Category: Press Releases

Responsible Hard-Drive Destruction – Let’s Get Real

June 13, 2018 at 4:14 pm by SEM

December, 2010

by Andrew Kelleher

Destroying stuff seems to be my specialty, though I have a definite preference for the purposeful kind of destruction.  Years ago, my 1983 Datsun went against my purposes when it decided to leave that icy road and run into that big rock, but at least it didn’t come back from the scrapyard to haunt me.  In contrast, my 5-year-old laptop computer that barely boots up could come back in many ways if I’m not careful how I dispose of it.

As we know, a used computer’s hard drive contains old e-mail messages; credit-card, bank-account, and Social-Security numbers; and plenty of other personal information.  Because the information security field is my home turf, some of the talk I hear about how to destroy old drives makes me shiver as if I were back on that icy road.  Many so-called methods of destruction border on the insane and unsafe, not to mention the unreliable.  There is a whole lot of bad advice online, especially.  I can tell you most of these postings skirt the truth.  Some throw a tarp over it.

Here, paraphrased, are some comments I found recently with a simple Web search:

“I just take my old hard drives out to the parking lot and bash them with a big hammer.”

“I’d toast them with a blowtorch if I were you.”

“Cook them in the oven at very high heat, then plunge them into a bucket of ice water.”

“An acid bath is the way to go.”

“Melt them down!”

“Take them miles out to sea and throw them in.  Even if somebody finds one, the salt water will have done a job on it.”

“Throw it in your fireplace.”

“Remove the platters from the cases and bend them.”

“Take them outdoors and shoot a hole through each one with a pistol – the larger the caliber, the better.”

“Drill a few holes in each drive and be done with it.”

“Dip them in a vat of liquid nitrogen on the roof of a tall building, and then drop them over the edge.”

I wonder how many of these folks have ever followed their own recommendations.  Are some of these “home remedies” difficult and/or impractical?  In many cases, they sound like they came from a handbook for the Spanish Inquisition.  Yes, some might be feasible if you have one or two hard drives to dispose of, but even those could pose huge liability risks when done for an employer.  If you have time to waste, gloves on your hands, and safety goggles on your eyes, some of these methods might even work.  But businesses that have to deal with liability, workplace safety, and the disposal of multiple hard drives should have a problem with these methods, not to mention they are just crazy dangerous!  Besides, even if carried out as recommended, most of these measures are far less than 100% effective.

Safely, but Thoroughly

By the way, I do realize that some of the online comments are tongue-in-cheek, but my overall reaction is still the same: Are you crazy?  You need to have a proven destruction technology that is safe, easy to use, and, most importantly, effective.  The equipment must give you peace of mind — the assurance that no one is going to recapture a bit of data off your discarded drives.  Otherwise, why not just throw the hard drive away or give it to some nefarious folks for their own uses?

It is not as paranoid a view as it used to be.  Data-recovery technology continues to advance by leaps and bounds.  There are many techniques that are not top secret but still allow the recovery of information from seriously damaged drives — you’d be surprised.  Just ask your state and local police or the U.S. National Security Agency/Central Security Service (NSA/CSS).  By the way, the U.S. government is so concerned with the loss or theft of data, or just with the end of a computer’s life, that the NSA has developed guidelines that require hard drives to be degaussed (demagnetized) and incinerated or otherwise physically damaged prior to disposal.  Many other countries have similar guidelines.

Aside from governments securing state secrets, every person and enterprise has old hard drives that should eventually be destroyed.  And don’t think that just because you aren’t a government agency or contractor you don’t need to be vigilant about hard-drive disposal.  There are real risks of information (financial and tax records, Internet purchases, etc.)  falling into nefarious hands, not to mention there is information your competitors would love to see, such as price lists, sales figures, customer data, engineering data, memos drafted in preparation for bidding, e-mails from the president to his mistress, etc.  Aside from damage to one’s reputation, there is the possibility of a lawsuit from an employee, customer, patient, or other individual who claims he or she was harmed by the release of his/her private information.  The list goes on and on.

Of course, different owners have different security needs, and that is why there are different kinds of safe and effective hard-drive-destruction equipment on the market.  There are more options than ever before, and the trick is finding the right solution/equipment (or destruction service) for your hard drives.

Although hospitals and other healthcare and health-insurance providers, banks and other financial institutions, and government/military entities are subject to higher standards of confidentiality, every business has employee records and proprietary information.  We all have to replace computers from time to time — more frequently as newer technology makes them obsolete.  How many old computers/drives do you have gathering dust in an out-of-the-way corner or storage room?  I’d be willing to bet that most IT folks would say those items won’t be needed again.  More than likely, they just aren’t sure what to do with them, but they do know they cannot just throw them out.

A Job Worth Doing…

Just one hard drive can contain hundreds of thousands of files.  When a digital file is “deleted” from a computer, the information actually remains on the drive, as do “deleted” e-mail messages and records of all online activity.  Even reformatting or overwriting may not be enough to prevent confidential/proprietary/sensitive data from being recovered by a determined individual using the right techniques and equipment.

In light of the above, I favor a “belt & suspenders” approach — two proven methods of data destruction for absolute certainty.  But there is more to information security than choosing the right destruction equipment.  What you do with old drives prior to destruction is just as important.  Keep them in a secure location prior to destruction, or they could be long gone before you even know they are missing.  And keep records!

For any facility, I strongly recommend instituting a comprehensive information-security program — written procedures that must be followed.  Such procedures should include detailed recordkeeping and labeling that states, for example, the serial number of each drive, the computer from which it was removed, and the date it was removed.  The program should also include careful documentation of destruction dates and methods and a plan for in-house monitoring/verification.  You never know when these records will come in handy.

Proper training is a must.  These procedures should only be carried out by trusted employees or a security service, and supervised by management.  By the way, if you have a written policy that calls for destruction of records on a regular schedule, it looks less arbitrary and suspicious if documents are missing when requested in the course of litigation or an audit.

Businesses that don’t yet have a comprehensive information-security program can take a cue from federal regulations that require some facilities to have one in place, such as the rules implementing the Fair and Accurate Credit Transaction Act (FACTA).  In order to minimize fraud and identity theft, FACTA’s far-ranging standards require lenders, insurers, and many other businesses — anyone who “maintains or otherwise possesses consumer information for a business purpose” — to properly destroy consumer information.  Likewise, hospitals and other healthcare entities must comply with privacy and security standards promulgated under the Health Insurance Portability and Accountability Act (HIPAA).  Similar requirements may be found in the Sarbanes-Oxley (Public Company Accounting Reform and Investor Protection) Act and the Gramm-Leach-Bliley (Financial Services Modernization) Act.  Further, the credit card industry is required by the Payment Card Industry Data Security Standard (PCI DSS), international protocols issued by a credit-card-industry council, to take proper security measures with customer and corporate proprietary information.

Tools of the Trade

When is a hard drive really destroyed enough to prevent recovery of information it once held?  That is debatable.  Let’s take a look at some choices for the safe removal of data:

  1. Overwriting the drive. “Disk-wiping” software is used to replace stored data with a pattern of meaningless characters.  I felt obligated to mention this method, but I do so with reservations.  There are many versions of such software on the market, so it is important that the chosen version be compatible with the drive to be overwritten.  U.S. Department of Defense guidelines recommend this step for operable drives bound for disposal, prior to degaussing and/or destruction.  But one overwriting “pass” is not enough, and this method must be carried out by someone who is patient and careful and understands the process, as it is time-consuming and based on the age and size of the drive.
  2. Degaussing. Degaussing is one of those words that evoke images of a mad scientist and large static discharges in the laboratory.  Degaussing is simply the elimination of a magnetic field.  There are two major methods of degaussing.  The first method permanently erases data from hard drives when they are passed through the magnetic fields of powerful, fixed, rare-earth magnets.  The second method uses a powerful electromechanical pulse that instantaneously generates a powerful magnetic field to permanently erase data from disks in an enclosed chamber.  One should note that because there are variations in the formats and magnetic densities of hard-drives and in the methods by which they store information (latitudinal or perpendicular), the degaussing device must have a high enough coercivity rating (magnetic power) to overcome the drive’s magnetic field and completely erase its stored information.  If it doesn’t, the whole process is a waste of time.  The NSA/CSS evaluates degaussers and has published a list of approved devices for the erasure of sensitive or classified magnetic storage devices.  The list rates each degausser model on the basis of which types of drives and other magnetic media it is strong enough to erase.  Careful and informed buyers tend to rely on it for guidance.  Degaussing is more effective than overwriting, but here, too, training is essential.  Once you purchase a degausser, be sure to follow the directions.

    An NSA Evaluated degausser that can completely erase hard drives with no chance of data recovery.

  3. Crushing. This method destroys drives by subjecting them to extreme pressure from a conical steel punch or similar device.  Good for a low volume of drives, these relatively inexpensive units are available in manual and powered models.  I put this method in line with basic destruction methods.  At the least, deforming the drive enough to render it inoperable is better than doing nothing.  Unlike after degaussing, the information residing on a deformed hard drive is still intact, but it is much more difficult to retrieve.

    An automatic Sledgehammer hard drive crusher with a conical punch to pierce drive casings and platters.

  4. Shredding. Hard-drive shredders literally rip drives to shreds.  The shredding process is much the same as in an ordinary paper shredder, but these machines are more robust and capable of destroying multiple types and sizes of drives.  These shredders are also good for destroying cell phones, PDAs, electronic organizers, and other data-storage devices.  Several models are available, the largest of which can destroy up to 2,500 drives per hour.  Again, as with crushers, the information residing on the hard drive platter is still there, but since the drives are shredded into several randomly sized strips, it is even more difficult to retrieve.
    A Jackhammer hard drive shredder, capable of destroying up to 2,500 hard drives per hour.

    Hard disk drives and other electronic devices end up as co-mingled “e-scrap,” most of which can be recycled.  Powerful shredders reduce metal to random strips.

  5. Disintegration. “Mechanical incineration” by a heavy-duty disintegrator (rotary knife mill) cuts items into smaller and smaller pieces until they are unrecognizable and unreconstructible.  For hard drives and other metal, this is typically done after shredding.  Disintegration is similar to shredding, although the end particles are much smaller and more damaged.  Disintegrators are also available in several models able to handle various sizes and volumes of hard drives.  The upkeep for a disintegrator is significantly greater than that for a shredder, and is therefore an important consideration when choosing between the two.

While all of these methods are effective, I favor a two-stage approach that combines degaussing with crushing or shredding.  For the ultimate, choose degaussing, followed by shredding, followed by disintegration, but this is for those who are really paranoid.

Ideally, the decision to purchase destruction equipment and the implementation of a destruction program would be based on security needs, not on cost.  But in a practical world, there are budgets to be met.  Degaussers, shredders, and disintegrators all come in different sizes and capacities.  While some of these units are relatively inexpensive ($1,000 to $5,000), others could run as high as $50,000.

The Outsourcing Option

For some businesses, the peace of mind that comes from knowing sensitive records will never leave their facilities intact makes the investment in destruction equipment worthwhile.  Even so, many companies simply cannot afford to purchase this equipment for the relatively few items they need to destroy.  These businesses may choose to outsource such destruction.  Aside from budgetary considerations, if you rarely need to purge your files, only destroy 10 hard drives a year, or would simply rather not destroy sensitive materials on your own premises, by all means find a reputable destruction service.  An advantage to outsourcing is that your waste eventually gets mixed with the waste of others, which makes your data even harder to retrieve.

Outsourcing can be affordable and safe when done properly, but if you choose this option, be sure to do your homework thoroughly.  Evaluate a service provider and its security protocols before signing the contract.  Here are some questions to ask:

  1. If the service will pick up your hard drives, how will it transport them to the destruction facility?  Does the service offer locked, trackable transport cases with tamper-proof security tags?
  2. Does the service require a long-term contract or a monthly minimum?
  3. Upon arrival at the facility, will your items be inventoried by serial number (or barcodes correlated with serial numbers) and stored in a locked, monitored area?  How long are they likely to remain there awaiting destruction?
  4. Are job applicants thoroughly screened?  Is the facility monitored around the clock by security cameras?
  5. What destruction methods will be used?  Degaussers?  Shredders?  Disintegrators?
  6. Has the facility’s equipment been evaluated by the NSA/CSS?
  7. What proof will you have that items were actually destroyed?  Would you be allowed to watch the destruction in person or on video?
  8. Will the destruction of your items be logged and certified in writing?
  1. What happens to destroyed waste?  Is it recycled in accordance with pertinent regulations?
  • Is the facility bonded and insured, and to what limits?

If you don’t like the answer to any of these questions, look for another service.  Like all service providers, some are better than others and some offer more robust security assurances.  I personally prefer more security over less.  You also need to understand that security comes at a cost.  Many destruction companies are nothing more than recycling companies posing as secure-destruction experts.  If the service you are considering passes all the above tests, visit the facility in person.  Even if you like what you see there and end up giving the company your business, it is a good idea to pop in from time to time for a surprise inspection.

And please note that a certificate of destruction does not free you from your legal responsibility.  If a destruction contractor certifies that your confidential data was destroyed, yet the data surfaces somehow, you are still liable for damages suffered by the injured parties.

Methodical Choices Protect Your Business

Sometimes the best overall destruction/disposal solution is a combination.  For example, you might choose to degauss your hard drives in house and then send the degaussed drives to a service for the next stage, such as shredding and/or disintegration.  You still get “belt & suspenders” — by choosing two (or more) destruction methods, you protect yourself against human error if someone falls down on the job at one stage or the other.

Regardless of the methods you choose for disposing of outmoded computers, be mindful of the fact that they contain valuable and toxic materials.  Some components can be reused, and most can be recycled.  Explore options that go beyond legally mandated procedures to minimize the chance of environmental contamination.  Security is your main goal, but security and recycling do not have to be at odds with each other.

Although information-security programs will differ according to facility size and mission, every field of endeavor these days must address the disposal of protected information.  Confidential patient records are just as important to a small medical practice, for example, as proprietary product designs are to a large corporation.  In both cases, the methods chosen to destroy computer hard drives have to be equally effective.  A wide selection of equipment is available to help a facility establish a program that meets its particular needs.

A comprehensive hard-drive disposal program can prevent sensitive electronic records from falling into the hands of those nefarious folks who want to do mischief at your expense.  Data security is an ongoing process, but by learning about threats and understanding destruction options, you will be in a much better position to protect yourself and your business.

Andrew Kelleher is president of Security Engineered Machinery (SEM), the largest direct supplier of high-security information destruction equipment to the United States federal government and its various security agencies.  For more information, contact Mr. Kelleher at SEM, PO Box 1045, Westborough, MA 01581, TEL: 508-366-1488, FAX: 508-366-6814, e-mail: info@semshred.com

 

Destruction System reduces SSDs and other Electronic Media to Less Than 0.5mm Particles – Meets DIN E-7

at 4:06 pm by SEM

WESTBORO, MA — The SEM Model SSD1-HS from Security Engineered Machinery reduces solid state devices to waste particles of .5mm squared or less and meets DIN 66399 Standard E-7; smaller than the NSA requirement for sanitization of SSD devices per NSA/CSS EPL 9-12. Absolute destruction through repetitive high speed cutting of memory media ensure all data is properly sanitized.

Storage media is continuously cut until it is small enough to pass through a customer selected waste sizing system to meet customer’s security level or a specific DIN Level. Items that can be destroyed in the Model SSD1-HS include solid state boards, RAM, smart phone / cell phone components, SIM cards, USB flash drives, compact flash and even optical discs. The Model SSD1-HS is a compact, self-contained destruction system with all components housed within a custom enclosure for maximum sound, odor and dust control.

The Model SSD1-HS destruction capacity is dependent on the media being destroyed and the customer selected sizing screen.

An ergonomic operator interface allows easy viewing and control of all machine functions. The Model SSD1-HS features an interlocked feed slide with integrated feeding protocols ensuring proper metering of media through the data sanitization process. Safety interlocks prevent operation when any safety guard or panel is not in place or waste disposal is required. An air filtration system consisting of a carbon pre-filter and HEPA filter is also included.

Security Engineered Machinery, SEM, is an innovative designer and manufacturer of data-destruction equipment located in Westboro Massachusetts. SEM supplies mission critical EOL equipment to the US Federal Government including the DoD and other intelligence agencies, as well as large multinational datacenter operators. SEM’s engineering staff is available to assist customers with special products and systems that will sanitize any media / material down to stakeholder required sanitization levels such as high volume central destruction systems used by nationally recognized commercial banks and healthcare organizations. Areas of expertise include the destruction of hard drives and other mixed media and heavy-duty, high-capacity shredders for recycling applications.

For more information, contact James T. Norris, Norris & Company, 264 Bodwell Street, Avon, MA 02322 Tel: (508) 510-5626, FAX: (508) 510-4180, E-mail: jim@norrisco.com

SEM 2 in 1 Crusher for Either HDD or SSD Media

at 4:04 pm by SEM

WESTBORO, MA — The SEM Model 0101, an NSA evaluated and listed destruction device for all computer hard drives regardless of their size, format or type, can now be factory configured for dual media destruction of either HDD or SSD media. The Model 0101 Hard Drive Crusher from Security Engineered Machinery has long been the choice of the Federal Government, US Military and Fortune 1000 companies for physical destruction of HDDs.

The SEM Model 0101 Crusher can now be purchased with a factory installed SSD Kit allowing the system to perform dual media destruction of either HDDs or SSDs. The SSD Kit consists of a specially designed hardened steel anvil with 292 piercing spikes, an SSD Wear Plate, and an SSD Press Plate. The large number of spikes on the anvil ensures each data bearing chip is damaged during the operating cycle. Solid State media that can be destroyed include memory sticks and circuit/controller boards found on hard drives, SSD drives, cell phones, tablets and similar devices up to 5.39” x 5.39” (137mm x 137mm).

The Model 0101 with integrated SSD Kit also includes a standard HDD anvil and can be easily exchanged in the field for the destruction of conventional hard drives and other rotational magnetic media.

Offices, hospitals, data centers, and other facilities can destroy confidential/sensitive information in a timely manner in accordance with government regulations and industry standards (HIPAA, FACTA, SOX, PCI DSS, etc.). The Model 0101 also satisfies National Security Agency requirements for physical destruction of rotational drives after they have been degaussed in an NSA-listed degausser.

The unit is compact, portable (22”H x 10”W x 19”D, 105 lbs.), quiet and virtually vibration free. It operates on standard 120V power, international voltages are also available. A safety interlock prevents the unit from functioning while the door is open and is the only crusher on the market that allows hard drives to be crushed with carriers still attached.

ISO 14001 Registered, Security Engineered Machinery, “SEM” is a global supplier of information security solutions and the largest producer of data-destruction equipment in the United States and operates a manufacturing and design facility adjacent to its headquarters in Westboro, Massachusetts. SEM’s full-service engineering department designs custom systems, such as high volume centralized security destruction systems with integrated waste briquetting and evacuation systems in use by the Federal Government and commercial entities. SEM’s areas of expertise include the design and production of destruction equipment for any type of data storage media from paper to hard drives to solid state, where data security and end of life measures are essential.

For more information, contact James T. Norris, Norris & Company, 264 Bodwell Street, Avon, MA 02322 Tel: (508) 510-5626, FAX: (508) 510-4180, E-mail: jim@norrisco.com

Security Engineered Machinery Introduces Enterprise Line of Data Destruction Devices

at 4:03 pm by SEM

data-center-ssd-destructionSecurity Engineered Machinery Co., Inc. (SEM), global leader in high security information end-of-life solutions, announced the introduction of a line of hard drive destroyers specifically engineered for enterprise drive destruction. The Enterprise Line, which includes rotational and solid state shredders and a disintegrator, is the first of its kind in the data destruction industry.

“We engineered the Enterprise Line to address the needs of our data center clients,” said Nicholas Cakounes, Executive Vice President of SEM. “The overwhelming client feedback we received expressed an imminent need for data destruction devices that could easily handle the larger, thicker, denser enterprise drives commonly found in data center environments.”

The Enterprise Line includes the compact, quiet Model 0315 hard drive shredder designed for office use, as well as the high-volume Model 0305 and Model 0304 shredders. The 0315 shreds up to 90 enterprise rotational hard disk drives (HDDs) and up to 120 enterprise solid state drives (SSDs) per hour at 1.5” final particle size, whereas the industrial grade 0305 and 0304 destroy up to 800 HDDs/1,200 SSDs and 1,400 HDDs/2,000 SSDs per hour, respectively. All three models are available in multiple configurations to accommodate a variety of user requirements: rotational hard disk drive (HDDs) only, solid state drive (SSD) only, and a combo version that destroys both HDDs and SSDs utilizing separate feed openings and cutting chambers. Final particle size for HDDs ranges from 1.5” to 0.75”, and final particle size for SSDs is 0.375”. All shredders in the new Enterprise Line are noted on the NSA/CSS Evaluated Products List (EPL) for HDD Destruction Devices as an approved solution for the “deformation of magnetic media hard drive platters” and are GDPR, NIST 800-88, SOX, FACTA, HIPAA, FISMA, NAID, and DoD compliant.

In addition to the three shredder models, SEM’s new Enterprise Line includes the Model 2SSD Disintegrator engineered to destroy SSDs to a nominal particle size of 2mm2. This newly redesigned machine employs an industrial grade, dual stage cutting system with specially enhanced cutting blades and sizing screens to provide maximum throughput in an office environment. Designed with a custom, steel-insulated sound enclosure for maximum sound control, the 2SSD also features an internal carbon-based pre-filter and HEPA air filtration system for operator safety as well as odor and dust control. Click for video.

“After pilot testing the devices with our existing Fortune 50 data center clients, we realized that the Enterprise Line provides the ideal solution to organizations looking to safeguard privacy and mitigate risk in the data center and beyond,” added Andrew Kelleher, President of SEM. “In addition to data centers, security-focused organizations such as the federal government, healthcare providers, and financial institutions are facing increased compliance requirements in parallel with more frequent use of enterprise drives into their data centers. The problem becomes what to do with the drives at end-of-life to maintain privacy and compliance — we are providing that solution.”

All devices in the Enterprise Line are specifically designed for enterprise drive destruction with increased torque, industrial grade construction, and more rugged cutting heads, enabling the system to cut through multiple steel plates, carriers, and other enterprise drive constructed components such as heat sinks and cooling tubes.

Security Engineered Machinery Founder Honored as ASIS Life Member

May 31, 2018 at 5:08 pm by SEM
Leonard Rosen, SEM Founder and Chairman of the Board

Leonard Rosen has been a continuous member of ASIS since 1968

Security Engineered Machinery Co., Inc. is pleased to announce that Leonard Rosen, SEM founder and Chairman of the Board, has been honored with Life Member status by the American Society for Industrial Security (ASIS). ASIS grants Life Member status to individuals who have 50 years of continuous membership within the organization. Mr. Rosen founded SEM in 1967 and became a member of ASIS in 1968.

“Receiving ASIS Life Member status was unexpected, and quite an honor,” said Mr. Rosen. “To me, this speaks volumes about the quality and endurance of Security Engineered Machinery, which has enabled me to remain a member of ASIS over the past five decades. SEM has consistently adapted to changing technology while continuing to grow through the years, and I am so proud to be part of this incredible organization. We started by selling paper shredders to the federal government and now manufacture data destruction devices for every type of data and for every type of client. SEM continues to be a robust organization that has helped to protect national security for over 50 years.”

Throughout the years, SEM has supported ASIS through trade show participation as well as advertising in ASIS publications, including Security Management. In addition, SEM team members maintain membership and actively participate in regional chapters of ASIS.

“ASIS is truly the premier security association for security-centric government and commercial entities, and I am thrilled to gain Life Member status in such an upstanding organization,” added Mr. Rosen.

Mr. Rosen founded SEM in 1967 to fill a clear need for high security disintegration equipment for the federal government. He has possessed numerous positions with SEM over the years, including sales and marketing and operations. Prior to founding SEM, Mr. Rosen served in the U.S. Army and is a Korean War Veteran, after which he served in management positions related to sales and marketing roles with various domestic and international manufacturers. A graduate of Boston University, Mr. Rosen continues to be actively involved with SEM day-to-day operations and serves as Chairman of the Board.

“In addition to strategic vision that laid the foundation for SEM’s success, Len possesses exceptional leadership capabilities that are directly responsible for the longevity of SEM employees, whose service can often be counted in decades rather than years,” commented Andrew Kelleher, President of SEM. “He valued and encouraged work-life balance and positive company culture before anyone even knew what they were, and SEM continues to operate in that vein. It is rare to find someone with the vision and integrity of Len Rosen.”