Why Information Must Be Destroyed, Part Two

Ben Rothke looks at how to destroy digitally stored information. Includes pros and cons of in-house and outsourced data destruction.

In the first installment of Why Information Must Be Destroyed I discussed how failing to properly destroy hard copy documents, even ones that appear to have no value, is a security risk. While this is true for physical hard copies, it is even more relevant for digitally stored data.

This installment deals with the process of destroying hard drives and other digital media, commonly known as disk sanitization or data purging. Unfortunately, far too few organizations have recognized the need, and therefore few have formalized processes around data purging.

What needs to be destroyed?

The Unified Compliance Framework (UCF) media destruction recommendations include handling guidance for the destruction of 48 different media types including compact flash drives, electrically erasable PROM (EEPROM), magnetic tape and more. The UCF also identifies the appropriate data elimination practice for each type of data storage asset, including the use of secure erase, chemical cleaning, ultraviolet erase, and shredding.

Ultimately, any device capable of storing data that has reached the end of its usable life must be addressed by a policy that effectively mandates the elimination of any trace of legacy data. Essentially, any storage medium that contains confidential or personal information (optical media, backup media, cassettes, VHS tapes, floppy disks, X-rays, microfiche, microfilm, intelligent mobile devices such as BlackBerry and other smartphones, ID cards, and credit cards) should be addressed in policies regarding access, retention, handling and destruction. [See also The Seven Deadly Sins of Record Retention.]

For example, a smartphone, be it a BlackBerry or iPhone, presents a significant risk to data loss prevention efforts if adequate disposal procedures are not applied. Smartphones often contain a poorly protected copy of the user's complete inbox, contact information and other confidential information present on their workstation. Yet, despite the security measures that protect workstations and organizational messaging systems, smartphones are often neglected.

Given the relatively short lifespan of these assets (smartphones are replaced on average every 18 to 24 months) and that many organizations do not have the resources to handle the data elimination process, there is a high probability that your organization is warehousing a significant inventory of used units. The loss or theft of just a single device can trigger a mandatory disclosure of lost data. Hence, every organization must seriously consider the risks posed by warehousing used data storage devices.

Used Equipment--The Afterlife

Once hardware reaches the end of its operational life for an organization, it is often returned off-lease, donated or resold. Used equipment with hard drives or other media should not be released from the organization's control unless the data has been eliminated from the equipment and the data destruction has been verified. A zero tolerance policy against selling used media that cannot be effectively sanitized should be established.

You may receive email offers with subject lines like: Cash Your Used Tape and Data Cartridges, We Buy Used DLT and Backup Storage Media, Check Out Our Surplus or Used Media Donation and Buy-Back Program. Such email should be considered suspect. The reality is that the money that can be made from selling such devices pales in comparison to the substantial security and legal risks. Even if the vendor promises to securely erase the media, in the event of a failure or breakdown in process, imagine having to inform the CEO that 10 million customer records were retrieved off a tape which was sold for US$14.00. Bottom line, never sell used media, destroy it.

Under no circumstances should backup tapes or other media that cannot be certified as devoid of any recoverable data be given to any outside organization, with the only exception being by court order.

Simson Garfinkel writes in Remembrance of Data Passed: A Study of Disk Sanitization Practices on computer.org that the secondary hard-disk market is almost certainly awash in information that is both sensitive and confidential. His conclusion was based on research in which he bought used hard drives from various resellers and, using conventional recovery methods, found that most of them still contained sensitive personal or corporate information. [Editor's note: Garfinkel covered this research for CSO in his Machine Shop column Hard Disk Risk.]

The handling of storage hardware under warranty that has failed while in operation is also something that needs to be addressed. Even if the vendor provides assurance that the media will be sanitized, the organization loses all care, custody and control of the asset once it has been handed off to the carrier for return to the vendor.

Once this asset has left your custody, the potential for loss in transit, or assurance that the device was in fact sanitized is out of the organization's control. Should the device be lost in transit, or not properly sanitized as promised, and end up in the aftermarket, it will be the owner of the data making the mandatory disclosure, even though the loss was not their direct responsibility. Unfortunately, data loss at the hands of a third party is far more common than one might think.

Disk Sanitization Solutions

NIST Special Publication 800-88, Guidelines for Media Sanitization, describes three levels of data sanitization for hard drives: clearing, purging and destroying. Each level has specific advantages and disadvantages, and depending on the type of information stored on its hard drives, each organization will need to establish a policy using the sanitization practice that addresses its concerns.

Clearing--Clearing is a level of media sanitization that protects the confidentiality of information against a robust keyboard attack, that is, recovery attempts made from standard input devices using ordinary data, disk or file recovery utilities and data scavenging tools. Simple deletion of items does not suffice for clearing, since deletion only removes the directory entry and leaves the data on the medium. Overwriting every addressable location, for example, is an acceptable method for clearing media, provided the result is verified afterwards.
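The following is an added example, not code from the article or from NIST: it performs a clearing overwrite of a file or block device with a fixed pattern and then reads the medium back to verify that every byte matches the pattern and that known plaintext markers (an account number prefix and an "SSN=" field here, both constructed for the demo) no longer occur anywhere, including across read-buffer boundaries. The verification step is the part that is usually skipped, and an unverified overwrite proves nothing. The caveat, also noted in the code, is that an overwrite issued through a file system or the normal block interface cannot reach sectors the drive has remapped or the spare area of flash media; for those, the drive's own secure erase command, not a software overwrite, is the appropriate clearing tool. The sample disk image, marker strings and temporary file name are all constructed here.

```python
"""Clearing (overwrite) with read-back verification. Added example, not from the article."""
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB I/O buffer


def _pattern_slice(pattern: bytes, offset: int, n: int) -> bytes:
    """Bytes offset..offset+n of an endless repetition of `pattern`, so the written
    stream stays aligned with the pattern across chunk boundaries."""
    start = offset % len(pattern)
    reps = (start + n) // len(pattern) + 1
    return (pattern * reps)[start:start + n]


def overwrite_media(path: str, pattern: bytes = b"\x00", passes: int = 1) -> int:
    """Overwrite every addressable byte of the file or block device at `path` with
    `pattern`, fsync'ing after each pass. Returns the number of bytes written per pass.
    Caveat: through a file system or block interface this never touches sectors the
    drive has remapped, nor the spare area of flash media."""
    if not pattern:
        raise ValueError("pattern must be non-empty")
    fd = os.open(path, os.O_RDWR)
    try:
        size = os.lseek(fd, 0, os.SEEK_END)  # works for regular files and block devices
        for _ in range(passes):
            os.lseek(fd, 0, os.SEEK_SET)
            offset = 0
            while offset < size:
                view = memoryview(_pattern_slice(pattern, offset, min(CHUNK, size - offset)))
                while view:  # os.write may return a short count
                    written = os.write(fd, view)
                    view = view[written:]
                    offset += written
            os.fsync(fd)
        return size
    finally:
        os.close(fd)


def verify_media(path: str, pattern: bytes = b"\x00", markers=()) -> dict:
    """Read the medium back and report how many bytes differ from `pattern` and which
    known-plaintext `markers` still occur. Markers are matched across chunk boundaries
    by carrying the tail of the previous chunk forward."""
    overlap = max((len(m) for m in markers), default=1) - 1
    mismatched, found, tail, offset = 0, set(), b"", 0
    fd = os.open(path, os.O_RDONLY)
    try:
        while True:
            chunk = os.read(fd, CHUNK)
            if not chunk:
                break
            expected = _pattern_slice(pattern, offset, len(chunk))
            if chunk != expected:
                mismatched += sum(a != b for a, b in zip(chunk, expected))
            window = tail + chunk
            found.update(m for m in markers if m in window)
            tail = window[-overlap:] if overlap else b""
            offset += len(chunk)
    finally:
        os.close(fd)
    return {"size": offset, "mismatched_bytes": mismatched, "markers_found": sorted(found)}


def clear_and_verify_demo() -> dict:
    """Clear a constructed temporary 'disk image' (sample data, not real records) and
    return the verification reports before and after. A second pass with the inverse
    pattern is verified too, which exposes a device that silently fails writes."""
    markers = (b"ACCT-0001", b"SSN=")
    image = (b"customer,ACCT-0001,SSN=123-45-6789\n" * 4000) + os.urandom(5000)
    fd, path = tempfile.mkstemp(suffix=".img")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(image)
        before = verify_media(path, markers=markers)
        overwrite_media(path, pattern=b"\x00")
        after = verify_media(path, markers=markers)
        overwrite_media(path, pattern=b"\xff")
        after_ff = verify_media(path, pattern=b"\xff", markers=markers)
    finally:
        os.unlink(path)
    return {"before": before, "after": after, "after_ff": after_ff}


if __name__ == "__main__":
    print(clear_and_verify_demo())
```

On a real device the same two calls would be `overwrite_media("/dev/sdX")` followed by `verify_media("/dev/sdX", markers=...)` as root, with the markers drawn from strings known to have been stored on the drive; a non-zero `mismatched_bytes` or a non-empty `markers_found` means the medium has not been cleared and must not leave the organization's custody.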

Purging--Purging is a media sanitization process that protects the confidentiality of information against a laboratory attack. A laboratory attack involves a threat with the resources and knowledge to use nonstandard systems to conduct data recovery attempts on media outside their normal operating environment, typically specially trained personnel using signal processing equipment.

Degaussing is a purging technique which exposes the magnetic media to a strong magnetic field in order to disrupt the recorded magnetic domains. A degausser is a device that generates a magnetic field used to sanitize magnetic media. Degaussers are rated based on the type (i.e., low energy or high energy) of magnetic media they can purge. Degaussers operate using either a strong permanent magnet or an electromagnetic coil.

Degaussing can be an effective method for purging damaged media, media with exceptionally large storage capacities, or diskettes that need to be purged quickly. Degaussing, however, is ineffective for purging nonmagnetic media such as optical media (CD-ROM, DVD, etc.), and it does nothing to flash-based media such as SSDs and USB drives, which store data electrically rather than magnetically. Note also that degaussing a modern hard drive erases its factory-written servo tracks, so the drive cannot be reused afterwards.

NIST 800-88 lists specific recommendations for purging different media types. If purging media is not a reasonable sanitization method for an organization, the guide recommends that the media be destroyed.

Destroying--Destruction of media is the ultimate form of sanitization. After media are destroyed, they cannot be reused as originally intended. Physical destruction can be accomplished using a variety of methods, including disintegration, incineration, pulverizing, shredding, and melting.

If destruction is decided upon due to the high security categorization of the information or due to environmental factors, any residual medium should be able to withstand a laboratory attack.

As detailed in the Media Disposal Toolkit, the decision for which sanitization method you will choose should be based upon the classification of the information that you are storing on that specific media.
