In the first installment of Why Information Must Be Destroyed I discussed how failing to properly destroy hard-copy documents, even ones that appear to have no value, is a security risk. While this is true for physical hard copies, it is even more relevant for digitally stored data.
This installment deals with the process of destroying hard drives and other digital media, commonly known as disk sanitization or data purging. Unfortunately, far too few organizations have recognized the issue, and therefore few have formalized processes around data purging.
What needs to be destroyed?
The Unified Compliance Framework (UCF) media destruction recommendations include handling guidance for the destruction of 48 different media types including compact flash drives, electronically erasable PROM (EEPROM), magnetic tape and more. The UCF also identifies the appropriate data elimination practice for each type of data storage asset including the use of secure erase, chemically clean, ultraviolet erase, and shredding.
Ultimately, any device capable of storing data that has reached the end of its usable life must be addressed by a policy that effectively mandates the elimination of any trace of legacy data. Essentially, any storage medium that contains confidential or personal information (including optical media, backup media, cassettes, VHS tapes, floppy disks, X-rays, microfiche, microfilm, intelligent mobile devices such as BlackBerry and other smartphones, ID cards, and credit cards) should be addressed in policies regarding access, retention, handling and destruction. [See also The Seven Deadly Sins of Record Retention.]
For example, a smartphone, be it a BlackBerry or iPhone, presents a significant risk to data loss protection efforts if adequate disposal procedures are not applied. Smartphones often contain a poorly protected copy of the user's complete inbox, contact information and other confidential information present on their workstation. Yet, despite security measures to protect workstations and organizational messaging systems, smartphones are often neglected.
Given the relatively short lifespan of these assets (smartphones are replaced on average every 18-24 months) and that many organizations do not have the resources to handle the data elimination process, there is a high probability that your organization is warehousing a significant inventory of used units. The loss or theft of just a single device can trigger a mandatory disclosure of lost data. Hence, every organization must seriously consider the risks posed by warehousing data storage devices.
Used Equipment--The Afterlife
Once hardware reaches the end of its operational life to an organization, it is often returned off-lease, donated or resold. Used equipment with hard drives or other media should not be released from the organization's control unless data has been eliminated from the equipment and the data destruction has been verified. A zero-tolerance policy against the selling of used media that cannot be effectively sanitized should be established.
You may receive email offers with subject lines like: Cash Your Used Tape and Data Cartridges, We Buy Used DLT and Backup Storage Media, Check Out Our Surplus or Used Media Donation and Buy-Back Program. Such email should be considered suspect. The reality is that the money that can be made from selling such devices pales in comparison to the substantial security and legal risks. Even if the vendor promises to securely erase the media, in the event of a failure or breakdown in process, imagine having to inform the CEO that 10 million customer records were retrieved off a tape which was sold for US$14.00. Bottom line, never sell used media, destroy it.
Under no circumstances should backup tapes or other media that cannot be certified as devoid of any recoverable data be given to any outside organization, with the only exception being by court order.
Simson Garfinkel writes in Remembrance of Data Passed: A Study of Disk Sanitization Practices on computer.org that the secondary hard-disk market is almost certainly awash in information that is both sensitive and confidential. His conclusion was based on research that included buying used hard drives from various resellers and, using conventional recovery methods, discovering that most of the equipment contained sensitive personal or corporate information. [Editor's note: Garfinkel covered this research for CSO in his Machine Shop column Hard Disk Risk.]
The handling of storage hardware under warranty that has failed while in operation is also something that needs to be addressed. Even if the vendor provides assurance that the media will be sanitized, the organization loses all care, custody and control of the asset once it has been handed off to the carrier for return to the vendor.
Once the asset has left your custody, the potential for loss in transit, and any assurance that the device was in fact sanitized, are out of the organization's control. Should the device be lost in transit, or not properly sanitized as promised, and end up in the aftermarket, it will be the owner of the data making the mandatory disclosure, even though the loss was not their direct responsibility. Unfortunately, data loss at the hands of a third party is far more common than one might think.
Disk Sanitization Solutions
NIST Special Report 800-88 [PDF link] describes three levels (clearing, purging, destroying) of data sanitization for hard drives. Each level has specific advantages and disadvantages, and depending on the type of information stored on its hard drives, each organization will need to establish policy using the appropriate sanitization practice to address its concerns.
Clearing--Clearing information is a level of media sanitization that protects the confidentiality of information against a robust keyboard attack. Simple deletion of items doesn't suffice for clearing. Clearing must not allow information to be retrieved by data, disk or file recovery utilities. It must be resistant to keystroke recovery attempts executed from standard input devices and from data scavenging tools. Overwriting, for example, is an acceptable method for clearing media.
Purging--Purging information is a media sanitization process that protects the confidentiality of information against a laboratory attack. Laboratory attacks involve a threat with the resources and knowledge to use nonstandard systems to conduct data recovery attempts on media outside their normal operating environment. This type of attack involves using signal processing equipment by specially trained personnel.
Degaussing is a purging technique which exposes the magnetic media to a strong magnetic field in order to disrupt the recorded magnetic domains. A degausser is a device that generates a magnetic field used to sanitize magnetic media. Degaussers are rated based on the type (i.e., low energy or high energy) of magnetic media they can purge. Degaussers operate using either a strong permanent magnet or an electromagnetic coil.
Degaussing can be an effective method for purging damaged media, for purging media with exceptionally large storage capacities, or for quickly purging diskettes. Degaussing, though, is ineffective for purging nonmagnetic media, such as optical media (CD-ROM, DVD, etc.).
NIST 800-88 lists specific recommendations for purging different media types. If purging media is not a reasonable sanitization method for an organization, the guide recommends that the media be destroyed.
Destroying--Destruction of media is the ultimate form of sanitization. After media are destroyed, they cannot be reused as originally intended. Physical destruction can be accomplished using a variety of methods, including disintegration, incineration, pulverizing, shredding, and melting.
If destruction is decided upon due to the high security categorization of the information or due to environmental factors, any residual medium should be able to withstand a laboratory attack.
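As an added illustration of the clearing level described above (this is example code written for this page, not code from the article or from NIST 800-88), the toy block device below shows why a deleted file remains recoverable by a raw scan of the media, and how an overwrite pass is verified by reading the whole device back before it leaves the organization's control. The disk model, its sector size and the sample customer record are constructed for the demonstration.

```python
# Added illustration (not from the article or NIST): a toy block "device" showing
# why deleting a file is not clearing, and how an overwrite pass is verified.
import os
import re

SECTOR = 64  # constructed toy sector size


class ToyDisk:
    """Minimal device model: a directory table plus raw sectors."""

    def __init__(self, sectors: int):
        self.raw = bytearray(sectors * SECTOR)
        self.directory = {}  # name -> (first_sector, length)

    def write_file(self, name: str, data: bytes, first_sector: int) -> None:
        start = first_sector * SECTOR
        self.raw[start:start + len(data)] = data
        self.directory[name] = (first_sector, len(data))

    def delete_file(self, name: str) -> None:
        # Like most filesystems: drop the directory entry, leave the data blocks alone.
        del self.directory[name]


def carve(disk: ToyDisk, pattern: bytes) -> list:
    """Recovery-utility behaviour: scan raw sectors, ignoring the directory."""
    return [m.start() for m in re.finditer(re.escape(pattern), bytes(disk.raw))]


def overwrite_clear(disk: ToyDisk, passes: int = 1) -> None:
    """Clearing by overwrite: every sector gets new bytes; the last pass writes zeros."""
    n = len(disk.raw)
    for p in range(passes):
        disk.raw[:] = os.urandom(n) if p < passes - 1 else bytes(n)
    disk.directory.clear()


def verify_cleared(disk: ToyDisk, known_samples: list) -> bool:
    """Verification step: read the whole device back and confirm nothing known survives."""
    if any(b != 0 for b in disk.raw):
        return False
    return all(not carve(disk, s) for s in known_samples)


def demo() -> dict:
    disk = ToyDisk(sectors=8)
    record = b"ACME CUSTOMER 0001 SSN 000-00-0000 (constructed)"
    disk.write_file("customers.db", record, first_sector=3)
    disk.delete_file("customers.db")
    after_delete = carve(disk, b"SSN 000-00-0000")  # found at raw offset 211
    overwrite_clear(disk, passes=2)
    return {"listed": "customers.db" in disk.directory,
            "recoverable_after_delete": bool(after_delete),
            "recoverable_after_overwrite": bool(carve(disk, b"SSN")),
            "verified_clear": verify_cleared(disk, [record])}
```

On real media the same read-back verification is done against the physical device, and a drive that cannot be read back in full after overwriting is a candidate for purging or destruction rather than release.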
As detailed in the Media Disposal Toolkit, the decision for which sanitization method you will choose should be based upon the classification of the information that you are storing on that specific media.