In the first installment of Why Information Must Be Destroyed I discussed how failing to properly discard hard copy documents, even those that appear to have no value, is a security risk. While this is true for physical hard copies, it is even more relevant for digitally stored data.
This installment deals with the process of destroying hard drives and other digital media. This is commonly known as disk sanitization or data purging. Unfortunately, far too few organizations have recognized the issue, and therefore few have formalized processes around data purging.
What needs to be destroyed?
The Unified Compliance Framework (UCF) media destruction recommendations include handling guidance for the destruction of 48 different media types including compact flash drives, electronically erasable PROM (EEPROM), magnetic tape and more. The UCF also identifies the appropriate data elimination practice for each type of data storage asset including the use of secure erase, chemically clean, ultraviolet erase, and shredding.
Ultimately, any device capable of storing data that has reached the end of its usable life must be addressed by a policy that effectively mandates the elimination of any trace of legacy data. Essentially, any storage medium (including optical media, backup media, cassettes, VHS tapes, floppy disks, X-rays, microfiche, microfilm, intelligent mobile devices such as BlackBerry and other smartphones, ID cards, and credit cards) that contains any confidential or personal information should be addressed in policies regarding access, retention, handling and destruction. [See also The Seven Deadly Sins of Record Retention.]
For example, a smartphone, be it a BlackBerry or iPhone, presents a significant risk to data loss protection efforts if adequate disposal procedures are not applied. Smartphones often contain a poorly protected image of the user's complete inbox, contact information and other confidential information present on their workstation. Yet, despite security measures to protect workstations and organizational messaging systems, smartphones often are neglected.
Given the relatively short lifespan of these assets (smartphones are replaced on average every 18-24 months) and that many organizations do not have the resources available to handle the data elimination process, there is a high probability that your organization is warehousing a significant inventory of used units. The risk of data exposure due to the loss or theft of just a single device can trigger the need to issue a mandatory disclosure of lost data. Hence, every organization must seriously consider the risks posed by warehousing used data storage devices.
Used Equipment—The Afterlife
Once hardware reaches the end of its operational life to an organization, it is often returned off-lease, donated or resold. Used equipment with hard drives or other media should not be released from the organization's control unless data has been eliminated from the equipment and data destruction has been verified. A zero tolerance policy against the selling of used media that cannot be effectively sanitized should be established.
You may receive email offers with subject lines like: Cash Your Used Tape and Data Cartridges, We Buy Used DLT and Backup Storage Media, Check Out Our Surplus or Used Media Donation and Buy-Back Program. Such email should be considered suspect. The reality is that the money that can be made from selling such devices pales in comparison to the substantial security and legal risks. Even if the vendor promises to securely erase the media, in the event of a failure or breakdown in process, imagine having to inform the CEO that 10 million customer records were retrieved off a tape which was sold for $14.00. Bottom line: never sell used media; destroy it.
Under no circumstance should backup tapes or other media that cannot be certified as devoid of any recoverable data be given to any outside organization, with the only exception being by court order.
Simson Garfinkel writes in Remembrance of Data Passed: A Study of Disk Sanitization Practices on computer.org that the secondary hard-disk market is almost certainly awash in information that is both sensitive and confidential. His conclusion was based on his research, which included buying used hard drives from various resellers and, by using conventional recovery methods, discovering that most of the equipment contained sensitive personal or corporate information. [Editor's note: Garfinkel covered this research for CSO in his Machine Shop column Hard Disk Risk.]
The handling of storage hardware under warranty that has failed while in operation is also something that needs to be addressed. Even if the vendor provides assurance that the media will be sanitized, the organization loses all care, custody and control of the asset once it has been handed off to the carrier for return to the vendor.
Once this asset has left your custody, neither the potential for loss in transit nor the assurance that the device was in fact sanitized is within the organization's control. Should the device be lost in transit, or not properly sanitized as promised, and end up in the aftermarket, it will be the owner of the data making the mandatory disclosure, even though the loss was not their direct responsibility. Unfortunately, data loss at the hands of a third party is far more common than one might think.
Disk Sanitization Solutions
NIST Special Report 800-88 describes three levels (clearing, purging, destroying) of data sanitization for hard drives. Each level has specific advantages and disadvantages, and depending on the type of information stored on its hard drives, each organization will need to establish policy using the appropriate sanitization practice to address its concerns.
Clearing—Clearing information is a level of media sanitization that protects the confidentiality of information against a robust keyboard attack. Simple deletion of items doesn't suffice for clearing. Clearing must not allow information to be retrieved by data, disk or file recovery utilities. It must be resistant to keystroke recovery attempts executed from standard input devices and from data scavenging tools. Overwriting, for example, is an acceptable method for clearing media.
Purging—Purging information is a media sanitization process that protects the confidentiality of information against a laboratory attack. Laboratory attacks involve a threat with the resources and knowledge to use nonstandard systems to conduct data recovery attempts on media outside their normal operating environment. This type of attack involves using signal processing equipment by specially trained personnel.
Degaussing is a purging technique which exposes the magnetic media to a strong magnetic field in order to disrupt the recorded magnetic domains. A degausser is a device that generates a magnetic field used to sanitize magnetic media. Degaussers are rated based on the type (i.e., low energy or high energy) of magnetic media they can purge. Degaussers operate using either a strong permanent magnet or an electromagnetic coil.
Degaussing can be an effective method for purging damaged media, for purging media with exceptionally large storage capacities, or for quickly purging diskettes. Degaussing, though, is ineffective for purging nonmagnetic media, such as optical media (CD-ROM, DVD, etc.).
NIST 800-88 lists specific recommendations for purging different media types. If purging media is not a reasonable sanitization method for an organization, the guide recommends that the media be destroyed.
Destroying—Destruction of media is the ultimate form of sanitization. After media are destroyed, they cannot be reused as originally intended. Physical destruction can be accomplished using a variety of methods, including disintegration, incineration, pulverizing, shredding, and melting.
If destruction is decided upon due to the high security categorization of the information or due to environmental factors, any residual medium should be able to withstand a laboratory attack.
As detailed in the Media Disposal Toolkit, the decision for which sanitization method you will choose should be based upon the classification of the information that you are storing on that specific media.
Software-Based Disk Sanitization
To fully erase all data from a drive's media surface, special-purpose software must be used. These utilities eliminate user data by overwriting all accessible areas of the media surface with obfuscating data to make the data that is overwritten unrecoverable.
There are many sources of overwrite utilities, ranging from the popular open source Darik's Boot and Nuke (DBAN) to commercially available products such as iolo technologies' DriveScrubber. These software tools give the user the ability to define the level of data sanitization through the choice of overwrite methods and iterations.
DBAN is launched from a self-booting disk, optical media or USB flash drive and securely wipes the hard disks of most computers. Configured for automatic operation, DBAN automatically detects and completely deletes the contents of any attached hard disk, making it an appropriate utility for bulk or emergency data destruction.
Although many still reference the need for a multipass overwrite process as stated in the outdated National Industrial Security Program operating manual (DoD 5220.22-M), according to NIST 800-88 and the University of California San Diego's Center for Magnetic Recording Research, a single overwrite pass of the entire media surface is sufficient to render the data inaccessible.
As a tool for securely deleting specific confidential files, software has a more functional role. Unlike hardware-based solutions, software such as PGP's Desktop Shredder can be configured to wipe specific data or free space on the hard drive. This flexibility affords the owner of the data the ability to eliminate all remnants of deleted data and maintain ongoing security, while retaining programs and existing files, and keeping the operating system intact.
Although software can provide a cost effective and easily configurable sanitization solution, it has the disadvantage of requiring significant time to process an entire high capacity drive. Additionally, should there be damage to the media surface, the software may not be able to sanitize data from the inaccessible regions, and the process may fail.
An additional advantage that software has over hardware is that you can wipe just the free space on the hard drive, erasing all remnants of deleted data to maintain ongoing security, while keeping existing files and operating system intact.
Unacceptable media sanitization practices
There are a number of methods which are perceived as being effective, but do nothing to remove data. Some of them are:
File Deletion—When a file system deletes a file, the file is not truly erased from the storage media. Rather, the file system marks the space as available. That makes the recovery of deleted files relatively easy. Conversely, it makes the true destruction of data somewhat more difficult.
Drive Formatting—The perception that formatting a hard drive removes data is incorrect. Formatting a hard drive does not remove data from the drive. Drive formatting is simply the process of preparing a hard disk or other storage medium for use, by re-initializing the file system. Yet, despite a clean file system, the data will remain on the hard drive in orphaned sectors, and can be easily recovered.
Even though Windows may warn you with a scary message that all data on the disk will be erased when you format it, that is not so, as the data can easily be recovered.
Disk Partitioning—When a disk is used for the first time, it must be partitioned, which is the process of establishing the volume allocation information on the hard drive. The information in the partition table identifies how the drive is presented to the operating system, including the number of logical volumes, volume size and the location of these partitions on the drive.
Once a drive is partitioned, each partition is then formatted, establishing the file allocation structure for each logical volume. While some sectors may be overwritten by the new file structure, any existing data is nonetheless left intact and can be recovered.
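The two points above, that data outside any file-system reference is still on the media and that a single verified overwrite pass of every sector (NIST 800-88 clearing) removes it, can be shown on a disk image file standing in for a drive. This is an added example, not code from the article, DBAN or NIST; the image path, the 512-byte sector size, the fill byte and the sample record are assumptions, and demo() returns whether the record was recoverable before and after the pass and whether read-back verification succeeded.

```python
import os
import tempfile

SECTOR = 512  # assumed sector size for the sample image

def make_image(path, sectors, marker):
    """Constructed sample 'disk': all zeros, with a record left in sector 3 that no file system entry references (an orphaned sector after a delete or format)."""
    with open(path, "wb") as f:
        f.write(b"\x00" * (SECTOR * sectors))
        f.seek(3 * SECTOR)
        f.write(marker)

def find_marker(path, marker):
    """Scan the raw media as a recovery tool does, ignoring any file system structure."""
    with open(path, "rb") as f:
        return marker in f.read()

def clear_image(path, fill=0x00):
    """Single overwrite pass of every accessible sector. Returns the sector numbers that could not be written: a damaged region must be reported and handled, never silently skipped."""
    size = os.path.getsize(path)
    failed = []
    with open(path, "r+b") as f:
        for n in range(0, size, SECTOR):
            try:
                f.seek(n)
                f.write(bytes([fill]) * SECTOR)
            except OSError:
                failed.append(n // SECTOR)
        f.flush()
        os.fsync(f.fileno())
    return failed

def verify_cleared(path, fill=0x00):
    """Read the whole image back and confirm every byte holds the fill value; the overwrite is not trusted until this passes."""
    with open(path, "rb") as f:
        while chunk := f.read(SECTOR):
            if chunk != bytes([fill]) * len(chunk):
                return False
    return True

def demo():
    path = os.path.join(tempfile.mkdtemp(), "disk.img")
    marker = b"CONFIDENTIAL: customer record 0001"  # constructed sample data
    make_image(path, 64, marker)
    before = find_marker(path, marker)
    failed = clear_image(path)
    after = find_marker(path, marker)
    return before, after, not failed and verify_cleared(path)
```

On a real drive the same loop would run against the block device, and any sector listed in the returned failures means the clearing level was not reached and the media should be purged or destroyed instead.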
Encryption—Encryption is a fantastic way to assure the privacy of live data, but is not suitable for the protection of end-of-life data.
Encryption's weakness is that the keys used to secure the data may be compromised. Even if the 256-bit Advanced Encryption Standard (AES) is used, which is unbreakable using current technology, data can be compromised if the user chooses a weak passphrase to protect the data, or if the key was not properly destroyed.
Some have suggested that encryption and then losing the keys is a method of destruction. But in speaking with those who have forensic labs, they note that there are ways of getting keys, as well as cracking keys on lesser levels of encryption. Given that, encryption should be used as a security mechanism, not as a destruction tool.
Hardware-based Disk Sanitization
From a hardware perspective, there are two basic disk sanitization methods, degaussing and destruction.