High
5                   Secret                  SSL3                              High
4                   Confidential            SSL2                              High
3                   Restricted              SSL2                              Low
2                   Protect                 SSL1                              Low
1                   Protect                 SSL1                              Low

Page 12: An Introduction to Asset Recovery

Data Destruction – Software based

• Examples of bespoke software certified by CESG
  – Blancco, DESlock, IBAS Expert Eraser, Kroll Ontrack, UltraErase
• Capable of SSL1 – SSL3 depending on the software solution
• Systems tested and ratified by QinetiQ
• An appropriate system must use a trusted “boot” procedure to ensure malicious code cannot be executed
• Appropriate systems must give you a detailed report on:
  – The disk capacity to be overwritten
  – The number of user addressable areas that HAVE and HAVE NOT been overwritten
  – The number of bad or unusable sectors that CANNOT be overwritten
• An overwriting sequence consists of overwriting with a binary number (octet), followed by its complement, followed by a random sequence

Page 13: An Introduction to Asset Recovery

Data Destruction – Software based

The overwriting sequence can be repeated up to seven times depending on security requirements (to ensure full overwriting)
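To make the overwrite sequence and the reporting requirements on the previous slide concrete, the following is an added example (not code from the Sims presentation or from any of the products named on it). It simulates the octet / complement / random sequence, repeated for a chosen number of rounds, over an in-memory stand-in for a disk, reads each sector back after every pass, and produces a report of the kind the slides ask for: capacity, sectors that HAVE and HAVE NOT been overwritten, and bad sectors that CANNOT be overwritten. The `SimulatedDisk` class, the 512-byte sector size, the 0x55 pattern and the “SECRET” marker used for the residue check are all assumptions made for the demo; no real block device is touched.

```python
# Added example, not from the Sims presentation: a simulation of the overwrite
# sequence described on the slides (an octet, its complement, then a random
# pass, repeated per security requirement) over an in-memory "disk", plus the
# report the slides say an appropriate system must produce. Sector size, the
# 0x55 pattern and the SimulatedDisk class are assumptions for the demo; no
# real block device is touched.
import os
from dataclasses import dataclass, field

SECTOR_SIZE = 512    # assumption: 512-byte sectors
MARKER = b"SECRET"   # constructed "original data" marker used for the residue check


@dataclass
class SimulatedDisk:
    """In-memory stand-in for a block device. LBAs listed in `bad` refuse
    writes, mimicking unusable sectors a wiping tool cannot overwrite."""
    sectors: int
    bad: set = field(default_factory=set)
    data: list = field(init=False)

    def __post_init__(self):
        # constructed original contents: every sector starts with MARKER
        self.data = [MARKER + bytes([i % 256]) * (SECTOR_SIZE - len(MARKER))
                     for i in range(self.sectors)]

    def write(self, lba, buf):
        if lba in self.bad:
            raise OSError(f"I/O error writing LBA {lba}")
        self.data[lba] = bytes(buf)

    def read(self, lba):
        return self.data[lba]


def overwrite_pass(disk, pattern_for):
    """Write pattern_for(lba) to every sector, then read it back. A sector only
    counts as overwritten if the read-back matches. Returns (ok, failed) LBA sets."""
    ok, failed = set(), set()
    for lba in range(disk.sectors):
        buf = pattern_for(lba)
        try:
            disk.write(lba, buf)
        except OSError:
            failed.add(lba)
            continue
        (ok if disk.read(lba) == buf else failed).add(lba)
    return ok, failed


def constant_pattern(value):
    """Pattern function filling a whole sector with one octet value."""
    return lambda lba: bytes([value]) * SECTOR_SIZE


def random_pattern(lba):
    """Pattern function producing a fresh random sector (os.urandom)."""
    return os.urandom(SECTOR_SIZE)


def sanitise(disk, octet=0x55, rounds=1):
    """Run the slide's sequence (octet, complement, random) `rounds` times and
    return a report covering capacity, sectors that HAVE and HAVE NOT been
    overwritten, and bad sectors that CANNOT be overwritten."""
    sequence = [("octet", constant_pattern(octet)),
                ("complement", constant_pattern(octet ^ 0xFF)),
                ("random", random_pattern)]
    all_lbas = set(range(disk.sectors))
    fully_overwritten = set(all_lbas)   # shrinks whenever any pass fails on an LBA
    passes = []
    for r in range(1, rounds + 1):
        for name, fn in sequence:
            ok, failed = overwrite_pass(disk, fn)
            fully_overwritten -= failed
            passes.append((r, name, len(ok), len(failed)))

    not_overwritten = all_lbas - fully_overwritten
    # residue check (meaningful only in the simulation): is the original marker still there?
    residual = sorted(lba for lba in all_lbas if disk.read(lba).startswith(MARKER))
    return {
        "capacity_bytes": disk.sectors * SECTOR_SIZE,
        "passes_run": len(passes),
        "sectors_overwritten": len(fully_overwritten),
        "sectors_not_overwritten": len(not_overwritten),
        "bad_sectors": sorted(not_overwritten & disk.bad),
        "residual_original_data": residual,
        "complete": not not_overwritten and not residual,
        "passes": passes,
    }


if __name__ == "__main__":
    # constructed device: 64 sectors, two of them unwritable
    report = sanitise(SimulatedDisk(sectors=64, bad={7, 40}), octet=0x55, rounds=3)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The design point to take from this is that a sector is only counted as overwritten when the read-back matches what was written, and that a single unwritable sector makes the report “incomplete” rather than silently passing: in the demo the two bad sectors still hold their original contents after nine passes, which is exactly why the slides insist the report list the sectors that could NOT be overwritten and why physical destruction is recommended where that count is non-zero.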

• Advantages:
  – Equipment can be reused
  – Software asset register can be retrieved
  – Service can be tailored to needs (control costs)
  – Highly portable
• Disadvantages:
  – Report of destruction only (no visual confirmation)
  – Only suitable for certain devices
  – Relatively slow and labour intensive

[Figure: Original Data → Data Wipe (1st pass) → Data Wipe (2nd pass) → subsequent passes]

Page 14: An Introduction to Asset Recovery

Data Destruction – Hardware based, Degaussers

• Examples of Degaussers approved by CESG:
  – Verity (Verity Systems); Hard Disk Magnet Crusher (Future Technology Industry)
• Equipment that generates a magnetic field powerful enough to destroy magnetically stored information on hard drives or solid state memory devices
• Coercivity is the strength of the magnetic field required to reduce the material’s magnetisation to zero (measured in Oersteds, Oe); some equipment requires higher ratings than other equipment
• Standards
  – The CESG standard approves equipment for both the higher and lower levels of security
• Degaussers must be tested and retested for effectiveness:
  – Initially; whenever required by CESG; regular user testing

Page 15: An Introduction to Asset Recovery

Data Destruction – Hardware based, Degaussers

• Advantages
  – Potentially suitable for any type of electronic equipment
  – A medium speed for processing
  – Highly portable
  – Component materials can be recycled
• Disadvantages
  – No “visual” confirmation of successful destruction
  – No ability to “report” on success of destruction
  – Operator dependent
  – No reuse potential

Page 16: An Introduction to Asset Recovery

Data Destruction – Physical destruction

• Government Standards exist for:
  – Central Destruction Facility
    • Standard refers to an approved facility capable of certified destruction
    • Approved organisations must all be certified to ISO9000 quality systems
  – Destruction equipment
    • Standard refers to the equipment used for the certified destruction
    • HMG IA standard generally refers to the use of a granulator to reduce equipment to flakes of less than 6mm in size
  – Other appropriate methods of destruction include: fire; abrasion; explosives/thermite!!!
• With the right systems in place, these systems are capable of safely destroying up to IL6
• Often the “granulated” material is then sent to a recovery facility
  – Mixed with other high grade material
  – Processed into constituent materials via magnet systems, etc.

Page 17: An Introduction to Asset Recovery

Data Destruction – Physical destruction

• Advantages:
  – Fast processing
  – New services are transportable for “on-site” destruction
  – Component materials can be recycled
  – Visual confirmation of secure destruction
• Disadvantages
  – Not available for reuse
  – Fixed facility operators will require secure transport

Page 18: An Introduction to Asset Recovery


Understanding ICT Equipment

Data risk by equipment and how to destroy it

Page 19: An Introduction to Asset Recovery

What equipment is at risk?

• Open discussion – what equipment is at risk and what is the extent of that risk?

Page 20: An Introduction to Asset Recovery

Desktop, laptops, servers

• Information
  – Comprehensive company information
• Data Risk (100Gb upwards)
• Recommended Disposal
  – Software (allows reuse)
  – Physical Destruction (perceived as more secure)

Page 21: An Introduction to Asset Recovery

Printers, Scanners, Copiers, Faxes

• Data Risk – many contain:
  – Internal hard drive (around 4Gb – 20Gb)
  – Digital “flash” card (1Gb)
  – Data is retained until overwritten
• Information
  – Personnel Records, Passports, Reports
• Recommended Disposal
  – Software (allows reuse for high value equipment)
  – Physical Destruction for desktop units (low value)

Page 22: An Introduction to Asset Recovery

Data storage media

• Data Risk
  – Almost any company data is conceivable
  – 1Gb up to 100Gbs
• Recommended Disposal
  – No current (ratified) method of achieving software deletion
  – Physical Destruction

Page 23: An Introduction to Asset Recovery

Communications devices

• Data Risk includes:
  – 1Gb+ flash and hard drive memories
• Information
  – Personal data, bank accounts etc.
  – Contacts
  – Emailed documents
  – Satellite navigation data, addresses
• These devices are only just getting data deletion options
• Ratified methods for software erasure are only now being developed (Blancco)
• Recommended Disposal
  – Hardware destruction

Page 24: An Introduction to Asset Recovery

Network equipment – Routers and Switches

• Data Risk
  – Not company data, but they do contain network-specific data such as static IP addresses which expose networks to external risk of infiltration
• Recommended Disposal
  – Physical Destruction

Page 25: An Introduction to Asset Recovery

Point of sale, retail debit/credit terminals

• Data Risk
  – Some contain flash memory
• Information
  – May contain personal credit/debit information
• Recommended Disposal
  – Physical Destruction

Page 26: An Introduction to Asset Recovery

Specialist equipment

• Medical and military equipment, etc.
• Data Risk
  – Operation dependent
• Recommended Disposal
  – Physical Destruction

Page 27: An Introduction to Asset Recovery


Methods of Raising Awareness

How to kick start a secure asset recovery strategy

Page 28: An Introduction to Asset Recovery

Methods of raising awareness – open discussion

• Survey conducted at Information Security 2009
  – 37% of employees would give away company info in exchange for a bribe
• Of that 37%, the percentage breakdown of bribe was:
  – 63%... £1 million
  – 10%... Their mortgage paid off
  – 5%... For a holiday
  – 5%... For a new job
  – 4%... Paying off credit card debt
  – 2%... For a free slap-up meal!!!
• 68% of employees felt it would be easy to sneak data out of a company
• In this culture, what are the possible ways to raise awareness of the issues of data security?

Page 29: An Introduction to Asset Recovery


Information about your data

Understanding what has been destroyed

Page 30: An Introduction to Asset Recovery

Blancco Data Erasure Report – page 1

Page 31: An Introduction to Asset Recovery

Blancco Data Erasure Report – page 2

Page 32: An Introduction to Asset Recovery

WebView - Client billing report

• Asset Tag Data
• Recovery Details
• Unit re-use, recycle
• Unique Blancco reference number

Page 33: An Introduction to Asset Recovery

WebView - Deleted software register report

• Activity and Tracking ID
• Unit type
• Serial number of Unit
• Operating System/License
• Software product deleted

Page 34: An Introduction to Asset Recovery

Information about your assets and data

• What other information would you find useful to know about your redundant electronic assets?

Page 35: An Introduction to Asset Recovery

Sims Recycling Solutions, ICT Asset Management

In summary – Why we are experts

Page 36: An Introduction to Asset Recovery

Sims Recycling Solutions - Global

• Turnover as part of Sims Metal Management – circa €5 bn.
  – World’s largest metals recycler (public company ASX/NYSE)
  – In 2009, Carbon Footprint was 319,256 Tonnes, less than 3% of the total carbon saved by our activities – over 13.6 Million Tonnes
• The world’s largest electronics recovery and recycling company
  – 38 facilities world-wide
• Over 400,000 tonnes of Electronics recovered annually
  – The equivalent to over 25 Million Desktop Computers
  – Excludes non-hazardous Large Domestic Appliances (Metal Management)
• Over 1.7m individual assets recovered for reuse annually
• Over 15m individual Integrated Circuits recovered
• Innovest’s Global 100 most sustainable companies 2010 (released at the Davos Summit 2010)

Page 37: An Introduction to Asset Recovery

Standards and Licenses

• Management Systems in use, certified at all but 1 EU site:
  – ISO 9001:2000 – Quality standard
  – ISO 14001 – Environmental standard
  – OHSAS 18001 – H&S standard
• Asset Recovery operations have or are working towards:
  – ISO 27001 – Security management standard
• Permits for:
  – All sites are registered to be Authorised Treatment Facilities for WEEE
  – Belgium, registered as Producer Compliance Scheme
  – Hazardous Waste Regulations (approved handling and storage)
  – Electronic scrap and End of Life products
  – Waste Management and Waste Carrier licences
  – Relevant technical competence qualifications (e.g. WAMITAB CoTC, UK)
  – Microsoft Approved Refurbisher status (MAR)
• Data and Hardware destruction completed to:
  – HMG IA Standard No. 5 – Secure Sanitisation of Protectively Marked or Sensitive Information, Issue 3.1, October 2009
  – Where necessary, granulation of hardware can be achieved to less than 6mm in line with Government Standards

Page 38: An Introduction to Asset Recovery


Global Operations – Sims Recycling Solutions

38 Operations Globally

• Australia – 4 Operations
• EU – 14 Operations
• California – 3 Operations
• Asia – Representative offices
• Tennessee – 1 Operation
• Canada – 1 Operation
• Illinois – 2 Operations
• India – 3 Operations
• Singapore – 1 Operation
• Florida – 2 Operations
• South Carolina – 2 Operations
• Louisiana – 1 Operation
• Nevada – 1 Operation
• Arizona – 1 Operation
• New Zealand – 1 Operation
• South Africa – 1 Operation