I saw this post today and can't believe this myth is still out there. Here's the scoop, go ask an IT person "How many times do I have to wipe a drive to completely erase it?" You will hear many answers and the most popular will likely be 3 times, 7 times, it can never be erased. Let's clear it up. If you make one pass correctly your mission is accomplished. This is how magnetic media works, feel free to test it yourself with the forensic/data recovery tool of choice. How does wasting money come into play?
I was once part of a project testing multiple web proxy vendors. A work policy stated that hard drives could not be returned to vendors and all drives had to be degaussed then shredded. This was for non-classified material that would be tough to even call sensitive. One vendor was set to charge around 16k for the drives in their product. In order to avoid this charge I began asking if there was a waiver process, how it worked, and if the policy was in-house or from a more "legal" entity. Sure enough, there was a waiver process. I filled out the (un) necessary forms and also attempted to explain why this may not be required in the future in order to save my company and the vendor money. No amount of demonstration or discussion seemed to convince people that seven passes, degaussing, and shredding were the only way to maybe prevent our data from falling into the hands of the empire. This was a two-week process with regular chastisement received by me for even attempting to return a drive. At the culmination of the project I erased the drives manually using dd and then handed them to our other forensic examiner to ensure he could not retrieve data. The data was gone, the drives returned and we managed to save thousands of dollars. As I gave the final status report one of the managers stated "We probably could have saved $16,000 if we had just followed the policy." Feeling offended by that I retorted "If the policy is technically inaccurate or wrong, we should fix the policy because it makes us look stupid." Not my most humble moment.
As far as I know that company continues to destroy drives in the name of security that could be recycled, reused, or returned . This effort likely costs millions of dollars annually and provides landfills with many tiny shards of metal that will never break down. Policies are good things when they are accurate.
We definitely have a policy like the one you mention where I work. We didn't until some new government regulations came down from on high regarding patient data, and now we shred every drive, regardless of whether they are under warranty or not. Basically, if a hard drive fails, we buy a replacement instead of returning it for warranty credit. This policy was motivated by fear from our upper management because of the legal ramifications written into the new law if a hard drive is lost. Not only that, but we also apparently have a legal obligation to notify our local news media when a drive is lost or stolen that was not encrypted and has a potential for containing patient data. The last thing our upper management wants is our company's name in a newspaper story about how thousands of our patient's social security numbers were compromised.
ReplyDeleteFunny, that policy doesn't prevent drives from being lost or stolen. You should degauss/shred a drive you cannot wipe, if you can wipe you are just throwing bucks in the trash out of #FUD. I would love to see the "requirement" to notify the media, that's terrible yet believable.
ReplyDelete