Why Information Must Be Destroyed, Part Two

Ben Rothke looks at how to destroy digitally stored information. Includes pros and cons of in-house and outsourced data destruction.

1 2 Page 2
Page 2 of 2

As stated earlier, the degaussing process involves the removal of data by exposing data storage bits present on the media surface to a magnetic field of sufficient strength to achieve coercion of the bit. There are a number of challenges to using a degausser, and not all degaussers are up to the task. If you are considering using a degausser, ensure that it's on the NSA Degausser Evaluated Products List (DEPL) [PDF link].

The DEPL specifies the model identification of current equipment units that were evaluated against and found to satisfy the requirements for erasure of magnetic storage devices that retain sensitive or classified data. Note also that the operator of the degausser must understand the capabilities of the device, and should be aware of what can and cannot be effectively and securely processed.

Degaussing is a destructive process and will create irreversible damage to hard drives since it also destroys the special servo control data on the drive, which is meant to be permanently embedded on the hard drive. Once the servo is damaged, the drive is unusable. If you plan to reuse the drive, don't degauss it.

When choosing a degausser, some other criteria to consider are:

  • Cycle time—amount of time it takes to complete the erasure
  • Heat generation—some degauggers will generate significant heat and need to be cooled down. If you need to degauss many drives, this downtime can be an issue.
  • Wand or cavity style—Hand wands models are generally cheaper, but may lack certain power features. Cavity style degaussers enable you to place the entire unit into the degausser.
  • Size—Do you want a smaller portable unit or a larger more powerful unit? Some of the more powerful models require wheels to move as they can weigh nearly 400 pounds.
  • The Fujitsu Mag EraSURE P3M and Garner Products HD-3W degaussers are two examples of many of the available brands. Note that it is imperative that the degausser is strong enough for the media, especially hard drives. As hard drives can be particularly challenging to get enough force to penetrate the heavy shielding and plating protecting the platters.

    Physical Destruction

    Given the low cost of hard drives combined with the huge amount of data stored on them, the simplest and most cost effective method of sanitization is to simply destroy the hard drive. Just as paper can be shredded, so can hard drives and other media. Video of hard drives being destroyed can be seen at the SSI web site. [See also shredding on a truck in Data Breaches Spark Hard-Drive Shredding Boom.]

    Depending on the service used and the quantity to be destroyed, costs for external data destruction are roughly $15.00 per hard drive shredded, but go down to under $3.00 when done in bulk (over 500 drives).

    What do you do if a company offers to destroy your hard drives for an unreasonably low price? Odds are that they are not in the media destruction business, but rather are a recycler. Choose a true destruction firm, not a recycler.

    For those whose volume warrants in-house destruction, products such as the SEM Sledgehammer and Garner Products PD-4 destroys hard drives with tons of force causing catastrophic trauma to the hard drive chassis while destroying the internal platter.

    On the upper end, the SEM Model 0301 Jackhammer is a high torque hard drive shredder that can shred up to 25 hard drives per minute. This is a serious device for organizations that have significant amount of hardware to destruct.

    Secure Erase

    The obvious choice for a hard drive purge would be a feature that one could use at the drives end of life point. While there is such a feature, known as Secure Erase (SE), it has not become ubiquitous for a number of reasons.

    SE is an overwriting technology that uses a hard drive-based firmware process to overwrite the drive. SE is a drive command defined in the ANSI ATA and SCSI disk drive interface specifications.

    On one side, SE is an excellent free utility, but has limitations relative to types of drives it works on, and requires some expertise over and above basic technician knowledge. SE is approved as a data purging method as per NIST 800-88.

    In addition, hard drive manufactures appear to be reticent to advocate a technology that can destroy all of the data on their device. They don't want to receive calls from irate users demanding to know what happened to their data. Given that issue and the technical expertise required to initiate SE, it has not found widespread use.

    Media destruction: In-house or outsourced?

    Media and hard drive destruction, like other services, can be done in-house or outsourced. Which is the best way to go? Like every decision, the correct answer is the proverbial it depends.

    The same issues that pertain to paper-based destruction apply to hard drives and other media. The difference though is that the data contained on one hard drive can be equal to an entire flatbed of hard copy. With that, if outsourced, the amount of trust needed is significantly greater.

    There is no single answer to the in-house/outsource question. Every business has different needs that must be considered before a decision is made. Before considering using external service providers to process your end-of-life storage hardware, make sure that you consider the potential risks of handing off unprotected storage assets to a third party. A review of the handling practices and accreditations of the service provider should be conducted when evaluating service providers.

    When selecting an outsourced firm, required that they be NAID certified. The National Association for Information Destruction (NAID) is an independent organization that certifies destruction companies. It offers a program certifying its members as complying with best practice for the handling of data storage hardware. Its certification program checks a shredding company's compliance in 22 critical areas.

    As the industry watchdog, NAID ensures that its constituent members adhere to industry best practices. Any data destruction organization that is not a NAID member and certified should be dealt with cautiously.

    When it comes to something as critical as information destruction -- caveat emptor. Unscrupulous shredding companies will claim to be NAID certified just to get your business. Make sure to ask for a copy of their NAID certificate as proof of their standing or look them up online at the NAID website.

    During your consideration of each aspect, speak to trusted associates and ask the vendor for references. The following points can help you in your decision:

    In-House Destruction—Advantages
    • Media never leaves your location, so there is no risk of loss in transit
    • Data is destroyed by your own trusted staff.

    If you do decide to do this internally, it is recommended that all destruction activities be carried out under the office of the CISO, and by a trained and trusted technology support technician.

    In-House Destruction—Disadvantages
    • Destruction systems can be expensive
    • Low volume makes a longer time for ROI
    • Staff with other duties may miss devices
    • Must manage internal personnel and technology changes
    • Lack of space and/or resources for proper segregation between destroyed and non-destroyed units
    • Still must have a qualified vendor to deal with residual waste and/or drives that fail sanitization/wiping process
    • Time-consuming process
    • Disposal of residual material—When you destroy any type of electronic device you must dispose of the residual material in an environmentally compliant manner. The shredding of tape cartridges for example is incredibly messy, and you can wind up with three times the volume of material. In some states, on-site physical destruction of any type of electronic devices may be a prohibited activity under state environmental laws.
    • No initial capital investment required
    • Can handle varying destruction needs (disintegration, degaussing etc.)
    • Can handle varying volume needs
    • Experts at data destruction utilizing best practices
    • May have even higher security standards than your location
    • No need to manage personnel and technology changes
    • Regulatory compliant residual disposal
    • If litigated, professional secure destruction services destruction documentation is more credible than internally generated processes.
    • Media may be transported outside of your location
    • May get locked into a bad contract
    • May require minimums greater than your needs
    • Data is handled/destroyed by non-employees
    • If hardware is not disposed of properly, you could be included in a pollution liability case.

    Site Visits

    If the decision is to outsource, a site visit to their destruction facility is a must. Rather than taking the salesperson's word for it or basing your decision on their marketing glossies, site visits let you know what the company is really like.

    During the visit, make sure they have appropriate access control and other security controls in place. This should include alarms, closed-circuit television, mantraps, etc. Ask the vendor for assurance that their employees are trained, bonded, and have passed background checks.

    Look around and see how professional the employees are. Are they in uniforms? Are they wearing appropriate safety paraphernalia? Ask to see their documented procedures on how they process incoming items. Ensure that it has appropriate security and quality assurance measures in place. When you leave, you should have a good feeling that it is a reputable firm, staffed with trained professionals.

    Once you have decided on an outsourcing firm, regular unscheduled visits to its facility are in order. This ensures that it is indeed a quality organization, and was not simply putting on an act.

    Relevant Documentation

    There is a lot of good information available to assist you in your data destruction endeavors.

    From a policy perspective, there are a number of good policy documents, including:

    Other excellent resources include:

    Taking Data Destruction Seriously

    Irrespective of which data destruction technology and methods you choose, what's crucial is that organizations take data destruction seriously. This means ensuring it's a formal process, not something done in an ad-hoc manner.

    For example, there are companies that will send you a flat-rate drop box to place all of your old media into, and they will come and pick it up. Some of these boxes can hold up to half a ton. Imagine placing a few hundred hard drives in such a receptacle; this would be a hacker or business intelligence analysts dream come true. For the determined attacked, they will see such a box a veritable pool of retired devices waiting for harvesting.

    If anyone is going to seriously consider such a service, they better have a plan A' first, such as physical destruction or degaussing. While such a solution is adequate for old monitors, printers and telephone gear, it is far too risky to use as a destruction solution for confidential data.

    Dan Bayha, VP of Technology Disposal at Ogdensburg, NJ-based media destruction firm Back Thru The Future, notes that such a formal process is done by following a plan of segregation, inventory and isolation.

    • Segregation—separate all storage devices and media from others to be disposed of materials. Specifically remove all hard drives from to be disposed of PCs, laptops and servers.
    • Inventory—Establish the chain of possession of the data storage device. Best practice is to establish the connection of a particular storage device to the unit it was removed from and using internal asset management records to be able to track the machine back to the actual user.
    • Isolation—Using secure collection containers, isolate the inventoried data storage devices in such a manner as to prevent unauthorized removal from the destruction process.


    There is a lot more to data sanitization than what has been described in this brief article. But data sanitization is a necessary component of any security policy that is compliant with any of the current privacy initiatives. The inadvertent exposure of confidential information bears very significant consequences and penalties that include financial penalties and in some cases incarceration.

    If your organization is not careful about effective media sanitization, your data loss incident could become your competitors' good fortune and your worst corporate and legal nightmare.

    Ben Rothke CISSP, PCI QSA (ben.rothke@bt.com) is a Senior Security Consultant with BT Professional Services and the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill Professional Education)

    . Ben would like to thank Ryk Edelstein of Converge Net Inc. for his technical assistance.

Copyright © 2009 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
7 hot cybersecurity trends (and 2 going cold)