Gaping Holes in IT Asset Data Security – The Untold Story of Embedded Media

By Brian Lovett, Brass Valley

The data security industry is young and, as with any new industry, lessons are learned as it matures. Unfortunately, with data security laws constantly changing and new technologies constantly being introduced to the market, gaps in data security are being discovered the hard way, as we’ve all seen from years of public data breaches. Many companies have seen them internally only through audits. At Brass Valley, we educate organizations about the hidden dangers they may be exposed to. Here are just a couple of examples of hidden data and potential threats that we’ve found.

Wake Up Call # 1

Last year, a Fortune 1000 client was closing several offices and needed to dispose of their old phone system. The system consisted of a few hundred phones and a few controller units. When we discussed data security, we were told that someone had already come in and erased all of the hard drives. When we brought the equipment into our facility for processing and remarketing, we tested these items as part of our quality assurance process. In doing so, we immediately found IP addresses, passwords, voicemails and other pieces of confidential information.

Wake Up Call # 2

Another client, a well-known box store, sent us all of their warehouse inventory scanners for asset recovery / recycling. They insisted that no data security would need to be applied to these devices. What they had never considered was the wireless card we found in each scanner. Each had complete login credentials to the client’s wireless network as well as username and password credentials to their inventory database.

Wake Up Call # 3

In a more recent situation, a client was refreshing their Cisco switches and we were called in to provide a trade-in value. We asked if part of the buy price would include proper erasure of the devices. The client thought for a minute and said, “I’m not sure.” We talked further and discovered that they had no idea which switches had media in them and which ones didn’t. Because they didn’t track it, they weren’t sure what needed data security. This realization made the client think about the wide-open exposure their company had had all along from not erasing switches that were to be recycled.

Wake Up Call # 4

Only a few weeks ago, a large financial client was replacing and reselling their multifunction fax machines. They insisted that they had flushed the memory buffers and everything was gone. Two months later, the manufacturer showed up at their door looking to fix a fax machine that was dialing home for repairs. The client hadn’t realized that there was more than one memory buffer and that the machine had a call-home feature.

These are just a few examples of where we find data on devices. Some constitute a total breach. Some provide data like IP addresses and passwords that are the point of entry for a data breach.

Solving the Problems

The major reason for these lapses in data security is a lack of knowledge about where media is embedded, and that lack of knowledge needs to change. One service to look for from your vendors is access to security information on all types of computer equipment. The information should outline the proper nomenclature for the device, because that is so important when trying to reconcile reports. It should also describe the specific location of the serial number (because so many devices have multiple serial numbers on them). The information needs to include where any media could potentially be on the device AND how to locate and erase/destroy it.

All of that information would have to be continually updated and populated as new computer technology is developed and deployed. The combination of professional service offerings plus this type of information in an accurate and thorough resource is an advantage to any IT Asset Manager’s risk reduction program. The provision of knowledge sharing as part of professional services offers greater protection from data security breaches and represents a new level of service in the industry.
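
The media-location part of the resource described above can be used as a release gate on a disposal manifest: an asset leaves only when every place its model can hold media has an erase/destroy record. The following is an added example, not Brass Valley's tooling; the model names, component names and asset tags are constructed for illustration and describe no real product.

```python
# Added example: catalog entries, model names, component names and asset tags
# are constructed for illustration; they describe no real product.
from dataclasses import dataclass, field

# Reference catalog: device model -> every component where media can be embedded.
CATALOG = {
    "PBX-CTRL-X": {"hard_drive", "voicemail_flash", "config_nvram"},
    "SCAN-W1": {"wireless_card", "app_flash"},
    "MFP-FAX-9": {"fax_buffer", "print_buffer", "address_book_flash"},
    "PATCH-PANEL-24": set(),  # catalogued as holding no media
}

@dataclass
class Asset:
    tag: str
    model: str
    sanitized: set = field(default_factory=set)  # components with an erase/destroy record

def audit(assets, catalog=CATALOG):
    """Return {tag: finding} for every asset that is not safe to release."""
    findings = {}
    for a in assets:
        media = catalog.get(a.model)
        if media is None:
            # Unknown model: nobody knows whether it holds media, so hold it.
            findings[a.tag] = "HOLD: model not in catalog, media unknown"
            continue
        missing = media - a.sanitized
        unexpected = a.sanitized - media
        if missing:
            findings[a.tag] = "HOLD: unsanitized " + ", ".join(sorted(missing))
        elif unexpected:
            # A record for a component the catalog does not list usually means
            # a naming mismatch; reconcile it before trusting the record.
            findings[a.tag] = "REVIEW: unrecognized " + ", ".join(sorted(unexpected))
    return findings

# Constructed disposal manifest.
MANIFEST = [
    Asset("A-001", "PBX-CTRL-X", {"hard_drive"}),   # only the drives were erased
    Asset("A-002", "SCAN-W1"),                      # "no data security needed"
    Asset("A-003", "SW-UNKNOWN"),                   # model nobody tracked
    Asset("A-004", "MFP-FAX-9", {"fax_buffer", "print_buffer", "address_book_flash"}),
    Asset("A-005", "PATCH-PANEL-24"),
]

if __name__ == "__main__":
    for tag, finding in audit(MANIFEST).items():
        print(tag, finding)
```

Assets A-004 and A-005 produce no finding and are the only ones cleared for release; an uncatalogued model is held rather than assumed to be media-free.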