Defeating the dumpster divers

The proliferation of storage media, from thumb drives and cell phones to giant disk arrays, makes secure disposal of decommissioned gear a much trickier task

DOD 5220.22-M, National Industrial Security Program Operating Manual

Editor's Note: This is the second in a two-part series on smart storage strategies. Read the first article, "Spring cleaning for storage clutter."

When you send a sensitive personnel file to the recycling bin on your Windows PC desktop or reformat your entire hard drive, the data you created may appear to be gone, but from a cyberthief’s point of view it’s certainly not forgotten.

Agency security managers have long known that simple erase and reformatting commands do little more than remove operating system indexes that help users quickly locate files. The information remains intact and potentially accessible to anyone using easily available data-recovery software.

To close security gaps, the Defense Department and the National Institute of Standards and Technology circulated guidelines for overwriting data and bombarding media with magnetic fields to cleanse storage media of sensitive information.

But now, with the proliferation of storage media in a wide range of devices, even DOD finds itself scrambling to stay a step ahead of information thieves. “The department is in the early stages of formulating specific enterprisewide guidance regarding cleansing and disposal of newer technologies, such as flash memory,” said Maj. Patrick Ryder, a spokesman at the Office of the Assistant Secretary of Defense.

As agencies such as DOD update their data-destruction policies, many security managers are combining sanitization techniques for heightened protection while also taking advantage of the falling storage-media prices.

Their conclusion is that for ultimate security, the most prudent strategy may be to physically destroy the hard drives, tape cartridges, thumb drives and other media that contain sensitive information.

“The cost of drives is getting so cheap now, our policy is to destroy a drive that holds anything more than unclassified, nonsensitive information,” said Bill Hunteman, associate chief information officer of cybersecurity at the Energy Department. “This gives us a high level of assurance that information won’t potentially be leaked.”

New challenges
High-capacity hard drives aren’t the only technologies prompting security managers to consider pulverizing storage media under an industrial press or dipping it into a vat of acid.

Hard drives packed in disk arrays by the tens or hundreds are overwritten using the same software as individual drives. But the high data volumes in arrays make the process even more time consuming, extending the job in some cases beyond a day, depending on data volumes and the number of overwrites needed for security, said Paula Laughlin, director of global services marketing at storage vendor EMC.

The company now provides on- and off-site array and disk drive sanitization services using its proprietary tools. EMC also offers buyout programs for agencies that lease arrays if they choose to destroy the drives at the end of the contract rather than return the hardware, Laughlin added.

Some security officials fear that the time required to overwrite terabyte-size storage capacities could lead to shortcuts in data-sanitization policies. “When the process takes too long, the job just is not going to get done,” said Bill Margeson, chief executive officer of CBL Data Recovery Technologies, a recovery service that also offers free disk-overwriting software.

Flash-memory devices such as thumb drives, cell phones and personal digital assistants present other data-wiping challenges. Flash memory is nonvolatile, so information isn’t erased when the device is shut down.

“It’s decidedly more difficult to remove data when you really want to get rid of it,” said Carmi Levy, senior research analyst at Info-Tech Research Group. “So just as with hard drives, when you delete a file held in flash memory, it doesn’t necessarily disappear. Even worse, because the memory is designed to remember data even when power isn’t available, sometimes ghosts of old files can appear. Even after you’ve wiped it a couple of times, the file may still be retrievable.”

In addition to raising security concerns, disposing of storage media is expensive. DOE and DOD don’t itemize data-destruction costs in their information technology operating budgets. But Zaman Khan, director of business development at systems integrator Intelligent Decisions, estimated that agencies pay $15 to $20 apiece to cleanse or destroy each storage device, including staff time for the procedure itself and audits to account for each procedure.

Beyond technology
Tools used to cleanse or destroy storage media are only part of the data-protection equation. Formal policies and enforcement measures to assure the tools are being used effectively are also essential.

“We tend to look at data-handling problems as technology issues,” Levy said. “In fact, they are driven more by processes and behaviors. The first step for any organization is to recognize that [improper data destruction] is a significant risk for them.”

Kentucky has maintained formal data sanitization policies since 2003, but for Toby Whitehouse, the state’s chief information security officer, having a policy isn’t sufficient.

“We’ve had a lot of discussions over the last few years about what happens when you sit a technician in front of a set of computers and say, ‘Wipe all of these machines,’ ” Whitehouse said. “How do you really know that that’s occurred?”

Kentucky put some checks in place to audit the process. Before computers or hard drives leave government, Kentucky requires someone from the IT staff of the relevant agency to sign documentation attesting to the device’s cleansing. The state’s Division of Surplus Property, the clearinghouse for decommissioned technology, won’t accept equipment without the proper documentation. The division then releases the devices for public auction.

Although Whitehouse said he believes that process protects the data, he worries about people who use the tediousness of media cleansing as an excuse for taking shortcuts. He said Kentucky is looking for ways to reduce the burden on IT staff members so that no one is tempted to skip a cleansing.

Outside help
Some commercial companies use the complexities of data disposal as a selling point for outsourcing the job. Intelligent Decisions, which offers cleansing and disposal services for public and private organizations, counts the Veterans Affairs Department as a client. To address chain-of-custody concerns that arise when agencies let data-laden equipment leave their premises, the company developed an application that tracks each device during shipment and processing. 

The application uses a secure Web portal that creates a shipping label with a unique control number for each unit. Clients can choose to use commercial delivery companies or their own staff to transport the devices. When the equipment arrives at the processing center, Intelligent Decisions matches the manifest against a physical inventory of the shipment. If the container was damaged or if storage devices are missing, the company notifies the agency.

“They will either send somebody here for an inspection or we will do a reverse logistics of the shipping route to find out what happened,” Khan said.

Media that arrives at Intelligent Decisions is slated for destruction by a pulverizing press. However, for extra safety, some devices may first be degaussed, a process that uses strong magnets to jumble information until it’s unreadable. This two-step process guards against any recognizable data remaining on disk-platter shards, Khan said.

After pulverization, a recycling company hauls away the remains, separates the various materials and sells the metals for reprocessing.

Khan said VA is talking with the company about ways to dispose of thumb drives. The two have yet to reach a recycling agreement because of the unique chain-of-custody challenges created by the drives’ small size.

“A lot of media, including flash drives, don’t have serial numbers,” Khan said. “So how do we account for each thumb drive that is being sent to us?”

One potential solution under consideration is nylon-mesh socks equipped with RFID chips to house each drive and provide tracking capabilities. Khan estimates the RFID socks would cost about 25 cents each.

Despite safeguards, many agencies are slow to entrust media containing sensitive data to outsourcers for destruction.

“Personally, I’m more of a hands-on person who likes to see that it’s been done correctly,” Whitehouse said. “Putting that job in the hands of other people? That’s a trust level that maybe eventually we’ll get to, but I’m personally not there yet.”

Joch is a business and technology writer based in New England. He can be reached at ajoch@worldpath.com.

Data destroyers
There are a number of tried-and-true tools for agencies that want to protect important information stored on decommissioned hard drives, tape cartridges and flash memory units. The tool choice depends on the level of security required.

Technique: Data overwriting
Best For: Hard drives and drive arrays
Security Level: Moderate
Cost: Software prices range from freeware to enterprise licenses costing about $3,000.

Rather than try to erase data from a hard drive, agencies can scramble information beyond recognition by writing over the entire disk platter with sequences of 0s and 1s. Guidelines from the Defense Department and the National Institute of Standards and Technology advise overwriting at least three times and assembling the characters in varying patterns.

This method is considered generally effective for nonclassified information because overwriting doesn’t harm the hard drive, making it available for redeployment in other departments or for sale to outside organizations.

However, some agency security officials question whether disk-writing software can be trusted to cover the entire disk platter and not leave data in certain sectors exposed for retrieval.
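The sidebar's overwrite advice, and the worry that a wiper might skip sectors, can be checked directly: the added example below (not from the article or any vendor mentioned) runs three varying passes over a drive image and then reads the whole image back independently to confirm every byte holds the final pattern. The pass sequence (random, all ones, all zeros) is this example's own choice, and the temp file is a constructed stand-in for a real device.

```python
import os
import tempfile

CHUNK = 1 << 20                      # 1 MiB per write/read
# Three varying passes (this example's own choice): random, all ones,
# then all zeros, so the final state can be verified against a known value.
PASSES = (None, b"\xff", b"\x00")    # None = os.urandom

def _chunk(pattern, n):
    return os.urandom(n) if pattern is None else pattern * n

def overwrite_image(path, passes=PASSES):
    """Overwrite every byte of the image/device at `path` once per pass,
    flushing and fsync'ing after each pass so the data reaches the media."""
    size = os.stat(path).st_size
    with open(path, "r+b") as dev:
        for pattern in passes:
            dev.seek(0)
            left = size
            while left:
                n = min(CHUNK, left)
                dev.write(_chunk(pattern, n))
                left -= n
            dev.flush()
            os.fsync(dev.fileno())
    return size

def verify_image(path, pattern=PASSES[-1]):
    """Independent read-back of the whole image: returns the byte offsets of
    every chunk that does not match `pattern` ([] means fully verified).
    This is the check for the concern that a wiper leaves sectors untouched."""
    bad, offset = [], 0
    with open(path, "rb") as dev:
        while data := dev.read(CHUNK):
            if data != pattern * len(data):
                bad.append(offset)
            offset += len(data)
    return bad

def make_sample_image(size, marker=b"SENSITIVE"):
    """Constructed stand-in for a drive: a temp file filled with a marker."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write((marker * (size // len(marker) + 1))[:size])
    return path

def patch_byte(path, offset, value):
    """Test helper: plant one stray byte to show the verifier catching it."""
    with open(path, "r+b") as f:
        f.seek(offset)
        f.write(value)
```

Run against a real block device only with the path double-checked, since the overwrite is irreversible by design.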

Technique: Degaussing
Best For: Hard drives, drive arrays and tape cartridges
Security Level: Moderate
Cost: Enterprise-class units start at about $10,000.

In this technique, powerful magnetic fields generated in a procedure known as degaussing rearrange the placement of data held on storage media. This jumbling makes it difficult to read the information. Technicians can perform the scrambling process in minutes rather than in the hours or days required for overwriting hard drives and arrays.

However, some agency security managers and consultants question the effectiveness of degaussing on modern, densely packed hard-drive technology. Best practices call for degaussers to be rated at 5,000 gauss or more and to be tested at least twice yearly to verify that they’re running at rated levels, said Zaman Khan, director of business development at Intelligent Decisions.

Technique: Destruction
Best For: Hard drives, individual drives in arrays, tape cartridges and flash memory devices
Security Level: High
Cost: Costs range from $15 to $20 per device.

Destroying media devices through melting at high temperatures, dissolving them in acid, or pulverizing them by using large presses and recycling the remaining metals entails the least risk for classified and other highly sensitive information. For extra security, some agencies combine degaussing and destruction.

— Alan Joch
Is storage encryption the answer?
Data encryption has become the norm for agencies to avoid highly publicized data breaches that involve lost laptop PCs and sensitive information. Meanwhile, do the data-scrambling capabilities of this technology mean agencies can lessen their efforts to sanitize or destroy storage media when decommissioning gear?

That answer is an emphatic no, agency security managers say. The Energy Department’s standing policy is to destroy all decommissioned media that holds sensitive or classified data, whether or not it’s encrypted, said Bill Hunteman, associate chief information officer of cybersecurity at DOE.

In July 2006, the Defense Department mandated that staff members encrypt all personally identifiable information stored on portable computing devices or removable electronic media. A representative said DOD is preparing to issue new guidance requiring the encryption of all controlled unclassified information stored on portable devices and media. However, that policy probably won’t change the department’s data-sanitization practices.

“Routine encryption will not preclude the need for wiping data from decommissioned devices and media unless they are destroyed,” said Maj. Patrick Ryder, a spokesman at the Office of the Assistant Secretary of Defense. “It is simply a matter of good housekeeping if the devices or media are to be reused outside of the department. And there is also always the chance that some sensitive data did not get encrypted.”

Data-disposal policies that don’t rely solely on encryption give agencies a comfort level required for today’s security-conscious times, said Richard Kissel, information technology security specialist at the National Institute of Standards and Technology.

“If an organization wants to encrypt a whole disk in order to sanitize it, and the key disappears and cannot be regenerated, then the data is as good as gone,” Kissel said. “But if you are a paranoid type, that’s not good enough because you know the data is still there, and all someone has to do is find the right key.”

— Alan Joch
