Securing the data on your retired electronic

assets
Sims Metal Management Limited
ASX Code: SGM
NYSE Code: SMS

Information Governance, Risk and Compliance

20/05/2010
Agenda

• What are the methods for retrieving data?

• What are the recognised methods for destroying data, their
advantages and disadvantages
• Understanding ICT equipment, the potential data it holds and
how best to destroy it
• Methods of raising awareness for the need of a secure asset
retirement program
• Information about your data – understanding what has been
destroyed
• In summary who are Sims Recycling Solutions
– Why we are experts

2
The Methods of Retrieving Data

Sims Metal Management Limited

ASX Code: SGM
NYSE Code: SMS

With gratitude to Pete Warren, Investigative

Journalist (ICT Industry)

3
Examples of Data Leakage

• In 2005 100 Hard Disk Drives bought on eBay for £5 each

– 1 in 7 had valuable data on including
– Paul McCartney’s financial records
– Pension plans, customer databases, financial information, payroll records,
personnel details, login codes, and admin passwords for one of Europe’s largest
financial services groups
• August 2008, computer bought on eBay for £35
– Held personal data on a million customers from RBS, NatWest and American
Express (accidentally sold by their data holding company)
• 2008 Mobile phones case study – Glamorgan University
– 161 phones were randomly bought on eBay: 82 still worked and of that:
• 7% were deemed to hold enough information to allow for stolen identity
• 7% would have allowed corporate fraud to take place
• Of the Blackberry’s bought: 27% carried company data and 16% carried
personal data
• One well-known Australian Senior Businessman’s phone revealed details of
an illicit affair
Examples of Data Leakage

• In 2009 a Hard Disk from eBay yielded secrets of the Lockheed Martin’s
THAAD Missile Defence System (Star Wars)
– Names and phone numbers, templates for Lockheed, design documents, subcontractor
documents, security policies and blueprints of facilities, as well as a Lockheed Test
Launch Procedure PDF, employee personal info and social security numbers
• 2010: Warehouse in New Jersey - 4 photocopiers were randomly bought
$300 each
– New York Police Sex Crimes Division, papers still left on copier but lists of offenders and
victims were found on a hard drive
– New York Narcotics Division, list of targets for major drugs raid
– 95 pages of names, pay stubs and social security numbers
– 300 pages of individual health records
• 2010 study into 43 USB Sticks bought on eBay
– 2 (4%) were damaged and as a result, unreadable.
– 2 (4%) had been effectively cleaned and contained no recoverable data
– 20 (46% of the readable USB Storage devices) had been deleted or formatted, but still
contained recoverable data.
– 41 (95% of the readable USB Storage devices) contained data that could be easily
recovered,
• 8 (40%) contained sufficient information for the organisation that they had come
from to be identified.
• 14 (70%) contained sufficient information for individuals to be identified.
Methods of retrieving data

• Recovery of data from equipment is incredibly

sophisticated
• Recovery of data can be achieved from almost any
device
• HDD from Shuttle Columbia’s black box
– Found in dried up lake bed alongside Shuttle debris 6 months
after the catastrophe
– Within 2 days Kroll Ontrack Inc. had recovered 99% of data
Pros and Cons of in-house solutions

• Pros
– Data never leaves your location, so there is no risk of loss during transport to
a processing facility
– Data is destroyed by your own trusted staff
• Cons
– Destruction systems can be expensive and low volume processing will mean
a long return on investment
– If staff are not fully trained and focused on task, they may miss items
– Lack of space and/or resources to ensure segregation between data
destroyed and non-data destroyed units
– Data destruction can be a time consuming process
– Your company will still have to deal with a third party to ensure appropriate
treatment of “waste” data destroyed units
Pros and Cons of outsourced solutions

• Pros
– No capital investment required
– Experts at data destruction using best practices
• May even operate to better standard than client’s
– Third parties are able to handle multiple destruction methods and also advise on
the best methods for particular items
– There does not need to be any volume issues through a third party
– Waste disposal compliant with regulations
– If something goes wrong, you have a liable partner with appropriate insurance
• Cons
– Data may be transported from your location (however new on-site services
available or alternatively ensure your supplier has secure logistics)
– Data is handled/destroyed by non-employees
– May require minimum destruction quantities greater than your needs
– There are different types of contract available for electronic asset management,
you might get tied into a bad one, if inexperienced at asking right questions
– If hardware is not disposed of properly, you could be included in a environmental
liability case (check the credentials of the company involved)
Recognised methods for destroying data

Sims Metal Management Limited

ASX Code: SGM
NYSE Code: SMS

Advantages and Disadvantages

What knowledge exists on data destruction?

• What are the standards that exist within this area?

• What methods exist to achieve data destruction?
Data Destruction - terminology

• Guidance on secure data destruction is detailed in:

– HMG IA Standard No. 5, Secure Sanitisation of Protectively Marked or Sensitive
Information, Issue 3.1, October 2009
– Set standards for data erasure on magnetic, semiconductor and optical media
through overwriting and degaussing
• CESG (Communications Electronic Security Group)
– National Technical Authority for Information Assurance
– Concerned with data security through software deletion & degaussing
• Hardware destruction to achieve secure data destruction, to
Government Standards, requires granulation to less than 6mm

Impact IL Descriptor of Secure Sanitation High or low security

Level (IL) Data Level (SSL)
6 Top Secret SSL3 High
5 Secret SSL3 High
4 Confidential SSL2 High
3 Restricted SSL2 Low
2 Protect SSL1 Low
1 Protect SSL1 Low
Data Destruction – Software based

• Examples of bespoke software certified by CESG

– Blancco, DESlock, IBAS Expert Eraser, Kroll Ontrack, UltraErase
• Capable of SSL1 – SSL3 depending on the software solution
• Systems tested and ratified by QinetiQ
• An appropriate system must use a trusted “boot” procedure to
ensure malicious code cannot be executed
• Appropriate systems must give you a detailed report on:
– The disk capacity to be overwritten
– The number user addressable areas that HAVE and HAVE NOT been
overwritten
– The number of bad or unusable sectors that CANNOT be overwritten
• An overwriting sequence consists of overwrites a binary number
(Octet), followed by its complement, followed by a random
sequence
Data Destruction – Software based

The overwriting sequence can be repeated up to seven times

depending on security requirements (to ensure full overwriting)
Original Data

Data Wipe (1st pass)...

Data Wipe (2nd pass)...

... Subsequent passes.

• Advantages: • Disadvantages:
– Equipment can be reused – Report of destruction only (no
– Software asset register can be visual confirmation)
retrieved
– Service can be tailored to needs – Only suitable for certain devices
(control costs) – Relatively slow and labour
– Highly portable intensive
Data Destruction – Hardware based, Degaussers

• Examples of Degaussers approved by CESG:

– Verity (Verity Systems); Hard Disk Magnet Crusher (Future Technology
Industry);
• Equipment that generates a magnetic field powerful enough to
destroy magnetically stored information on hard drives or solid
state memory devices
• Coercivity – is the power of the magnetic field required to reduce
the materials magnetisation to zero, some equipment requires
higher ratings than other equipment (measured in Oersteds, Oe)
• Standards
– The CESG standard approves equipment for both the higher and lower levels
of security
• Degaussers must be tested and retested for effectiveness:
– Initially; whenever required by CESG; regular user testing
Data Destruction – Hardware based, Degaussers
• Advantages
– Potentially suitable for any
type of electronic equipment
– A medium speed for
processing
– Highly portable
– Component materials can
be recycled
• Disadvantages
– No “visual” confirmation of
successful destruction
– No ability to “report” on
success of destruction
– Operator dependant
– No reuse potential
Data Destruction – Physical destruction

• Government Standards exist for

– Central Destruction Facility
• Standard refers to an approved facility capable of certified destruction
• Approved organisations must all be certified to ISO 9000 quality systems
– Destruction equipment
• Standard refers to the equipment used for the certified destruction
• HMG IA standard generally refers to the use of a granulator to
reduce equipment to flakes of less than 6mm in size
– Other appropriate methods of destruction include: fire; abrasion;
explosives/thermite!!!
• With right systems in place, these systems are capable of safely
destroying up to IL6
• Often the “granulated” material is then sent to a recovery facility
– Mixed with other high grade material
– Processed into constituent materials via magnet systems, etc.
Data Destruction – Physical destruction

• Advantages: • Disadvantages
– Fast processing – Not available for reuse
– New services are – Fixed facility operators will
transportable for “on-site” require secure transport
destruction
– Component materials can
be recycled
– Visual confirmation of
secure destruction
Understanding ICT Equipment

Sims Metal Management Limited

ASX Code: SGM
NYSE Code: SMS

Data risk by equipment and how to destroy it

What equipment is at risk?

• What equipment is at risk and what is the extent of that risk?

Desktop, laptops, servers

• Information
– Comprehensive company
information
• Data Risk (100Gb
upwards)
• Recommended Disposal
– Software (allows reuse)
– Physical Destruction
(perceived as more secure)
Printers, Scanners, Copiers, Faxes

• Data Risk many contain:

– Internal hard drive (around 4Gb –
20Gb)
– Digital “flash” card (1Gb)
– Data is retained until overwritten
• Information
– Personnel Records, Passports,
Reports
• Recommended Disposal
– Software (allows reuse for high
value equipment)
– Physical Destruction for desk top
units (low value)
Data storage media

• Data Risk
– Almost any company data is
conceivable
– 1Gb up to 100Gbs
• Recommended Disposal
– No current (ratified) method
of achieving software
deletion
– Physical Destruction
Communications devices

• Data Risk includes:

– 1Gb+ flash and hard drive memories
• Information
– Personal data, bank accounts etc.
– Contacts
– Emailed documents
– Satellite navigation data addresses
• These devices are only just getting data deletion
options
• Ratified methods for software erasure only now
being developed (Blancco)
• Recommended Disposal
– Hardware destruction
Network equipment – Routers and Switches

• Data Risk
– Not company data but do contain
network‐specific data such as static IP
addresses which expose networks to external
risk of infiltration
• Recommended Disposal
– Physical Destruction
Point of sale, retail debit/credit terminals

• Data Risk
– Some contain flash memory
• Information
– May contain personal
credit/debit information
• Recommended Disposal
– Physical Destruction
Specialist equipment

• Medical and military

equipment, etc
• Data Risk
– Operation dependant
• Recommended
Disposal
– Physical Destruction
Methods of Raising Awareness

Sims Metal Management Limited

ASX Code: SGM
NYSE Code: SMS

How to kick start a secure asset recovery strategy

Methods of raising awareness – open discussion

• Survey conducted at Information Security 2009

– 37% of employees would give away company info in exchange for a bribe
• Of that 37% the percentage breakdown of bribe was:
– 63%... £1 million
– 10%... Their mortgage paid off
– 5%... For a holiday
– 5%... For a new job
– 4%... Paying off Credit Card debt
– 2%... For a free slap up meal!!!
• 68% of employees felt it would be easy to sneak data out of a
company
• In this culture, what are the possible ways to raise awareness for
the issues of data security?
Information about your data

Sims Metal Management Limited

ASX Code: SGM
NYSE Code: SMS

Understanding what has been destroyed

Blancco Data Erasure Report – page 1
Blancco Data Erasure Report – page 2
WebView - Client billing report

• Asset Tag Data • Unit re-use, recycle

• Recovery Details • Unique Blancco reference
number
WebView - Deleted software register report

• Activity and Tracking ID • Operating System/License

• Unit type • Software product deleted
• Serial number of Unit
Information about your assets and data

• What other information would you find useful to know about your
redundant electronic assets?
Sims Recycling Solutions
ICT Asset Management
Sims Metal Management Limited
ASX Code: SGM
NYSE Code: SMS

In summary – Why we are experts

Sims Recycling Solutions - Global

• Turnover as part of Sims Metal Management - circa €5 bn.

– World’s largest metals recycler (public company ASX/NYSE)
– In 2009, Carbon Footprint was 319,256 Tonnes. Less than 3% of the total
carbon saved by our activities – over 13.6 Million Tonnes
• The world’s largest electronics recovery and recycling company
– 38 facilities world-wide
• Over 400,000 tonnes of Electronics recovered annually
– The equivalent to over 25 Million Desktop Computers
– Excludes non-hazardous Large Domestic Appliances (Metal Management)
• Over 1.7m individual assets recovered for reuse annually
• Over 15m individual Integrated Circuits recovered
• Innovest’s Global 100 most sustainable companies 2010
(released at the Davos Summit 2010)
Standards and Licenses

• Management Systems in use, certified at all but 1 EU site:

– ISO 9001:2000 - Quality standard
– ISO 14001 - Environmental standard
– OHSAS 18001 - H&S standard
• Asset Recovery operations have or are working towards
– ISO 27001 - Security management standard
• Permits for:
– All sites are registered to be Authorised Treatment Facilities for WEEE
– Belgium, registered as Producer Compliance Scheme
– Hazardous Waste Regulations (approved handling and storage)
– Electronic scrap and End of Life products
– Waste Management and Waste Carrier licences
– Relevant technical competence qualifications (e.g. WAMITAB CoTC, UK)
– Approved Microsoft Approved Refurbisher status (MAR)
• Data and Hardware destruction completed to:
– HMG IA Standard No. 5 - Secure Sanitisation of Protectively Marked or
Sensitive Information, Issue 3.1, October 2009
– Where necessary granulation of hardware can be achieved to less than 6mm in
line with Government Standards
 Global Operations – Sims Recycling Solutions

Canada EU
Illinois
1 Operation 12 Operations
2 Operations
Asia
Representative
offices
California
3 Operations
Singapore
1 Operation
Arizona
1 Operation

Australia
Nevada 4 Operations
1 Operation

South
Carolina
2 Operations
Florida South Africa India New Zealand
Tennessee 2 Operations 1 Operation 3 Operations 1 Operation
1 Operation

35 Operations Globally
38