Rothke: effective data destruction practices (slide transcript)
Garlic, Wooden Stakes and Silver Bullets - Ensuring Effective Data Destruction Practices
Ben Rothke, CISSP, CISA
Senior Security Consultant, BT Professional Services
June 29, 2010
About me
• Senior Security Consultant – BT Professional Services
• Frequent writer and speaker
• Author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill)
• Veteran O’Reilly webinarist
  – Information Security and Social Networks
  – http://www.oreillynet.com/pub/e/1417
Agenda
• Business case for media sanitization
• Why must end-of-life media/data be sanitized?
• Types of media sanitization
• DIY or outsource?
• References
• Q/A
• Twitter hashtag #rothkewebinar
Business case for media sanitization
• Every business has digital media (often terabytes) that must be sanitized
• Media sanitization is often overlooked
• Failure to adequately sanitize media can have catastrophic consequences to a business
  – financial loss
  – damage to a company’s reputation
  – regulatory violations
  – civil and criminal liability for Directors and Officers
• Especially since effective media sanitization is not rocket science
• Therefore, digital media must be sanitized before disposal or redeployment
Where magic fails, formal processes are effective
Old data is big news
Information security - printers and copiers
Regulations, standards and other drivers
• HIPAA
• PCI DSS
• GLBA
• Privacy Act
• Electronic Espionage Act
• PIPEDA (Canada)
• FACTA Disposal rule
• Check 21
• FISMA
• Contracts
• Best Practices
• and more…
Storage data is remarkably resilient
• Fire – found after a fire destroyed the home; all data recovered
• Crushed – bus runs over a laptop; all data recovered
• Soaked – PowerBook underwater for two days; all data recovered
• Fall from space – hard drive from the space shuttle Columbia recovered from a dry river bed; 99% of 400MB of data recovered
Sanitization as part of the data lifecycle
• Discovery
• Classification
• Control / Protection
• Sanitization
• Auditing
When do you need to sanitize media?
• Device is sold, donated, discarded or recycled
• End of lease
• Device returned to a manufacturer for warranty repair
• After a severe malware/hacking attempt, for complete removal of offending code from the infected storage device
• RAID or hot spare:
  – Hot spare placed into service, then removed when the faulty RAID drive was replaced
  – Hot spare should be sanitized, as well as the original failed RAID drive if the drive is still operational
Hard drives and media are everywhere…
• Over 500 million hard drives were sold in 2009
• There are still billions out there
• Thumb drives are everywhere
• 4GB USB drives given away at conferences for free
Sanitization as a formal process
• Formal system of information sanitization
  – based on risk factors specific to the organization
  – policy must be created and implemented
  – should be extensive, explicit, auditable and audited
  – performed in a formal, consistent, documented manner
  – done on a scheduled basis
  – in the event of a failure, plaintiff’s lawyers will have much less to use, which could likely be judged positively by a jury
  – has quality control built in
Policy
• Policy is dependent on a number of factors including:
  – age and type of the storage technology
  – classification of the data residing on the device
  – environment in which the device had been used
• One policy does not fit all
  – If a device stored only public data but was used in a SCIF that handles top secret information, the drive is likely classified at the highest classification level because it was used in the SCIF
• Create a responsible policy
  – must encompass all types of storage hardware and information classifications, and employ a responsible sanitization practice using in-house and, if required, external services/resources
Sanitization moratorium
• Include the notion of a data sanitization moratorium
  – often called a Litigation Hold or Legal Hold
  – the organization must stop its data sanitization activities
  – sanitization activities must immediately be placed on hold until the Legal department determines whether they jeopardize sought-after data
  – doesn’t just mean when there is a lawsuit
    • can be a regulatory investigation, an internal investigation for workplace misconduct, or preservation because a client or vendor is in litigation
    • while you aren’t technically part of it, you may have data material to the matter they are involved in
Form factors
• Hard drives
• USB / thumb drives
• Optical disks
• Solid state storage
• Flash
• VHS video
• External hard drives
• Floppies
• MFP
• Back-up tapes
• Copy machines
• DVD/CD
• Smart phones
Selling is not sanitization
NIST Special Publication 800-88
• Guidelines for Media Sanitization
• Sanitization
  – general process of removing data from storage media, such that there is reasonable assurance that the data may not be easily retrieved and reconstructed
• 800-88 assists with decision-making when media require disposal, reuse, or will be leaving the effective control of an organization
• Develop and use local policies and procedures in conjunction with 800-88 to make effective, risk-based decisions on the ultimate sanitization and/or disposition of media and information
Types of media sanitization
• Clearing
  – protects confidentiality of data against keyboard attack
  – example: overwriting
• Purging
  – protects the confidentiality of information against a laboratory attack (use of special equipment by trained recovery technicians)
  – example: Secure Erase, degaussing
• Destroying
  – absolute destruction
  – example: hard drive shredding, smelting, disintegration
Unacceptable media sanitization practices
• File deletion
• Drive formatting
• Disk partitioning
• Encryption / key destruction
Software-based disk sanitization
Advantages
• Single pass is adequate (as long as all data storage regions can be addressed)
• Cost-effective and easily configurable sanitization solution
• Can be configured to clear specific data, files, partitions or just the free space
• Erases all remnants of deleted data to maintain ongoing security
• Green solution
Disadvantages
• Requires significant time to process an entire high capacity drive
• May not be able to sanitize data from inaccessible regions (HPA, DCO, etc.)
• Inconsistent data logging, audit trails or certification labels
• No security protection during the erasure process / subject to intentional or accidental parameter changes
• May require a separate license for every hard drive
• Ineffective without good QA processes
• Not scalable
Single pass vs. multiple passes
• DoD standard 5220.22-M (1995)
  – at least 3 passes required
• NIST Special Publication 800-88, section 2.3
  – replaces 5220, which is retired
  – for ATA disk drives manufactured after 2001 (over 15 GB), clearing by overwriting the media once is adequate to protect the media from both keyboard and laboratory attack
  – a single pass is adequate only if able to access the entire data storage region of the media surface
Secure Erase – Purge Level Sanitization
• HDD manufacturers & Center for Magnetic Recording Research created the Secure Erase sanitization standard
  – component of the ANSI ATA Specification
  – optional inclusion for use in SCSI as Secure Initialize
  – embedded in the firmware of all standards compliant ATA hard drives manufactured since 2001 (IDE, ATA, PATA, SATA)
  – single pass operation eradicates all data in all data sectors
  – highly effective and fast
  – validated and certified by various governing bodies
  – but most individuals and companies don’t even know it exists
  – HDD manufacturers scared of irate help-desk calls
  – inhibited by most PC manufacturers to protect from potential exploitation by virus / malware
Hardware-based disk sanitization – degaussing
• Removal of data by exposing the data storage bits on the media surface to a magnetic field strong enough to overcome the coercivity of the bits
  – ensure the model is on the NSA Degausser Evaluated Products List (DEPL)
• Destructive process
  – creates irreversible damage to hard drives
    • destroys the special servo control data on the drive, which is meant to be permanently embedded on the hard drive
    • once the servo is damaged, the drive is unusable
    • if you plan to reuse the drive, don’t degauss it
Choosing a degausser
• Cycle time – amount of time it takes to complete the erasure
• Heat generation – may generate significant heat and need to be cooled down
  – if you need to degauss many drives, downtime can be an issue
• Wand or cavity style – hand wand models are generally cheaper, but may lack certain power features
  – cavity style degaussers enable you to place the entire unit into the degausser
• Size – smaller portable unit or a larger, more powerful unit?
  – some powerful models require wheels to move as they can weigh nearly 400 pounds
Environmental considerations - location placement
• Should be installed in a location that will not interfere with equipment or cause risk to the operator or the public
• Caution must be taken so that the strong electromagnetic fields created by the degausser don’t produce collateral damage to other susceptible equipment nearby
• Must not impose a potential health risk
  – consideration for interference with those who have pacemakers
Physical disk destruction
• Physical destruction achieved using many methods
  – shredding
  – disintegration
  – bending, breaking or mangling the hard drive
    • the hard drive is easily distinguishable from unprocessed hard drives, ensuring the disposal of the correct hard drive
  – Is absolute destruction required?
    • media must be ground to a diameter smaller than a single 512KB data block, which would require a particle size of no larger than 1/250 inch
Hardware-based disk sanitization – Secure Erase
• Enables the native Secure Erase command
  – overcomes host limitations to effectively launch Secure Erase
  – maintains an internal audit log
  – issues a destruction certificate upon successful completion
• Automatically formats drives after erasure
  – used to roll out a new O/S to multiple workstations
Optical media sanitization
• Securely and permanently eradicates digital data on DVD, CD-ROM and other optical media
  – grinds the information layer off the media
• Ensure the device meets the requirements of NSA/CSS 04-02 for Optical Media Destruction
In-house data sanitization
Advantages
• Media never leaves your location, no risk of loss in transit
• Full control
• Data is destroyed by your own trusted staff
  – recommended that all destruction activities be carried out under the office of the CISO, and by a trained and trusted technology support technician
Disadvantages
• Destruction systems can be expensive
• Low volume makes for a longer time to ROI
• Staff with other duties may miss devices
• Must manage internal personnel and technology changes
• Lack of space and/or resources for proper segregation between destroyed and non-destroyed units
• Still must have a qualified vendor to deal with residual waste and/or drives that fail the sanitization/wiping process
• Disposal of residual material
• Technicians will miss drives
• Requires a good QC process to be effective
In-house sanitization
• Quality control
  – if your organization is going to do any of its own data sanitization, it must have quality control mechanisms
    • separation of duties: one tech removes hard drives while another is assigned to verify the drives have been removed, document the verification, and replace the cover
  – wiping: assign a separate tech to take a random sample of at least 10% (depending on quantity) and attempt to recover data with a COTS data recovery tool
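As an added example (not from the slides), a small Python verification routine for the QC step above and for the single-pass caveat on the "Single pass vs. multiple passes" slide: it reads a wiped drive image end to end, confirms every sector holds only the fill byte, reports the first residual data, and compares the addressable sector count against the asset record so that a region the wipe never reached (for instance behind an HPA/DCO) fails the check. The images, drive IDs and the 512-byte logical sector size are constructed assumptions, not figures from the deck.

```python
import io
import math
import random
from typing import BinaryIO, Dict, List, Optional

SECTOR = 512  # assumed logical block size of the drive being checked


def verify_overwrite(dev: BinaryIO, expected_sectors: int,
                     fill: bytes = b"\x00", chunk_sectors: int = 2048) -> Dict[str, object]:
    """Read the whole addressable region of `dev` and confirm every sector
    consists solely of the overwrite fill byte.  The addressable size is also
    compared with the sector count in the asset record: a shortfall means part
    of the drive (e.g. an HPA- or DCO-hidden region) was never reached, so a
    single overwrite pass is not adequate for that unit."""
    dev.seek(0, io.SEEK_END)
    size = dev.tell()
    dev.seek(0)
    sectors_addressable = size // SECTOR
    pattern = fill * SECTOR
    first_bad: Optional[int] = None
    offset = 0
    while first_bad is None:
        chunk = dev.read(chunk_sectors * SECTOR)
        if not chunk:
            break
        for i in range(0, len(chunk), SECTOR):
            sec = chunk[i:i + SECTOR]
            if sec != pattern[:len(sec)]:  # residual (non-fill) data found
                first_bad = offset + i
                break
        offset += len(chunk)
    full_region = sectors_addressable >= expected_sectors
    return {
        "sectors_addressable": sectors_addressable,
        "sectors_expected": expected_sectors,
        "full_region_addressable": full_region,
        "first_residual_offset": first_bad,
        "passed": first_bad is None and full_region,
    }


def verify_image_bytes(img: bytes, expected_sectors: int) -> Dict[str, object]:
    """Convenience wrapper for an in-memory image (a device file works too)."""
    return verify_overwrite(io.BytesIO(img), expected_sectors)


def qc_sample(drive_ids: List[str], fraction: float = 0.10,
              seed: Optional[int] = None) -> List[str]:
    """Pick the random sample (at least 10%, never fewer than one drive) that a
    separate technician re-verifies, as the in-house QC practice prescribes."""
    if not drive_ids:
        return []
    n = max(1, math.ceil(len(drive_ids) * fraction))
    return random.Random(seed).sample(drive_ids, n)


def make_image(sectors: int, residual_at: Optional[int] = None) -> bytes:
    """Constructed test image: zero-filled, optionally carrying a leftover
    fragment at sector `residual_at` to stand in for a region the wipe missed."""
    buf = bytearray(sectors * SECTOR)
    if residual_at is not None:
        frag = b"CONFIDENTIAL customer list -- constructed residue"
        start = residual_at * SECTOR
        buf[start:start + len(frag)] = frag
    return bytes(buf)


if __name__ == "__main__":
    # clean wipe, a wipe that left a fragment, and a drive whose addressable
    # size is smaller than the asset record says (hidden region never wiped)
    for label, img, expect in (("clean", make_image(4096), 4096),
                               ("residue", make_image(4096, residual_at=3000), 4096),
                               ("short", make_image(4000), 4096)):
        print(label, verify_image_bytes(img, expect))
    print("QC sample:", qc_sample([f"drive-{i:02d}" for i in range(25)], seed=7))
```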
Outsourced data sanitization
Advantages
• No initial capital investment required
• Can handle varying destruction needs (disintegration, degaussing, etc.)
• Can handle varying volume needs
• Experts utilizing best practices
• May have higher security standards than your location
• No need to manage personnel and technology changes
• Regulatory compliant residual disposal
• If litigated, a professional secure destruction service’s destruction documentation is more credible than internally generated processes
Disadvantages
• No direct control of vendor employees
• Media may be transported outside of your location
• Possible security concerns with off-premise transportation and handling
• May get locked into a bad contract
• May require minimums greater than your needs
• Data is handled/destroyed by non-employees
• If hardware is not disposed of properly, you could be included in a pollution liability case
• Given these disadvantages, special emphasis should be placed on vendor selection criteria that specifically address these issues
Questions for a prospective outsourced firm
• What type of insurance coverage do they have?
  – professional liability (sometimes called Errors & Omissions)
  – pollution / environmental liability
  – demand to see a certificate of insurance demonstrating coverage for both
• What processes do they follow from receipt of asset through disposition?
• What are their security procedures?
• How do they sanitize data?
• Are they NAID certified for digital data destruction?
• How do they verify data is eradicated?
• Do they do full background checks?
• What are their financial capabilities?
• If private, where do they get their funding? How stable is the source?
• Can they provide customer references?
• Do they have the necessary state and local permits?
• Do they export e-waste overseas?
• Can they handle all or most of the locations for which you will require services?
• Do they have processes around chain of custody?
• Will they agree to the SLAs that you have created?
• Do they barcode items?
• The key is to ask a lot of questions in advance!
Outsourcing - Caveat Emptor
• A certificate of destruction, and a contract assuring responsibility for the process, mean very little in the real world
• If a device is lost or data is exposed, it will be the owner of the data who will be getting the penalty and making the mandatory disclosure
• The service provider will be little more than a footnote in the disclosure
Taking data sanitization seriously
• Segregation
  – separate all storage devices and media from the other materials to be disposed of
  – specifically, remove all hard drives from to-be-disposed-of PCs, laptops and servers
• Inventory
  – establish the chain of possession of the data storage device
  – best practice: establish the connection of a particular storage device to the unit it was removed from, and use internal asset management records to track the device back to the actual user
• Isolation
  – using secure collection containers, isolate the inventoried data storage devices in such a manner as to prevent unauthorized removal from the sanitization process
  – but avoid warehousing: media must be processed frequently so as to avoid warehousing drives containing confidential data
NAID
• National Association for Information Destruction
• International trade association for companies providing information destruction services
• Mission is to promote the information destruction industry and the standards and ethics of its member companies
• NAID certified companies are audited annually by an independent 3rd party and are subject to unannounced audits
• www.naidonline.org
References
• Guidelines for Media Sanitization (NIST SP 800-88)
• UCF Media Disposal Implementation Guide
• NAID Information Destruction Policy Compliance Toolkit
• ARMA Contracted Destruction for Records and Information Media
• Gartner - Best Practices for Data Destruction
Vendors / solution providers
• DestructData – www.destructdata.com
• Security Engineered Machinery – www.semshred.com
• Ontrack Eraser – www.ontrack.com
• CPR Tools – www.cprtools.net
• Back Thru the Future – www.backthruthefuture.com
• Ensconce Data Technology – www.deadondemand.com
• Garner Products – www.garner-products.com
• Darik’s Boot And Nuke – www.dban.org
• Reclamere – www.reclamere.com
For more information
• National Association of Corporate Directors – Record Retention and Document Destruction Policy
  – www.nacdonline.org/images/RecordRetention051023.pdf
• Remembrance of Data Passed: A Study of Disk Sanitization Practices
  – www.computer.org/portal/cms_docs_security/security/v1n1/garfinkel.pdf
• Best Practices for the Destruction of Digital Data
  – www.cicadasecurity.com/guide.html
• Hard Drive Disposal: The Overlooked Confidentiality Exposure
  – http://www-03.ibm.com/financing/pdf/sg/Hard_Drive_Disposal_The_Overlooked_Confidentiality_Exposure_AP.pdf
• Storage & Destruction Business Magazine
  – www.sdbmagazine.com
References
• Center for Magnetic Recording Research
  – http://cmrr.ucsd.edu/
• Australian Department of Defence – Information and Communications Technology Security Manual
  – http://www.dsd.gov.au/_lib/pdf_doc/acsi33/acsi33_u_0907.pdf
• Can Intelligence Agencies Read Overwritten Data?
  – www.nber.org/sys-admin/overwritten-data-gutmann.html
Conclusion / Action Items
• Management awareness
  – management must be aware of the risks
  – must ensure formal sanitization processes are developed
• Develop strategies on media sanitization
• Review security procedures for adequacy, completeness, scope and failure analysis
• Develop an information lifecycle audit program
  – follow a life cycle approach to IT risk management that includes making an explicit decision about data destruction
• Implement the sanitization process
• Ensure quality control is built into the process
Thanks for attending – Q/A
Ben Rothke, CISSP, CISA
Senior Security Consultant, BT Professional Services
[email protected]
www.linkedin.com/in/benrothke
www.twitter.com/benrothke