Storage

10 tips for secure computer disposal

If you're in charge of IT resources at an organization with more than a handful of users, you might need this advice for secure equipment disposal.

If you're in charge of IT resources at an organization with more than a handful of users, you might need this advice for secure equipment disposal.


Even in the best of times, computers get rotated out of use and we have to figure out how we should dispose of them. In a recession economy, people get laid off, systems running software with high licensing costs get decommissioned, and system breakdowns may lead to consolidation of functionality rather than repairs, perhaps increasing the rate at which we dispose of computer equipment. This can expose us to security threats if we aren't careful about how we do it. Take the following list of 10 tips for secure equipment disposal to heart.

Note: This article originally appeared as an entry in our IT Security blog and is available as a PDF download.

1: Eliminate access

Ensure that you eliminate any accounts or other access control facilities that are associated with the decommissioned equipment. You don't want an ex-employee still getting into his old workstation after he's not supposed to have access to it any longer, and you don't want lingering network access accounts used to remotely connect to the computer providing more "target surface" for security crackers when you don't need the account at all any longer. You should generally do this first.

2: Delete files securely

Don't assume that taking hard drives to the landfill is secure. If there's sensitive data on your drives, you need to get rid of it before taking it away. Even if you don't think there is any sensitive data on the drive, consider whether you're willing to bet the business on that -- and if not, do more than just chuck the drive in the trash. Even reformatting or repartitioning a drive to "erase" the data it stores isn't good enough these days (if it ever was). Tools such as the shred utility can help you delete files more securely. Encrypting the data on the drive before doing any deletion can help make data even more difficult to recover later.

3: Destroy storage devices

In the most extreme cases, storage devices may need to be physically destroyed to ensure that sensitive data isn't leaked to whoever gets the drives next, even within your own organization. In such cases, you probably shouldn't destroy them yourself. There are experts who can do this for you, and they're probably a lot better at safely and effectively rendering any data on your drives unrecoverable than you would be. If your needs are so stringent that you can't trust this to an outside agency that specializes in secure destruction of storage devices, you should have a specialized team within your organization that has the same equipment and skills as an outside contractor.

4: Use checklists

Keep a checklist for the decommissioning process to make sure you don't forget a step at any point. This can be especially important when dealing with many, many computers at once, such as when an entire department is shut down -- but it's important the rest of the time, too. Don't rely on the checklist to do your thinking for you, though. Consider every detail of the system in question, its uses, and any potential dangers for security that come to mind. Add new measures to the checklist when you come up with a threat you have to deal with that may be relevant again at a later date; not everything on the checklist has to apply in every case for it to be a valuable addition.

5: Clearly identify decommissioned systems

Make sure you have clear, physical indicators of whether a system has been fully decommissioned in a secure manner, and that they don't consist of something easily misplaced or overlooked like a sticky note. It's best if computers that haven't been fully decommissioned are kept in a specific location, while decommissioned equipment goes somewhere else, so that habits you develop will help you avoid making mistakes. For instance, perhaps workstations should be kept on desks and servers in racks until they're cleared (and they should probably stay there until they've had their drive contents shredded, at least, because they're already set up with power and whatever interface is normal for that system). Doing so can lend a sense of urgency to the need to securely decommission the equipment, too, because you'll feel the pressure of wanting to clear the space for other uses.

6: Keep careful records

Whoever is responsible for decommissioning a machine should sign off on the completion of the process, if more than one person might be assigned such a responsibility. This way, if something goes wrong, you know who to talk to when it comes time to find out what happened and how bad the mistake really is. Log the time and date of completion, too. Just keep meticulous records in general, including the specifics of equipment components that have been processed, where they're going from here, and (when appropriate) their depreciated value and replacement cost.

7: Don't put off the task

Don't store equipment in need of secure decommissioning. Make it a priority to get it done, so the equipment doesn't end up being neglected for weeks, months, or years -- until someone gets an opportunity to compromise your security by making use of sensitive data stored on it. Don't leave it running unnecessarily, either. You don't want yet another system running on your network, waiting to get compromised by a security cracker or malware, when you don't actually have any use for the system.

8: Clear configuration settings on networking equipment

Managed switches, authenticating serial console servers, and other "smart" network infrastructure devices can provide clues to a clever security cracker on how best to break into your network and the systems that reside on it.

9: Control access to the equipment

Establish clear guidelines for who should have access to any equipment in need of secure disposal. Track a "chain of custody" to help ensure that nobody who shouldn't have access to it before disposal gets his or her hands on it.

10: Track equipment contents

Track the physical contents of every computer and piece of network infrastructure equipment in your organization so you won't make the mistake of overlooking a storage device. Remember that even volatile RAM can serve as a "storage device" for sensitive data under limited conditions. Ultimately, you should just adopt an attitude of practical paranoia about sensitive data storage and act accordingly.

Persistent security

Don't fall into the trap of meticulously securing your running systems, then getting compromised or having sensitive data recovered because you didn't put any thought into securing the systems slated for disposal. The need for good security practice doesn't go away when you turn off the computer.


Finally: 10 Things... the newsletter!

Get the key facts on a wide range of technologies, techniques, strategies, and skills with the help of the concise need-to-know lists featured in TechRepublic's 10 Things newsletter, delivered every Friday. Automatically sign up today.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

24 comments
UKITR
UKITR

Make sure to use a reputable IT recycling company, it's worth spending a bit of extra foot-work or money and finding one who can securely AND ethically dispose of your equipment. Even with the strict WEEE legislation in the UK, many companies are falling victim to man-in-a-van outfits. Do your research and make sure your old equipment and data is disposed of correctly. http://www.uk-computer-recycling.co.uk

gyni
gyni

i m participated in poster presentation and my topic is green computing . so ur tips are helpful in my work... thax...

ewasteuk
ewasteuk

Find out more about the disposal of computers in a secure and environmentally friendly way - Remploy are experts in recycling computer equipment

NORSE55
NORSE55

1 refer to the NIST 8088 - encrption of hard drive is not safe and is easily cracked. 2. There is a difference between Purging a drive and clearing a hard drive According to the NIST. The only proper way for a hard drive to be PURGED is to initiate The Secure Erase Command that is installed into the hard drive firmware and is activated by special equipment. Secure erase will erase the hard drive beyond forensic recovery. Developed for the National Security Agency by Gordon B Hughes of the University of California .Most ATA hard drives since 2001 have this firmware and some SCSI units. Also it apparently the software cannot erase hard drives beyond Forensic recovery. Software cannot erase info on the bad sectors of the hard drive. Robo

Eric Hall
Eric Hall

Excellent article. However, the most effective and cheapest method for hard drive disposal involves no file "shredding" or outside contractor. No technolgical advancements have yet to trump the handy sledge hammer and chisel.

vickaprili
vickaprili

The asset register is a great idea provided it is kept up to date. ie New hardware needs to be added or removed to the list and repositioning of workstations requires the list to be updated as well. "In a timely fashion"

reisen55
reisen55

There is a lovely dumpster in Orange County, NY that I regularly visit on Sundays and often find a few little gems thrown out among all the tons of printer parts, and often computers that startup live - I use them for parts and toss the rest. Then I regularly visit another dumpster in Ramsey, NJ where I often find genuine good stuff, such as a Dell Server, once a flat panel display, computers sometimes and other trivia. Many firms do not properly conduct equipment disposal and the most secure way is to contact any reputable disposal firm - see PROCESSOR.COM for names and have your old equipment carried out in a professional manner. But I am not going to make too big of an issue on that. Another good way to dispose of current IT equipment is to outsource your IT staff and give them 30 days notice before shipping jobs off to Bangalore. You would be amazed how many laptops magically go offsite for intense testing by the departing technicians.

apotheon
apotheon

Do you have a secure disposal policy in place? Have you ever been bitten by unsecured data left on equipment you decommissioned when it fell into someone else's hands?

apotheon
apotheon

Another good way to dispose of current IT equipment is to outsource your IT staff and give them 30 days notice before shipping jobs off to Bangalore. You would be amazed how many laptops magically go offsite for intense testing by the departing technicians. I wouldn't exactly call that "secure" disposal. You seem to have a very interesting definition of the word "good" in that statement.

Slayer_
Slayer_

Drop it into a water barrel while its running, dry it off, then throw it into a fire. Data is irreparable now. Bon fires are awesome :)

tech4me
tech4me

Asset every device that stores data. PDA's, mobiles, laptops, desktops, etc. Every asset must have an assigned owner. That owner has an assigned manager. Charge yearly fee for any managed asset until it is handed to IT. The owner is primary person responsible for the device. The manager is the secondary owner of the device. If any device goes missing they still pay for it and if it's intentionally not reported, fire the person responsible or drop their pay, etc. If the primary person goes and the manager does not follow up by informing IT and checking all devices are still with the company, fire or demote them instead, etc. Likewise with data disposal, every asset should have a field in its CMDB with the last known location (e.g DISPOSED) and IT Technician who disposed it. Anything goes wrong you know who disposed of it. CMDB is updated by someone else other then the IT techs doing the data wipes, who then send off forms or emails or something to say "yes I wiped it securely I'm sure and I bothered to check there wasn't a 2nd HDD in the PC", etc. When the items go off for disposal (or auction) they should still have their serial numbers (probably no company identifiable markings though) so you should still be able to look them up in your CMDB even if they turn up in a police investigation a year later. Following the above, the users will make sure that assets are passed on to IT for secure disposal because they're jobs are on the line and they'll also continue paying for it until it's returned to IT. It's taking years but my place of employment is slowly changing their processes to follow similar path. Suddenly all the managers are going around asking their staff where their PDA's and laptops are and getting pissed when they get blank stares. I love it. No-one cares about data security except IT but mix it with money and suddenly all the managers are listening.

JIM
JIM

I use a company in Massachusetts called CDS. They arrive at my loading dock and totally shred the hard drives in about 3 seconds. The total process is recorded and they provide a certificate of destruction. Also I have them shred our dlt tapes and all our cellphones. www.corpdestructsolutions.com

shasca
shasca

All we really do with PC/Laptops is run Wipedrive 3.0 with the D.O.D. three time option. Then off to the recycler.

StealthWiFi
StealthWiFi

When leaving offices, Thermite the building Very Effective! (Just Kidding)

reisen55
reisen55

I would not call this a good way to do it, but it was certainly a period of extreme anger. Organizations would do well not to anger their IT professionals too much. The outsourcing experience = being sold down the river and when one realizes that, despite your best work - and I was closing 1,200 tickets per year - that the firm doesn't give a tinker's damn about you ... well, take your choice.

Michael Jay
Michael Jay

I really like the option of using the AK47 in full auto mode to remove any remaining data. Has the added effect of reducing excess stress as well, after turning a drive into so much wasted metal you kinda feel good about everything.

Michael Kassner
Michael Kassner

We physically destroy the HDDs before letting them out of our control. That means hammer and drill types of things.

Neon Samurai
Neon Samurai

.. in the case of the SMM ecploit. The virus *IS* in the cpu.

santeewelding
santeewelding

BALTHOR would disagree. He has me thinking the solder is imbued with intelligence.

apotheon
apotheon

The data's stored on the platters, not the circuit boards.

jasonemmg
jasonemmg

When you need something important done correctly...DO IT YOURSELF !!! I've used screw drivers, drills and the good old hammer to destroy HDD's. Crack the case open and smash the circuit boards,etc... Then dispose of pieces on separate days to avoid a jigsaw puzzle rebuild!

pgit
pgit

We take drives apart and use the platters and spacers to make mobiles, the dangling, artsy-craftsy things. They're pretty cool. Neat thing is how we build/hang them. We take the magnets out of the drive, run them over the surface of the platters (inside a piece of cloth to avoid scratches) then build the mobile on the frame of an old 6-8 inch speaker. The speaker has a magnet, of course, and the magnets from the hard drive almost always have a couple holes in the metal they're attached to. You nail or screw the hard drive magnet into the ceiling or wherever you want to hang the mobile, then just plunk the speaker magnet end up onto the HD magnet... Only thing to be careful about is some if not all these magnets are ceramic and can crumble apart if you hit them too hard. But with the strength of these speaker and hard drive magnets (and being careful) I've yet to hear of one of these falling down, even with repeated attacks from curious cats. I'm looking at one right now, (mobile, not cat) very nice how light is randomly reflected around, like sitting beside a swimming pool. The one I have at home is a never ending source of entertainment for the cats, when they get in the mood they attack the reflections. The way the platters spin and twist randomly, the reflections will often move to a point, come to a rapid halt and reverse course, drives 'em nuts. Now I hope someone doesn't tell me data can still be retrieved off these platters exposed to a strong magnetic field, fat human fingers, a good buffing and then the dust-laden air... BTW the top flange (screw plate) makes a great key ring. IBM drives below 100 GB often have the best, actually machined, not stamped. PS we usually rip the cone, spider and any wiring off the speaker, gives you more attach points.

santeewelding
santeewelding

With a 1/8" kerf does wonders when drives are brought to me now and again.

Editor's Picks