Given that there are absolutely no known’s in “unknown unknown”, speculating that anything represents the majority of those cases is, well, wild speculation. Honestly, its as likely to be use of graphic card memory for tools or violation of VM boundaries. It could be anything.

Also, from a risk calculation perspective, the simple cost of purchasing drives, let alone drives from Nigeria, would make this an unlikely option for criminals. It’s far easier to compromise a system electronically via no-cost bots across no-cost network links than to purchase anything from anywhere.

Regardless whether you agree that IT disposal represents the “biggest hidden risk,” it does represent a risk that should be considered. Local disposal (or loss via 3rd parties) of unencrypted data tapes has been widely reported on, regardless whether that lost data was ever used in a crime. The reputation losses that can incur as a result should make businesses aware there is real risk involved.

That all said, it has been repeatedly demonstrated that a concerted effort can reassemble data from even the most damaged drives (the Space Shuttle drive data reconstruction being but one example), so if data is going to be left unencrypted on any physical device the furnace becomes your only safe bet.

Applying data sensitivity identification can mitigate some risk. If your data is valuable for, at most, 6 months then simply keep the old drives that long before disposing of them. If the data has value for a longer period, adjust accordingly. If the storage time becomes too long, or the risk of using 3rd parties for such storage, then encryption becomes a cheaper option (despite it costing more than not using it, providing its cheaper than storing the data.) If, however, your data is sensitive for a period that makes brute force decryption viable, then we’re back to the furnace.

Personally, I would be more concerned about the entity who accepts the drives directly from me, than from whomever they ship those drives to. That first party has knowledge of who I am and which drives are mine, and therefore are in the position to pick and choose drives that might be valuable. Whoever is receiving these drives in, for example, Nigeria has far less knowledge and ends up having to go through a far greater volume of noise to get to a signal. That alone reduces the likelihood, and therefore the risk.

We have long recommended that sensitive data should be encrypted at rest. If it is, then it is likely to be encrypted in transit (e.g. via Internet backup or physical tape transfers.) This mitigates many issues brought up in the media, and should satisfy most regulatory requirements. Keeping data encrypted in memory (or while in use by an application) can be desirable and may reduce some specific risks, but has far less overall risk reducing benefits than encrypting at rest.

None of this is meant to suggest that the outsourcing of IT disposal shouldn’t involve investigating how that entity handles the data/devices, or, that there aren’t differences between providers of such services. All outsourcing should involve investigation of all pertinent details.

Thanks for pointing this out, Kyle.

Cheers,
Russ

Sadly, 80% of unwanted US computer equipment is exported to developing countries by these so-called recyclers - often with confidential data still on hard drives.

As the Verizon study states “criminals prefer to exploit weaknesses rather than strengths.” What could be easier than buying old hard drives from an e-scrap dealer in Nigeria?

Outsourcing IT disposal makes sense. But if an organization fails to maintain proper oversight, outsourcing actually increases the risks, provides a false sense of security, and is likely the majority of the 90% of breaches that involve some type of “unknown unknown.”

Kyle Marks
President & CEO
Retire-IT, LLC
kmarks@retire-it.com

Are you not counting that the attack was made available as a module for Metasploit about 36 hours before this was posted? Also, the fact that the technique of DNS cache poisoning is very old is irrelevant. Almost all (if not all) new exploits are applications of very old techiniques.

“Q: But couldn’t the criminal attack and “own” the user’s browser?
A: Only if that browser was vulnerable anyway. ”

Or you are running JavaScript, which almost every browser is. Even if you are using FireFox with NoScript, if it is a trusted site, you likely will have allowed the site to execute JS in your browser. See Jeremiah’s Black Hat presentations from 2005 and 2006.
http://www.blackhat.com/presentations/bh-jp-05/bh-jp-05-grossman.pdf
http://jeremiahgrossman.blogspot.com/2006/08/home-from-blackhat-and-defcon.html

“But even if all of these things fail, the criminal still only has ownership of PCs in your company which have visited the same site.”

But once the criminal has control over 1 computer, he can cause that computer to initiate requests for any domain he wishes, launching his UDP flood at the same time, and thereby poisoning even more domains for that company. Not to mention he then has some degree of access behind your firewall and can begin probing your internal network; and that is still with nothing more than JS.

“Q: Couldn’t the criminal snooker the user into typing in personally identifying information to be exploited later?
A: Only if that user would have done so anyway. If the new site has a certificate, it will fail and the user will get certificate errors in the browser.”

Why wouldn’t the user type their login information into their bank’s website? As far as the certificate is concerned, a couple of other options here. The more likely is that “Mallory” will get a valid cert on a look-a-like domain and the user isn’t likely to notice the difference. More evil, but substantially less likely, if a cert vendor has their DNS cache poisoned then Mallory could get a cert with the real domain name issued for his site. Many cert vendors will issue a basic cert with little more than an uploaded CSR and a matching file on the server. The criminal doesn’t have to redirect to the bank, thereby revealing a single IP; the criminal could just put up a “service unavailable” notice after login.

“The ISP hosting the poisoned DNS would probably get support calls from customers unable to get to their search engine”

Because all of those people using free WiFi at coffee shops know who to call for support? What are they going to do? Tell the barista they can’t get to a specific web site? The barista has more important things to worry about, like was that a half-foam, no-fat or a no-foam, half-fat latte?

“Q: Couldn’t criminals perform man-in-the-middle (MITM) attacks?
A: Sure, but consider the volume and the processing power they’d require.”

It would not require much processing power at all to copy all emails sent to a domain and then forward the message on to the intended mail server.

Keep in mind the original blog post is in response to public reaction to our findings regarding the percentage of breaches involving insiders. We’re not suggesting likelihood is more important than impact (or damage); it’s just that nobody seemed to argue against or misconstrue the latter parameter.

Schneier once proposed a vulnerability life cycle in a Crypto-Gram newsletter. However, during the time of writing my thesis, there were several important pieces of research no-one had put together to come up with a ‘more correct’ vulnerability lif…

If I’m managing risk instead of metrics, I want to know the amount of damage (exposure) done by one or the other. The data clearly shows that the insiders _do the most damage_ to an organization in terms of data exposure.

My experience is that it is also more costly to clean up after an insider.

As you say, Ben, “The cost of locking down data includes much more than merely correcting particular mistakes.” We don’t disagree. However, our data shows that eliminating error significantly reduces risk. We believe in many cases one single defensive action can significantly reduce risk, and there are certainly instances where a handful of simple, inexpensive controls can reduce almost all significant risks. There is a point at which implementing more does not achieve equivalent, or even significant, risk reduction. One cannot argue that doing what you have defined in your own policy is a “bad thing,” only, possibly, that your policy need not be as elaborate as you may have it.

I’m sure we agree there are operational costs for any network, and I think we agree those costs include “vigilance, equipment upgrades, employee training, auditing, etc. They may also possibly include “policing of business partners,” and definitely de-provisioning of network connections, etc. I’d hope you’d also agree characterizing them as purely security costs is too narrow in the extreme, versus reasonable network operational costs. Whoops, there goes that word “reasonable” again!

We’re also not suggesting that myriad attack paths be “locked down.” Our risk-based approach considers paths of least resistance and greatest availability (i.e., areas of greatest risk). Our study data shows opportunistic attacks of low skill level can be extremely successful. Such attacks remain successful because the cost of attack is relatively low for the criminal. We believe in implementing controls to the point an organization is no longer a target of opportunity (they become a target of choice). This doesn’t mean the organization has plugged every hole, but it does mean they have made the cost of attack for the criminal higher than for other potential targets.

As you suggest, it is conceivable that the cost of attack could be increased by factors other than the implementation of internal controls. There may well be value, for instance, in making data less desirable or valuable to the criminal. Unfortunately, most organizations simply do not have the capacity to accomplish this, much less influence external changes on a scale comparable to the suggested revamp of the credit card system. It’s hard to argue against such ideas. In the meantime, however, there remains a need for organizations to implement effective and efficient measures of securing the environment over which they have control.