Security News > 2007 > April > The fine art of data destruction
http://www.techworld.nl/idgns/2924/the-fine-art-of-data-destruction.html By Michele Hope Network World (US) 12 April 2007 Peggy Jones, a business manager for the information-management team at the College of Southern Maryland, was asked recently to help dispose of what she now estimates were about 1,200 old backup tapes and cassettes her IT organization had been storing in a relatively well-fortified walk-in vault. The issue of what to do with the old tapes came to a head when renovation was scheduled for the building where the vault resided. "We had already moved to another backup system. So, these old tapes didn't work in our current system anyway. Now it was just old data we needed to figure out how to dispose of properly," Jones says. Her research led her to Data Killers, a media-destruction and computer-recycling firm in Maryland that could shred tapes and hard drives securely , and provide a certificate affirming their destruction. It would even let you stay and watch the shredding process, if you wanted. Then the media's "remains" would be delivered to a smelter for melting and recycling its various metals. With its 6,600-pound shredder, Data Killers is able to take just about any storage medium, such as the college's tapes, and turn it into particles the size of a thumbnail, owner Elizabeth Wilmot says. Jones and a co-worker soon found themselves loading the tapes into the back of one of the college's vehicles and driving to Data Killers. After spending what Jones recalls was "a little more than an hour" watching the shredding, they were able to report back that the deed had been done. Setting policy is the first step Enterprises such as the College of Southern Maryland can face high stakes when they recycle, donate or throw away end-of-life IT assets. Amid mounting legislation and a steady flow of horror stories -- about identity theft , lost tapes, stolen credit-card data, and the unintended exposure of private data after used hard drives, cell phones and PDAs are sold on eBay -- it behooves companies to protect sensitive or government-regulated personal information throughout its life cycle. Experts maintain that, just as it is developed for data in flight and data at rest, policy should be developed for end-stage data disposal or data destruction. Randy Kahn, owner of Kahn Consulting, says data destruction and disposal can be viewed as part of a larger corporate-governance commitment to proper information management. Kahn, a lawyer and author of Privacy Nation and Information Nation, advises companies about issues related to information management , compliance and technology. "Proper information management impacts the entire life cycle of information, from making sure employees understand policy surrounding how to manage the creation and storage of that information to how to properly dispose of it at the end of its useful life." Steps in the right direction are developing a media-sanitization or data-destruction policy, making an effort to educate users about it and selectively testing or auditing the policy's effectiveness. Policies about data destruction often deal with organizations' decisions about how best to dispose of IT assets they are replacing or retiring, according to Jon Oltsik, an analyst at Enterprise Strategy Group (ESG). He also sees this type of policy applied to archived data that has passed its required retention date. "As it stands right now, in many corporations, data destruction is on an ad-hoc and as-needed basis," says Robert J. Hansen, a voting systems security expert and security researcher at the University of Iowa. "That just doesn't cut it. You need to think about this in advance before it becomes an issue." Hansen maintains a blog on software engineering topics that includes his own "Ten Commandments of Data Destruction." Creating a policy for data destruction ranks high on his list. Yet many IT organizations wait until they need to do their own spring cleaning before they decide what to do with data on older storage media that usually have been sitting around a while gathering dust, Data Killers' Wilmot says. "A lot of times, the first call we get is that they have several thousand tapes, and they don't know what to do with them," she says. "It's a lot like spring cleaning at first . . . then they tell us they'll be better about this in the future, destroying the media on more of a regular basis like quarterly or biannually." Pulverize, then liquefy Fauquier Bank maintains a strict policy about protecting and restricting access to its sensitive bank and customer records, says Josh Brown, director of security for the Warrenton, Va., bank. Yet even here, a detailed data-destruction policy and schedules have had to evolve for what Brown estimates now amounts to about 30 hard drives per year. After several computers were upgraded last year, the bank began looking at whether to donate the old computers that then were taking up a good amount of storage space. As a precaution, the bank's previous IT manager decided to remove and store the old hard drives separately, to avoid potentially proprietary data falling into the wrong hands. Brown believed that just overwriting or wiping the hard drives didn't go far enough to guard against the risk of exposing the bank's data. Already accustomed to the bank's use of a weekly, on-site document-shredding service, Brown liked the idea of reformatting the hard drives, then driving to a local company himself to have them shredded. That way, he could ensure a solid chain of custody between leaving the building and getting the drives shredded. "Now, when it leaves here, it's pulverized, then it's liquefied," he explained, noting that as a bank, he thinks it makes sense to take a few extra steps. Data-destruction services also offer customers the option to view their media's destruction remotely, and ship double-locked "storm cases" to protect remote customers' media in transit to their facility. Wilmot says this is a popular option, but the local bank and college both preferred to deliver the media themselves. Without a trace There are a number of methods for destroying data, each with pros and cons. People may dispute the benefits of one method over another, but most agree on one thing: Using simple deletion or disk-formatting commands is not enough to destroy data unequivocally. These methods leave too many traces of data behind. With simple utilities, it is easy to recover files deleted from the file system. It's a lot like tearing out a book's table of contents but leaving the rest of the book behind. Beyond the obvious deletion functions, you start getting into secure deletion, the act of clearing, overwriting, wiping or "scrubbing" the data once or many times with a string of 1s and 0s. In the middle of the spectrum are devices, such as degaussers, that purge data from a variety of media. At the far end of the spectrum is what Hansen refers to in his blog as utter annihilation. This is where you get into the more visceral acts of shredding, pulverizing, incinerating or melting the media. Hansen maintains that heating a hard drive past the Curie point (the point at which metal loses its magnetic properties) and melting it into slag are the only sure ways never to recover what once was on there. Jesse Kornblum, a computer forensics researcher with ManTech SMA, isn't so sure you have to go to quite that length to render data immune to most random attackers. Kornblum, who spent a good deal of his former life trying to uncover computer data for various criminal investigations, maintains that a single software overwriting often will suffice. "In general, one pass or one wipe is sufficient to frustrate any ordinary forensic analysis that might take place from outside of the hard drive," he says. "Now, you have to get someone to crack open the drive and look at it with a [magnetic force] microscope. That can cost hundreds of dollars." If you want to be really sure the data is destroyed, Kornblum says melting the drive down to slag may be the best (albeit somewhat costly) way to do it. Asked to view data destruction from the eyes of a bank customer with personal bank data, Kornblum admits he'd feel a lot better knowing his bank was melting down the drives it no longer needed. "That's just in case someone who knew what they were doing could reassemble it," he says. How far is far enough? Picking one data-destruction method over another usually comes down to how far the organization believes it needs to go to destroy data to comply with applicable legislation or corporate policy. As Kornblum puts it, "It's always a question of how valuable is the information on the drive, and how hard do you think someone would work to get it?" Unfortunately, most legislation does not offer specific guidance in this area. The majority of today's data-privacy and -protection laws prescribe taking proper data-destruction measures, without indicating the process or technology a company should use, Kahn says. Many laws indicate something to the effect that data should be destroyed so as to render the data unable to be read or accessed successfully. General guidelines -- such as the broad wording found in such regulations as the Sarbanes-Oxley Act -- prompt organizations to look elsewhere for guidance on the specific processes or technologies they should use to destroy data or sanitize the media on which it's stored. Not surprisingly, detailed guidelines for media sanitization and disposal can be found in the government sector, including the early U.S. Department of Defense drafts of Standard DoD 5220.22-M. These include a clearing and sanitization matrix and guidelines for destroying every kind of data from classified or top-secret to unclassified. This standard often is referred to by overwriting-software vendors , a few of whom may claim to be "DoD-certified" or "DoD-compliant." (A 2005 version of the matrix is available from the Web site of the Defense Security Service Office of the Designated Approving Authority.) Peter Adler, a lawyer and information security expert who heads the Adler InfoSec & Privacy Group, has conducted detailed research on secure media disposal. He cites two leading information security standards with specific guidelines for media disposal and sanitization: ISO 17799 and the National Institute of Standards and Technology (NIST) Special Publication 800-88, titled "Guidelines for Media Sanitization." Now interim director of privacy and cybersecurity policy at Maryland's Montgomery College, Adler often helps organizations assess security risk and develops specific policies for them to follow. Based on his research, Adler developed a procedural model to help organizations determine whether data or media should be cleared or purged, or physically destroyed. Like the guidance offered in the NIST publication, much of the model depends on whether the data or media will be reused or will be leaving the organization's control. There's just one caveat: The model assumes an organization first can identify and categorize the data stored on specific media into one of four different classes: nonsensitive information, business-sensitive information, legally protected information and classification not known. The only challenge to this assumption happens when some media have been lying around for so long it's difficult to know exactly what type of data resides on them. This was the case at the College of Southern Maryland. "Since we didn't really know what was on [the tapes], we treated it all as confidential," Jones says. Don't mash it, hash it Another option is to encrypt files or whole volumes of data earlier in their life cycle, before the media on which they are stored need to be retired, or are upgraded or donated. While experts say that encryption doesn't necessarily absolve companies of their obligation to destroy highly sensitive data or media, encrypting the data may offer something of a legal safe harbor for companies trying to obey many privacy regulations. The University of Iowa's Hansen is not a great fan of scrubbing or overwriting, which he equates to "locking the barn up after the horse is already out." On the other hand, storing data in encrypted format on a drive partition might let you avoid scrubbing the drive: "When someone tries to recover data, they first have to find the data. If all they see on the drive is noise, that's a pretty effective deterrent. It's definitely a counterforensic technique," he says. If a corporation could maintain an employee's encryption key for the disk, it could access the data if the employee leaves the company. When the company no longer wants to use the disk, it just "forgets" or destroys the disk, Hansen says. ESG's Oltsik also sees encryption as possibly the easiest way to, in effect, destroy data. He sees the emerging area of digital rights management as also offering some interesting solutions. In the age of movable data -- roaming laptops, USB flash drives, PDAs and smart phones -- encryption may well be the answer, Oltsik maintains: "Moving forward, that's how we'll deal with all this data mobility, because you can't take physical possession of every device and just destroy it. There are too many devices, with more coming in the future." __________________________ Subscribe to InfoSec News http://www.infosecnews.org
News URL
http://www.techworld.nl/idgns/2924/the-fine-art-of-data-destruction.html