In the first installment of Why Information Must Be Destroyed I discussed how not discarding worthless hard copy documents, even though they appear to have no value is a security risk. While this is true for physical hard copies, it is even more relevant for digitally stored data.
This installment deals with the process of destroying hard drives and other digital media. This is commonly known as disk sanitization or data purging. Unfortunately, far too few organizations realized the need for the issue, and therefore few have formalized processes around data purging.
What needs to be destroyed?
The Unified Compliance Framework (UCF) media destruction recommendations include handling guidance for the destruction of 48 different media types including compact flash drives, electronically erasable PROM (EEPROM), magnetic tape and more. The UCF also identifies the appropriate data elimination practice for each type of data storage asset including the use of secure erase, chemically clean, ultraviolet erase, and shredding.
Ultimately, any device capable of storing data that has reached the end of its usable life must be addressed by a policy that effectively mandates the elimination of any trace of legacy data. Essentially, any storage medium; including optical media, backup media, cassettes, VHS tapes, floppy disks, X-rays, microfiche, microfilm, intelligent mobile devices (BlackBerry, smartphone, etc.), ID cards, and credit cards; that contains any confidential or personal information should be addressed in policies regarding access, retention, handling and destruction. [See also The Seven Deadly Sins of Record Retention.]
For example, a smartphone, be it a BlackBerry or iPhone, presents a significant risk to data loss protection efforts if adequate disposal procedures are not applied. Smartphones often contain a poorly protected image of the user's complete inbox, contact information and other confidential information present on their workstation. Yet, despite security measures to protect workstations and organizational messaging systems, smartphones often are neglected.
Given the relatively short lifespan of these assets (smartphones are replaced on average of every 18-24 months) and that many organizations do not have the available resources to handle the data elimination process, there is a high probability that your organization is warehousing a significant inventory of used units. The risk of data exposure due to the loss or theft of a just a single device can initiate the need to issue a mandatory disclosure of lost data. Hence, every organization must seriously consider the risks posed by the warehousing data storage devices.
Used Equipment—The Afterlife
Once hardware reaches the end of its operational life to an organization, it is often returned off-lease, donated or resold. Used equipment with hard dives or other media should not be released from the organization's control unless data has been eliminated from the equipment, and data destruction has been verified. A zero tolerance policy against the selling of used media that cannot be effectively sanitized should be established.
You may receive email offers with subject lines like: Cash Your Used Tape and Data Cartridges, We Buy Used DLT and Backup Storage Media, Check Out Our Surplus or Used Media Donation and Buy-Back Program. Such email should be considered suspect. The reality is that the money that can be made from selling such devices pales in comparison to the substantial security and legal risks. Even if the vendor promises to securely erase the media, in the event of a failure or breakdown in process, imagine having to inform the CEO that 10 million customer records were retrieved off a tape which was sold for $14.00. Bottom line, never sell used media, destroy it.
Under no circumstance should backup tapes or other media that cannot be certified as devoid of any recoverable data be exposed given to any outside organization, with the only exception being by court order.
Simson Garfinkel' writes in Remembrance of Data Passed: A Study of Disk Sanitization Practices on computer.org that the secondary hard-disk market is almost certainly awash in information that is both sensitive and confidential. His conclusion was based on his research that included buying used hard drives from various resellers and, by using conventional recovery methods, discovering that most of the equipment contained sensitive personal or sensitive corporate information. [Editor's note: Garfinkel covered this research for CSO in his Machine Shop column Hard Disk Risk.]
The handling of storage hardware under warranty that has failed while in operation is also something that needs to be addressed. Even if the vendor provides assurance that the media will be sanitized, the organization loses all care, custody and control of the asset once it has been handed off to the carrier for return to the vendor.
Once this asset has left your custody, the potential for loss in transit, or assurance that the device was in fact sanitized is out of the organization's control. Should the device be lost in transit, or not properly sanitized as promised, and end up in the aftermarket, it will be the owner of the data making the mandatory disclosure, even though the loss was not their direct responsibility. Unfortunately, data loss at the hands of a third party is far more common than one might think.
Disk Sanitization Solutions
NIST Special Report 800-88 [PDF link] describes three levels (clearing, purging, destroying) of data sanitization for hard drives. Each level has specific advantages and disadvantages, and depending on the type of information stored on its hard drives, each organization will need to establish policy using the appropriate sanitization practice to address its concerns.
Clearing—Clearing information is a level of media sanitization that protects the confidentiality of information against a robust keyboard attack. Simple deletion of items doesn't suffice for clearing. Clearing must not allow information to be retrieved by data, disk or file recovery utilities. It must be resistant to keystroke recovery attempts executed from standard input devices and from data scavenging tools. Overwriting, for example, is an acceptable method for clearing media.
Purging—Purging information is a media sanitization process that protects the confidentiality of information against a laboratory attack. Laboratory attacks involve a threat with the resources and knowledge to use nonstandard systems to conduct data recovery attempts on media outside their normal operating environment. This type of attack involves using signal processing equipment by specially trained personnel.
Degaussing is a purging technique which exposes the magnetic media to a strong magnetic field in order to disrupt the recorded magnetic domains. A degausser is a device that generates a magnetic field used to sanitize magnetic media. Degaussers are rated based on the type (i.e., low energy or high energy) of magnetic media they can purge. Degaussers operate using either a strong permanent magnet or an electromagnetic coil.
Degaussing can be an effective method for purging damaged media, for purging media with exceptionally large storage capacities, or for quickly purging diskettes. Degaussing though is ineffective for purging nonmagnetic media, such as optical media, CD-ROM, DVD, etc.
NIST 800-88 lists specific recommendations for purging different media types. If purging media is not a reasonable sanitization method for an organization, the guide recommends that the media be destroyed.
Destroying—Destruction of media is the ultimate form of sanitization. After media are destroyed, they cannot be reused as originally intended. Physical destruction can be accomplished using a variety of methods, including disintegration, incineration, pulverizing, shredding, and melting.
If destruction is decided upon due to the high security categorization of the information or due to environmental factors, any residual medium should be able to withstand a laboratory attack.
As detailed in the Media Disposal Toolkit, the decision for which sanitization method you will choose should be based upon the classification of the information that you are storing on that specific media.
Software-Based Disk Sanitization
To fully erase all data from a drive's media surface, special-purpose software must be used. These utilities eliminate user data by overwriting all accessible areas of the media surface with obfuscating data to make the data that is overwritten unrecoverable.
There are a many sources of overwrite utilities ranging from the popular open source Darik's Boot and Nuke (DBAN), to commercially available products such as iolo technologies' DriveScrubber. These software tools provide the user the ability to define the level of data sanitization through the choice of overwrite methods and iterations.
DBAN is launched from a self-booting disk, optical media or USB flash drive and securely wipes the hard disks of most computers. Configured for automatic operation, DBAN automatically detects and completely deletes the contents of any attached hard disk, making it an appropriate utility for bulk or emergency data destruction.
Although many still reference the need for a multipass overwrite processes as stated in the outdated National Industrial Security Program operating manual (DoD 5220.22-M), according to NIST 800-88 and the University of California San Diego's Center for Magnetic Recording Research, a single overwrite pass of the entire media surface is sufficient to render the data inaccessible.
As a tool for securely deleting specific confidential files, software has a more functional role. Unlike hardware-based solutions, software such as PGP's Desktop Shredder can be configured to wipe specific data or free space on the hard drive. This flexibility affords the owner of the data the ability to eliminate all remnants of deleted data and maintain ongoing security, while retaining programs and existing files, and keeping the operating system intact.
Although software can provide a cost effective and easily configurable sanitization solution, it has the disadvantage of requiring significant time to process an entire high capacity drive. Additionally, should there be damage to the media surface, the software may not be able to sanitize data from the inaccessible regions, and the process may fail.
An additional advantage that software has over hardware is that you can wipe just the free space on the hard drive, erasing all remnants of deleted data to maintain ongoing security, while keeping existing files and operating system intact.
Unacceptable media sanitization practices
There are a number of methods which are perceived as being effective, but do nothing to remove data. Some of them are:
File Deletion—When a file-system deletes a file, it is not truly erased from the storage media. Rather the file system marks the space as available. That makes the recovery of deleted files relatively easy. Conversely, it makes the true destruction of data somewhat more difficult.
Drive Formatting—The perception that formatting a hard drive removes data is incorrect. Formatting a hard drive does not remove data from the drive. Drive formatting is simply the process of preparing a hard disk or other storage medium for use, by re-initializing the file system. Yet, despite a clean file system, the data will remain on the hard drive in orphaned sectors, and can be easily recovered.
Even though Windows may provide you with the following scary message that all data on the disk will be erased, that is not so as the data can easily be recovered.
Disk Partitioning—When a disk is used for the first time, it must be partitioned, which is the process of establishing the volume allocation information on the hard drive. The information in the partition table identifies how the drive is presented to the operating system, including the number of logical volumes, volume size and the location of these partitions on the drive.
Once a drive is partitioned, each partition is then formatted, establishing the file allocation structure for each logical volume. While some sectors may be overwritten by the new file structure, any existing data though is left intact, and can be recovered.
Encryption—Encryption is a fantastic way to assure the privacy of live data, but is not suitable for the protection of end-of-life data.
Encryption's weakness is that the keys used to secure the data may be compromised. Even if the 256-bit Advanced Encryption Standard (AES) is used, which is unbreakable using current technology; data can be compromised if the user chooses a weak passphrase to protect the data, or if the key was not properly destroyed.
Some have suggested that encryption and then losing the keys is a method of destruction. But in speaking with those who have forensic labs, they note that there are ways of getting keys, as well as cracking keys on lesser levels of encryption. Given that, encryption should be used as a security mechanism, not as a destruction tool.
Hardware-based Disk Sanitization
From a hardware perspective, there are two basic disk sanitization methods, degaussing and destruction.
As stated earlier, the degaussing process involves the removal of data by exposing data storage bits present on the media surface to a magnetic field of sufficient strength to achieve coercion of the bit. There are a number of challenges to using a degausser, and not all degaussers are up to the task. If you are considering using a degausser, ensure that it's on the NSA Degausser Evaluated Products List (DEPL) [PDF link].
The DEPL specifies the model identification of current equipment units that were evaluated against and found to satisfy the requirements for erasure of magnetic storage devices that retain sensitive or classified data. Note also that the operator of the degausser must understand the capabilities of the device, and should be aware of what can and cannot be effectively and securely processed.
Degaussing is a destructive process and will create irreversible damage to hard drives since it also destroys the special servo control data on the drive, which is meant to be permanently embedded on the hard drive. Once the servo is damaged, the drive is unusable. If you plan to reuse the drive, don't degauss it.
When choosing a degausser, some other criteria to consider are:
- Cycle time—amount of time it takes to complete the erasure
- Heat generation—some degauggers will generate significant heat and need to be cooled down. If you need to degauss many drives, this downtime can be an issue.
- Wand or cavity style—Hand wands models are generally cheaper, but may lack certain power features. Cavity style degaussers enable you to place the entire unit into the degausser.
- Size—Do you want a smaller portable unit or a larger more powerful unit? Some of the more powerful models require wheels to move as they can weigh nearly 400 pounds.
- Media never leaves your location, so there is no risk of loss in transit
- Data is destroyed by your own trusted staff.
- Destruction systems can be expensive
- Low volume makes a longer time for ROI
- Staff with other duties may miss devices
- Must manage internal personnel and technology changes
- Lack of space and/or resources for proper segregation between destroyed and non-destroyed units
- Still must have a qualified vendor to deal with residual waste and/or drives that fail sanitization/wiping process
- Time-consuming process
- Disposal of residual material—When you destroy any type of electronic device you must dispose of the residual material in an environmentally compliant manner. The shredding of tape cartridges for example is incredibly messy, and you can wind up with three times the volume of material. In some states, on-site physical destruction of any type of electronic devices may be a prohibited activity under state environmental laws.
- No initial capital investment required
- Can handle varying destruction needs (disintegration, degaussing etc.)
- Can handle varying volume needs
- Experts at data destruction utilizing best practices
- May have even higher security standards than your location
- No need to manage personnel and technology changes
- Regulatory compliant residual disposal
- If litigated, professional secure destruction services destruction documentation is more credible than internally generated processes.
- Media may be transported outside of your location
- May get locked into a bad contract
- May require minimums greater than your needs
- Data is handled/destroyed by non-employees
- If hardware is not disposed of properly, you could be included in a pollution liability case.
- Royal Canadian Mounted Police Hard Drive Secure Information Removal and Destruction Guidelines [PDF]
- Ball State University Procedures for Transfer or Disposal of Computers, Storage Media, and Paper Documents [PDF]
- Cuyahoga County Information Services Center Disposition of Obsolete Equipment Plan [PDF]
- Best Practices for the Destruction of Digital Data
- Hard Drive Disposal: The Overlooked Confidentiality Exposure [PDF]
- NAID Information Destruction Compliance Toolkit
- Storage & Destruction Business magazine
- Segregation—separate all storage devices and media from others to be disposed of materials. Specifically remove all hard drives from to be disposed of PCs, laptops and servers.
- Inventory—Establish the chain of possession of the data storage device. Best practice is to establish the connection of a particular storage device to the unit it was removed from and using internal asset management records to be able to track the machine back to the actual user.
- Isolation—Using secure collection containers, isolate the inventoried data storage devices in such a manner as to prevent unauthorized removal from the destruction process.
The Fujitsu Mag EraSURE P3M and Garner Products HD-3W degaussers are two examples of many of the available brands. Note that it is imperative that the degausser is strong enough for the media, especially hard drives. As hard drives can be particularly challenging to get enough force to penetrate the heavy shielding and plating protecting the platters.
Given the low cost of hard drives combined with the huge amount of data stored on them, the simplest and most cost effective method of sanitization is to simply destroy the hard drive. Just as paper can be shredded, so can hard drives and other media. Video of hard drives being destroyed can be seen at the SSI web site. [See also shredding on a truck in Data Breaches Spark Hard-Drive Shredding Boom.]
Depending on the service used and the quantity to be destroyed, costs for external data destruction are roughly $15.00 per hard drive shredded, but go down to under $3.00 when done in bulk (over 500 drives).
What do you do if a company offers to destroy your hard drives for an unreasonably low price? Odds are that they are not in the media destruction business, but rather are a recycler. Choose a true destruction firm, not a recycler.
For those whose volume warrants in-house destruction, products such as the SEM Sledgehammer and Garner Products PD-4 destroys hard drives with tons of force causing catastrophic trauma to the hard drive chassis while destroying the internal platter.
On the upper end, the SEM Model 0301 Jackhammer is a high torque hard drive shredder that can shred up to 25 hard drives per minute. This is a serious device for organizations that have significant amount of hardware to destruct.
The obvious choice for a hard drive purge would be a feature that one could use at the drives end of life point. While there is such a feature, known as Secure Erase (SE), it has not become ubiquitous for a number of reasons.
SE is an overwriting technology that uses a hard drive-based firmware process to overwrite the drive. SE is a drive command defined in the ANSI ATA and SCSI disk drive interface specifications.
On one side, SE is an excellent free utility, but has limitations relative to types of drives it works on, and requires some expertise over and above basic technician knowledge. SE is approved as a data purging method as per NIST 800-88.
In addition, hard drive manufactures appear to be reticent to advocate a technology that can destroy all of the data on their device. They don't want to receive calls from irate users demanding to know what happened to their data. Given that issue and the technical expertise required to initiate SE, it has not found widespread use.
Media destruction: In-house or outsourced?
Media and hard drive destruction, like other services, can be done in-house or outsourced. Which is the best way to go? Like every decision, the correct answer is the proverbial it depends.
The same issues that pertain to paper-based destruction apply to hard drives and other media. The difference though is that the data contained on one hard drive can be equal to an entire flatbed of hard copy. With that, if outsourced, the amount of trust needed is significantly greater.
There is no single answer to the in-house/outsource question. Every business has different needs that must be considered before a decision is made. Before considering using external service providers to process your end-of-life storage hardware, make sure that you consider the potential risks of handing off unprotected storage assets to a third party. A review of the handling practices and accreditations of the service provider should be conducted when evaluating service providers.
When selecting an outsourced firm, required that they be NAID certified. The National Association for Information Destruction (NAID) is an independent organization that certifies destruction companies. It offers a program certifying its members as complying with best practice for the handling of data storage hardware. Its certification program checks a shredding company's compliance in 22 critical areas.
As the industry watchdog, NAID ensures that its constituent members adhere to industry best practices. Any data destruction organization that is not a NAID member and certified should be dealt with cautiously.
When it comes to something as critical as information destruction -- caveat emptor. Unscrupulous shredding companies will claim to be NAID certified just to get your business. Make sure to ask for a copy of their NAID certificate as proof of their standing or look them up online at the NAID website.
During your consideration of each aspect, speak to trusted associates and ask the vendor for references. The following points can help you in your decision:In-House Destruction—Advantages
If you do decide to do this internally, it is recommended that all destruction activities be carried out under the office of the CISO, and by a trained and trusted technology support technician.In-House Destruction—Disadvantages
If the decision is to outsource, a site visit to their destruction facility is a must. Rather than taking the salesperson's word for it or basing your decision on their marketing glossies, site visits let you know what the company is really like.
During the visit, make sure they have appropriate access control and other security controls in place. This should include alarms, closed-circuit television, mantraps, etc. Ask the vendor for assurance that their employees are trained, bonded, and have passed background checks.
Look around and see how professional the employees are. Are they in uniforms? Are they wearing appropriate safety paraphernalia? Ask to see their documented procedures on how they process incoming items. Ensure that it has appropriate security and quality assurance measures in place. When you leave, you should have a good feeling that it is a reputable firm, staffed with trained professionals.
Once you have decided on an outsourcing firm, regular unscheduled visits to its facility are in order. This ensures that it is indeed a quality organization, and was not simply putting on an act.
There is a lot of good information available to assist you in your data destruction endeavors.
From a policy perspective, there are a number of good policy documents, including:
Taking Data Destruction Seriously
Irrespective of which data destruction technology and methods you choose, what's crucial is that organizations take data destruction seriously. This means ensuring it's a formal process, not something done in an ad-hoc manner.
For example, there are companies that will send you a flat-rate drop box to place all of your old media into, and they will come and pick it up. Some of these boxes can hold up to half a ton. Imagine placing a few hundred hard drives in such a receptacle; this would be a hacker or business intelligence analysts dream come true. For the determined attacked, they will see such a box a veritable pool of retired devices waiting for harvesting.
If anyone is going to seriously consider such a service, they better have a plan A' first, such as physical destruction or degaussing. While such a solution is adequate for old monitors, printers and telephone gear, it is far too risky to use as a destruction solution for confidential data.
Dan Bayha, VP of Technology Disposal at Ogdensburg, NJ-based media destruction firm Back Thru The Future, notes that such a formal process is done by following a plan of segregation, inventory and isolation.
There is a lot more to data sanitization than what has been described in this brief article. But data sanitization is a necessary component of any security policy that is compliant with any of the current privacy initiatives. The inadvertent exposure of confidential information bears very significant consequences and penalties that include financial penalties and in some cases incarceration.
If your organization is not careful about effective media sanitization, your data loss incident could become your competitors' good fortune and your worst corporate and legal nightmare.
Ben Rothke CISSP, PCI QSA (firstname.lastname@example.org) is a Senior Security Consultant with BT Professional Services and the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill Professional Education). Ben would like to thank Ryk Edelstein of Converge Net Inc. for his technical assistance.