Edition 96
IT Asset Disposition – The Achilles Heel of Cybersecurity
by Angie Ransom, Retail Division, and David Brent, Vice President, Marketing and Business Development, ERI Direct


Achilles — the greatest warrior in Homer’s Iliad; undefeatable but for a singular vulnerability. An overlooked, unexpected weakness.

In the world of cybersecurity, there is a great deal of attention focused on hot topics such as blockchain, machine learning and AI, improved penetration testing, application vulnerability testing, and more. Certainly, all of these are critically important issues in the cyber war.

However, as the offensive and defensive weapons in the fight against those with malicious intent improve, it becomes more attractive, and ultimately more productive, for an adversary to strike at another vulnerability that receives far less attention: end-of-life data-bearing assets.

In response to this threat, major laws and regulatory standards now require documented, compliant policies and procedures for protecting sensitive data through the end of an asset's life.

With the spread of smart technology and larger on-board non-volatile memory (NVRAM), data security requirements now extend to a growing number of device types, and legacy devices stockpiled by many organizations are subject to the same requirements. Warehouse scanners, POS devices, printers, cameras, smartcards, network devices, and copying machines may all be data-bearing devices.

For many organizations, legacy storage media such as CDs and backup data tapes still sit in warehouses, storage rooms, and closets. There is no "statute of limitations" on old data when it comes to a data breach. Items such as televisions and monitors generally do not have NVRAM, but even screen burn-in can be a concern for organizations with the highest security requirements.

Even with a robust asset disposition policy, things can go horribly wrong. At some point in the disposition process, assets will inevitably pass through third-party service providers: first the provider whose core competency is data sanitization, and then its downstream vendors for e-recycling.

The PBS report (“Ghana: Digital Dumping Ground”) from 2009 highlighted the risk of failing to perform due diligence on service providers. A correspondent and several graduate journalism students from the University of British Columbia traveled to Ghana to document the mountains of e-waste shipped there from developed nations, including the United States.

In addition to the e-waste dumping grounds, salvaged hard drives were being sold in open air markets. The locals acknowledged that cybercriminal syndicates would purchase them to retrieve any personal data they could find. A student purchased some of the hard drives for the equivalent of $35.

As it turns out, one of the drives originated from one of the largest U.S. government contractors. It contained sensitive contract data from the Defense Intelligence Agency, NASA, the Pentagon, and Homeland Security, including confidential TSA hiring procedures. No cyber-attack. No network breach. No warning. $35 in an open-air market in Africa was all it took to obtain sensitive government data.

The export of e-waste to developing countries persists. The fundamental issue is that it costs significantly less to ship electronic assets to developing countries than to process them securely and responsibly. Container ships from Asia to U.S. ports typically return empty, so transporting e-scrap to Asia is extremely cheap. From there it is disseminated to other countries, including Pakistan and Ghana. No comprehensive U.S. law currently precludes the shipment of e-scrap to developing countries. The Basel Convention, an international treaty, restricts the flow of e-waste to developing countries, but the U.S. has not ratified it. Regardless of legislation, the damage to an organization's brand and reputation from consumer backlash can be severe.

A 2018 study conducted by ERI identified 134 supplier sites of ITAD, e-recycling, or both that have been fined, de-certified, suspended, or shipped e-scrap to developing nations. Unfortunately, the number of such service provider incidents continues to increase.

Spotlight on the Lowly Printer
The following scenario is all too common.

One vendor describes itself as a “company with global presence in the electronics recycling industry. Our facility is certified with R2 and ISO certification.” Additionally, their environmental policy statement is: “With our zero-landfill policy, [Vendor] guarantees no single piece of electronic device will end up in a landfill anywhere in the world and thus, reducing the liability of our clients and the damage done to the environment.”

Further, their website also claims certification by the EPA and CalRecycle. However, the EPA does not certify e-recyclers, and the vendor's status with CalRecycle is inactive. Nor are they R2 certified, which is one of the two recognized responsible-recycling certifications (the other being e-Stewards).

The important takeaway is that any supplier that is a key partner in your asset disposition strategy must be carefully selected and audited to ensure it is doing what it committed to do. The story of one printer emphasizes the point.

The Basel Action Network (www.ban.org) is a non-profit watchdog organization that raises awareness of where e-waste eventually ends up, publishing results from GPS trackers placed in devices such as printers. One printer from the referenced vendor was tracked by BAN as follows:

• July 6, 2017: Houston, Texas
• July 21, 2017: Carson, California
• August 24, 2017: Port of Hong Kong
• August 28, 2017: Hong Kong, New Territories
• November 13, 2017: Port of Karachi
• November 22, 2017: Lahore, Pakistan

This single case is one of many examples reported by BAN. No matter how it happened, or who was responsible, the printer ended up in Pakistan. The bottom-line question: is it an acceptable risk for your organization's potentially sensitive data, or the personally identifiable information of your customers, to end up in Pakistan?

Printers are found in nearly every organization. A printer's volatile memory clears when it is powered down; its NVRAM does not, and on many models it retains sensitive data including embedded web server passwords, POP3/SMTP account settings, recently printed documents, and related data.

Scripts written in PostScript and in PJL (Printer Job Language, a job-control language supported by most laser printers) that dump a printer's NVRAM are freely available on the Internet from both research and black-hat sources. All that is required is a USB cable to the printer, or a network connection to its raw print port. Accordingly, the NVRAM must either be cleared, or the device destroyed in a responsible manner, to safeguard the data.
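As an added example (not code from the article, from ERI or from BAN), the following Python helpers show what such a PJL "dump" actually exchanges with the printer, and how a disposition team can run the same queries to verify that a device's NVRAM was really cleared before it leaves the building. The UEL escape, the `@PJL INFO VARIABLES` reply layout and the form-feed terminator are standard PJL; `@PJL RNVRAM ADDRESS=n` is an HP-specific, undocumented byte read whose reply format (`ADDRESS=n DATA=byte`) is assumed here; the sample replies, hostnames and credentials are constructed, and the keyword list for flagging settings is our own choice.

```python
"""PJL helpers for checking what a surplus printer's NVRAM still holds.

Added example, not the article's or ERI's code. Standard PJL: a job is wrapped
in the Universal Exit Language escape ESC%-12345X; "@PJL INFO VARIABLES" lists
settings as NAME=value [count TYPE] followed by indented legal values; each INFO
reply ends with a form feed (0x0C). "@PJL RNVRAM ADDRESS=n" is HP-specific and
undocumented; its reply format "ADDRESS=n DATA=byte" is an assumption here.
All sample replies are constructed; only send_pjl() touches a real device.
"""
import re
import socket
from typing import Dict, List, Sequence

UEL = b"\x1b%-12345X"  # Universal Exit Language: puts the printer into PJL mode
FORM_FEED = b"\x0c"    # terminates every INFO reply

# Setting names whose presence means sanitisation was skipped (our own list).
SENSITIVE_KEYWORDS = ("PASSWORD", "PASSWD", "SMTP", "POP3", "LDAP", "SNMP", "USERNAME")


def build_pjl_job(commands: Sequence[str]) -> bytes:
    """UEL, then '@PJL', one CRLF-terminated command per line, then UEL."""
    body = b"".join(f"@PJL {c}\r\n".encode("ascii") for c in commands)
    return UEL + b"@PJL\r\n" + body + UEL


def split_replies(raw: bytes) -> List[str]:
    """Split the printer's output on form feeds; return non-empty replies as text."""
    return [part.decode("ascii", "replace").strip("\r\n")
            for part in raw.split(FORM_FEED) if part.strip()]


# NAME=value, optionally followed by '[count TYPE]'; names may hold spaces/colons.
_VAR_LINE = re.compile(r"^([^\t=]+?)=(.*?)\s*(?:\[(\d+)\s+(\w+)\])?\s*$")


def parse_variables(reply: str) -> Dict[str, str]:
    """Map an '@PJL INFO VARIABLES' reply to {name: current value}.
    Indented lines are the legal-value list and are skipped."""
    variables: Dict[str, str] = {}
    for line in reply.splitlines():
        if not line.strip() or line[0] in " \t" or line.startswith("@PJL"):
            continue
        match = _VAR_LINE.match(line)
        if match:
            variables[match.group(1).strip()] = match.group(2).strip()
    return variables


def flag_sensitive(variables: Dict[str, str]) -> Dict[str, str]:
    """Non-empty settings that should have been cleared before disposition."""
    return {name: value for name, value in variables.items()
            if value and value != '""'
            and any(word in name.upper() for word in SENSITIVE_KEYWORDS)}


def build_nvram_dump_job(start: int, length: int) -> bytes:
    """One RNVRAM read per address, which is how public dump scripts loop."""
    return build_pjl_job([f"RNVRAM ADDRESS={a}" for a in range(start, start + length)])


_NVRAM_LINE = re.compile(r"RNVRAM\s+ADDRESS\s*=\s*(\d+)\s+DATA\s*=\s*(\d+)")


def parse_nvram_dump(raw: bytes) -> bytes:
    """Reassemble byte-per-reply RNVRAM answers into one buffer ordered by
    address; addresses that never answered are filled with 0xFF (erased)."""
    found = {int(a): int(d) & 0xFF
             for a, d in _NVRAM_LINE.findall(raw.decode("ascii", "replace"))}
    if not found:
        return b""
    return bytes(found.get(a, 0xFF) for a in range(min(found), max(found) + 1))


def printable_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """'strings'-style extraction; hostnames and passwords surface here."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def send_pjl(host: str, job: bytes, port: int = 9100, timeout: float = 5.0) -> bytes:
    """Raw-port (JetDirect) transport. For the USB path in the article, write
    the job to the printer-class device node instead. Authorised devices only."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(job)
        chunks = []
        try:
            while chunk := sock.recv(4096):
                chunks.append(chunk)
        except socket.timeout:
            pass
    return b"".join(chunks)


# Constructed sample replies; names, hostname and credentials are illustrative.
SAMPLE_VARIABLES_REPLY = (
    b"@PJL INFO VARIABLES\r\n"
    b"COPIES=1 [2 RANGE]\r\n\t1\r\n\t999\r\n"
    b"PAPER=LETTER [3 ENUMERATED]\r\n\tLETTER\r\n\tLEGAL\r\n\tA4\r\n"
    b"LPARM:PCL FONTSOURCE=I [1 ENUMERATED]\r\n\tI\r\n"
    b"LPARM:NETWORK SMTPSERVER=mail.corp.example [1 STRING]\r\n"
    b"LPARM:NETWORK POP3USERNAME=scanner01 [1 STRING]\r\n"
    b"LPARM:NETWORK POP3PASSWORD=Summer2017! [1 STRING]\r\n" + FORM_FEED
)
SAMPLE_NVRAM_REPLY = b"".join(
    f"@PJL RNVRAM ADDRESS={addr} DATA={byte}\r\n".encode("ascii") + FORM_FEED
    for addr, byte in enumerate(b"admin:Summer2017!\x00"))


def audit_sample() -> Dict[str, str]:
    """Run the parse chain over the constructed reply; returns flagged settings."""
    return flag_sensitive(parse_variables(split_replies(SAMPLE_VARIABLES_REPLY)[0]))


if __name__ == "__main__":
    print("Would send:", build_pjl_job(["INFO VARIABLES", "INFO CONFIG"]))
    print("Retained secrets:", audit_sample())
    print("NVRAM strings:", printable_strings(parse_nvram_dump(SAMPLE_NVRAM_REPLY)))
```

For a pre-release check, send `build_pjl_job(["INFO VARIABLES", "INFO CONFIG"])` to the device and require `flag_sensitive()` to come back empty; if it does not, the reset procedure did not clear the NVRAM and the unit must be reprocessed or destroyed. The RNVRAM helpers only apply to HP models that honour that command, and a dump of mostly 0xFF after a factory reset is the result you want to see.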

Every organization needs robust policies and procedures for the disposition of every potentially data-bearing device. More than a check box, organizations need to actively review and audit the third-party service providers that handle data destruction and recycling, including review of the chain of custody, the primary provider's downstream vendors, and in-person observation of the provider's operations and processes.

Consider due diligence that includes verifying that the service provider is National Association for Information Destruction (NAID) certified, not just a member of that organization. Becoming a member is straightforward, but certification requires rigorous evaluation and submission to random, unannounced audits that many service providers are unwilling to allow.

Further, as the EPA recommends, service providers and potentially their downstream vendors should hold either R2 or e-Stewards certification at all facilities. Both require adherence to rigorous standards and documented methodologies. This helps ensure responsible e-recycling and prevents improper disposal that could not only result in a data breach but is also hazardous to the environment and could result in fines and penalties for the source organization as the "generator" under the Resource Conservation and Recovery Act (RCRA).

Angie Ransom leads the Retail Division of ERI, the largest fully integrated IT and Electronics Asset Disposition service provider in the United States. Angie has worked with ERI for over 13 years, helping to safeguard organizations. Her expertise includes retail products, program analysis, day-to-day operations, and compliance.

David Brent is the Vice President, Marketing and Business Development of ERI. David has held executive-level positions in two public companies, entrepreneurial ventures, and consulting to organizations in a wide range of industries including energy, financial services, automotive, electronics manufacturing, and pharmaceuticals.
