Garlic, Wooden Stakes and Silver Bullets -
  Ensuring Effective Data Destruction
               Practices




                  Ben Rothke, CISSP, CISA
                  Senior Security Consultant
                  BT Professional Services
                        June 29, 2010
About me

• Senior Security Consultant – BT Professional Services
• Frequent writer and speaker
• Author of Computer Security: 20 Things Every Employee
  Should Know (McGraw-Hill)
• Veteran O’Reilly webinarist
  – Information Security and Social Networks
  – http://www.oreillynet.com/pub/e/1417




         2
Agenda


•   Business case for media sanitization
•   Why must end-of-life media/data be sanitized?
•   Types of media sanitization
•   DIY or outsource?
•   References
•   Q/A

• Twitter hashtag #rothkewebinar



                              3
Business case for media sanitization
• Every business has digital media (often terabytes) that
  must be sanitized
• Media sanitization is often overlooked
• Failure to adequately sanitize media can have
  catastrophic consequences to a business
  –   financial loss
  –   damage to a company’s reputation
  –   regulatory violations
  –   civil and criminal liability for Directors and Officers
       • especially since effective media sanitization is not rocket science

• Therefore - digital media must be sanitized before
  disposal or redeployment
                                       4
Where magic fails, formal processes are effective




                        5
Old data is big news




                       6
Information security - printers and copiers




                         7
Regulations, standards and other drivers

•   HIPAA
•   PCI DSS
•   GLBA
•   Privacy Act
•   Electronic Espionage Act
•   PIPEDA (Canada)
•   FACTA Disposal rule
•   Check 21
•   FISMA
•   Contracts
•   Best Practices
•   and more…
                               8
Storage data is remarkably resilient




• Fire - found after fire destroys home - all data recovered
• Crushed - bus runs over laptop - all data recovered
• Soaked - PowerBook underwater for two days - all data recovered
• Fall from space - hard drive from the space shuttle Columbia recovered
  from a dry river bed - 99% of 400MB of data recovered
                                 9
Sanitization as part of the data lifecycle

[Diagram: data lifecycle cycle - Discovery, Classification, Control,
 Protection, Sanitization, with Auditing at the center]
When do you need to sanitize media?


• Device is sold, donated, discarded or recycled
• End of lease
• Device returned to a manufacturer for warranty repair
• After severe malware/hacking attempt, for complete
  removal of offending code from infected storage device
• RAID or hot spare:
    – Hot spare placed into service, then removed when faulty RAID
      drive was replaced
    – Hot spare should be sanitized, as well as the original failed
      RAID drive if the drive is still operational



                                  11
Hard drives and media are everywhere….


                • Over 500 million hard drives were
                  sold in 2009
                • There are still billions out there

                • Thumb drives are everywhere
                • 4GB USB drives given away at
                  conferences for free




                       12
Sanitization as a formal process
• Formal system of information sanitization
  – Based on risk factors specific to the organization
  – policy must be created and implemented
  – should be extensive, explicit, auditable and audited
  – performed in a formal, consistent, documented manner
  – done on a scheduled basis
  – in the event of a failure, plaintiff’s lawyers will have much less to
    use, which could likely be judged positively by a jury
  – has quality control built in




                                   13
Policy

• Policy is dependent on a number of factors including:
  – age and type of the storage technology
  – classification of the data residing on the device
  – environment in which the device had been used
• One policy does not fit all
  – If a device was used to store public data but was used in a SCIF that
    handles top secret information, the drive, because it was used in a
    SCIF, is likely classified at the highest classification level
• Create a responsible policy
  – must encompass all types of storage hardware and information
    classifications and employ a responsible sanitization practice
    using both in-house and if required external services/resources


                                  14
Sanitization moratorium

• Include notion of a data sanitization moratorium
  – Often called a Litigation Hold or Legal Hold
  – organization must stop its data sanitization activities
  – sanitization activities must immediately be placed on hold until
    Legal department determines whether these sanitization
    activities jeopardize sought-after data
  – doesn’t just mean when there is a lawsuit
     • can be regulatory investigation, internal investigation for workplace
       misconduct, preservation because a client or vendor is in litigation
     • while you aren’t technically part of it, you may have data material to
       the matter they are involved in




                                     15
Form factors

  •   Hard drives
  •   USB / thumb drives
  •   Optical disks
  •   Solid state storage
  •   Flash
  •   VHS video
  •   External hard drives
  •   Floppies
  •   MFP
  •   Back-up tapes
  •   Copy machines
  •   DVD/CD
  •   Smart phones
                                   16
Selling is not sanitization




                          17
NIST Special Publication 800-88


• Guidelines for Media Sanitization
• Sanitization
  – general process of removing data from storage media, such that
    there is reasonable assurance that the data may not be easily
    retrieved and reconstructed
• 800-88 assists with decision-making when media
  require disposal, reuse, or will be leaving the effective
  control of an organization
• Develop and use local policies and procedures in
  conjunction with 800-88 to make effective, risk-based
  decisions on the ultimate sanitization and/or disposition
  of media and information
                                18
Types of media sanitization

• Clearing
  – Protects confidentiality of data against keyboard attack.
  – Example: overwriting
• Purging
  – Protects the confidentiality of information against a laboratory
    attack (use of special equipment by trained recovery
    technicians)
  – Example: Secure Erase, degaussing
• Destroying
  – Absolute destruction
  – Example: Hard drive shredding, smelting, disintegration



                                  19
Unacceptable media sanitization practices


•   File deletion
•   Drive formatting
•   Disk partitioning
•   Encryption / key destruction




                               20
Software-based disk sanitization

Advantages
• Single pass is adequate (as long as all data storage regions can be
  addressed)
• Cost-effective and easily configurable sanitization solution
• Can be configured to clear specific data, files, partitions or just the
  free space
• Erases all remnants of deleted data to maintain ongoing security
• Green solution

Disadvantages
• Requires significant time to process entire high capacity drive
• May not be able to sanitize data from inaccessible regions (HPA, DCO, etc.)
• Inconsistent data logging, audit trails or certification labels
• No security protection during the erasure process / subject to
  intentional or accidental parameter changes
• May require separate license for every hard drive
• Ineffective without good QA processes
• Not scalable


                                             21
Single pass vs. multiple passes
• DoD standard 5220.22-M (1995)
  – at least 3 passes required
• NIST Special Publication 800-88, section 2.3
  – Replaces 5220 which is retired
  – for ATA disk drives manufactured after 2001 (over 15 GB) clearing
    by overwriting the media once is adequate to protect the media
    from both keyboard and laboratory attack
  – single pass is adequate only if able to access the entire data
    storage region of the media surface




                                 22
Secure Erase – Purge Level Sanitization
• HDD manufacturers & Center for Magnetic Recording
  Research created Secure Erase sanitization standard
  – component of the ANSI ATA Specification
  – optional inclusion for use in SCSI as Secure Initialize
  – embedded in the firmware of all standards compliant ATA hard
    drives manufactured since 2001 (IDE, ATA, PATA, SATA)
  – single pass operation eradicates all data in all data sectors
  – highly effective and fast
  – validated and certified by various governing bodies
  – but most individuals and companies don’t even know it exists
  – HDD manufacturers scared of irate help-desk calls
  – inhibited by most PC manufacturers to protect from the potential
    exploitation by virus / malware

                                 23
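An added example, not from the slides: the drive's own firmware reports whether Secure Erase can be issued, and on Linux `hdparm -I` prints that as a "Security:" section. The script below parses that section (the two sample outputs are constructed to match hdparm's layout) and reports the blockers a technician hits in practice, including the "frozen" state a BIOS sets at boot, which is the inhibition the slide describes.

```python
"""Readiness check for ATA Secure Erase from `hdparm -I` output.

Added example, not code from the original slides. The "Security:" block of
`hdparm -I /dev/sdX` lists the ATA Security feature-set flags; a flag is
printed with a leading "not" when it is false. The erase command can only be
issued when the feature set is supported and the drive is neither locked nor
frozen (frozen = set by the BIOS/EFI at boot to keep software from erasing).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: feature set supported, drive ready to erase.
SAMPLE_READY = """\
ATA device, with non-removable media
Security:
\tMaster password revision code = 65534
\t\tsupported
\tnot\tenabled
\tnot\tlocked
\tnot\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
\t52min for SECURITY ERASE UNIT. 52min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct
"""

# Constructed sample: BIOS froze the security state at boot; no enhanced mode.
SAMPLE_FROZEN = """\
Security:
\tMaster password revision code = 65534
\t\tsupported
\tnot\tenabled
\tnot\tlocked
\t\tfrozen
\tnot\texpired: security count
\tnot\tsupported: enhanced erase
\t120min for SECURITY ERASE UNIT.
Checksum: correct
"""


@dataclass
class SecurityState:
    supported: bool = False
    enabled: bool = False
    locked: bool = False
    frozen: bool = False
    enhanced_erase: bool = False
    erase_minutes: Optional[int] = None
    enhanced_erase_minutes: Optional[int] = None


# hdparm feature text -> SecurityState attribute
FLAGS = {
    "supported": "supported",
    "enabled": "enabled",
    "locked": "locked",
    "frozen": "frozen",
    "supported: enhanced erase": "enhanced_erase",
}


def parse_security_section(output: str) -> SecurityState:
    """Extract the Security block; a flag prefixed with 'not' is false."""
    state = SecurityState()
    in_section = False
    for line in output.splitlines():
        if not in_section:
            in_section = line.strip() == "Security:"
            continue
        if line and not line[0].isspace():
            break  # reached the next top-level section of hdparm -I
        text = line.strip()
        negated = text.startswith("not")
        feature = text[3:].strip() if negated else text
        if feature in FLAGS:
            setattr(state, FLAGS[feature], not negated)
            continue
        m = re.search(r"(\d+)min for SECURITY ERASE UNIT", text)
        if m:
            state.erase_minutes = int(m.group(1))
        m = re.search(r"(\d+)min for ENHANCED SECURITY ERASE UNIT", text)
        if m:
            state.enhanced_erase_minutes = int(m.group(1))
    return state


def erase_readiness(state: SecurityState) -> Tuple[bool, List[str]]:
    """Return (ready, blockers) for issuing the erase command right now."""
    blockers = []
    if not state.supported:
        blockers.append("ATA Security feature set not supported; pick another purge method")
    if state.locked:
        blockers.append("drive is locked; unlock it with its password before erasing")
    if state.frozen:
        blockers.append("security state is frozen (BIOS sets this at boot); "
                        "the erase command is rejected until the drive is unfrozen")
    return (not blockers, blockers)


def recommended_mode(state: SecurityState) -> str:
    """Prefer enhanced erase: per the ATA spec it also overwrites sectors the
    drive has reallocated, which the normal zero-fill mode does not promise."""
    return "enhanced" if state.enhanced_erase else "normal"


if __name__ == "__main__":
    for name, sample in (("ready", SAMPLE_READY), ("frozen", SAMPLE_FROZEN)):
        st = parse_security_section(sample)
        ok, why = erase_readiness(st)
        print(f"{name}: {'ready' if ok else 'blocked'} {why} "
              f"mode={recommended_mode(st)} est={st.erase_minutes}min")
```

Feed it the captured text of `hdparm -I` for the drive under test; a "blocked" result belongs in the QC log, not just on the console.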
Hardware-based disk sanitization – degaussing
• Removal of data by exposing the data storage bits on the media surface to
  a magnetic field strong enough to exceed the coercivity of the media, so
  the stored bits are erased
   – Ensure model is on NSA Degausser Evaluated Products List (DEPL)
• Destructive process
   – Creates irreversible damage to hard drives
      • destroys the special servo control data on the drive, which is meant to
        be permanently embedded on the hard drive
      • once the servo is damaged, the drive is unusable
      • if you plan to reuse the drive, don’t degauss it




                                       24
Choosing a degausser

• Cycle time – amount of time it takes to complete the erasure
• Heat generation – may generate significant heat and need to be cooled
  down
   – If you need to degauss many drives, downtime can be an issue
• Wand or cavity style – hand wand models are generally cheaper, but
  may lack certain power features
   – cavity style degaussers enable you to place the entire unit into the degausser
• Size – smaller portable unit or a larger more powerful unit?
   – Some powerful models require wheels to move as they can weigh nearly 400 pounds




                                               25
Environmental considerations - location placement


• Should be installed in a location that will not interfere with
  equipment or cause risk to operator or the public
• Caution must be taken so that the strong electromagnetic
  fields created by the degausser don’t produce collateral
  damage to other susceptible equipment nearby
• Must not impose potential health risk
  – Consideration for interference with those who have pacemakers




                                 26
Physical disk destruction
• Physical destruction achieved using many methods
  – Shredding
  – Disintegration
  – Bending, breaking or mangling the hard drive
    • a bent or broken hard drive is easily distinguishable from unprocessed
      hard drives - confirming that the correct hard drive was disposed of
  – Is absolute destruction required?
    • Media must be ground to a diameter smaller than a single data 512KB
      block, which would require a particle size of no larger than 1/250 inch




                                   27
Hardware-based disk sanitization – Secure Erase

• Enables the native Secure Erase command
  – Overcomes host limitations to effectively launch Secure Erase
  – Maintains internal audit log
  – Issues destruction certificate upon successful completion


• Automatically format drives after erasure
  – used to rollout a new O/S to multiple workstations




                                 28
Optical media sanitization


• Securely and permanently eradicates digital data on
  DVD, CD-ROM and other optical media
  – grinds the information layer off media
• Ensure device meets the requirements of NSA/CSS 04-
  02 for Optical Media Destruction




                                 29
In-house data sanitization


Advantages
• Media never leaves your location, no risk of loss in transit
• Full control
• Data is destroyed by your own trusted staff
   – Recommended that all destruction activities be carried out under the
     office of the CISO, and by a trained and trusted technology support
     technician

Disadvantages
• Destruction systems can be expensive
• Low volume makes a longer time for ROI
• Staff with other duties may miss devices
• Must manage internal personnel and technology changes
• Lack of space and/or resources for proper segregation between destroyed
  and non-destroyed units
• Still must have a qualified vendor to deal with residual waste and/or
  drives that fail the sanitization/wiping process
• Disposal of residual material
• Technicians will miss drives
• Requires good QC process to be effective

                                              30
In-house sanitization


• Quality control
  – If your organization is going to do any of its own data
    sanitization, it must have quality control mechanisms
     • Separation of duties - one tech removes hard drives while another
       is assigned to verify the drives have been removed, document the
       verification, and replace the cover
  – Wiping - assign a separate tech to take a random sample of at
    least 10% (depending on quantity) and attempt to recover data
    with a COTS data recovery tool




                                   31
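An added example, not from the slides, that applies the QC rule above (random sample of at least 10%, then try to find surviving data) to the sectors of a wiped drive, and quantifies the blind spot of sampling: a sample catches a wipe that stopped short, but rarely catches a few stray sectors, so only a full read proves the whole storage region was covered. The disk image is constructed in memory; on a real device, pass a read-only file object on the block device and its size.

```python
"""Quality-control spot check of a wiped drive (added example, not from the slides).

A "clean" sector holds only the wipe pattern (zeros here); anything else is a
remnant the wipe missed. verify_wipe() samples sectors the way the slide's 10%
rule samples drives; miss_probability() says how likely that sample is to miss
a given number of dirty sectors (hypergeometric, computed without huge ints).
"""
import io
import math
import random
from typing import BinaryIO, List, Tuple

SECTOR = 512                          # bytes per logical sector
WIPE_PATTERN = b"\x00" * SECTOR       # what a single-pass zero wipe leaves
REMNANT = (b"OLD-DATA" * 64)[:SECTOR]  # constructed stand-in for missed data


def build_test_image(total_sectors: int, unwiped: List[int]) -> bytes:
    """Constructed image: fully wiped except the listed sector indices."""
    buf = bytearray(total_sectors * SECTOR)
    for idx in unwiped:
        buf[idx * SECTOR:(idx + 1) * SECTOR] = REMNANT
    return bytes(buf)


def sample_size(total: int, fraction: float = 0.10) -> int:
    """Smallest sample that is at least `fraction` of the population."""
    return max(1, math.ceil(total * fraction))


def verify_wipe(dev: BinaryIO, size_bytes: int, fraction: float = 0.10,
                seed: int = 0) -> Tuple[int, List[int]]:
    """Read a random sample of sectors; return (sectors_checked, dirty_sectors).

    fraction=1.0 reads every sector, which is the only way to prove a wipe;
    smaller fractions are a spot check with the blind spot miss_probability()
    quantifies.
    """
    total = size_bytes // SECTOR
    n = sample_size(total, fraction)
    chosen = sorted(random.Random(seed).sample(range(total), n))
    dirty = []
    for idx in chosen:
        dev.seek(idx * SECTOR)
        if dev.read(SECTOR) != WIPE_PATTERN:
            dirty.append(idx)
    return n, dirty


def verify_image(image: bytes, fraction: float = 0.10,
                 seed: int = 0) -> Tuple[int, List[int]]:
    """Convenience wrapper for an in-memory image."""
    return verify_wipe(io.BytesIO(image), len(image), fraction, seed)


def miss_probability(total: int, dirty: int, sampled: int) -> float:
    """Probability that a random sample of `sampled` sectors contains none of
    the `dirty` ones. With dirty == 0 the product is empty and returns 1.0."""
    if sampled + dirty > total:
        return 0.0  # the sample cannot fit in the clean sectors alone
    p = 1.0
    for i in range(dirty):
        p *= (total - sampled - i) / (total - i)
    return p


if __name__ == "__main__":
    total = 2048  # 1 MiB image
    # Case 1: the wipe stopped 20% short of the end - a 10% sample finds it.
    tail = list(range(int(total * 0.8), total))
    n, dirty = verify_image(build_test_image(total, tail))
    print(f"tail case: checked {n} sectors, {len(dirty)} dirty")
    # Case 2: three stray sectors - a 10% sample misses them most of the time.
    strays = [7, 900, 1500]
    n, dirty = verify_image(build_test_image(total, strays))
    print(f"stray case: checked {n}, {len(dirty)} dirty, "
          f"P(miss all) = {miss_probability(total, len(strays), n):.3f}")
    # Only a full read settles it.
    n, dirty = verify_image(build_test_image(total, strays), fraction=1.0)
    print(f"full scan: checked {n}, dirty sectors {dirty}")
```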
Outsourced data sanitization

Advantages
• No initial capital investment required
• can handle varying destruction needs (disintegration, degaussing, etc.)
• can handle varying volume needs
• experts utilizing best practices
• may have higher security standards than your location
• no need to manage personnel and technology changes
• regulatory compliant residual disposal
• if litigated, a professional secure destruction service's destruction
  documentation is more credible than internally generated processes

Disadvantages
• No direct control of vendor employees
• media may be transported outside of your location
• possible security concerns with off-premise transportation and handling
• may get locked into a bad contract
• may require minimums greater than your needs
• data is handled/destroyed by non-employees
• if hardware is not disposed of properly, you could be included in a
  pollution liability case
• Given these disadvantages, special emphasis should be placed on vendor
  selection criteria that specifically address these issues

                                                  32
Questions for a prospective outsourced firm
• What type of insurance coverage do they have?
     – professional liability (sometimes called Errors & Omissions)
     – pollution / environmental liability
     – demand to see certificate of insurance demonstrating coverage for both
•   What processes do they follow from receipt of asset through disposition?
•   What are their security procedures?
•   How do they sanitize data?
•   Are they NAID certified for digital data destruction?
•   How do they verify data is eradicated?
•   Do they do full background checks?
•   What are financial capabilities?
•   If private, where do they get their funding? How stable is source?
•   Can they provide customer references?
•   Do they have the necessary state and local permits?
•   Do they export e-waste overseas?
•   Can they handle all or most of the locations for which you will require services?
•   Do they have processes around chain of custody?
•   Will they agree to the SLAs that you have created?
•   Do they barcode items?
• The key is to ask a lot of questions in advance!
                                                       33
Outsourcing - Caveat Emptor


• A certificate of destruction, and a contract assuring
  responsibility of the process mean very little in the real
  world
• If a device is lost or data is exposed, it will be the owner
  of the data who will be getting the penalty and making
  the mandatory disclosure
• The service provider will be little more than a footnote in
  the disclosure




                              34
Taking data sanitization seriously
• Segregation
  – separate all storage devices and media from the other materials to be
    disposed of
  – specifically remove all hard drives from to-be-disposed-of PCs,
    laptops and servers
• Inventory
  – establish the chain of possession of the data storage device.
  – best practice - establish the connection of a particular storage
    device to the unit it was removed from and use internal asset
    management records to track the device back to the actual user
• Isolation
  – using secure collection containers, isolate the inventoried data
    storage devices in such a manner as to prevent unauthorized
    removal from the sanitization process
  – but avoid warehousing – media must be processed frequently so as to
    avoid stockpiling drives containing confidential data
                                  35
NAID


• National Association for Information Destruction
• International trade association for companies providing
  information destruction services
• Mission is to promote the information destruction
  industry and the standards and ethics of its member
  companies
• NAID certified companies are audited annually by an
  independent 3rd-party and subject to unannounced
  audits
• www.naidonline.org


                            36
References
• Guidelines for Media Sanitization (NIST SP 800-88)
• UCF Media Disposal Implementation Guide
• NAID Information Destruction Policy Compliance Toolkit
• ARMA Contracted Destruction for Records and
  Information Media
• Gartner - Best Practices for Data Destruction




                           37
Vendors / solution providers

• DestructData – www.destructdata.com
• Security Engineered Machinery – www.semshred.com
• Ontrack Eraser – www.ontrack.com
• CPR Tools – www.cprtools.net
• Back Thru the Future – www.backthruthefuture.com
• Ensconce Data Technology – www.deadondemand.com
• Garner Products – www.garner-products.com
• Darik’s Boot And Nuke – www.dban.org
• Reclamere – www.reclamere.com




                                 38
For more information

• National Association of Corporate Directors
  – Record Retention and Document Destruction Policy
  – www.nacdonline.org/images/RecordRetention051023.pdf

• Remembrance of Data Passed: A Study of Disk
  Sanitization Practices
  – www.computer.org/portal/cms_docs_security/security/v1n1/garfinkel.pdf

• Best Practices for the Destruction of Digital Data
  – www.cicadasecurity.com/guide.html

• Hard Drive Disposal: The Overlooked Confidentiality
  Exposure
  –   http://www-03.ibm.com/financing/pdf/sg/Hard_Drive_Disposal_The_Overlooked_Confidentiality_Exposure_AP.pdf

• Storage & Destruction Business Magazine
  – www.sdbmagazine.com

                                                      39
References


• Center for Magnetic Recording Research
  – http://cmrr.ucsd.edu/

• Australian Department of Defence
  – Information and Communications Technology Security Manual
  – http://www.dsd.gov.au/_lib/pdf_doc/acsi33/acsi33_u_0907.pdf

• Can Intelligence Agencies Read Overwritten Data?
  – www.nber.org/sys-admin/overwritten-data-gutmann.html




                                      40
Conclusion / Action Items


• Management awareness
  – management must be aware of the risks
  – must ensure formal sanitization processes are developed
• Develop strategies on media sanitization
• Review security procedures for adequacy,
  completeness, scope and failure analysis
• Develop an information lifecycle audit program
  – Follow a life cycle approach to IT risk management that
    includes making an explicit decision about data destruction
• Implement sanitization process
• Ensure quality control is built into the process

                                 41
Thanks for attending – Q/A


Ben Rothke, CISSP, CISA
Senior Security Consultant
BT Professional Services
ben.rothke@bt.com

www.linkedin.com/in/benrothke
www.twitter.com/benrothke




                             42

CISSP Prep: Ch 8. Security OperationsCISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security OperationsSam Bowne
 

Similar to Ben Rothke - Effective Data Destruction Practices (20)

CISSP Prep: Ch 3. Asset Security
CISSP Prep: Ch 3. Asset SecurityCISSP Prep: Ch 3. Asset Security
CISSP Prep: Ch 3. Asset Security
 
2. Asset Security
2. Asset Security2. Asset Security
2. Asset Security
 
CNIT 125 Ch 3. Asset Security
CNIT 125 Ch 3. Asset SecurityCNIT 125 Ch 3. Asset Security
CNIT 125 Ch 3. Asset Security
 
Encryption
EncryptionEncryption
Encryption
 
Data Sanitization: What, Why, When and How?
Data Sanitization: What, Why, When and How?Data Sanitization: What, Why, When and How?
Data Sanitization: What, Why, When and How?
 
Digital Media Storage.pptx
Digital Media Storage.pptxDigital Media Storage.pptx
Digital Media Storage.pptx
 
Data security
Data securityData security
Data security
 
Future
FutureFuture
Future
 
Andrew waugh
Andrew waughAndrew waugh
Andrew waugh
 
7-Backups of security Devices-03-06-2023.ppt
7-Backups of security Devices-03-06-2023.ppt7-Backups of security Devices-03-06-2023.ppt
7-Backups of security Devices-03-06-2023.ppt
 
Andrew Waugh presentation
Andrew Waugh   presentationAndrew Waugh   presentation
Andrew Waugh presentation
 
Backup and Archive Doesn't Have to be Complicated and Expensive
Backup and Archive Doesn't Have to be Complicated and ExpensiveBackup and Archive Doesn't Have to be Complicated and Expensive
Backup and Archive Doesn't Have to be Complicated and Expensive
 
Blancco Drive Eraser - product sheet
Blancco Drive Eraser - product sheetBlancco Drive Eraser - product sheet
Blancco Drive Eraser - product sheet
 
Využijte svou Oracle databázi na maximum!
Využijte svou Oracle databázi na maximum!Využijte svou Oracle databázi na maximum!
Využijte svou Oracle databázi na maximum!
 
Scale up is history! is scale out the future for storage
Scale up is history!  is scale out the future for storageScale up is history!  is scale out the future for storage
Scale up is history! is scale out the future for storage
 
Four Assumptions Killing Backup Storage Webinar
Four Assumptions Killing Backup Storage WebinarFour Assumptions Killing Backup Storage Webinar
Four Assumptions Killing Backup Storage Webinar
 
Data Sanitization and Disposal: Best Practices
Data Sanitization and Disposal: Best PracticesData Sanitization and Disposal: Best Practices
Data Sanitization and Disposal: Best Practices
 
Cincinnati window shade technology overview
Cincinnati window shade technology overviewCincinnati window shade technology overview
Cincinnati window shade technology overview
 
CNIT 125 Ch 8. Security Operations
CNIT 125 Ch 8. Security OperationsCNIT 125 Ch 8. Security Operations
CNIT 125 Ch 8. Security Operations
 
CISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security OperationsCISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security Operations
 

More from Ben Rothke

Securing your presence at the perimeter
Securing your presence at the perimeterSecuring your presence at the perimeter
Securing your presence at the perimeterBen Rothke
 
Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012  building a security operations center (soc)Rothke rsa 2012  building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)Ben Rothke
 
Rothke rsa 2012 what happens in vegas goes on youtube using social networks...
Rothke rsa 2012   what happens in vegas goes on youtube using social networks...Rothke rsa 2012   what happens in vegas goes on youtube using social networks...
Rothke rsa 2012 what happens in vegas goes on youtube using social networks...Ben Rothke
 
Rothke rsa 2013 - the five habits of highly secure organizations
Rothke   rsa 2013 - the five habits of highly secure organizationsRothke   rsa 2013 - the five habits of highly secure organizations
Rothke rsa 2013 - the five habits of highly secure organizationsBen Rothke
 
Rothke rsa 2013 - deployment strategies for effective encryption
Rothke   rsa 2013 - deployment strategies for effective encryptionRothke   rsa 2013 - deployment strategies for effective encryption
Rothke rsa 2013 - deployment strategies for effective encryptionBen Rothke
 
E5 rothke - deployment strategies for effective encryption
E5   rothke - deployment strategies for effective encryptionE5   rothke - deployment strategies for effective encryption
E5 rothke - deployment strategies for effective encryptionBen Rothke
 
Locking down server and workstation operating systems
Locking down server and workstation operating systemsLocking down server and workstation operating systems
Locking down server and workstation operating systemsBen Rothke
 
Mobile security blunders and what you can do about them
Mobile security blunders and what you can do about themMobile security blunders and what you can do about them
Mobile security blunders and what you can do about themBen Rothke
 
Securing your presence at the perimeter
Securing your presence at the perimeterSecuring your presence at the perimeter
Securing your presence at the perimeterBen Rothke
 
Lessons from ligatt from national cyber security nationalcybersecurity com
Lessons from ligatt   from national cyber security nationalcybersecurity comLessons from ligatt   from national cyber security nationalcybersecurity com
Lessons from ligatt from national cyber security nationalcybersecurity comBen Rothke
 
Lessons from ligatt
Lessons from ligattLessons from ligatt
Lessons from ligattBen Rothke
 
Interop 2011 las vegas - session se31 - rothke
Interop 2011   las vegas - session se31 - rothkeInterop 2011   las vegas - session se31 - rothke
Interop 2011 las vegas - session se31 - rothkeBen Rothke
 
Infosecurity Needs Its T.J. Hooper
Infosecurity Needs Its T.J. HooperInfosecurity Needs Its T.J. Hooper
Infosecurity Needs Its T.J. HooperBen Rothke
 
Rothke effective data destruction practices
Rothke   effective data destruction practicesRothke   effective data destruction practices
Rothke effective data destruction practicesBen Rothke
 
Rothke computer forensics show 2010
Rothke   computer forensics show 2010Rothke   computer forensics show 2010
Rothke computer forensics show 2010Ben Rothke
 
The Cloud is in the details webinar - Rothke
The Cloud is in the details webinar - RothkeThe Cloud is in the details webinar - Rothke
The Cloud is in the details webinar - RothkeBen Rothke
 
Webinar - Getting a handle on wireless security for PCI DSS Compliance
Webinar - Getting a handle on wireless security for PCI DSS ComplianceWebinar - Getting a handle on wireless security for PCI DSS Compliance
Webinar - Getting a handle on wireless security for PCI DSS ComplianceBen Rothke
 
La nécessité de la dlp aujourd’hui un livre blanc clearswift
La nécessité de la dlp aujourd’hui   un livre blanc clearswiftLa nécessité de la dlp aujourd’hui   un livre blanc clearswift
La nécessité de la dlp aujourd’hui un livre blanc clearswiftBen Rothke
 
The Need for DLP now - A Clearswift White Paper
The Need for DLP now - A Clearswift White PaperThe Need for DLP now - A Clearswift White Paper
The Need for DLP now - A Clearswift White PaperBen Rothke
 
Rothke secure360 building a security operations center (soc)
Rothke   secure360 building a security operations center (soc)Rothke   secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Ben Rothke
 

More from Ben Rothke (20)

Securing your presence at the perimeter
Securing your presence at the perimeterSecuring your presence at the perimeter
Securing your presence at the perimeter
 
Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012  building a security operations center (soc)Rothke rsa 2012  building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)
 
Rothke rsa 2012 what happens in vegas goes on youtube using social networks...
Rothke rsa 2012   what happens in vegas goes on youtube using social networks...Rothke rsa 2012   what happens in vegas goes on youtube using social networks...
Rothke rsa 2012 what happens in vegas goes on youtube using social networks...
 
Rothke rsa 2013 - the five habits of highly secure organizations
Rothke   rsa 2013 - the five habits of highly secure organizationsRothke   rsa 2013 - the five habits of highly secure organizations
Rothke rsa 2013 - the five habits of highly secure organizations
 
Rothke rsa 2013 - deployment strategies for effective encryption
Rothke   rsa 2013 - deployment strategies for effective encryptionRothke   rsa 2013 - deployment strategies for effective encryption
Rothke rsa 2013 - deployment strategies for effective encryption
 
E5 rothke - deployment strategies for effective encryption
E5   rothke - deployment strategies for effective encryptionE5   rothke - deployment strategies for effective encryption
E5 rothke - deployment strategies for effective encryption
 
Locking down server and workstation operating systems
Locking down server and workstation operating systemsLocking down server and workstation operating systems
Locking down server and workstation operating systems
 
Mobile security blunders and what you can do about them
Mobile security blunders and what you can do about themMobile security blunders and what you can do about them
Mobile security blunders and what you can do about them
 
Securing your presence at the perimeter
Securing your presence at the perimeterSecuring your presence at the perimeter
Securing your presence at the perimeter
 
Lessons from ligatt from national cyber security nationalcybersecurity com
Lessons from ligatt   from national cyber security nationalcybersecurity comLessons from ligatt   from national cyber security nationalcybersecurity com
Lessons from ligatt from national cyber security nationalcybersecurity com
 
Lessons from ligatt
Lessons from ligattLessons from ligatt
Lessons from ligatt
 
Interop 2011 las vegas - session se31 - rothke
Interop 2011   las vegas - session se31 - rothkeInterop 2011   las vegas - session se31 - rothke
Interop 2011 las vegas - session se31 - rothke
 
Infosecurity Needs Its T.J. Hooper
Infosecurity Needs Its T.J. HooperInfosecurity Needs Its T.J. Hooper
Infosecurity Needs Its T.J. Hooper
 
Rothke effective data destruction practices
Rothke   effective data destruction practicesRothke   effective data destruction practices
Rothke effective data destruction practices
 
Rothke computer forensics show 2010
Rothke   computer forensics show 2010Rothke   computer forensics show 2010
Rothke computer forensics show 2010
 
The Cloud is in the details webinar - Rothke
The Cloud is in the details webinar - RothkeThe Cloud is in the details webinar - Rothke
The Cloud is in the details webinar - Rothke
 
Webinar - Getting a handle on wireless security for PCI DSS Compliance
Webinar - Getting a handle on wireless security for PCI DSS ComplianceWebinar - Getting a handle on wireless security for PCI DSS Compliance
Webinar - Getting a handle on wireless security for PCI DSS Compliance
 
La nécessité de la dlp aujourd’hui un livre blanc clearswift
La nécessité de la dlp aujourd’hui   un livre blanc clearswiftLa nécessité de la dlp aujourd’hui   un livre blanc clearswift
La nécessité de la dlp aujourd’hui un livre blanc clearswift
 
The Need for DLP now - A Clearswift White Paper
The Need for DLP now - A Clearswift White PaperThe Need for DLP now - A Clearswift White Paper
The Need for DLP now - A Clearswift White Paper
 
Rothke secure360 building a security operations center (soc)
Rothke   secure360 building a security operations center (soc)Rothke   secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)
 

Recently uploaded

What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 

Recently uploaded (20)

What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 

Ben Rothke - Effective Data Destruction Practices

9. Storage data is remarkably resilient

• Fire – found after a fire destroyed the home – all data recovered
• Soaked – PowerBook underwater for two days – all data recovered
• Crushed – bus runs over laptop – all data recovered
• Fall from space – hard drive from the space shuttle Columbia, recovered from a dry river bed – 99% of its 400 MB of data recovered
10. Sanitization as part of the data lifecycle

• Lifecycle diagram with the stages Discovery, Sanitization, Classification, Auditing, Protection and Control: sanitization is one stage of the cycle, not an afterthought at disposal time
11. When do you need to sanitize media?

• Device is sold, donated, discarded or recycled
• End of lease
• Device returned to a manufacturer for warranty repair
• After a severe malware infection or intrusion, to remove all offending code from the infected storage device
• RAID or hot spare:
  – a hot spare placed into service and then removed when the faulty RAID drive is replaced has held live data
  – sanitize the hot spare as well as the original failed RAID drive if that drive is still operational; a drive that can no longer be wiped because it has failed still has to be degaussed or physically destroyed
12. Hard drives and media are everywhere

• Over 500 million hard drives were sold in 2009
• There are still billions out there
• Thumb drives are everywhere
• 4 GB USB drives are given away free at conferences
13. Sanitization as a formal process

• Formal system of information sanitization
  – based on risk factors specific to the organization
  – a policy must be created and implemented
  – should be extensive, explicit, auditable and audited
  – performed in a formal, consistent, documented manner
  – done on a scheduled basis
  – in the event of a failure, a documented process leaves plaintiff's lawyers much less to work with, and a jury is likely to view it favourably
  – has quality control built in
14. Policy

• Policy depends on a number of factors, including:
  – age and type of the storage technology
  – classification of the data residing on the device
  – environment in which the device has been used
• One policy does not fit all
  – if a device stored only public data but was used in a SCIF that handles top secret information, the drive, because it was used in a SCIF, is likely classified at the highest level
• Create a responsible policy
  – it must encompass all types of storage hardware and all information classifications, and employ a responsible sanitization practice using in-house and, if required, external services and resources
15. Sanitization moratorium

• Include the notion of a data sanitization moratorium
  – often called a Litigation Hold or Legal Hold
  – the organization must stop its data sanitization activities
  – sanitization must immediately be placed on hold until the Legal department determines whether it would jeopardize sought-after data
  – it does not only apply when there is a lawsuit
    • it can be a regulatory investigation, an internal investigation of workplace misconduct, or preservation because a client or vendor is in litigation
    • while you are not technically a party, you may hold data material to the matter they are involved in
16. Form factors

• Hard drives
• External hard drives
• USB / thumb drives
• Solid state storage
• Flash
• Optical disks
• DVD/CD
• Floppies
• VHS video
• Back-up tapes
• MFP (multi-function printers)
• Copy machines
• Smart phones
17. Selling is not sanitization
18. NIST Special Publication 800-88

• Guidelines for Media Sanitization
• Sanitization – the general process of removing data from storage media such that there is reasonable assurance the data cannot be easily retrieved and reconstructed
• 800-88 assists with decision-making when media require disposal or reuse, or will be leaving the effective control of an organization
• Develop and use local policies and procedures in conjunction with 800-88 to make effective, risk-based decisions on the ultimate sanitization and/or disposition of media and information
• The edition referred to in this deck is the 2006 publication; Revision 1 (December 2014) superseded it and added guidance for flash-based media and cryptographic erase
19. Types of media sanitization

• Clearing
  – protects the confidentiality of data against a keyboard attack (recovery using standard system tools through the drive's normal interface)
  – example: overwriting
• Purging
  – protects the confidentiality of information against a laboratory attack (special equipment operated by trained recovery technicians)
  – examples: Secure Erase, degaussing
• Destroying
  – absolute destruction; the media cannot be reused
  – examples: hard drive shredding, smelting, disintegration
20. Unacceptable media sanitization practices

• File deletion – removes only the directory entry; the data blocks stay on the media until they happen to be reused
• Drive formatting – a quick format rewrites file-system metadata and leaves the user data in place
• Disk partitioning – rewrites the partition table only
• Encryption / key destruction – not accepted as sanitization on its own in this deck; NIST SP 800-88 Revision 1 later recognised cryptographic erase as a purge method for self-encrypting drives, but only where every byte was encrypted before it was written and the key is verifiably destroyed
21. Software-based disk sanitization

Advantages
• Single pass is adequate (as long as all data storage regions can be addressed)
• Cost-effective and easily configurable sanitization solution
• Can be configured to clear specific data, files, partitions or just the free space
• Erases all remnants of deleted data to maintain ongoing security
• Green solution

Disadvantages
• Requires significant time to process an entire high-capacity drive
• May not be able to sanitize data in inaccessible regions (HPA, DCO, etc.)
• Inconsistent data logging, audit trails or certification labels
• No security protection during the erasure process; subject to intentional or accidental parameter changes
• May require a separate license for every hard drive
• Ineffective without good QA processes
• Not scalable
22. Single pass vs. multiple passes

• DoD standard 5220.22-M (1995) – at least 3 passes required
• NIST Special Publication 800-88, section 2.3
  – replaces 5220.22-M, which is retired
  – for ATA disk drives manufactured after 2001 (over 15 GB), clearing by overwriting the media once is adequate to protect the media from both keyboard and laboratory attack
  – a single pass is adequate only if the tool can address the entire data storage region of the media surface; a hidden area (HPA, DCO) or a reallocated sector is never reached by a host-side overwrite
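The addressability caveat in slides 21 and 22, demonstrated on a file-backed image rather than a real drive. This is an added example, not the deck's or any vendor's code. The image and its marker contents are constructed; the hidden area is simulated by handing the wipe routine fewer sectors than the image actually holds, which is exactly what an HPA does to a host-side tool. The read-back and digest are the quality-control step slide 21 says software wiping cannot do without.

```python
"""Single-pass overwrite of a file-backed disk image with full read-back
verification, and a check for data left beyond the addressable region.
Added example; the image contents and sizes are constructed."""
import hashlib
import os
import tempfile

SECTOR = 512  # bytes per logical sector on the drives 800-88 discusses


def overwrite_region(path, sectors, pattern=b"\x00", chunk=1 << 20):
    """One pass over the first `sectors` sectors (the region the OS exposes).
    Returns the number of bytes written."""
    if len(pattern) != 1:
        raise ValueError("pattern must be a single byte")
    total = sectors * SECTOR
    buf = pattern * chunk
    written = 0
    with open(path, "r+b", buffering=0) as f:
        while written < total:
            n = min(chunk, total - written)
            f.write(buf[:n])
            written += n
        f.flush()
        os.fsync(f.fileno())
    return written


def verify_region(path, sectors, pattern=b"\x00", chunk=1 << 20):
    """Read the addressed region back and confirm every byte is `pattern`.
    Returns (clean, sha256 of the region) for the audit record."""
    total = sectors * SECTOR
    buf = pattern * chunk
    digest = hashlib.sha256()
    clean = True
    with open(path, "rb", buffering=0) as f:
        remaining = total
        while remaining:
            blk = f.read(min(chunk, remaining))
            if not blk:          # short read: region smaller than claimed
                clean = False
                break
            digest.update(blk)
            if blk != buf[:len(blk)]:
                clean = False
            remaining -= len(blk)
    return clean, digest.hexdigest()


def expected_digest(sectors, pattern=b"\x00"):
    """Digest a fully overwritten region of this size must produce."""
    return hashlib.sha256(pattern * (sectors * SECTOR)).hexdigest()


def remnant_beyond(path, sectors):
    """True if any non-zero byte survives past the addressed region, i.e. the
    area an HPA or DCO clip hides from the wipe tool."""
    with open(path, "rb") as f:
        f.seek(sectors * SECTOR)
        return any(f.read())


def demo(native_sectors=1024, visible_sectors=1000):
    """Constructed image: native_sectors filled with a marker, of which only
    visible_sectors are exposed to the wipe. Returns what the wipe achieved."""
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(b"SSN=123-45-6789;" * (native_sectors * SECTOR // 16))
        overwrite_region(path, visible_sectors)
        clean, digest = verify_region(path, visible_sectors)
        return {"visible_clean": clean,
                "hidden_remnant": remnant_beyond(path, visible_sectors),
                "sha256": digest}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())            # HPA case: visible region clean, remnant survives
    print(demo(1024, 1024))  # whole drive addressable: nothing survives
```

On a real drive the two sector counts come from `hdparm -N`, which prints the current and native maximum; if they differ, the wipe tool is not seeing the whole platter and a single pass proves nothing about the hidden part.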
23. Secure Erase – purge-level sanitization

• HDD manufacturers and the Center for Magnetic Recording Research (CMRR) created the Secure Erase sanitization standard
  – a component of the ANSI ATA specification (the SECURITY ERASE UNIT command)
  – optional inclusion for use in SCSI as Secure Initialize
  – embedded in the firmware of all standards-compliant ATA hard drives manufactured since 2001 (IDE, ATA, PATA, SATA)
  – a single-pass operation run by the drive itself that eradicates all data in all data sectors; enhanced mode also overwrites sectors the drive has reallocated, which no host overwrite can reach
  – highly effective and fast
  – validated and certified by various governing bodies
  – but most individuals and companies do not even know it exists
  – HDD manufacturers are wary of irate help-desk calls
  – inhibited by most PC manufacturers to protect against exploitation by a virus or malware: the BIOS issues SECURITY FREEZE LOCK at boot, so the drive reports as "frozen" and refuses the command until it is power-cycled or hot-plugged
24. Hardware-based disk sanitization – degaussing

• Removal of data by exposing the media surface to a magnetic field strong enough to exceed the coercivity of the recording layer, randomising the stored bits
  – ensure the model is on the NSA Degausser Evaluated Products List (DEPL)
  – match the degausser's rated field to the coercivity of the drives you hold; newer, higher-density drives need stronger fields than older units
• Destructive process
  – creates irreversible damage to hard drives
    • destroys the servo control data, which is meant to be permanently embedded on the platters
    • once the servo data is destroyed, the drive is unusable
    • if you plan to reuse the drive, do not degauss it
  – has no effect on SSDs or flash media, which have no magnetic recording layer to erase
25. Choosing a degausser

• Cycle time
  – the amount of time it takes to complete the erasure
• Heat generation
  – may generate significant heat and need to cool down
  – if you need to degauss many drives, downtime can be an issue
• Wand or cavity style
  – hand-wand models are generally cheaper, but may lack certain power features
  – cavity-style degaussers let you place the entire unit into the degausser
• Size
  – a smaller portable unit or a larger, more powerful unit?
  – some powerful models need wheels to move, as they can weigh nearly 400 pounds
26. Environmental considerations – location placement
• Should be installed in a location that will not interfere with equipment or cause risk to the operator or the public
• Caution must be taken so that the strong electromagnetic fields created by the degausser don’t produce collateral damage to other susceptible equipment nearby
• Must not impose a potential health risk
  – Consideration for interference with those who have pacemakers
27. Physical disk destruction
• Physical destruction achieved using many methods
  – Shredding
  – Disintegration
  – Bending, breaking or mangling the hard drive
    • hard drive is easily distinguishable from unprocessed hard drives – ensuring the disposal of the correct hard drive
  – Is absolute destruction required?
    • Media must be ground to a diameter smaller than a single data 512KB block, which would require a particle size of no larger than 1/250 inch
28. Hardware-based disk sanitization – Secure Erase
• Enables the native Secure Erase command
  – Overcomes host limitations to effectively launch Secure Erase
  – Maintains internal audit log
  – Issues destruction certificate upon successful completion
• Automatically formats drives after erasure
  – used to roll out a new O/S to multiple workstations
29. Optical media sanitization
• Securely and permanently eradicates digital data on DVD, CD-ROM and other optical media
  – grinds the information layer off the media
• Ensure device meets the requirements of NSA/CSS 04-02 for Optical Media Destruction
30. In-house data sanitization

Advantages
• Media never leaves your location, no risk of loss in transit
• Full control
• Data is destroyed by your own trusted staff
  – Recommended that all destruction activities be carried out under the office of the CISO, and by a trained and trusted technology support technician

Disadvantages
• Destruction systems can be expensive
• Low volume makes a longer time for ROI
• Staff with other duties may miss devices
• Must manage internal personnel and technology changes
• Lack of space and/or resources for proper segregation between destroyed and non-destroyed units
• Still must have a qualified vendor to deal with residual waste and/or drives that fail the sanitization/wiping process
• Disposal of residual material
• Technicians will miss drives
• Requires good QC process to be effective
31. In-house sanitization
• Quality control
  – If your organization is going to do any of its own data sanitization, it must have quality control mechanisms
• Separation of duties
  – one tech removes hard drives while another is assigned to verify the drives have been removed, document the verification, and replace the cover
  – Wiping – assign a separate tech to take a random sample of at least 10% (depending on quantity) and attempt to recover data with a COTS data recovery tool
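The QC step on slide 31 (a second technician samples at least 10% of the wiped drives and looks for recoverable data) and the slide 22 requirement that a single overwrite pass cover the entire storage region can both be turned into a repeatable check. The following is an added example, not code from the presentation or any vendor listed in it: drive images and asset tags are constructed in memory, and on real hardware `images` would be opened block devices.

```python
import math
import random
from collections import Counter

SECTOR = 512  # bytes per LBA; the images below are constructed, not real drives

def sector_entropy(data: bytes) -> float:
    """Shannon entropy in bits/byte: 0.0 for a constant sector, ~8.0 for random data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def verify_image(image: bytes, expected_size: int, pattern: bytes = b"\x00") -> list:
    """Return findings for one wiped drive image; an empty list means it passed.

    Two checks: the overwrite reached the whole addressable region (the image is
    exactly expected_size bytes), and every sector holds the overwrite pattern.
    """
    findings = []
    if len(image) != expected_size:
        findings.append(f"size mismatch: {len(image)} of {expected_size} bytes overwritten")
    fill = (pattern * SECTOR)[:SECTOR]
    for lba, off in enumerate(range(0, len(image), SECTOR)):
        sector = image[off:off + SECTOR]
        if sector != fill[:len(sector)]:
            findings.append(f"LBA {lba}: residual data, entropy {sector_entropy(sector):.2f} bits/byte")
    return findings

def sample_for_qc(asset_tags, fraction: float = 0.10, seed=None) -> list:
    """Choose at least 10% of the wiped drives (never fewer than one) for the second tech."""
    tags = list(asset_tags)
    k = max(1, math.ceil(len(tags) * fraction))
    return sorted(random.Random(seed).sample(tags, k))

def run_qc(images: dict, sizes: dict, fraction: float = 0.10, seed=None) -> dict:
    """Verify a random sample of drives; returns {asset_tag: findings} for the sample."""
    return {tag: verify_image(images[tag], sizes[tag]) for tag in sample_for_qc(images, fraction, seed)}

# Constructed sample: three tiny "drives" (8 sectors each) with hypothetical asset tags.
DRIVE_SIZE = 8 * SECTOR
RESIDUAL = (b"ACME Corp Q3 payroll export\n" * 40)[:2 * SECTOR]
SAMPLE_IMAGES = {
    "HD-0001": bytes(DRIVE_SIZE),             # clean single-pass zero fill
    "HD-0002": bytes(6 * SECTOR) + RESIDUAL,  # wipe aborted after six sectors
    "HD-0003": bytes(7 * SECTOR),             # tool could not address the last sector
}
SAMPLE_SIZES = {tag: DRIVE_SIZE for tag in SAMPLE_IMAGES}

if __name__ == "__main__":
    for tag, findings in run_qc(SAMPLE_IMAGES, SAMPLE_SIZES, fraction=1.0).items():
        print(tag, "PASS" if not findings else "FAIL -> degauss or destroy", findings)
```

A drive that fails either check is routed to degaussing or physical destruction rather than back into the redeployment pool, and the findings are kept with the asset's chain-of-custody record.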
32. Outsourced data sanitization

Advantages
• No initial capital investment required
• can handle varying destruction needs (disintegration, degaussing, etc.)
• can handle varying volume needs
• experts utilizing best practices
• may have higher security standards than your location
• no need to manage personnel and technology changes
• regulatory compliant residual disposal
• if litigated, professional secure destruction services’ destruction documentation is more credible than internally generated processes

Disadvantages
• No direct control of vendor employees
• media may be transported outside of your location
• possible security concerns with off-premise transportation and handling
• may get locked into a bad contract
• may require minimums greater than your needs
• data is handled/destroyed by non-employees
• if hardware is not disposed of properly, you could be included in a pollution liability case

• Given these disadvantages, special emphasis should be placed on vendor selection criteria that specifically address these issues
33. Questions for a prospective outsourced firm
• What type of insurance coverage do they have?
  – professional liability (sometimes called Errors & Omissions)
  – pollution / environmental liability
  – demand to see a certificate of insurance demonstrating coverage for both
• What processes do they follow from receipt of asset through disposition?
• What are their security procedures?
• How do they sanitize data?
• Are they NAID certified for digital data destruction?
• How do they verify data is eradicated?
• Do they do full background checks?
• What are their financial capabilities?
• If private, where do they get their funding? How stable is that source?
• Can they provide customer references?
• Do they have the necessary state and local permits?
• Do they export e-waste overseas?
• Can they handle all or most of the locations for which you will require services?
• Do they have processes around chain of custody?
• Will they agree to the SLAs that you have created?
• Do they barcode items?
• The key is to ask a lot of questions in advance!
34. Outsourcing – Caveat Emptor
• A certificate of destruction, and a contract assuring responsibility of the process, mean very little in the real world
• If a device is lost or data is exposed, it will be the owner of the data who will be getting the penalty and making the mandatory disclosure
• The service provider will be little more than a footnote in the disclosure
35. Taking data sanitization seriously
• Segregation
  – separate all storage devices and media from the other to-be-disposed-of materials
  – specifically, remove all hard drives from to-be-disposed-of PCs, laptops and servers
• Inventory
  – establish the chain of possession of the data storage device
  – best practice: establish the connection of a particular storage device to the unit it was removed from, and use internal asset management records to track the device back to the actual user
• Isolation
  – using secure collection containers, isolate the inventoried data storage devices in such a manner as to prevent unauthorized removal from the sanitization process
  – but avoid warehousing: media must be processed frequently so as to avoid warehousing of drives containing confidential data
36. NAID
• National Association for Information Destruction
• International trade association for companies providing information destruction services
• Mission is to promote the information destruction industry and the standards and ethics of its member companies
• NAID certified companies are audited annually by an independent 3rd party and are subject to unannounced audits
• www.naidonline.org
37. References
• Guidelines for Media Sanitization (NIST SP 800-88)
• UCF Media Disposal Implementation Guide
• NAID Information Destruction Policy Compliance Toolkit
• ARMA – Contracted Destruction for Records and Information Media
• Gartner – Best Practices for Data Destruction
38. Vendors / solution providers
• DestructData
  – www.destructdata.com
• Security Engineered Machinery
  – www.semshred.com
• Ontrack Eraser
  – www.ontrack.com
• CPR Tools
  – www.cprtools.net
• Back Thru the Future
  – www.backthruthefuture.com
• Ensconce Data Technology
  – www.deadondemand.com
• Garner Products
  – www.garner-products.com
• Darik’s Boot And Nuke
  – www.dban.org
• Reclamere
  – www.reclamere.com
39. For more information
• National Association of Corporate Directors – Record Retention and Document Destruction Policy
  – www.nacdonline.org/images/RecordRetention051023.pdf
• Remembrance of Data Passed: A Study of Disk Sanitization Practices
  – www.computer.org/portal/cms_docs_security/security/v1n1/garfinkel.pdf
• Best Practices for the Destruction of Digital Data
  – www.cicadasecurity.com/guide.html
• Hard Drive Disposal: The Overlooked Confidentiality Exposure
  – http://www-03.ibm.com/financing/pdf/sg/Hard_Drive_Disposal_The_Overlooked_Confidentiality_Exposure_AP.pdf
• Storage & Destruction Business Magazine
  – www.sdbmagazine.com
40. References
• Center for Magnetic Recording Research
  – http://cmrr.ucsd.edu/
• Australian Department of Defence – Information and Communications Technology Security Manual
  – http://www.dsd.gov.au/_lib/pdf_doc/acsi33/acsi33_u_0907.pdf
• Can Intelligence Agencies Read Overwritten Data?
  – www.nber.org/sys-admin/overwritten-data-gutmann.html
41. Conclusion / Action Items
• Management awareness
  – management must be aware of the risks
  – must ensure formal sanitization processes are developed
• Develop strategies on media sanitization
• Review security procedures for adequacy, completeness, scope and failure analysis
• Develop an information lifecycle audit program
  – Follow a life cycle approach to IT risk management that includes making an explicit decision about data destruction
• Implement sanitization process
• Ensure quality control is built into the process
42. Thanks for attending – Q/A
Ben Rothke, CISSP, CISA
Senior Security Consultant
BT Professional Services
ben.rothke@bt.com
www.linkedin.com/in/benrothke
www.twitter.com/benrothke