Vancord CyberSound Podcast
Episode
111

IT Asset Disposition for Data Security & Insights with Rocco D’Amico from Brass Valley | CyberSound Podcast by Vancord | Ep 111

In this September 2024 episode of CyberSound™, Vancord's cybersecurity podcast, co-hosts Jason, Michael and Steve sit down with Rocco D'Amico, CEO of Brass Valley, to discuss the critical impact of IT asset disposition (ITAD) on data security and regulatory compliance. Rocco highlights essential best practices for secure data destruction, focusing on NIST 800-88 standards for data erasure and hard drive shredding, while exposing the risks of outdated methods like DoD 5220.22-M. The conversation stresses the importance of maintaining a proper chain of custody to safeguard sensitive information.

Rocco also introduces Brass Valley’s innovative circular economy initiative, which repurposes decommissioned IT assets and donates laptops to students in Ghana. This episode is a must-listen for businesses aiming to enhance their data protection strategy, stay compliant, and implement sustainable IT asset management practices.

Jason Pufahl, Steven Maresca, Michael Grande and Rocco D'Amico discussing IT asset disposition for data security and insights.

Episode Transcript

00:01

This is CyberSound, your simplified and fundamentals-focused source for all things cybersecurity.


Jason Pufahl  00:12

Welcome to CyberSound. I’m your host, Jason Pufahl, joined today by Michael Grande and Steve Maresca. Hey guys, and we’ve got, on Zoom, a special guest, Rocco D’Amico, the CEO of Brass Valley. Welcome Rocco, thanks for joining.


Rocco D’Amico  00:28

Well, it’s great to be here. Thanks, guys.


Jason Pufahl  00:30

So we, we’re gonna talk a little bit about sort of your business, and I’ll summarize it really quickly. You’re in the data destruction, data disposal business primarily. But if you could maybe give a couple minutes of who you are, who you serve and what you do, yeah.


Rocco D’Amico  00:49

So we are in the ITAD industry, which is IT asset disposition, and we work with large to medium-sized companies. When they're done with their old computer equipment, usually it's data center equipment. We do a lot of that, we're data center centric, but when they're all done with the old equipment, they need someone that's a third party to come in and erase all the data, remove the equipment, which is what we do, then we bring it back to our facility and we either recycle it or we refurbish it and resell it. And if we resell it, the customer gets a revenue share based on the resale proceeds that we've received.


Jason Pufahl  01:22

So from a destruction standpoint, is it really, is it physical destruction? Is it primarily software based erasing of data? What types of data do you generally, you know, is it paper and electronic?


Rocco D’Amico  01:34

So it's a financial question really, because most of the companies that we're working with are trying to recuperate some of the investment that they have in the equipment. So our first stop is going to be erasure, if possible. And we erase to NIST 800-88 specifications, but if the equipment has no value, and it's going to be scrapped anyway, what we'll recommend is that it's physically shredded. So we'll physically shred drives, and that's just a less expensive way to go for these folks. So that's how we do it.


Steven Maresca  02:08

So what practices would you say organizations need to know about if they’re not actually performing disposition of devices in this capacity at the moment?


02:21

Well, smaller companies probably try to do an fdisk or something like that, they'll try to do a reset or something like that. And it really doesn't get the data. It just gets the pointers, so it just removes the pointers to the data, and the data stays on the drive. So you really need to have a professional service or software that goes in that's specifically built for erasure, and they've got their own algorithms for how they do it, they write ones and zeros over the platters. And if it's solid state, it's something different. They erase in a different manner, but I think the biggest misconception that I see, or the biggest, I don't know if it's a misconception, but people ask for the Department of Defense 5220 erasure specification, and that's really like 15 or 20 years old, and it was designed for older technology. And the NIST 800-88 standard is much more current and designed for modern drives, and it works much better. It's much quicker, and so it's also a source of cost savings for the customer as well.


Steven Maresca  03:29

I'm glad you mentioned it, because too many folks reference the, you know, the seven-wipe DoD standard whole, but, you know, they don't know that it's for a 10-inch drive platter from 1977. So that's helpful. I mean, there are plenty of people who do that just sort of blindly, because they think they have to.


Jason Pufahl  03:48

Well, right? So, I mean, are you coming up against, you know, all formats of media still? I mean, you know, do you have clients calling you about, hey, I need my five-and-a-quarters, my three-and-a-halfs, my old, my old disks, like? What are your conversations with clients? What types of things do you get into?


04:05

Yeah. So a lot of times it's funny, because a lot of times when they hear we're coming in, it's like word spreads around campus, and before you know, people are opening up closets and say, hey, while you're here, come get this and come get that. And so we do see older technologies. Typically, they don't know what they have. They just say, we know we have hard drives and we need to get them erased. But with that, most of the focus with most of the companies we deal with is on the hard drives, and what they don't realize is that there's also information that's stored in other places that creates an attack vector for someone to get in, or an attack surface for someone to get in, if they get their hands on it. So you're speaking about arrays, for example. For years and years and years they've been built for speed and self-healing, and because of that, they use buffer memory. So we had a situation many years ago where we took in maybe 15 arrays from a large bank, and just for laughs, one of my technicians went and said, well, hey, let me, and these arrays had supposedly been erased by the OEM, and they were, but my tech said, hey, just for laughs, let me plug this in to see what happens. Well, he plugs it in and all the data from the buffer memory got written right back onto the drive. So at that point, it was like an eye-opener for us for a couple reasons. One was like, well, hey, if the OEMs don't even know that this stuff is in there, who else does? And the other eye-opener was we have to be vigilant and look at different areas where data might be, because that's a potential liability for our customers. So I think that people need to think a little bit about the architecture to understand where the total exposure is.


Michael Grande  04:13

Rocco, you mentioned banks in that last example. Are there any industries that you sort of mostly focus on, or are you sort of, you know, very broad based?


06:10

Typically the industries we play well with are highly regulated, so it's healthcare, it's banking, it's financial services, pharmaceuticals, biopharmaceuticals, companies like that, typically. But what we have, since we're in the high end, what we have fits everybody on the lower end too, it's just kind of better than what they've ever seen before. So, right?


Steven Maresca  06:32

Yeah. So I have a bit of a left-field kind of question. We have some customers that care about long-term longevity of data. I'm confident you have some degree of opinion about data storage mechanisms that are resilient, that stand the test of time, if they wish to keep them around a long time. Do you have any exposure to that sort of thing in your business?


06:56

Not necessarily in this business, except we do get situations where there's merger and acquisition activity, and what we find is that they're going to do one of two things. They're either going to try to hold on to the hardware that they've acquired because it's got some information that they are required to hang on to a while, and they'll hang on to it, and they'll put it in the closet, wherever they put it, or they're going to try to pump it up to the cloud, to maintain it like that. So that's kind of the two mechanisms we see for people that want to retain data.


Steven Maresca  07:28

Makes sense. Thank you. Other treasure troves of long term data are usually around, you know, litigation, expectations, employee termination, things of that variety. Do you treat that with any higher degree of sensitivity?


07:43

Well, we don't usually. When people are sending their equipment to us, they're sending it to us to be destroyed. So we eradicate the data, and it's up to them to save whatever they need to save. And usually, as I say, they're either going to not give it to us or they're going to pump it into the cloud somewhere and save it like that.


Jason Pufahl  08:00

Yeah, the outcome of his business is pretty straightforward.


Michael Grande  08:03

There’s only one outcome.


Rocco D’Amico  08:07

I'd like to tear things down.


Jason Pufahl  08:09

It'd be way easier to take apart than to build it. So what types of things should a client be thinking about, though, when they call you? Do they need to be concerned about, you know, chain of custody, for example? Or, you know, is there a time where you take drives, maybe, and don't destroy them on site? And is there a period of time where you have to store them? And, you know, is there a secure facility to do that? Like, you know, what types of things might impact an engagement?


08:38

Sure, so one of the things that we emphasize with our clients is that they really need to pay attention to chain of custody, because most people think the chain of custody ends when they give their equipment to us, but really you cannot, as a company that is the original generator of the waste or of the data or the storer of the data, you cannot sever your liability for that information or that equipment, either, you know, from an environmental perspective, or from the data security perspective. So they're on the hook, no matter where it goes, to me or my downstream. So a good chain of custody, and a chain of custody, really, they all started out back in the hazmat industry, the hazardous waste industry. It was a way to track hazardous materials from the point of origin all the way to the grave. So cradle to grave, they wanted that kind of tracking. So a good chain of custody is going to be able to give you that kind of a trace and a roadmap to see where all the equipment goes. And so a lot of times what will happen is the customer will get a certificate of recycling, and it really, in and of itself, is worthless. You really should have the chain of custody, and for instance, for sensitive information, you really should have serial numbers on that, for the computer that it came off of, for the hard drive that it came off of, because the first thing when something goes wrong and something gets stolen, or something ends up in a lake, which happens, the first thing that happens is they look at the serial number, they say, okay, HP, serial number XYZ. And they say, this is like the state troopers that do this, or whoever does it, they go to HP, and they say, who had this under maintenance, and that's how they trace it back to the original owner. And then you need, as the owner, to be able to say, okay, serial number XYZ, I gave that to Brass Valley. This is how they handled it. And you need to be able to do this.
So that's that whole loop that you want to be able to construct when you go through this process.


Steven Maresca  10:38

I mean, certainly there are many horror stories of devices with recoverable data on certain auction sites that we shan't mention by name. So, yeah. Well heard.


Jason Pufahl  10:47

Yeah. And so actually, if we could speak a little bit to that, you know, asset recovery piece. You said that, you know, some of your clients hope to resell some of the hardware, recover a little bit of their initial investment. What does that process look like? And is there a chain of custody element to that? Or how does that work?


11:12

Yeah, so throughout the ITAD industry, they've got what they call a circular economy, and that basically means we're going to try to get as much life out of the equipment as we possibly can, which means we'd rather resell it and have somebody use it than to have to just tear it apart and shred it and smelt it and turn it into something else, because the more you can extend the useful life of the equipment, the better off the environment is going to like it and everybody else is going to like it, right? So what we can do is, in that situation, we take, let's say it's a laptop, we'll be able to tell where we sold that laptop, and we keep those records, so that way, if something goes wrong and that laptop ends up someplace where it's not supposed to be, we can go back and say, no, this was a sale, and this was done legally, and all that. So that's how we take care of that. And somewhat while we're on that topic, one of the things that we're working on, I've got a gentleman that works with me from Ghana, and we're taking laptops that were not going to be used in the States because they're too late and low-tech, the technology is too low-end, but over in Ghana, where they don't have anything, we're sending it over there. Our goal is to try to give every school in Ghana, every kid in every school in Ghana, a laptop computer, so that they can have an introduction to the 21st century, really. So it's really pretty cool.


Jason Pufahl  12:34

So do me a favor, speak a little bit more about that, because I don’t want to gloss over that. So that Brass Valley’s goal is to work with an individual from Ghana to actually get computer equipment to students.


12:44

Yeah, yeah, we've got it just by happenstance. It was a gentleman that works for me and comes from Ghana, and, like companies like the United Nations, I've got people from all over the place. So this gentleman from Ghana, he happened to be connected to high government officials in Ghana. And he got the idea, said, you know, and he's a very charitable man. He said, hey, he's looking at all these computers going through our building, and he knows the ones that we're scrapping, that we're setting down to be recycled. And he said, you know what? I know somebody that can use that. And he goes, all the schoolchildren in Ghana, they have nothing. Yeah, they really, I mean, it's dirt poor. So we just kept working it and working it, working it. And now we're starting, I think we've had four or five shipments, initial shipments go over. So we're trying to build that out, and then who knows where it goes after that. I'd like to do it for the whole continent if we could.


Rocco D’Amico  13:41

That's a great cause.


Jason Pufahl  13:43

Great. Yeah, good for you. Congratulations on pulling that together.


Rocco D’Amico  13:46

Thank you. Yeah, he's doing all the work.


Jason Pufahl  13:50

Yeah, yeah, you get to tell the story. Yeah, I think it's a fairly straightforward business that you have. So I don't want to overdo it, necessarily. It sounds, though, I love the term. Did you say a circular economy? That's a great way to describe that business of recovery and reuse like that. Anything that we haven't covered today that you wanted to make sure that our listeners heard or that you were able to get across?


Rocco D’Amico  14:21

I will share one other thing with you folks, because it may help some of the listeners. One of the things that we implemented in our organization was high reliability practices, and they were originally used, I don't know if you guys are familiar with this, but they were originally used in the nuclear industry, and then they were adopted by the aviation industry, and then they were adopted by the healthcare industry. And it's basically a way to prevent a human error that's going to cause a big problem where somebody's going to die. And so what we did was, if we have a data breach, it's a big deal, because we're working with a lot of data centers, and it's going to be a mega breach if something goes wrong with one of our processes. So I had a lot of confidence in our processes, but I didn't have as much. There were just silly little mistakes that were happening with people. And so my wife, who was an educator at Waterbury Hospital, she would tell me frequently, you know, hey, we would talk during dinner time, and we'd say, you know, this happened, that happened. She'd go, you know, you really ought to think about the high reliability practices. And so being the attentive husband that I was, I said, that sounds great. Pass the potatoes, would you? So finally, one day I got frustrated. She explained to me how it came to be and just the magnitude of improvement that it could make. So just a quick example: in the American healthcare system before they adopted these principles, the healthcare system in America was losing the equivalent of a 747's worth of people falling out of the sky every day. And these were just needless mistakes that were causing deaths. And so we've adopted the practices in our organization, and I'm seeing much less. The error rates are much lower, and it just works.
So anybody that's looking at this frustrated, like I was, with just the little human interaction issues that come up, just because they don't teach you how to work with each other in school, there's not a course on that. So this is kind of like the course on that, that makes things work, and it makes everybody want to play together as a team, and it takes away any kind of stigma for asking the dumb question and that kind of thing. So it's really good. So that's what I'll leave you with.


Jason Pufahl  14:30

How long did it take you to put that into practice?


Rocco D’Amico  16:42

It's ongoing. But, I mean, we've been doing it for at least two years now. So you never let go, you always reinforce it, but I would say probably three months, you know, three months of constant, and then the team started coming back to me with things, you know, that's when I knew they got it, you know, I just knew they got it right.


Steven Maresca  17:00

I think that’s a great place to sort of wrap up. I mean, it’s culture in general, in process, culture in data handling and management, information security. It’s not talked about enough, but it is one of the core things that makes everything flow fluidly and without friction.


Jason Pufahl  17:17

And you know, while the outcome of your business probably isn't hugely complicated, the process is, to make sure that you have demonstrated, you know, that chain of custody, the attestations required to say that you have destroyed something, like all that assurance. I'm sure there's a lot of nuance and a lot of complication to tracking that and ensuring it. So, absolutely.


17:37

Absolutely, yeah,


Jason Pufahl  17:39

Well, I think we’re roughly up against time, but I appreciate you joining. I think it’s this is a topic that mostly every business probably cares about, sure, and as we talk more about data governance, hopefully we can kind of continue to reinforce the importance of actually doing the right things with the data that you store, process, transmit and ultimately need to dispose of so well.


Rocco D’Amico  18:04

Thanks for having me, guys. I really appreciate it.


Jason Pufahl  18:06

Thanks, Rocco. And of course, as always, if anybody has any questions, feel free to let us know, and we can address that and move forward.


Rocco D’Amico  18:14

Thanks again. Thanks.


18:15

We’d love to hear your feedback. Feel free to get in touch at Vancord on LinkedIn and remember, stay vigilant, stay resilient. This has been CyberSound.
