As media gets smaller but has ever greater storage capacity, the ease with which it can be passed around and reused requires vigilant adherence to a secure sanitisation model to prevent data leakage.
Stories such as the one about details of a U.S. military missile defence system turning up on a second-hand hard drive bought on eBay have highlighted the need for proper disposal of unwanted hard drives as part of a data leakage prevention strategy. There are now plenty of products and services that ensure media can be securely disposed of; the CESG Claims Tested Mark (CCTM) Awards Directory currently lists eight certified products and services for erasure and disposal.
However, a related area where data leakage can occur but is often overlooked is media reuse. It most commonly happens when backup media is reused repeatedly in rotational backup schemes, but there are several other situations where it takes place: a laptop, PC or hard drive from an obsolete server is assigned to a different user or system, or a thumb drive or rewritable CD is passed to a different person. Mobile phones and PDAs are also increasingly reused within organisations. In any of these situations, if the media hasn't been correctly sanitised, whatever sensitive data was left on it can be read by anyone who later has physical or logical access to it, and the data is inadvertently leaked.
So how should you deal with media that you want to reuse rather than destroy? It is essential to have a clear sanitisation and disposal policy that sets out how media holding sensitive data is processed before reuse. For example, if media will be reused to store data of a lower classification, or will be used in a less secure environment, it needs to be purged rather than merely cleared. In the terminology of NIST's Guidelines for Media Sanitization, clearing makes the data unrecoverable by ordinary data, disk or file-recovery utilities (typically by overwriting it), whereas purging removes the data so thoroughly that it also withstands laboratory-grade recovery attempts. Any equipment leaving the organisation, such as leased or hired kit being returned, should go only after any non-removable media in it has been purged.
You can clear most media with overwriting software such as the open source tool Darik's Boot and Nuke (DBAN), a self-contained boot disk that wipes the hard disks of most PCs. To purge a hard drive you need a utility such as Secure Erase (HDDErase), developed at the University of California, San Diego's Center for Magnetic Recording Research, which invokes the drive's built-in ATA Secure Erase command so that the drive firmware itself performs the erase rather than software running on the host. Bear in mind that overwriting cannot be relied on for flash media such as thumb drives and SSDs: wear-levelling means the controller may keep old copies of data in blocks the host cannot address, so check what the device and its vendor actually support. You can also use a degausser, but on a modern hard drive degaussing also wipes the servo tracks, leaving the drive permanently unusable; it is a destruction method, not a route to reuse. Whichever method you use, verify that the clear or purge actually worked, for example by reading the media (or a sample of its sectors) back and checking that only the wipe pattern remains, and document the sanitisation, recording the date, the media, the data it held and the method used, before the media is reused.
A decision flow chart greatly helps users check which sanitisation method is appropriate before reusing any media: it leads you through a series of simple yes/no questions to the correct action. A good example is on page 20 of NIST Special Publication 800-88, Guidelines for Media Sanitization, from the National Institute of Standards and Technology. Finally, if you use cloud services, contractually require providers to clear or purge persistent storage before it is reused, so that your data does not remain on storage later allocated to another customer.
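The procedure above (decide whether media needs clearing or purging, verify the wipe by reading the media back, then record it) as an added example in Python. This is not code from the original article, nor from DBAN, Secure Erase or NIST; it assumes a 4 KiB read block size, a numeric classification scale where a higher number is more sensitive, a constructed disk image standing in for the wiped device, and a JSON-lines audit log. The Media fields and the rules in decide_method are a hypothetical encoding of the article's own conditions, not NIST's full flow chart; in particular, anything leaving the organisation is treated as going to a less secure environment and so purged.

```python
"""Media-reuse sanitisation helper (added example, not the article's own code).

decide_method() encodes the article's yes/no questions, verify_overwrite()
reads the media back after a wipe to confirm only the wipe pattern remains,
and record_sanitisation() writes the audit record the article asks for.
"""
import datetime
import json
import os
import random
from dataclasses import dataclass

BLOCK_SIZE = 4096  # assumed read granularity; any size works


@dataclass
class Media:
    description: str                 # e.g. asset tag and device type (constructed)
    leaving_organisation: bool       # leased or hired kit being returned
    current_classification: int      # data it holds now; higher = more sensitive
    new_classification: int          # data it will hold after reuse
    new_environment_less_secure: bool


def decide_method(m: Media) -> str:
    """Yes/no decision flow for media that will be reused rather than destroyed."""
    if m.leaving_organisation:
        return "purge"   # assumption: outside the organisation is a less secure environment
    if m.new_classification < m.current_classification:
        return "purge"   # reuse for lower-classified data
    if m.new_environment_less_secure:
        return "purge"   # reuse in a less secure environment
    return "clear"       # same (or higher) classification in the same environment


def verify_overwrite(path, pattern=0x00, samples=None, seed=None):
    """Read the media back and check that it contains only the byte `pattern`.

    samples=None scans every block; otherwise the first and last blocks plus
    `samples` random blocks are checked (a spot check for very large drives).
    Returns the byte offset of the first mismatch found, or None if every
    block read back matches.
    """
    size = os.path.getsize(path)
    if size == 0:
        raise ValueError("empty media: nothing to verify")
    nblocks = (size + BLOCK_SIZE - 1) // BLOCK_SIZE
    if samples is None:
        indices = range(nblocks)
    else:
        rng = random.Random(seed)
        chosen = {0, nblocks - 1}  # partition table and end-of-disk metadata live here
        chosen.update(rng.randrange(nblocks) for _ in range(samples))
        indices = sorted(chosen)
    expected = bytes([pattern]) * BLOCK_SIZE
    with open(path, "rb") as f:
        for i in indices:
            f.seek(i * BLOCK_SIZE)
            data = f.read(BLOCK_SIZE)  # the last block may be short
            if data != expected[: len(data)]:
                j = next(k for k, (a, b) in enumerate(zip(data, expected)) if a != b)
                return i * BLOCK_SIZE + j
    return None


def record_sanitisation(log_path, media, method, tool, mismatch_offset):
    """Append one JSON audit record: date, media, data, method, tool and result."""
    entry = {
        "date": datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="seconds"),
        "media": media.description,
        "data_classification": media.current_classification,
        "method": method,
        "tool": tool,
        "verified": mismatch_offset is None,
        "first_mismatch_offset": mismatch_offset,
    }
    with open(log_path, "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


if __name__ == "__main__":
    # Constructed 64 KiB "disk image" standing in for a wiped drive.
    image = "wiped.img"
    with open(image, "wb") as f:
        f.write(b"\x00" * (64 * 1024))
    laptop = Media("Laptop HDD, asset 0042", False, 3, 1, False)
    method = decide_method(laptop)       # "purge": reuse at a lower classification
    offset = verify_overwrite(image)     # None: every block reads back as zeros
    print(method, offset)
    print(record_sanitisation("sanitisation.jsonl", laptop, method, "Secure Erase", offset))
    # Simulate a failed wipe: one stray byte survives in block 3.
    with open(image, "r+b") as f:
        f.seek(3 * BLOCK_SIZE + 7)
        f.write(b"A")
    print(verify_overwrite(image))       # 12295: offset of the surviving byte
    os.remove(image)
```

Run it against a real device by pointing verify_overwrite at the block device path (as root) rather than an image file; the full scan is what you want before signing off a reused drive, and the sampled mode is only a spot check that can miss a partially failed wipe.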
About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.
This was first published in June 2010