The Secure Disposal Saga
What are some things that you don't learn from certificates in InfoSec and only experience on the job? I'll go first. The saga of secure disposal of endpoints. #infosec A thread ~ 🧶

You would expect the removal of hard drives and secure destruction with certificates and the lot for end-of-life equipment. Well, not always. Some eye-opening behaviour I've witnessed over the years in places I've worked or consulted.

Companies donate laptops to schools in their country or other countries with the hard drive included, just because it would be useless without the drive or expensive for schools to buy hard drives. Charity trumps information security.

Employees are given the option to purchase their laptops as is when leaving the company. Not even formatted. With 25 other user profiles from previous users. No BitLocker either.

Some companies do not have an off-boarding procedure to request the equipment back or don't know who has what. Some people that have been in the company for years have 2-3 laptops at home that their kids use now. Still AD-joined.

Execs in some companies bend the rules and use all the latest, shiniest laptops and gadgets that they keep at home. Forgotten. Still AD-joined. Nobody wants to ask them for it if they want to stay employed.

Mac OS systems in most companies are not managed and have full administrative access. The rationale: Macs don't get viruses or get hacked. We're good. You're not. These Macs are in most cases not even encrypted.

And that's how hard drives end up on eBay and then recovered company data makes headlines on the BBC news. What are some things you've learned on the job that have left you speechless?