Destroy, Shred, Disintegrate: Guidelines for Securely Decommissioning Storage
Thanks to improved corporate information security practices, attackers are seeking new methods for accessing sensitive corporate information, putting storage media more at risk than ever. We offer several recommendations for destroying data.
It is perhaps the defining image of the love-hate relationship between office worker and technology: in the 1999 movie Office Space, three characters take a misbehaving printer into a field and “execute” it with baseball bats to the gangsta-rap sounds of Ice Cube’s “Down for Whatever.”
When it comes to repurposing or disposing of storage devices and storage media, however, organizations need a more level-headed approach. Security managers must ensure all devices containing sensitive information are thoroughly wiped or professionally destroyed. Doing anything less may leave recoverable information and create a security risk.
Many companies, however, make no attempt to decommission storage. Witness a 2003 study in which Massachusetts Institute of Technology (MIT) researchers bought 158 used hard drives, and found information on all but 12. More recently, security software maker Pointsec Mobile Technologies acquired 100 laptops at random via online auctions, and was able to retrieve information from about 70 of them—including sensitive information from a large financial organization.
The MIT study illustrates the potential goldmine of corporate secrets available to dumpster-diving attackers, but that’s not news for criminals. In fact, according to “Guidelines for Media Sanitization,” a draft report recently released by the National Institute of Standards and Technology (NIST), “with the more prevalent use of increasingly sophisticated encryption, an attacker wishing to gain access to an organization’s sensitive information is forced to look outside the system itself for that information. One avenue of attack is the recovery of supposedly deleted data from media.”
Given the threat, why don’t many organizations properly decommission storage media? Perhaps they don’t understand that many techniques—from trusting the Windows Recycle Bin to putting a drill bit through a hard drive—don’t always succeed, especially with experts at work. In a recent New York Times article, for example, the head of a data-recovery service claimed his company had restored information from laptops most others would have written off, including one that sank with a cruise ship to the bottom of the Amazon River, and another crushed by a truck.
Three Techniques for Destroying Data
What should organizations do to ensure data can’t be recovered? The NIST report outlines the three most common options: clearing, purging, and destroying.
Clearing involves overwriting the media with non-sensitive (typically random) data so the original contents can no longer be read back. The overwrite must cover every user-addressable location on the device, not just the logical locations where files were stored, or remnants survive in slack space and unallocated blocks. NIST counts clearing as protection against recovery with ordinary software and keyboard access, not against laboratory-grade recovery.
Purging goes further. One method is degaussing, exposing magnetic media to fields strong enough to disrupt “the recorded magnetic domains”; dedicated devices exist for this, but bear in mind that degaussing a hard drive generally leaves it unusable, because the servo tracks go with the data. For ATA drives (including Serial ATA), the firmware’s built-in “secure erase” command is an alternative purge method that NIST also accepts, and it sanitizes areas the operating system cannot address.
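The clearing step described above, as an added example rather than anything from the article or from NIST’s report: a POSIX shell script that overwrites every addressable byte of a medium with random data and then verifies the result. An ordinary file stands in for the drive so the script runs anywhere; the device path, the image size and the “ACME-PAYROLL” marker are all constructed for the example. On real hardware the same functions would be pointed at an unmounted block device as root.

```shell
#!/bin/sh
# Added example, not from the article or from NIST SP 800-88: clear a storage
# medium by overwriting every addressable byte with random data, then verify
# the result. A plain file stands in for the device so the script runs
# anywhere; on real hardware you would point it at an unmounted /dev/sdX as
# root (the device paths and the "ACME-PAYROLL" marker below are constructed).
set -u

MARKER='ACME-PAYROLL-2006 SSN 123-45-6789'

# Build a constructed 'drive': zeros with the marker written at the start,
# in the middle and in the last sector, where a file-level wipe never looks.
make_sample_image() {
    img=$1; size_kb=$2
    dd if=/dev/zero of="$img" bs=1024 count="$size_kb" 2>/dev/null
    for off in 0 $((size_kb * 512)) $((size_kb * 1024 - 64)); do
        printf '%s\n' "$MARKER" | dd of="$img" bs=1 seek="$off" conv=notrunc 2>/dev/null
    done
}

# How many copies of the marker can still be read back from the medium.
count_marker() {
    grep -a -o "$MARKER" "$1" | wc -l | tr -d ' '
}

# Clearing (NIST): overwrite the whole medium, not just the logical locations
# of known files, with random data. The length comes from the medium itself so
# the final sector is covered too.
clear_medium() {
    img=$1
    bytes=$(wc -c < "$img" | tr -d ' ')
    head -c "$bytes" /dev/urandom | dd of="$img" bs=4096 conv=notrunc 2>/dev/null
    sync
}

# Verification: the marker must be gone, and the medium must not still be
# mostly zeros (which is what a wipe that skipped blocks would leave behind).
# Random data contains about 1 zero byte in 256; allow up to 2 percent.
verify_cleared() {
    img=$1
    [ "$(count_marker "$img")" -eq 0 ] || return 1
    total=$(wc -c < "$img" | tr -d ' ')
    zeros=$(tr -d -c '\000' < "$img" | wc -c | tr -d ' ')
    [ $((zeros * 100)) -lt $((total * 2)) ]
}

# End-to-end run on a temporary 64 KB image; prints the marker count before
# and after and returns 0 only if verification passes.
demo_clear() {
    img=$(mktemp)
    make_sample_image "$img" 64
    printf 'before clearing: %s copies of marker\n' "$(count_marker "$img")"
    clear_medium "$img"
    printf 'after clearing:  %s copies of marker\n' "$(count_marker "$img")"
    verify_cleared "$img"; rc=$?
    rm -f "$img"
    return $rc
}

demo_clear
```

The read-back check only tells you what the drive’s controller presents to the host, which is exactly why NIST classes overwriting as clearing rather than purging. For the ATA Secure Erase purge on Linux, hdparm drives the command: `hdparm -I /dev/sdX` to confirm the drive supports it and is not in the “frozen” state, then `hdparm --user-master u --security-set-pass p /dev/sdX` followed by `hdparm --user-master u --security-erase p /dev/sdX` (the password `p` and device name are placeholders).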
For destroying most flexible media—paper, diskettes removed from containers, CDs—shredding is effective, though NIST recommends a cross-cut shredder for optimal obfuscation. Media with a physical recording surface can also be sanded, though NIST warns “the entire media recording surface must be completely removed” for this to work.
If none of these techniques applies, NIST recommends destroying the media via “disintegration, pulverization, melting, and incineration.” Notwithstanding IT employees’ potential urges to handle this Office Space style, NIST recommends these techniques be outsourced to a facility “with the specific capabilities to perform these activities effectively, securely, and safely.”
Securing Removable Media
When creating storage security policies and weighing which media to obliterate, don’t forget sensitive information can turn up in unexpected places. As the NIST report notes, “with the advanced features of today’s operating systems, electronic media used on a system should be assumed to contain information commensurate with the security categorization of the system’s confidentiality.” Hence, if any sensitive information exists on the machine, there’s a chance it also ended up on any writable storage media with which the computer came into contact.
At most companies, however, removable media exists in a security-policy gray zone. According to a survey last year of 300 British IT managers conducted by Pointsec, for example, 84 percent of companies have employees who use removable-media devices—especially PDAs and MP3 players—at work. Ninety percent of surveyed companies also identify such devices as a potential danger to information security, and as a result some organizations prohibit their use. Yet at one-third of organizations, employees continue to use such devices without authorization.
How can IT decommission devices and media with sensitive information when it doesn’t know about them or have control over them? “Storing information on devices is not a new problem—not so long ago it would have been information stored onto a 1.5-Mbyte floppy disk. However, now the problem is a much greater storage problem and, therefore, it needs to be dealt with in the security policy,” notes Martin Allen, Pointsec’s managing director. In other words, “Organizations need to introduce strict guidelines on the use of removable media devices in the workplace, as well as investing in encryption software which will allow administrators to force the encryption of all data put onto a mobile device.”
Many vendors offer software for ensuring all information stored on a device is encrypted. Pointsec, for example, has software for both PCs and mobile devices, including PocketPCs, while PGP’s Whole Disk Encryption encrypts the entire laptop drive and requires authentication before the operating system boots, so only users with the appropriate credentials can reach the contents. Such software can also ensure any information saved to external media is only saved in encrypted form.
Credant’s Mobile Guardian Enterprise Edition can also do this when employees want to store sensitive information on a mobile device—including cell phones, USB thumb drives, and iPods—by requiring employees to download a software agent that keeps sensitive information encrypted. Such an approach can also be used to regulate business partners’ use of sensitive information, and one relevant feature is a “data kill” option which allows an IT department to tell a device (via IP) to delete specific data and then confirm the data is destroyed, for auditing purposes.
Thus, by using whole-disk encryption software, or software to specifically regulate and encrypt sensitive information on PCs, removable memory, and mobile devices, companies can mitigate many security concerns related to using storage devices. Simply put, while effectively decommissioning storage is a must, you can’t put a baseball bat—real or proverbial—to devices that are lost, stolen, or no longer in IT control.
Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.