The eyebrow-raising report from Russian cybersecurity firm Kaspersky Labs on the existence of never-before-seen spyware created a buzz last month, with questions circling about who is behind the attacks. As IT Asset Disposition professionals, we are less concerned with who is behind it than with how to make sure the malware is destroyed on a hard drive.
This malware, which Kaspersky purports was developed by a group backed by the NSA (National Security Agency), is embedded in the firmware of the hard drive. Data erasure programs overwrite the data stored on the drive, not its firmware, so even multiple passes of a data erasure program will not remove it. The only way to get rid of it is to remove and destroy the hard drive.
The malware consists of multiple sophisticated programs that use the HDD firmware to infect computers and servers in different ways. Computers that were not connected to networks were compromised. Curiously, even computer equipment in transit was infected.
While some IT security experts are mystified by the news of the HDD firmware malware, others are not at all surprised. They say that this has been a theorized threat for years and that all computer users need to anticipate increasingly sophisticated methods of cyber-hacking. Many IT experts rightly believe the focus should be on how to minimize risk, and not so much on the source of the hacks.
No matter the source of the attacks, many can be thwarted by using proper data security defenses and strong internal procedures. Consider the risks to your networks and data (if you have state secrets, your risk is very high) and develop a plan that matches that risk. Decide what steps are appropriate for your business to protect company, customer and employee data. This will also help you comply with standards and regulations such as HIPAA, PCI, and SOX.
Take proper measures to encrypt your organization’s computer hard drives. This will not only keep the data safe during the drive's lifetime, but also keep it secure while in transit between users or on its way to final disposition. And finally, dispose of your computer equipment with a NAID AAA certified ITAD partner. If your data is high-risk in nature, you may want to use onsite data destruction services. The NSA itself has high standards for data destruction.