Secure Data Disposal
Today there are more mediums for transferring, storing and archiving data than ever before. In this sea of storage, vendors keep coming up with new ways to make it easier to conveniently transfer and access data. Some vendors have given thought to data management and others have not. Most organisations in Europe and the US are now implementing solutions to manage this information asset.
In this article we will cover secure data disposal methods. We will also cover how organisations that reuse media, by donating computers or hard disks, are exposed, and we will outline some countermeasures to prevent that exposure.
There are many forms of storage media in the industry today; the following is a brief list of just a few storage technologies:
Optical media (CD-ROM, DVD, Blu-ray, WORM, etc.)
USB flash storage, hard drives, and other solid-state type storage
Floppy disks and similar media such as Zip and Jaz drives (older forms of mass storage)
Mobile phones, PDAs, iPods, music players and other such devices
Servers and mass storage on SAN or NAS
Remote email and services
As the price of storage falls and capacity rises, more data can be stored on media for less. As the technology becomes more accessible to the masses, new threats develop.
The typical process flow
Typically we buy some storage media: a hard drive, a computer, a USB flash disk, etc. We plug in the media and start using it to store our valuable data. Without further thought we fill the device, and soon we are looking for a new one that is larger, quicker and has more features. We seldom consider the security implications of these operations, and more often than not the full device ends up in a cupboard or drawer, forgotten. After some time the device is thrown out, sold or otherwise disposed of without a second thought. In this process the data can leak into the wild and fall into the hands of an unauthorised individual.
After visiting an invite-only security conference in Scotland, I was speaking with a gentleman from Oxford University. He heads up the IT data recovery and computer forensic/security arm of the university. He was telling me how the department from time to time buys old storage media on eBay and recovers the data as part of a challenge. They do this with some students under the close supervision of the forensic department.
Because they work closely with the authorities, from time to time the lab comes across illegal material that they then report to the authorities, and action is taken if the perpetrators can be tracked down.
I was quite interested and started asking questions about what types of media they bought, how easy it was to get the data off the media, and so on. Soon I could see that it was relatively easy to purchase the hardware, download some free applications and start recovering the data from the media.
Could I find some data?
I then decided to go foraging for data myself, in public places. I walked along with some security colleagues through the banking district of the city where I consult and, true enough, we found a dumpster full of computer hardware; a colleague dived in and grabbed some computers. Inside these computers we found hard drives, and on these drives we found data. Most of this data was generic, but some of it was not. We downloaded some free tools from the internet and started some reconnaissance.
This exercise was performed to build awareness, in a controlled environment. The data was closely guarded by security professionals and then destroyed after the research was concluded.
We were able to get the following information:
A valid local login account with the password
Remote access credentials, including usernames, passwords and IP addresses
Wi-Fi WPA/WPA2 and WEP keys that were cached on the machine
Server mapped drive paths and file locations
Office files such as Word, Excel and PowerPoint documents
Password files in clear text
Outlook PST files and cached emails
Temporary internet files and cookies containing credentials
A single sign-on database of all the sites, applications and other security credentials the user was signing into
Banking information and other financial and very personal information
All of this information was extracted in less than one day and was relatively easy to get using only free tools. The amount of information recovered was staggering, and I am sure most of us would not want this information to be public, especially in a corporate environment, as it would expose the company's data assets.
Some of the tools we used
Now that the real-life story is over, what can you do to better protect your data?
When you buy a device, look out for one that incorporates encryption; presently AES 256-bit is good and is quick on portable devices.
If you have legacy devices that you want to protect, you can encrypt them with a tool. TrueCrypt is free but not great for commercial use, as the keys are not centrally stored. McAfee have a good solution that stores keys centrally, and there are many others on the market that can be used, but you need to ensure that the right ciphers are used and that the keys are well managed.
Employ two factor authentication
In previous articles I referred to the death of the password; now more than ever we are seeing how easily passwords are compromised and how thousands of users are exposed because of insecure passwords.
When you are done with the media, physically destroy it
Green is the way to go, so recycling is something you most probably want to do. The problem is that security and resource reuse do not fit in the same sentence; this is always a no-no. If the data is very sensitive, physical destruction is still the best way forward.
There are DoD-approved tools that can destroy the data on a hard disk. These tools work by writing runs of 0s and runs of 1s across the whole hard drive over and over again; each complete write of the drive is called a pass. So when you see something stating 70 passes, it means the tool wrote all 1s, then all 0s, then all 1s and so on, 70 times.
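How such a multi-pass overwrite works in practice, as an added example (not code from the original article or from any DoD-approved tool): alternating 0xFF and 0x00 passes, one random pass, a final zero pass, and a read-back check, run here against a constructed disk image file. The `wipe()` and `demo()` names and the pass sequence are my own illustration, not a specific certified standard.

```python
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB chunks keep memory flat on large targets

def _fill(fh, size, pattern_byte):
    """One pass: write `size` bytes of pattern_byte (random data when None), then fsync."""
    fh.seek(0)
    for off in range(0, size, CHUNK):
        n = min(CHUNK, size - off)
        fh.write(os.urandom(n) if pattern_byte is None else bytes([pattern_byte]) * n)
    os.fsync(fh.fileno())  # make sure the pass reached the media, not just the cache

def _reads_back_as(fh, size, pattern_byte):
    """Chunked read-back: True only if every byte of the target equals pattern_byte."""
    fh.seek(0)
    for off in range(0, size, CHUNK):
        n = min(CHUNK, size - off)
        if fh.read(n) != bytes([pattern_byte]) * n:  # a short read also fails here
            return False
    return True

def wipe(path, passes=3):
    """`passes` alternating 0xFF/0x00 passes, one random pass, then a verified zero pass.
    Assumes a regular file or an unmounted block device; returns the total pass count."""
    size = os.path.getsize(path)  # a block device needs os.lseek(fd, 0, os.SEEK_END) instead
    with open(path, "r+b", buffering=0) as fh:
        for i in range(passes):
            _fill(fh, size, 0xFF if i % 2 == 0 else 0x00)
        _fill(fh, size, None)  # random pass breaks up any periodic residue
        _fill(fh, size, 0x00)  # final pass leaves the media as zeros
        if not _reads_back_as(fh, size, 0x00):
            raise RuntimeError("verification failed: target did not read back as zeros")
    return passes + 2

def demo():
    """Constructed sample: a small disk image holding a fake clear-text password file."""
    secret = b"user=alice password=hunter2\n" * 4096  # constructed, not real data
    with tempfile.NamedTemporaryFile(delete=False) as img:
        img.write(secret)
        path = img.name
    try:
        done = wipe(path, passes=3)
        with open(path, "rb") as fh:
            data = fh.read()
        # (passes performed, secret still present?, every byte now zero?)
        return done, secret[:27] in data, data == b"\x00" * len(secret)
    finally:
        os.unlink(path)
```

Overwriting in place addresses magnetic disks; flash media with wear levelling (the USB sticks and solid-state devices listed earlier) can keep copies in blocks the host cannot address, so for those the manufacturer's secure-erase command or physical destruction is the appropriate route.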
This can be time-consuming, as in some networks you may find thousands of nodes, so the cost of decommissioning the hardware physically is high. Your CSO needs to weigh up the risk vs. reward balance to ensure that appropriate security controls are used.
Some people are quite paranoid about their data, so they dispose of it in a comprehensive manner.
First they take the hard drive and degauss it: a degausser is a device that flushes the drive with a very strong magnetic field, and the hard drive, being magnetic by design, is wiped by that field. The drive is then shredded in a physical milling device that turns it into tiny metal beads. This process is monitored by a high-resolution camera that records the shredding and the drive serial number printed on the label stuck to the drive.
Figure 1: Before and after
Think twice before selling or otherwise disposing of your data storage media; it might fall into the wrong hands, and when it does the results might be less than desirable. Take the right steps to secure your information asset: encrypt the media, securely wipe the media or physically destroy the media. Better safe than sorry.