Garlic, Wooden Stakes and Silver Bullets - Ensuring Effective Data Destruction Practices

Ben Rothke, CISSP, CISA
Senior Security Consultant
BT Professional Services
June 29, 2010

About me

• Senior Security Consultant – BT Professional Services
• Frequent writer and speaker
• Author of Computer Security: 20 Things Every Employee
  Should Know (McGraw-Hill)
• Veteran O’Reilly webinarist
  – Information Security and Social Networks
  – http://www.oreillynet.com/pub/e/1417
Agenda


•   Business case for media sanitization
•   Why must end-of-life media/data be sanitized?
•   Types of media sanitization
•   DIY or outsource?
•   References
•   Q/A

• Twitter hashtag #rothkewebinar
Business case for media sanitization
• Every business has digital media (often terabytes) that
  must be sanitized
• Media sanitization is often overlooked
• Failure to adequately sanitize media can have
  catastrophic consequences to a business
  –   financial loss
  –   damage to a company’s reputation
  –   regulatory violations
  –   civil and criminal liability for Directors and Officers
       • especially since effective media sanitization is not rocket science

• Therefore - digital media must be sanitized before
  disposal or redeployment
Where magic fails, formal processes are effective
Old data is big news
Information security - printers and copiers
Regulations, standards and other drivers

•   HIPAA
•   PCI DSS
•   GLBA
•   Privacy Act
•   Electronic Espionage Act
•   PIPEDA (Canada)
•   FACTA Disposal rule
•   Check 21
•   FISMA
•   Contracts
•   Best Practices
•   and more…
Storage data is remarkably resilient

• Fire - Found after fire destroys home – all data recovered
• Crushed - Bus runs over laptop – all data recovered
• Soaked – PowerBook underwater for two days - all data recovered
• Fall from space – Hard drive from space shuttle Columbia recovered from a
  dry river bed. 99% of 400MB data recovered
Sanitization as part of the data lifecycle

• Shown as a cycle: Discovery → Classification → Control → Protection →
  Sanitization → (back to Discovery)
• Auditing sits at the centre of the cycle
When do you need to sanitize media?


• Device is sold, donated, discarded or recycled
• End of lease
• Device returned to a manufacturer for warranty repair
• After severe malware/hacking attempt, for complete
  removal of offending code from infected storage device
• RAID or hot spare:
    – Hot spare placed into service, then removed when faulty RAID
      drive was replaced
    – Hot spare should be sanitized, as well as the original failed
      RAID drive if the drive is still operational
Hard drives and media are everywhere….


• Over 500 million hard drives were sold in 2009
• There are still billions out there
• Thumb drives are everywhere
• 4GB USB drives given away at conferences for free
Sanitization as a formal process
• Formal system of information sanitization
  – Based on risk factors specific to the organization
  – policy must be created and implemented
  – should be extensive, explicit, auditable and audited
  – performed in a formal, consistent, documented manner
  – done on a scheduled basis
  – in the event of a failure, plaintiff’s lawyers will have much less to
    use, which a jury is likely to view favourably
  – has quality control built in
Policy

• Policy is dependent on a number of factors including:
  – age and type of the storage technology
  – classification of the data residing on the device
  – environment in which the device had been used
• One policy does not fit all
  – If a device was used to store public data but was used in a SCIF that
    handles top secret information, the drive, because it was used in a
    SCIF, is likely classified at the highest classification level
• Create a responsible policy
  – must encompass all types of storage hardware and information
    classifications and employ a responsible sanitization practice
    using both in-house and if required external services/resources
Sanitization moratorium

• Include notion of a data sanitization moratorium
  – Often called a Litigation Hold or Legal Hold
  – organization must stop its data sanitization activities
  – sanitization activities must immediately be placed on hold until
    Legal department determines whether these sanitization
    activities jeopardize sought-after data
  – doesn’t just mean when there is a lawsuit
     • can be regulatory investigation, internal investigation for workplace
       misconduct, preservation because a client or vendor is in litigation
     • while you aren’t technically part of it, you may have data material to
       the matter they are involved in
Form factors

• Hard drives
• USB / thumb drives
• Optical disks
• Solid state storage
• Flash
• VHS video
• External hard drives
• Floppies
• MFP
• Back-up tapes
• Copy machines
• DVD/CD
• Smart phones
Selling is not sanitization
NIST Special Publication 800-88


• Guidelines for Media Sanitization
• Sanitization
  – general process of removing data from storage media, such that
    there is reasonable assurance that the data may not be easily
    retrieved and reconstructed
• 800-88 assists with decision-making when media
  require disposal, reuse, or will be leaving the effective
  control of an organization
• Develop and use local policies and procedures in
  conjunction with 800-88 to make effective, risk-based
  decisions on the ultimate sanitization and/or disposition
  of media and information
Types of media sanitization

• Clearing
  – Protects confidentiality of data against keyboard attack (recovery
    attempts through the system’s normal interfaces and software tools)
  – Example: overwriting
• Purging
  – Protects the confidentiality of information against a laboratory
    attack (use of special equipment by trained recovery
    technicians)
  – Example: Secure Erase, degaussing
• Destroying
  – Absolute destruction
  – Example: Hard drive shredding, smelting, disintegration
Unacceptable media sanitization practices


•   File deletion
•   Drive formatting
•   Disk partitioning
•   Encryption / key destruction
Software-based disk sanitization

Advantages
• Single pass is adequate (as long as all data storage regions can be
  addressed)
• Cost-effective and easily configurable sanitization solution
• Can be configured to clear specific data, files, partitions or just the
  free space
• Erases all remnants of deleted data to maintain ongoing security
• Green solution

Disadvantages
• Requires significant time to process entire high capacity drive
• May not be able to sanitize data from inaccessible regions (HPA, DCO, etc.)
• Inconsistent data logging, audit trails or certification labels
• No security protection during the erasure process / subject to
  intentional or accidental parameter changes
• May require separate license for every hard drive
• Ineffective without good QA processes
• Not scalable

Single pass vs. multiple passes
• DoD standard 5220.22-M (1995)
  – at least 3 passes required
• NIST Special Publication 800-88, section 2.3
  – Replaces 5220 which is retired
  – for ATA disk drives manufactured after 2001 (over 15 GB) clearing
    by overwriting the media once is adequate to protect the media
    from both keyboard and laboratory attack
  – single pass is adequate only if able to access the entire data
    storage region of the media surface
Secure Erase – Purge Level Sanitization
• HDD manufacturers & Center for Magnetic Recording
  Research created Secure Erase sanitization standard
  – component of the ANSI ATA Specification
  – optional inclusion for use in SCSI as Secure Initialize
  – embedded in the firmware of all standards compliant ATA hard
    drives manufactured since 2001 (IDE, ATA, PATA, SATA)
  – single pass operation eradicates all data in all data sectors
  – highly effective and fast
  – validated and certified by various governing bodies
  – but most individuals and companies don’t even know it exists
  – HDD manufacturers scared of irate help-desk calls
  – inhibited by most PC manufacturers to protect from the potential
    exploitation by virus / malware
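
As an added example (not code from the webinar or from any vendor named in it), the Python below checks whether a drive will actually accept ATA Secure Erase before anyone issues it: it parses the Security section of `hdparm -I` and the capacity line of `hdparm -N`, flags the host freeze lock that is the usual way the command ends up "inhibited", and returns the `hdparm` commands to run rather than executing them. The two sample outputs are constructed, and the exact text layout of `hdparm` is an assumption to adjust if your version prints differently.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of the "Security:" section as printed by `hdparm -I`.
# Assumption: real output is tab-indented like this, with "not" preceding a
# state that is off.  Here the drive supports Secure Erase but is FROZEN, the
# state most BIOSes put it in at boot by issuing SECURITY FREEZE LOCK.
SAMPLE_IDENTIFY = (
    "Security: \n"
    "\tMaster password revision code = 65534\n"
    "\t\tsupported\n"
    "\tnot\tenabled\n"
    "\tnot\tlocked\n"
    "\t\tfrozen\n"
    "\tnot\texpired: security count\n"
    "\t\tsupported: enhanced erase\n"
    "\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.\n"
    "Checksum: correct\n"
)

# Constructed sample of `hdparm -N` output: host-visible sectors / native max.
SAMPLE_HPA = "/dev/sdX:\n max sectors   = 976773168/976773168, HPA is disabled\n"


def parse_security(identify_text: str) -> Dict[str, bool]:
    """Extract the ATA Security feature-set state from `hdparm -I` output."""
    flags = {"supported": False, "enabled": False, "locked": False,
             "frozen": False, "enhanced_erase": False}
    in_section = False
    for raw in identify_text.splitlines():
        if raw.startswith("Security:"):
            in_section = True
            continue
        if in_section and raw and not raw[0].isspace():
            break  # a new top-level section: the Security block is over
        if not in_section:
            continue
        line = " ".join(raw.split())  # collapse tabs and spaces
        negated = line.startswith("not ")
        word = line[4:] if negated else line
        if word == "supported: enhanced erase":
            flags["enhanced_erase"] = not negated
        elif word in flags:
            flags[word] = not negated
        # other lines (master password revision, timings, "expired") are informational
    return flags


def parse_hpa(hpa_text: str) -> Tuple[int, int]:
    """Return (host-visible sectors, native max sectors) from `hdparm -N` output."""
    m = re.search(r"max sectors\s*=\s*(\d+)/(\d+)", hpa_text)
    if not m:
        raise ValueError("no 'max sectors' line found in hdparm -N output")
    return int(m.group(1)), int(m.group(2))


def secure_erase_readiness(identify_text: str, hpa_text: str,
                           device: str = "/dev/sdX") -> Tuple[bool, List[str], List[str]]:
    """Decide whether Secure Erase can be issued now.  Returns (ready, blockers,
    commands); the commands are returned for the operator to run, never executed."""
    flags = parse_security(identify_text)
    visible, native = parse_hpa(hpa_text)
    blockers: List[str] = []
    if not flags["supported"]:
        blockers.append("drive does not report the ATA Security feature set")
    if flags["frozen"]:
        blockers.append("security state is FROZEN (the host BIOS issues SECURITY FREEZE LOCK "
                        "at boot); unfreeze first, e.g. by a suspend/resume cycle or by "
                        "attaching the drive to a host that does not freeze it")
    if flags["locked"]:
        blockers.append("drive is LOCKED; the existing user password is required")
    if visible != native:
        blockers.append(f"HPA hides {native - visible} sectors from the host; remove it "
                        "(hdparm -N with the native max) so host-side verification "
                        "can read the whole drive afterwards")
    erase_flag = "--security-erase-enhanced" if flags["enhanced_erase"] else "--security-erase"
    commands = [
        f"hdparm --user-master u --security-set-pass NULL {device}",
        f"hdparm --user-master u {erase_flag} NULL {device}",
    ]
    return (not blockers, blockers, commands)


if __name__ == "__main__":
    ready, why_not, cmds = secure_erase_readiness(SAMPLE_IDENTIFY, SAMPLE_HPA)
    print("ready" if ready else "NOT ready:\n  " + "\n  ".join(why_not))
    print("commands once clear:\n  " + "\n  ".join(cmds))
```

Keep the returned command list in the sanitization record next to the drive serial; the audit trail the slide mentions is what distinguishes a verified erase from a claimed one.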
Hardware-based disk sanitization – degaussing
• Removal of data by exposing the data storage bits on the media surface to
  a magnetic field strong enough to overcome the coercivity of the media
  – Ensure model is on NSA Degausser Evaluated Products List (DEPL)
• Destructive process
  – Creates irreversible damage to hard drives
     • destroys the special servo control data on the drive, which is meant to
       be permanently embedded on the hard drive
     • once the servo is damaged, the drive is unusable
     • if you plan to reuse the drive, don’t degauss it
Choosing a degausser

• Cycle time – amount of time it takes to complete the erasure
• Heat generation – may generate significant heat and need to be cooled
  down
   – If you need to degauss many drives, downtime can be an issue
• Wand or cavity style – hand wand models are generally cheaper, but
  may lack certain power features
   – cavity style degaussers enable you to place the entire unit into the degausser
• Size – smaller portable unit or a larger more powerful unit?
   – Some powerful models require wheels to move as they can weigh nearly 400 pounds
Environmental considerations - location placement


• Should be installed in a location that will not interfere with
  equipment or cause risk to operator or the public
• Caution must be taken so that the strong electromagnetic
  fields created by the degausser don’t produce collateral
  damage to other susceptible equipment nearby
• Must not impose potential health risk
  – Consideration for interference with those who have pacemakers
Physical disk destruction
• Physical destruction achieved using many methods
  – Shredding
  – Disintegration
  – Bending, breaking or mangling the hard drive
    • hard drive is easily distinguishable from unprocessed hard drives -
      ensuring the disposal of the correct hard drive
  – Is absolute destruction required?
    • Media must be ground to a diameter smaller than a single data 512KB
      block, which would require a particle size of no larger than 1/250 inch
Hardware-based disk sanitization – Secure Erase

• Enables the native Secure Erase command
  – Overcomes host limitations to effectively launch Secure Erase
  – Maintains internal audit log
  – Issues destruction certificate upon successful completion
• Automatically format drives after erasure
  – used to roll out a new O/S to multiple workstations
Optical media sanitization


• Securely and permanently eradicates digital data on
  DVD, CD-ROM and other optical media
  – grinds the information layer off media
• Ensure device meets the requirements of NSA/CSS 04-02 for Optical
  Media Destruction
In-house data sanitization


Advantages
• Media never leaves your location, no risk of loss in transit
• Full control
• Data is destroyed by your own trusted staff
  – Recommended that all destruction activities be carried out under the
    office of the CISO, and by a trained and trusted technology support
    technician

Disadvantages
• Destruction systems can be expensive
• Low volume makes a longer time for ROI
• Staff with other duties may miss devices
• Must manage internal personnel and technology changes
• Lack of space and/or resources for proper segregation between destroyed
  and non-destroyed units
• Still must have a qualified vendor to deal with residual waste and/or
  drives that fail sanitization/wiping process
• Disposal of residual material
• Technicians will miss drives
• Requires good QC process to be effective

In-house sanitization


• Quality control
  – If your organization is going to do any of its own data
    sanitization, it must have quality control mechanisms
     • Separation of duties - one tech removes hard drives while another
       is assigned to verify the drives have been removed, document the
       verification, and replace the cover
  – Wiping - assign a separate tech to take a random sample of at
    least 10% (depending on quantity) and attempt to recover data
    with a COTS data recovery tool
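
The “Single pass vs. multiple passes” slide (a single overwrite is adequate only if the entire storage region was addressed) and the quality-control step above (an independent recovery attempt on at least a 10% random sample) are both demonstrated by this added Python example, which is not part of the presentation: it verifies a wiped image byte for byte rather than spot-checking it, reports how many sectors an HPA hid from a host-side wipe, and draws the random QC sample. The 128 KiB drive image with a planted remnant and the serial numbers are constructed for the demo.

```python
import math
import random
from typing import List, Tuple

SECTOR = 512


def build_sample_image() -> bytes:
    """Constructed 128 KiB 'drive' that a single zero pass supposedly wiped,
    except that one sector near the end still holds a remnant."""
    img = bytearray(256 * SECTOR)
    remnant = b"CONFIDENTIAL payroll export 2009"  # constructed sample data
    img[250 * SECTOR:250 * SECTOR + len(remnant)] = remnant
    return bytes(img)


def verify_overwrite(image: bytes, pattern: bytes = b"\x00",
                     chunk: int = 64 * 1024) -> Tuple[bool, int]:
    """Read the whole image and confirm every byte matches the overwrite pattern.
    Returns (clean, offset_of_first_mismatch); the offset is -1 when clean.
    Reading everything, not a sample, is the point: one pass is only adequate
    if the entire addressable surface was actually written."""
    if not pattern:
        raise ValueError("pattern must not be empty")
    chunk = max(chunk - chunk % len(pattern), len(pattern))  # keep chunks pattern-aligned
    for off in range(0, len(image), chunk):
        block = image[off:off + chunk]
        expected = (pattern * (len(block) // len(pattern) + 1))[:len(block)]
        if block != expected:
            bad = next(i for i, (a, b) in enumerate(zip(block, expected)) if a != b)
            return False, off + bad
    return True, -1


def hpa_gap_sectors(visible_sectors: int, native_max_sectors: int) -> int:
    """Sectors a host-side overwrite could not reach because a Host Protected
    Area shrank the visible capacity (the two numbers `hdparm -N` reports)."""
    if native_max_sectors < visible_sectors:
        raise ValueError("native max cannot be smaller than the visible capacity")
    return native_max_sectors - visible_sectors


def qc_sample(serials: List[str], fraction: float = 0.10, seed=None) -> List[str]:
    """Pick the random sample (at least 10%, never fewer than one drive) that a
    second technician will attempt recovery on with a COTS tool.  The seed only
    makes the draw reproducible for the audit record."""
    if not serials:
        return []
    n = min(len(serials), max(1, math.ceil(len(serials) * fraction)))
    return sorted(random.Random(seed).sample(serials, n))


if __name__ == "__main__":
    clean, where = verify_overwrite(build_sample_image())
    print("clean" if clean else
          f"residual data at byte offset {where} (sector {where // SECTOR})")
    print("sectors hidden by HPA:", hpa_gap_sectors(976000000, 976773168))
    print("QC sample:", qc_sample([f"SN{i:03d}" for i in range(37)], seed=7))
```

On a real drive, read the block device (or a full image of it) in place of `build_sample_image()`, and compare the visible capacity against the native max first, since a clean read of the visible area says nothing about sectors the wipe never reached.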
Outsourced data sanitization

Advantages
• No initial capital investment required
• can handle varying destruction needs (disintegration, degaussing, etc.)
• can handle varying volume needs
• experts utilizing best practices
• may have higher security standards than your location
• no need to manage personnel and technology changes
• regulatory compliant residual disposal
• if litigated, professional secure destruction services’ destruction
  documentation is more credible than internally generated processes

Disadvantages
• No direct control of vendor employees
• media may be transported outside of your location
• possible security concerns with off-premise transportation and handling
• may get locked into a bad contract
• may require minimums greater than your needs
• data is handled/destroyed by non-employees
• if hardware is not disposed of properly, you could be included in a
  pollution liability case
• Given these disadvantages, special emphasis should be placed on vendor
  selection criteria that specifically address these issues

Questions for a prospective outsourced firm
• What type of insurance coverage do they have?
  – professional liability (sometimes called Errors & Omissions)
  – pollution / environmental liability
  – demand to see certificate of insurance demonstrating coverage for both
• What processes do they follow from receipt of asset through disposition?
• What are their security procedures?
• How do they sanitize data?
• Are they NAID certified for digital data destruction?
• How do they verify data is eradicated?
• Do they do full background checks?
• What are their financial capabilities?
• If private, where do they get their funding? How stable is the source?
• Can they provide customer references?
• Do they have the necessary state and local permits?
• Do they export e-waste overseas?
• Can they handle all or most of the locations for which you will require services?
• Do they have processes around chain of custody?
• Will they agree to the SLAs that you have created?
• Do they barcode items?
• The key is to ask a lot of questions in advance!
Outsourcing - Caveat Emptor


• A certificate of destruction, and a contract assuring
  responsibility of the process mean very little in the real
  world
• If a device is lost or data is exposed, it will be the owner
  of the data who will be getting the penalty and making
  the mandatory disclosure
• The service provider will be little more than a footnote in
  the disclosure
Taking data sanitization seriously
• Segregation
  – separate all storage devices and media from the other materials to be
    disposed of
  – specifically remove all hard drives from to-be-disposed-of PCs,
    laptops and servers
• Inventory
  – establish the chain of possession of the data storage device.
  – best practice - establish the connection of a particular storage
    device to the unit it was removed from and use internal asset
    management records to track the device back to the actual user
• Isolation
  – using secure collection containers, isolate the inventoried data
    storage devices in such a manner as to prevent unauthorized
    removal from the sanitization process
  – but avoid warehousing – media must be processed frequently so that
    drives containing confidential data do not pile up awaiting sanitization
NAID


• National Association for Information Destruction
• International trade association for companies providing
  information destruction services
• Mission is to promote the information destruction
  industry and the standards and ethics of its member
  companies
• NAID certified companies are audited annually by an
  independent third party and subject to unannounced
  audits
• www.naidonline.org
References
• Guidelines for Media Sanitization (NIST SP 800-88)
• UCF Media Disposal Implementation Guide
• NAID Information Destruction Policy Compliance Toolkit
• ARMA Contracted Destruction for Records and
  Information Media
• Gartner - Best Practices for Data Destruction
Vendors / solution providers

• DestructData
  – www.destructdata.com
• Ensconce Data Technology
  – www.deadondemand.com
• Security Engineered Machinery
  – www.semshred.com
• Garner Products
  – www.garner-products.com
• Ontrack Eraser
  – www.ontrack.com
• Darik’s Boot And Nuke
  – www.dban.org
• CPR Tools
  – www.cprtools.net
• Reclamere
  – www.reclamere.com
• Back Thru the Future
  – www.backthruthefuture.com

For more information

• National Association of Corporate Directors
  – Record Retention and Document Destruction Policy
  – www.nacdonline.org/images/RecordRetention051023.pdf

• Remembrance of Data Passed: A Study of Disk
  Sanitization Practices
  – www.computer.org/portal/cms_docs_security/security/v1n1/garfinkel.pdf

• Best Practices for the Destruction of Digital Data
  – www.cicadasecurity.com/guide.html

• Hard Drive Disposal: The Overlooked Confidentiality
  Exposure
  –   http://www-03.ibm.com/financing/pdf/sg/Hard_Drive_Disposal_The_Overlooked_Confidentiality_Exposure_AP.pdf

• Storage & Destruction Business Magazine
  – www.sdbmagazine.com
References


• Center for Magnetic Recording Research
  – http://cmrr.ucsd.edu/

• Australian Department of Defence
  – Information and Communications Technology Security Manual
  – http://www.dsd.gov.au/_lib/pdf_doc/acsi33/acsi33_u_0907.pdf

• Can Intelligence Agencies Read Overwritten Data?
  – www.nber.org/sys-admin/overwritten-data-gutmann.html
Conclusion / Action Items


• Management awareness
  – management must be aware of the risks
  – must ensure formal sanitization processes are developed
• Develop strategies on media sanitization
• Review security procedures for adequacy,
  completeness, scope and failure analysis
• Develop an information lifecycle audit program
  – Follow a life cycle approach to IT risk management that
    includes making an explicit decision about data destruction
• Implement sanitization process
• Ensure quality control is built into the process
Thanks for attending – Q/A


Ben Rothke, CISSP, CISA
Senior Security Consultant
BT Professional Services
ben.rothke@bt.com

www.linkedin.com/in/benrothke
www.twitter.com/benrothke

Rothke effective data destruction practices

  • 1.
    Garlic, Wooden Stakesand Silver Bullets - Ensuring Effective Data Destruction Practices Ben Rothke, CISSP, CISA Senior Security Consultant BT Professional Services June 29, 2010
  • 2.
    About me • SeniorSecurity Consultant – BT Professional Services • Frequent writer and speaker • Author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill) • Veteran O’Reilly webinarist – Information Security and Social Networks – http://www.oreillynet.com/pub/e/1417 2
  • 3.
    Agenda • Business case for media sanitization • Why must end-of-life media/data be sanitized? • Types of media sanitization • DIY or outsource? • References • Q/A • Twitter hashtag #rothkewebinar 3
  • 4.
    Business case formedia sanitization • Every business has digital media (often terabytes) that must be sanitized • Media sanitization is often overlooked • Failure to adequately sanitize media can have catastrophic consequences to a business – financial loss – damage to a company’s reputation – regulatory violations – civil and criminal liability for Directors and Officers • especially since effective media sanitization is not rocket science • Therefore - digital media must be sanitized before disposal or redeployment 4
  • 5.
    Where magic fails,formal processes are effective 5
  • 6.
    Old data isbig news 6
  • 7.
    Information security -printers and copiers 7
  • 8.
    Regulations, standards andother drivers • HIPAA • PCI DSS • GLBA • Privacy Act • Electronic Espionage Act • PIPEDA (Canada) • FACTA Disposal rule • Check 21 • FISMA • Contracts • Best Practices • and more….. 8
  • 9.
    Storage data isremarkably resilient Fire - Found after fire Soaked – PowerBook destroys home – all Crushed - Bus runs underwater for two data recovered over laptop – all data days - all data recovered recovered Fall from space – Hard drive recovered from space shuttle Columbia recovered from a dry river bed. 99% of 400MB data recovered 9
  • 10.
    Sanitization as partof the data lifecycle Discovery Sanitization Classification Auditing Protection Control
  • 11.
    When do youneed to sanitize media? • Device is sold, donated, discarded or recycled • End of lease • Device returned to a manufacturer for warranty repair • After severe malware/hacking attempt, for complete removal of offending code from infected storage device • RAID or hot spare: – Hot spare placed into service, then removed when faulty RAID drive was replaced – Hot spare should be sanitized, as well as the original failed RAID drive if the drive is still operational 11
  • 12.
    Hard drives andmedia are everywhere…. • Over 500 million hard drives were sold in 2009 • There are still billions out there • Thumb drives are everywhere • 4GB USB drives given away at conferences for free 12
  • 13.
    Sanitization as aformal process • Formal system of information sanitization – Based on risk factors specific to the organization – policy must be created and implemented – should be extensive, explicit, auditable and audited – performed in a formal, consistent, documented manner – done on a scheduled basis – in the event of a failure, plaintiff’s lawyers will have much less to use, which could likely be judged positively by a jury – has quality control built in 13
  • 14.
    Policy • Policy isdependent on a number of factors including: – age and type of the storage technology – classification of the data residing on the device – environment in which the device had been used • One policy does not fit all – If device was used to store public data, but used in a SCIF that handles top secret information; the drive, since it was used in a SCIF, likely classified as the highest level of classification • Create a responsible policy – must encompass all types of storage hardware and information classifications and employ a responsible sanitization practice using both in-house and if required external services/resources 14
  • 15.
    Sanitization moratorium • Includenotion of a data sanitization moratorium – Often called a Litigation Hold or Legal Hold – organization must stop its data sanitization activities – sanitization activities must immediately be placed on hold until Legal department determines whether these sanitization activities jeopardize sought-after data – doesn’t just mean when there is a lawsuit • can be regulatory investigation, internal investigation for workplace misconduct, preservation because a client or vendor is in litigation • while you aren’t technically part of it, you may have data material to the matter they are involved in 15
  • 16.
    Form factors • Hard drives • USB / thumb drives • Optical disks • Solid state storage • Flash • VHS video • External hard drives • Floppies • MFP • Back-up tapes • Copy machines • DVD/CD • Smart phones 16
  • 17.
    Selling is notsanitization 17
  • 18.
    NIST Special Publication800-88 • Guidelines for Media Sanitization • Sanitization – general process of removing data from storage media, such that there is reasonable assurance that the data may not be easily retrieved and reconstructed • 800-88 assists with decision-making when media require disposal, reuse, or will be leaving the effective control of an organization • Develop and use local policies and procedures in conjunction with 800-88 to make effective, risk-based decisions on the ultimate sanitization and/or disposition of media and information 18
  • 19.
    Types of mediasanitization • Clearing – Protects confidentiality of data against keyboard attack. – Example: overwriting • Purging – Protects the confidentiality of information against a laboratory attack (use of special equipment by trained recovery technicians) – Example: Secure Erase, degaussing • Destroying – Absolute destruction – Example: Hard drive shredding, smelting, disintegration 19
  • 20.
    Unacceptable media sanitizationpractices • File deletion • Drive formatting • Disk partitioning • Encryption / key destruction 20
  • 21.
    Software-based disk sanitization Advantages Disadvantages • Single pass is adequate (as long as • Requires significant time to process all data storage regions can be entire high capacity drive addressed) • May not be able to sanitize data from • Cost-effective and easily configurable inaccessible regions (HPA, DCO, etc.) sanitization solution • Inconsistent data logging, audit trails or • Can be configured to clear specific certification labels data, files, partitions or just the free • No security protection during the space erasure process / subject to intentional • Erases all remnants of deleted data or accidental parameter changes to maintain ongoing security • May require separate license for every • Green solution hard drive • Ineffective without good QA processes • Not scalable 21
  • 22.
    Single pass vs.multiple passes • DoD standard 5220.22-M (1995) – at least 3 passes required • NIST Special Publication 800-88, section 2.3 – Replaces 5220 which is retired – for ATA disk drives manufactured after 2001 (over 15 GB) clearing by overwriting the media once is adequate to protect the media from both keyboard and laboratory attack – single pass is adequate only if able to access the entire data storage region of the media surface 22
  • 23.
    Secure Erase –Purge Level Sanitization • HDD manufacturers & Center for Magnetic Recording Research created Secure Erase sanitization standard – component of the ANSI ATA Specification – optional inclusion for use in SCSI as Secure Initialize – embedded in the firmware of all standards compliant ATA hard drives manufactured since 2001 (IDE, ATA, PATA, SATA) – single pass operation eradicates all data in all data sectors – highly effective and fast – validated and certified by various governing bodies – but most individuals and companies don’t even know it exists – HDD manufacturers scared of irate help-desk calls – inhibited by most PC manufacturers to protect from the potential exploitation by virus / malware 23
  • 24.
    Hardware-based disk sanitization– degaussing • Removal of data by exposing data storage bits on media surface to a magnetic field of sufficient strength to achieve coercion of the bit – Ensure model is on NSA Degausser Evaluated Products List (DEPL) • Destructive process – Creates irreversible damage to hard drives • destroys the special servo control data on the drive, which is meant to be permanently embedded on the hard drive • once the servo is damaged, the drive is unusable • if you plan to reuse the drive, don’t degauss it 24
  • 25.
    Choosing a degausser •Cycle time – amount of time it takes to complete the erasure • Heat generation – may generate significant heat and need to be cooled down – If you need to degauss many drives, downtime can be an issue • Wand or cavity style – hand wands models are generally cheaper, but may lack certain power features – cavity style degaussers enable you to place the entire unit into the degausser • Size – smaller portable unit or a larger more powerful unit? – Some powerful models require wheels to move as they can weigh nearly 400 pounds 25
  • 26.
    Environmental considerations -location placement • Should be installed in a location that will not interfere with equipment or cause risk to operator or the public • Caution must be taken so that the strong electromagnetic fields created by the degausser don’t produce collateral damage to other susceptible equipment nearby • Must not impose potential health risk – Consideration for interference with those who have pacemakers 26
  • 27.
    Physical disk destruction •Physical destruction achieved using many methods – Shredding – Disintegration – Bending, breaking or mangling the hard drive • hard drive is easily distinguishable from unprocessed hard drives - ensuring the disposal of the correct hard drive – Is absolute destruction required? • Media must be ground to a diameter smaller than a single data 512KB block, which would require a particle size of no larger than 1/250 inch 27
  • 28.
    Hardware-based disk sanitization– Secure Erase • Enables the native Secure Erase command - Overcomes host limitations to effectively launch Secure Erase - Maintains internal audit log - Issues destruction certificate upon successful completion • Automatically format drives after erasure – used to rollout a new O/S to multiple workstations 28
Optical media sanitization
• Securely and permanently eradicates digital data on DVD, CD-ROM and other
  optical media
  – grinds the information layer off the media
• Ensure the device meets the requirements of NSA/CSS 04-02 for Optical Media
  Destruction
                              29
In-house data sanitization

Advantages
• Media never leaves your location, no risk of loss in transit
• Full control
• Data is destroyed by your own trusted staff
  – Recommended that all destruction activities be carried out under the
    office of the CISO, and by a trained and trusted technology support
    technician

Disadvantages
• Destruction systems can be expensive
• Low volume makes a longer time for ROI
• Staff with other duties may miss devices
• Must manage internal personnel and technology changes
• Lack of space and/or resources for proper segregation between destroyed and
  non-destroyed units
• Still must have a qualified vendor to deal with residual waste and/or drives
  that fail the sanitization/wiping process
• Disposal of residual material
• Technicians will miss drives
• Requires a good QC process to be effective
                              30
In-house sanitization
• Quality control
  – If your organization is going to do any of its own data sanitization, it
    must have quality control mechanisms
• Separation of duties – one tech removes hard drives while another is assigned
  to verify the drives have been removed, document the verification, and
  replace the cover
  – Wiping – assign a separate tech to take a random sample of at least 10%
    (depending on quantity) and attempt to recover data with a COTS data
    recovery tool
                              31
Outsourced data sanitization

Advantages
• No initial capital investment required
• Can handle varying destruction needs (disintegration, degaussing, etc.)
• Can handle varying volume needs
• Experts utilizing best practices
• May have higher security standards than your location
• No need to manage personnel and technology changes
• Regulatory compliant residual disposal
• If litigated, a professional secure destruction service’s destruction
  documentation is more credible than internally generated processes

Disadvantages
• No direct control of vendor employees
• Media may be transported outside of your location
• Possible security concerns with off-premise transportation and handling
• May get locked into a bad contract
• May require minimums greater than your needs
• Data is handled/destroyed by non-employees
• If hardware is not disposed of properly, you could be included in a
  pollution liability case

• Given these disadvantages, special emphasis should be placed on vendor
  selection criteria that specifically address these issues
                              32
Questions for a prospective outsourced firm
• What type of insurance coverage do they have?
  – professional liability (sometimes called Errors & Omissions)
  – pollution / environmental liability
  – demand to see a certificate of insurance demonstrating coverage for both
• What processes do they follow from receipt of the asset through disposition?
• What are their security procedures?
• How do they sanitize data?
• Are they NAID certified for digital data destruction?
• How do they verify data is eradicated?
• Do they do full background checks?
• What are their financial capabilities?
• If private, where do they get their funding? How stable is the source?
• Can they provide customer references?
• Do they have the necessary state and local permits?
• Do they export e-waste overseas?
• Can they handle all or most of the locations for which you will require
  services?
• Do they have processes around chain of custody?
• Will they agree to the SLAs that you have created?
• Do they barcode items?
• The key is to ask a lot of questions in advance!
                              33
Outsourcing – Caveat Emptor
• A certificate of destruction and a contract assigning responsibility for the
  process mean very little in the real world
• If a device is lost or data is exposed, it is the owner of the data who will
  be getting the penalty and making the mandatory disclosure
• The service provider will be little more than a footnote in the disclosure
                              34
Taking data sanitization seriously
• Segregation – separate all storage devices and media from other
  to-be-disposed-of materials
  – specifically, remove all hard drives from to-be-disposed-of PCs, laptops
    and servers
• Inventory – establish the chain of possession of the data storage device
  – best practice – establish the connection of a particular storage device to
    the unit it was removed from, and use internal asset management records to
    track the device back to the actual user
• Isolation – using secure collection containers, isolate the inventoried data
  storage devices in such a manner as to prevent unauthorized removal from the
  sanitization process
  – but avoid warehousing – media must be processed frequently so as to avoid
    warehousing of drives containing confidential data
                              35
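The quality-control rules from the in-house sanitization slide (two different technicians for removal and verification, a random sample of at least 10% sent to a recovery-tool check) and the inventory rule above (link each drive to the unit it came from and the last user) are easy to enforce in the log itself. The script below is an added example, not the presenter's tooling; the asset records, staff names and record layout are constructed and hypothetical.

```python
"""Sanitization log with separation-of-duties and a 10% verification sample (added example)."""
import math
import random

# Constructed inventory: each drive serial is tied to its host asset tag and last user,
# plus who removed it and who verified the removal (hypothetical record layout).
INVENTORY = [{"serial": f"SN-{i:04d}", "asset_tag": f"LT-{1000 + i}", "user": f"user{i}",
              "removed_by": "tech1", "verified_by": "tech2"} for i in range(1, 13)]
INVENTORY[4]["verified_by"] = "tech1"   # same person removed and verified: must be flagged


def check_separation(record):
    """A removal only counts when a second, different person verified and documented it."""
    removed, verified = record.get("removed_by"), record.get("verified_by")
    return bool(removed) and bool(verified) and removed != verified


def custody_chain(inventory, serial):
    """Chain of possession: user -> host unit -> drive, from the asset records."""
    for rec in inventory:
        if rec["serial"] == serial:
            return {"user": rec["user"], "asset_tag": rec["asset_tag"], "serial": serial}
    return None  # a drive with no inventory link is itself an exception


def sample_for_recovery_test(serials, fraction=0.10, seed=None):
    """Pick at least 10% of the wiped drives (rounded up, never fewer than one) for a
    COTS data-recovery attempt by a technician who did not do the wiping."""
    if not serials:
        return []
    n = max(1, math.ceil(len(serials) * fraction))
    return sorted(random.Random(seed).sample(serials, n))


def build_log(inventory, seed=None):
    """Return (ready_to_wipe, exceptions, verification_sample) for the batch."""
    ready, exceptions = [], []
    for rec in inventory:
        if check_separation(rec):
            ready.append(rec["serial"])
        else:
            exceptions.append((rec["serial"], rec["asset_tag"], "separation of duties not met"))
    return ready, exceptions, sample_for_recovery_test(ready, seed=seed)


if __name__ == "__main__":
    ready, exceptions, sample = build_log(INVENTORY, seed=1)
    print("ready:", len(ready), "exceptions:", exceptions, "sample:", sample)
    for s in sample:
        print(custody_chain(INVENTORY, s))
```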
NAID
• National Association for Information Destruction
• International trade association for companies providing information
  destruction services
• Mission is to promote the information destruction industry and the standards
  and ethics of its member companies
• NAID certified companies are audited annually by an independent 3rd-party and
  subject to unannounced audits
• www.naidonline.org
                              36
References
• Guidelines for Media Sanitization (NIST SP 800-88)
• UCF Media Disposal Implementation Guide
• NAID Information Destruction Policy Compliance Toolkit
• ARMA Contracted Destruction for Records and Information Media
• Gartner – Best Practices for Data Destruction
                              37
Vendors / solution providers
• DestructData
  – www.destructdata.com
• Ensconce Data Technology
  – www.deadondemand.com
• Security Engineered Machinery
  – www.semshred.com
• Garner Products
  – www.garner-products.com
• Ontrack Eraser
  – www.ontrack.com
• Darik’s Boot And Nuke
  – www.dban.org
• CPR Tools
  – www.cprtools.net
• Reclamere
  – www.reclamere.com
• Back Thru the Future
  – www.backthruthefuture.com
                              38
For more information
• National Association of Corporate Directors – Record Retention and Document
  Destruction Policy
  – www.nacdonline.org/images/RecordRetention051023.pdf
• Remembrance of Data Passed: A Study of Disk Sanitization Practices
  – www.computer.org/portal/cms_docs_security/security/v1n1/garfinkel.pdf
• Best Practices for the Destruction of Digital Data
  – www.cicadasecurity.com/guide.html
• Hard Drive Disposal: The Overlooked Confidentiality Exposure
  – http://www-03.ibm.com/financing/pdf/sg/Hard_Drive_Disposal_The_Overlooked_Confidentiality_Exposure_AP.pdf
• Storage & Destruction Business Magazine
  – www.sdbmagazine.com
                              39
References
• Center for Magnetic Recording Research
  – http://cmrr.ucsd.edu/
• Australian Department of Defence – Information and Communications Technology
  Security Manual
  – http://www.dsd.gov.au/_lib/pdf_doc/acsi33/acsi33_u_0907.pdf
• Can Intelligence Agencies Read Overwritten Data?
  – www.nber.org/sys-admin/overwritten-data-gutmann.html
                              40
Conclusion / Action Items
• Management awareness
  – management must be aware of the risks
  – must ensure formal sanitization processes are developed
• Develop strategies on media sanitization
• Review security procedures for adequacy, completeness, scope and failure
  analysis
• Develop an information lifecycle audit program
  – Follow a life cycle approach to IT risk management that includes making an
    explicit decision about data destruction
• Implement the sanitization process
• Ensure quality control is built into the process
                              41
Thanks for attending – Q/A

Ben Rothke, CISSP, CISA
Senior Security Consultant
BT Professional Services
ben.rothke@bt.com
www.linkedin.com/in/benrothke
www.twitter.com/benrothke
                              42