Security Forums

Hard drives replaced under warranty - best practices?

mb
Posted: Thu Jan 27, 2005 7:18 pm

Most warranty replacements require that the failed parts be returned to the manufacturer. This poses a definite security risk when the part being replaced is a hard disk drive. The drive may likely contain information that is sensitive.

While computer manufacturers are unlikely to deliberately attempt to retrieve data from a failed hard drive, once it leaves your facility, the chain of custody is broken.

What are the most common ways businesses deal with this issue? Since few if any 'erasure techniques' are foolproof, it seems to me that the best way to deal with it is to simply opt out of the warranty replacement, incur the cost yourself and have the drive physically destroyed.

zvon
Posted: Fri Jan 28, 2005 12:21 am

In my experience I usually judge it on a situational basis. If it's very critical data, we decide to not use the warranty system, but if it's just some guy's PC we tend to not care too much.

I'd love to hear how others have dealt with this situation.

ThePsyko
Posted: Fri Jan 28, 2005 12:44 am

I likewise take it on a case-by-case basis. If that PC has held company secrets then I say take the loss. However, if it's just some schmo's computer and it wouldn't matter even if our main competitor got ahold of it, then I wipe and swap.

Networkguy
Posted: Fri Jan 28, 2005 1:36 am

In the case of server drives, on-site warranties are a must.

If a drive fails (we use HP for our Intel servers) we call out the engineer who then confirms the drive is dead (remember that dead drives are not repaired anyway) and gives us a new one.

We then place the old drive on top of our nice big degauser (is that how you spell that?), switch it on, watch the lights in the room dim and then hand the now very dead (and clean) drive to the engineer to drop in a skip on the way home.

mb
Posted: Fri Jan 28, 2005 5:12 pm

Thanks for the feedback. I actually had the opportunity yesterday to discuss this with a business attorney who has some experience with this sort of thing.

Before I go further, let me preface this with (1) YMMV... and (2) my paraphrasing of what the attorney said may not accurately reflect her actual intended meaning and (3) this is NOT legal advice; I'm not an attorney and I don't play one on the Internet.

She said where issues of privacy of customer data were paramount, you have only a few practical choices:

In all cases, some kind of legal audit trail must exist and in all cases the data on the drive must be destroyed - to a high level of industry standard. This means formatting the drive, fdisk, etc. are simply not acceptable. Professional wiping tools and degaussing are apparently a bit more of a gray area. But if the goal is no leaks of sensitive data via end of life cycle HDDs, then the certified destruction is the route to go.

She said that some manufacturers have drive destruction certification programs - i.e. they will replace your defective drive and later certify receipt and destruction of the failed drive. Apparently, some manufacturers will also accept certification of drive destruction from bonded 3rd parties as part of their warranty program.

If none of these are available, then she said the best route is to suffer the cost of drive replacement (i.e., don't use the warranty) and destroy the data yourself or by using a 3rd party service such as this service.

She also added that the cost of such programs needed to be weighed against the potential cost of lawsuits and/or bad PR if private customer data became public via such a source.

Mongrel
Posted: Sat Dec 15, 2007 11:09 pm

I know that banks and other large financial institutions will destroy the drive. As to what arrangements they have in their SLAs with the vendor, I am not sure - but I know they do get drives when they need them.

Military wipe simply won't do it and degaussing has been proven less than perfect as well. There was even a post here on this topic a couple years back.

And what your lawyer said is indeed true. Chain of Custody and verification of destruction are critical for the auditors and the feds (OCC, SOX, GLBA, etc.)

PhiBer
Posted: Mon Dec 17, 2007 7:16 pm

I have had to use Dell's Keep Your Hard Drive service in the past. You pay an additional upfront cost for the service and keep your old hard drive if it crashes. They will then send you a replacement drive you can use. Works quite well actually.

The_Real_Gandalf
Posted: Tue Dec 18, 2007 9:37 am

It all depends upon the level of criticality when it comes to data sensitivity.

The best way to destroy a drive is either by de-magnetization or fire. These are the only secure ways to clean erase/destroy a drive.

As for the warranty issue. Companies with such a high level of sensitivity do not use warranties in this way.
They have special contracts, where an engineer of the vendor comes in, checks that the drive is dead, while company personnel are present.
He fills out a form and then assigns the new hardware.
Old hardware is either stored (with recorded serial number) or destroyed in a furnace and high fire or under a very strong magnet.

Keep in mind though that we are talking about high-sensitivity data (equal to SECRET clearance level in US) and it is not applicable to companies or other areas where they mostly use degaussing or software methods.


Gandalf

graycat
Posted: Tue Dec 18, 2007 3:50 pm

For the most part I agree with what people have been saying. We look at things on a case-by-case basis, taking into account not only the server but also its data that it might have held. On this basis we can decide whether to take the hit by purchasing a new drive rather than using the support packs or not. If the data is of a suitably secret or confidential nature then we will indeed take the hit, purchase a replacement and then have the drive professionally disposed of by a reputable external company.

PhiBer
Posted: Tue Dec 18, 2007 7:28 pm

The_Real_Gandalf wrote:
The best way to destroy a drive is either by de-magnetization or fire. These are the only secure ways to clean erase/destroy a drive.


This looks pretty secure to me, so long as you are there to monitor the destruction process.

All times are GMT + 2 Hours