Caitlin Fjerstad (00:17)
Hello everybody and welcome back to the Spark Podcast powered by Dynamic Lifecycle Innovations. On Spark Podcasts, we really aim to help organizations that get the most value out of their IT and lifecycle programs. In this episode, we’ll be discussing an important topic within the industry and one that is not getting as much focus as it really deserves, and that is network device sanitization.

Caitlin Fjerstad (00:40)
So with me today are three experts that we’ll be hearing from. First is Casey Dingfelder. He is the Executive Vice President of Dynamic. Casey, welcome. Thank you for joining us today.

Casey Dingfelder (00:51)
Thanks for having me, Caitlin.

Caitlin Fjerstad (00:53)
Next up, have Rolly Aponte. is a Senior Development Engineer. Rolly, thank you so much for joining.

Rolly Aponte (01:01)
Thank you very much.

Caitlin Fjerstad (01:02)
And last but not least is Adam Barrett. Adam is the founder and managing director at Nova Fox, which created the product solution Hydra. Adam, thank you so much. It’s a pleasure having you here today.

Adam Burrett (01:14)
Thanks for having me. Really good to be here.

Caitlin Fjerstad (01:15)
Wonderful. So diving right into it, can someone start us out and give us a little bit more insight into the idea of sanitizing network devices? Has there been an industry trend? Was there a significant event that occurred? Or what took place in order for you and others to be taking

a closer look into this process.

Casey Dingfelder (01:38)
I can take this one, Caitlin. So as our material streams evolved, we started to see more and more of these networking switches coming through. our responsibility back to our, our partners, our customers is we need to be able to process this equipment. need to safeguard the data and then also recover value. So the, the solutions that existed on the market were a lot of relying on manual deletion of certain files and just, there’s a lot of opportunity for human error and just, you know, honest mistakes to happen.

So as we followed some of those ⁓ processes that were recommended from other folks in the industry, we sent off for forensic testing and it was found that there was still some residual data being left behind on these different machines. So we knew that wasn’t going to be acceptable. And so then we started to just pursue other avenues where we wanted a little bit more software driven, automated, kind of take out that human aspect.

Caitlin Fjerstad (02:33)
Yeah, absolutely. Oh, Adam, were you going to say something there too?

Adam Burrett (02:37)
Yeah, I think the other thing that’s changed that we’ve seen a lot of is the industry, you know, the end users, the people we’re collecting from their expectations are changing because the risk is changing. You know, if you looked at this four or five years ago, no one was talking about statewide hacking where, know, you’ve got advanced hackers deliberately going out and looking for secondhand reuse equipment to compromise networks. we’re seeing it, you know, people are

There are stories where people have taken devices off of eBay and then use the credentials and the information they found to then attack the original customer.

Caitlin Fjerstad (03:15)
absolutely. It’s definitely becoming a thing. that’s why this is a topic of, you know, it wasn’t happening five years ago, but it is starting to happen now. And people need to be prepared, absolutely, know what kind of resources they have out there to prepare and protect themselves. So from that, then, what was the process? What did it look like for examining these types of devices? And when you were first exploring it,

Did you expect to find something? Were you surprised if and when you did find something? Talk about that process, though.

Rolly Aponte (03:47)
Yeah, I’ll take that one. ⁓ We wanted to be as objective as possible, so we had selected… ⁓

two enterprise Cisco routers that were advertised to be sanitized for this test. ⁓ through the analysis was done through third party forensics ⁓ and they had conducted that forensics with two different passes. One was through the command line interface and directly attached to the device to see if they could ⁓ view or access these files right from the device itself. And then the second pass of forensics was done by removing

the removal compact flash card, ⁓ which was part of the unit. And they had imaged that device to make a byte for byte image of the contents. And from that, they were able to reconstruct some of the data from the device.

Caitlin Fjerstad (04:45)
So if I’m not as technical of a person as you are, what I’m understanding is you kind of took that, correct me if I’m off on this, the parent-child relationship and kind of separated that out. So the parent might have passed, but when you looked at the child device within it, ⁓ there were aspects of it that it was still giving that information, still being able to extract some of that data.

Rolly Aponte (05:09)
Yes, ⁓ from the command line, know, this is the forensics lab directly attaching to the device. ⁓ It had appeared blank. ⁓ The files were deleted and visible to the operating system within the unit. through reconstructing the image, ⁓ you are able to see the data that the unit itself cannot see.

Caitlin Fjerstad (05:32)
Mmm, okay.

Adam Burrett (05:33)
Yeah.

I mean, in essence, it’s exactly the same as if you took a hard drive out of a computer. There’s no difference. know, you, when you go into your computer and you delete the file, you’re deleting nothing. You’re just deleting the top part of the file that says I’m a file and I’m here. The actual file itself still exists until it’s overwritten eventually by other files within the system, which is why, you know, we’re, looking at the same level of techniques to do the erasure as you would with a laptop and a desktop. You would never dream of selling.

Rolly Aponte (05:48)
Thank

Adam Burrett (06:01)
your desktop on eBay just by deleting the files. You wouldn’t do it. And networking should be treated in the same way.

Caitlin Fjerstad (06:07)
Absolutely. Wonderful. Are you able to share a little bit more about what the forensic testing actually uncovered? Was it a lot of information? What type of data maybe it did cover that was supposed to be sanitized, but unfortunately wasn’t fully sanitized?

Rolly Aponte (06:09)
Yeah.

Yeah, the files that were the data that was reconstructed, a lot of it had to do or it was the DHCP. ⁓ So it’s the IP addresses that were actually issued by the device. There were also MAC addresses, which give the unique signature of devices within the network. And then BRF, which are essentially ⁓ sections of the network. You might have one for ⁓ wireless access points. You might have one for offices, one for warehouse.

So we could not only see the unique traces of the devices, but how they communicate with each other on the device

Adam Burrett (07:02)
we’ve come across evidence where you’ve got things like the passwords that are still in their credentials, encrypted credentials, unencrypted credentials. Cisco, particularly, they let you do both for some reason. They started to change it, but on the oldest things, you could literally have passwords in plain text exactly as you would type them in. And on certain devices, particularly firewalls, we’ve seen things like radius credentials, which is used for encrypting VPNs.

Rolly Aponte (07:06)
Thank you.

Adam Burrett (07:28)
If you have those credentials, can break into an entire network without physically getting hold of anything. It’s quite a big thing.

Caitlin Fjerstad (07:37)
Wow.

Yeah, absolutely.

Rolly Aponte (07:40)
One of the more interesting things about the data that was found as well as it was in the unallocated space of the drive which is interesting it tells us that this section of ⁓ the storage was actually deleted so It’s similar to you going into your operating system and deleting it to say a word file, you know

The file is still there, as Adam had mentioned, it’s the index that is gone. I always go back to this file cabinet analogy that I learned about a long time ago and really kind of put it together as, imagine you have a file cabinet full of files and you just take all the labels off the files. what deleting it is. ⁓ The data is still there, it’s just not indexed to the operating system itself. So that tells us that this data was attempted to be deleted and indexed.

was gone but it did persist.

Caitlin Fjerstad (08:34)
Yeah, yeah, you can definitely see it. And great analogy. Thank you for talking through that. That helps me a lot. I’m sure it helps a lot of people think about just how they need to properly sanitize it, not just delete the file, but sanitize the devices to make sure that is done properly and that there truly isn’t anything remaining. ⁓ Wonderful. Another question I had here is more from a business standpoint, I guess, what does residual data on decommissioned

switches actually mean for an enterprise organization. What does that look like from their lens?

Adam Burrett (09:07)
if you look at the data that’s remaining on these switches, you’ve got look at the categories as well. So if you look at what devices we are processing, I like to look them as a pyramid. So then you have things like switches, which are at the bottom of the pyramid. The kind of data that’s on there is more around where you’re plugging into a network. One of my first jobs here, supermarket, a chain called Marks and Spencer’s.

We used to have a till in the middle of a really busy retail space, and they used to have ports all around the wall that you could literally just go and plug into. But if you plug in blind, you don’t know what you’re doing. If you had access to the switches from that site or from a similar site, you’ve got a roadmap. So you know what to plug in, how to configure your machine, and what you’re attacking. The reason why I said a pyramid is there’s lots of those on the market. You’ve got access switches all over the place.

The security, you need physical access in order to compromise it. So the risk is there, but it’s not as great, let’s say, the next level up, which is things like your enterprise switches. These are things that coming out of data centers. These are huge. If you have access to these things, and you could potentially gain access to a network without physically being accessed to it, potentially, because it’s a data center.

And then above that, you’ve got things like routers and firewalls, or routers and firewalls, because obviously we say routers, you guys say routers. They’re connected directly to the internet. So if you have one of those, and engineers are going to get shot for this. Engineers are lazy. The chances are that the password on the new kit is exactly the same as the password on the old kit, just because we don’t want to keep changing all our records. So if you get hold of one of those, the chances are the kit that’s

Adam Burrett (10:54)
gone into replace the equipment that’s just taken out, is it configured either in the same way or very similar? So that then gives you access to the keys into the building without actually getting into the building. You everyone worries about a hard drive. A hard drive is a point in time snapshot. If you get access through a router, you’re in the network, you can get access to the live data, not the old data. And if you’ve got things like radius, passwords, and user credentials, again, that’ll give you access directly to the files.

That’s the kind of level of risk that you’ve got. It’s a case of giving people access into your network.

Caitlin Fjerstad (11:31)
Yeah, that is great insight into how enterprises can stay secure day to day from all of those potential risks as well.

Caitlin Fjerstad (11:38)
All right, so thinking about common methods like file detection or factor reset too. So common methods for those, why did those common methods fail to fully remove this data? Because I’m sure most people think that they do fully remove the data. So why do those fail? Or what is happening technically under the surface that makes these devices vulnerable? ⁓

Adam or Rolly, don’t know if either of you are able to provide some insights on that technical side.

Rolly Aponte (12:10)
⁓ yeah, we’ll take a step of that one. So this is a logical deletion. So that is essentially the removing of the label off the file, you know, in the file cabinet analogy. ⁓ There are much more secure methods out there such as overwrite, you know, where you’re actually, you’re not just unindexing the file, you’re overwriting the file. So that’s not, you can’t retrieve the data anymore.

⁓ Other methods are cryptographic erasure where the data is encrypted as it’s stored. And in instance, you would delete the encryption key. ⁓ The data would remain behind, but it is encrypted and ⁓ unusable at that point.

But a lot of these factory resets ⁓ are logical deletions and they do exactly what they say. It’s just getting a provision, know, provisioning it for another ⁓ life, you know, the next factory reset, the next time you use the device. So, and with most delete commands, you’re just getting the logical delete as well.

Caitlin Fjerstad (13:11)
Okay.

Adam Burrett (13:13)
Yeah. And I think the other, the other danger with factory reset and to be honest, a lot of the manual techniques is evidence and the ability to verify. So a factory reset, and we’ve seen this on multiple devices where you run the factory reset and it prompts you and says, we are now going to erase all the files. You run the command and we always send it. We always do a check. We always pull the flash out and make sure we do our own checks before we add something. So you go through and you go, okay, fine. She said you’re going to erase it.

And then all the files are still there. So you can’t actually trust what the screen is telling you. You have to verify and prove that the data is gone. And that’s the biggest problem with factory reset. No manufacturer does these things in the same way. One company does a factory reset and actually erases it and does it properly. And the next one doesn’t. Or even within the same manufacturer. You could have a Cisco switch and you run a factory reset and then a newer version of the firmware, that factory reset no longer works.

Adam Burrett (14:09)
And we’ve seen this multiple times. Juniper is a really good example. The old firmware, when you ran their commands to do the erasure, it worked. You run it on the new ones, doesn’t work. So you have to be very careful with the inbuilt commands because you can’t trust them.

Caitlin Fjerstad (14:24)
Yeah, absolutely. It’s fun to deal with those changes where you think it should be the same and it’s not. I suppose too, as you’re talking about that too, is that something you think enterprises, are they doing that on their level? Is that truly more at the retirement level or is that really more of like the ITAD type of partner level? Where does that always happen? Where should that be happening? I would imagine absolutely on the ITAD side. after the disposal or after you’ve passed it on to the partner, but can you walk through that or give a little bit of description of where that should be happening in terms of making sure everything’s staying safe and reducing that risk?

Adam Burrett (15:04)
I think it depends, and I think Casey will agree on this, it depends on the customer’s risk appetite. So it depends, you know, if, let’s say for instance, a bank, major bank, they’re probably going to say, well, you’re not allowed to take this off site until it’s been erased. And we see this a lot, you know, they have to be erased at the data center, at their offices, before you’re even allowed to pick it up, to bring it back to an ITAD facility to do the wiping. And if you can’t verify and prove you can do that, they’re going to make you shred it, because that’s obviously the ultimate.

Destruction we want to avoid that everybody wants to avoid the destruction side. I think realistically The the end users they don’t have the skills to erase a device and keep it sellable This is this is where the mistakes come in, know People will go in and they’ll just do an erasure and in doing the erasure They’ve wiped the license they’ve wiped the OS and you now have a really nice paperweight because

ITADs don’t necessarily have access to be able to put the OS back on unless there’s one already on there. They certainly don’t have access to things like licensing and things like that. So ideally, you want to have your professional ITAD doing that work because they make sure you’re getting the most revenue for resale.

Caitlin Fjerstad (16:17)
Yeah, absolutely. The revenue for resale potential and just thinking about circular economy. mean, being able to actually put it back into use versus to your point, you you don’t want to have to physically destroy it for many different reasons, both the resale side, but then also just then you have to mind for new materials. So the sustainability aspect, which a lot of people have a focus on, but then also who doesn’t want potential resale revenues back to them to make their programs more efficient and. ⁓

generating actually a return. So that’s fantastic.

Rolly Aponte (16:50)
just wanted to add one thing with the factory reset. It’s rather kind of a blanket term, you know, because they all do it little differently, as Adam has said, and they are largely undocumented. you never, ⁓ it’s very hard to verify what is actually happening under the hood of a factory reset, which is something

we struggle with all the time. know, many devices advertise some functionality of a factory reset, but without verification, it’s, you don’t really know what you’re getting into, you know, so that’s why it’s ⁓ really nice to have that verification of ⁓ like a override or a cryptographic erasure. You know, once you have that in hand, you go from the thought of you think it’s clean and sanitized to knowing it’s clean and sanitized. ⁓

So, and that’s very important, you know.

Caitlin Fjerstad (17:42)
Yeah, that confidence to have in that security is absolutely, yeah, wonderful.

Casey Dingfelder (17:46)
Any residual data that’s left on a device at its end of life, it’s a data breach. So sometimes the data is going to be meaningless or harmless, but the only way to really be sure is just to get 100 % eradication and have it verified. I mean, that’s the only way to truly be safe. So you don’t want to take that chance that the data that’s being left behind is, you know, maybe falling under that harmless side. Just, you need to make sure you have confidence that all the data has been sanitized, erased and

And to Adam’s point, you can verify or it’s been verified that it happened.

Rolly Aponte (18:21)
Yeah, and to add to that, through our findings, we found different artifacts of remnant data. And one the important things to consider with this is a lot of times these different fragments are aggregated together to paint the whole picture. So ⁓ whether it’s a small

Artifact, know, no matter how insignificant it may seem does represent a flaw in the process and it’s Like getting one puzzle piece, but ultimately you’re trying to get the picture. So you put enough of those pieces together And you can certainly have something pretty dangerous on your hands, you know, so the aggregation of data is something that is Not really discussed a whole lot but is very important to consider ⁓ How you can buy multiple pieces of network equipment and reconstruct that?

Adam Burrett (19:11)
And then the other thing to think about with you piece it together and it could be data that’s no good to anybody apart from the name of the person you’ve taken it from. And that then brings out reputation damage and it’s reputation damage for the end user, but it’s also reputation damage for the ITAD because you know, the data could be useless for a hacking point of view, but for a nice new story to say, look, I’ve just got a switch that’s come from this bank down the road. It’s another thing that causes a risk.

Caitlin Fjerstad (19:39)
Yeah. So I think ⁓ this next question that I had really ties into this. So maybe it’s just a question if you guys have additional information or additional details on that. But going into that risk, how does that type of exposure for organizations or how could this expose, excuse me, organizations to regulatory compliance or just again, as you were kind of alluding to that reputational consequence?

Casey Dingfelder (20:09)
I think it’s going to vary depending on the organization. So like you take healthcare, for example, they’re going to be regulated by HIPAA. If it’s financial with the PCI payment card industry, like there’s just expectations that they have certain security in place to protect, safeguard that information and not properly disposing of these switches at the end of life would make them liable that they didn’t do a good job of protecting.

you know, the consumer’s information or the patient’s information from a HIPAA perspective. So it’s probably going to vary ⁓ industry to industry or from company to company. But then just, just in general, like it’s just bad image, bad brand branding for a company too, to have a data breach. I think no one wants it, but I think others are going to be regulated more ⁓ than others at the same time.

Caitlin Fjerstad (20:57)
Yeah. And I think, you know, I know people talk about the different certifications too. It’s the, as you say, people are going to be regulated more certain industries might be regulated were more, but having those certifications to not only are you having the processes in place, but you’re being audited that you have the processes in place day to day and making sure again, Rolly, you alluded to it or mentioned it earlier. It’s just that confidence, that confidence and the trust that you can have that it’s being done properly, that there is

you know, that risk being eliminated from that as well.

Okay, so question maybe from each of your lenses or whoever wants to speak up on this, what would you say really from either dynamic side or Hydra side? What is different or what makes your guys’ approach to sanitizing networks which is different from standard industry practices? If either of you can describe that a little bit.

Adam Burrett (21:57)
So I think from the Hydra’s point of view, the aim for Hydra is to make it so that you don’t have to remember all the commands. You don’t even have to tell it what you’ve plugged in. So it’s, automates the entire process. And because of the way that it’s been built and the way that we verify devices as we add them to the product, when we give you a green certificate at the end, there’s no question, has it been erased or not? So.

you’re at the end of a test, you’ll always end up with a red light or a green light, which is, which is the easiest way to understand what’s going on. And if it’s green, then it’s been erased. And if it’s red, then it hasn’t. And I think that’s, that’s the simplicity and the ability to give you a certificate that we are happy to say this is certified as erased use the confidence and the standard that, ⁓ that a lot of ITADs and a lot of people do generally is that they, they will literally just

go into their database of text scripts and start typing the commands out. And then at the end they go, yeah, that’s done. That works. And then they move on to the next one. And then they move on to the next one. Or they’re just pressing the factory reset button and saying, it’s factory reset. When you look at NIST, from a NIST clear, just a standard NIST clear, factory reset is OK. But they put a massive caveat at the bottom of it that says, but it’s probably not.

Caitlin Fjerstad (23:18)
Right.

Adam Burrett (23:20)
And

now you’ve got NIST v2, which has come out, which completely changes the whole thing. And they’re now basically saying, no, you need to treat this equipment like you would in a war hard drive. So the standards are catching up for this, which is great. And it’s great for the industry that the standards are catching up. And people actually now understand what the expectations are because historically it’s just been, you do what you think is right and what Google tells you to do.

Caitlin Fjerstad (23:46)
Right. And I’m sure too, thinking about, you know, working with a partner, you’re trusting in what they’re telling you. And so if they’re meeting the standard requirements, but the standards maybe aren’t up to what the new industry needs are to ensure that security, then you might be getting the minimum requirements or the minimum risk protection. But you want above standards, you want above and beyond that risk mitigation to make sure that you’re absolutely taking care of it.

Yeah, we’re doing the minimum that we can to secure that data and making sure that nothing’s going to be happening there.

Adam Burrett (24:22)
Yeah, yeah, definitely.

Casey Dingfelder (24:25)
From dynamics perspective, there’s two criteria criteria that we were really looking for. One, it was to remove the human element, having to remember the command prompts, knowing what files to delete on every model. just the training as you hire new people or new team members. And then as new models come out, there’s just a lot to have to manage. Right. So having an automated solution, ⁓ to, remember that, to manage that. And then the second part, which is the most important is the ability to verify. So those were the two criteria we were really set out to look for.

to give us confidence that we could recover the value. Because if we can’t honestly ⁓ comfortably say that we’ve erased the data from the machine, we don’t try to pursue the value recovery side of it. So in order for us to get both ends of the data and the value recovery, we wanted those two sets of criteria to be checked.

Caitlin Fjerstad (25:15)
Yeah. Wonderful. Thank you. Okay. I know we are running to the end of the questions, but one thing that I do always like to ask people at the end of our podcast episodes is about advice. So thinking about the topic at hand in terms of network switches being properly sanitized from maybe each of you, if you want to give a little bit of a snippet, and it can be something that you said already, if you just want to really put an explanation point on it, but what piece of advice

would you be giving to people who are handling this type of equipment and sending it off to somebody else for sanitization and possibly resale?

Casey Dingfelder (25:52)
So I would recommend just challenging, asking your vendor what their process is, and then just challenging them to verify that. So, ⁓ you know, it’s easy to say, Hey, what are you doing with my devices that I send to you? And then to say, we wipe them and resell them, but really kind of lean in and ask for them to explain what the wiping process consists of, and then have that verification at the end. If they can produce that, then you can feel confident that they do have a good solution in place. But if you start to uncover,

that maybe they technically aren’t covering some of the areas that they should, then I think it’s going to create more concerns or more questions that you should be asking. So again, I think just leaning in, not just taking the surface answer of that it’s being wiped, but really kind of asking the how, ⁓ how it’s happening. And then really it’s that, okay. And then also show us or explain how it’s verified. Those are the two pieces of advice I would have.

Adam Burrett (26:45)
I’ll double that actually because that’s really good advice. The provider you use to process your kit, you should be asking them, what product are you using to erase my networking kit? We’re all used to saying, what product are you using to wipe my laptops? Because we all know the only way to actually wipe a laptop or a desktop is to use a product. that should be a question now for networking equipment. What are you using to wipe my equipment?

To do an erasure on 50%, 60%, 70 % of the equipment out there, it cannot be done by hand. It has to be done by an automated system. So the question should be, what do you use to process my equipment?

Rolly Aponte (27:27)
Yeah, think it hits nail right on the head is just making sure it is repeatable, verifiable, and you are documenting it. the verification is documented as well, just ensuring that it’s airtight.

⁓ You know these devices very wildly ⁓ so it’s a difficult challenge to make sure it’s all supported and Adam you’d know more than anyone that you know they’re not all created equal some of them are be tricky you know so I think automation is is absolutely critical here really removes a human error you know element of it

Caitlin Fjerstad (27:57)
Thank

Great advice and definitely, you know, I think it sums up what we’ve been discussing for the last bit here wonderfully as well, how it’s happening, what that process looks like, what products are you using within that process, and then how are you verifying that. So going through that and then to Rolly’s point too, making sure that it’s automated, it’s repeatable. We want to make sure this is not

left to human error that it does have a structure and a process to it to make sure that it’s going to be handled no matter what type of product it is and that it is sustainable and repeatable to that point too. So thank you. Really appreciate that advice. ⁓ But overall, thank you, Casey, Rolly Adam, everybody for joining us today. We are so happy to learn a little bit more about network switches, sanitizing them and how to make sure you are eliminating that risk.

to the data that is on those, which is ever so important ⁓ and especially for multiple industries. So really appreciate all of you having time to share your insights today. So thank you all for joining us.

Adam Burrett (29:10)
Thank you very much. for having me.

Casey Dingfelder (29:10)
Thank you, Kayla.

Rolly Aponte (29:11)
Thank you again. Bye.

Caitlin Fjerstad (29:12)
Wonderful.

Well, if you have any other questions for any of our listeners, I’m sure that all three of these gentlemen would be super excited to connect with you and answer any questions that you have. otherwise, too, we just encourage you to ask those questions that the three of them gave in terms of their advice. Ask those questions about your own program, about your ITAD Partners program to make sure that you have that trust and confidence with what is happening to your equipment and the data on that equipment.

That’s what we’ll leave you with and tune in next time for the next topic on the Spark podcast. Thank you everyone.