By Winn Schwartau
May 3, 2005 10:00 AM EDT
Antonio Marcelli killed people for a living. At least a few he admitted to. The feds caught him, he turned state's evidence, testified in open court against the capos and subsequently entered the witness protection program. He was safe until his new name and location hit the Internet.
A computer junkie from Kentucky had bought a heap of old hard drives that the Justice Department had discarded. Lo and behold, names and addresses of people in the witness protection program popped up in a perfectly readable format.
Embarrassing? Yes. Deadly? Potentially. What went wrong? The DOJ forgot a simple fact: the value of data doesn't die when a hard disk (or tape, etc.) is tossed in the garbage.
In 2003, Simson Garfinkel and Abhi Shelat of MIT published a study confirming the lack of care Garfinkel suspected permeated every organization. They bought a slew of used drives from various places and discovered that roughly 90% of the working drives still contained readable data. Was that data valuable? Maybe not to Garfinkel, but to someone certainly.
The fact is your discarded hard drives and tapes still contain your company's valuable and private data. You probably just upgraded, changed suppliers or formats. Maybe some of the data is old and useless - maybe. But how can you be sure without a complete, time-consuming, and expensive contents analysis? You can't.
That's where hard disk sanitization comes in.
To protect confidential company data and comply with all the myriad regulations (GLB, SarBox, HIPAA, etc.), we can't be complacent about the resilience of magnetic storage. For example:
- On most file systems, deleting a file only removes its directory entry and marks its blocks as free. The contents stay on the platter until something else happens to be written over them.
- If a file is overwritten once with random 1s and 0s, the forensic literature (Gutmann, 1996) holds that residual magnetization at the edges of each track can still betray the previous contents.
- The same literature describes magnetic force microscopy pulling several generations of earlier writes out from under repeated overwrites. Neither technique has been publicly demonstrated on modern high-density drives, and both are far beyond a casual attacker's budget, so read them as a reason not to trust a single, unverified overwrite rather than as everyday threats.
- File slack (the unused tail of a file's last cluster), swap and page files, temporary files and journal areas hold copies of data the OS never shows you, and commercial off-the-shelf forensics tools recover them routinely.
The first thing a company needs is a data-destruction policy. In the physical world this means policies and procedures for shredding papers, burning waste and mangling CDs and floppies. In the logical world, a destruction policy has to work at the physical layer of the media, making sure that the magnetic orientation of the oxide particles on the platter no longer encodes anything of value. Here, as in so many other areas, policy - from the top down - is critical.
There are three fundamental ways to destroy data on magnetic media. The most extreme involves totally disassembling the drive, scratching off the magnetic surfaces of the disks and then melting the constituent components into post-data sludge. For the truly paranoid - think the government and military - this is the only rational approach. It is also the only option for a drive that no longer spins up: a dead drive cannot be overwritten, but its platters may still be readable to a data-recovery lab.
For most of us, this is overkill. Keep in mind that security is never perfect. All we can do is raise the bar by increasing the impediments and obstacles to put any potential data recovery well beyond any cost-benefit analysis.
The second way is to overwrite the entire disk with random data. Not bad, but take "entire disk" literally: wipe the raw device, not the file system, and verify by reading the whole device back afterwards. Even then, a host write cannot reach sectors the drive has quietly remapped as bad, or areas hidden behind a Host Protected Area or Device Configuration Overlay; the drive's own ATA Secure Erase command does reach them and is the better tool where the drive supports it. And if someone really, really wants to target your firm, and is willing to go through some extra effort, a certain amount of the original data may still be recoverable.
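To make the deletion-is-not-destruction point above concrete, and to show what "overwrite and verify" looks like in practice, here is an added example. It is mine, not Schwartau's, and not a tool the article endorses: a POSIX shell routine that overwrites a target with one random pass and one zero pass, then reads every byte back. The function names, the TARGET path and the 1 MiB image file used to exercise it are my own choices; point it at a real block device only after confirming you have the right one, and remember it cannot reach remapped or hidden sectors.

```sh
#!/bin/sh
# Added example, not from the original article: overwrite a target with one
# random pass and one zero pass, then verify every byte by reading it back.
# TARGET may be a block device (e.g. /dev/sdb) or a regular file standing in
# for one; the usage below uses a constructed image file, so no hardware is
# touched. Limitation: a host write cannot reach sectors the drive has remapped
# or areas hidden by an HPA/DCO, so this is a baseline, not a guarantee.

set -eu

# Size of TARGET in bytes. wc -c is correct for a regular file; for a real
# block device on Linux replace it with `blockdev --getsize64 "$1"`.
target_size() {
    wc -c < "$1" | tr -d ' '
}

# Stream exactly $2 bytes from source $1 over TARGET $3, in place (conv=notrunc
# keeps a regular file from being truncated). dd's statistics are suppressed;
# a short write makes dd fail, which aborts the run under set -e.
fill_from() {
    head -c "$2" "$1" | dd of="$3" bs=65536 conv=notrunc 2>/dev/null
    sync
}

# Number of hex digits in TARGET that are not '0'. od -v prints every byte
# (no '*' collapsing of repeated lines); deleting spaces, newlines and the
# digit 0 leaves nothing if and only if every byte is 0x00.
residual_hex_digits() {
    od -An -v -tx1 "$1" | tr -d ' 0\n' | wc -c | tr -d ' '
}

# sanitize TARGET: random pass to destroy the original contents, then a zero
# pass whose result can be checked byte-for-byte. Returns 0 only when the
# read-back pass finds no non-zero byte.
sanitize() {
    target=$1
    [ -b "$target" ] || [ -f "$target" ] || {
        echo "refusing: $target is not a block device or regular file" >&2
        return 1
    }
    bytes=$(target_size "$target")
    [ "$bytes" -gt 0 ] || { echo "refusing to wipe empty target $target" >&2; return 1; }

    fill_from /dev/urandom "$bytes" "$target"    # pass 1: random data
    fill_from /dev/zero    "$bytes" "$target"    # pass 2: zeros (verifiable)

    # Verification pass: read the whole target back and look for survivors.
    left=$(residual_hex_digits "$target")
    if [ "$left" -ne 0 ]; then
        echo "VERIFY FAILED: $left non-zero hex digits remain in $target" >&2
        return 1
    fi
    echo "$target: $bytes bytes overwritten and verified"
}
```

To see it work without risking hardware, build a 1 MiB image with `head -c 1048576 /dev/urandom > img`, plant a known string in it with `printf 'MARKER' | dd of=img bs=1 seek=4096 conv=notrunc`, and run `sanitize img`; `grep -a MARKER img` finds the string before the wipe and nothing after it. On a real drive the zero pass is the one worth logging, because it is the one whose result you can prove.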
Third, and the one I prefer, is degaussing. A degausser generates an intense magnetic field, strong enough to scramble the magnetic domains on the platters so there's no reliable or cost-effective way to glean any of your secrets.
Degaussing is the easiest and most effective of the three, needs the least manpower and no CPU time. Route every retired drive through one chokepoint, say the shipping department, and make degaussing a logged, mandatory step before anything leaves the building. Four caveats. The degausser must be rated for the coercivity of your media; a unit sized for tape can leave a modern high-coercivity hard disk largely intact. A degaussed hard drive is scrap, because the factory-written servo tracks go with the data, so this is a disposal method, not a way to reuse drives. It does nothing for flash memory such as USB keys, which have no magnetic domains to scramble. And because the drive can no longer be read, you cannot verify the result after the fact; you verify the process instead, with a certified field strength and a log of every serial number that went through it.
When developing a sanitization or data-destruction policy, look at your needs from several different angles:
- Time is a key determinant in how to sanitize data. How long is the data going to be valuable? One day? One week? A year? Forever? The longer the data has real value the higher the quality of the data sanitization needed.
- How many compliance standards do you have to meet? Keep in mind that your compliance requirements live on, even if the hard disks are long gone.
- Ask your lawyers about the company's liability if proprietary, employee, or customer data reaches the public domain - read: the Internet.
- What is your firm's downstream liability if the data disclosure affects other organizations and people not directly under your control?
- Is creating a policy and assigning one person to carry out the sanitization process reasonable insurance against any future litigation?
Just think about it. And then make sure you aren't singing the Post Storage Blues.
Copyright © 2005 SYS-CON Media, Inc. — All Rights Reserved.
Winn Schwartau is one of the country's leading experts on information security, infrastructure protection and electronic privacy. He balances his time between writing, lecturing, teaching and building corporate and national security-awareness programs and consulting to multinational organizations and governments worldwide. He is president and founder of Interpact, Inc., The Security Awareness Company (www.thesecurityawarenesscompany.com).