Guidelines for Media and Data Sanitizing
When an information system is taken offline and retired, the media that stored its data must remain protected throughout the retirement process. If that media is to be removed and discarded, or re-purposed, the organization must ensure the data stored on it has been completely sanitized. According to NIST Special Publication 800-88, data may pass through multiple organizations, systems, and storage media during its lifetime. As a result, more than one party may be responsible for sanitizing media: the responsibility is not limited to the organization that created the data, nor to the final destination where the data ends up, but extends to every intermediary that stores or processes the information along the way. The concern of media sanitization is not the media itself but the recorded information the media contains. In other words, the key objective of media sanitization is assuring the confidentiality of the data on the media.
There are two primary types of media in common use: hard copy and electronic (also known as soft copy). Hard copy media are physical representations of information, most often associated with paper printouts; printer and facsimile ribbons, drums, and platens are also hard copy media, because they can carry an impression of what was printed. Electronic media are devices that store bits and bytes, such as hard drives, random access memory (RAM), read-only memory (ROM), disks, flash memory, memory devices, phones, mobile computing devices, networking devices, and office equipment.
Sanitization is a process that renders access to the target data on the media infeasible for a given level of recovery effort. That level of effort may range widely. At one end, an attacker may attempt keyboard attacks, using only the ordinary host and device interfaces, without specialized tools, skills, or knowledge of the media's characteristics. At the other end, an attacker may have extensive capabilities and apply state of the art laboratory techniques. The sanitization method must be chosen with the expected level of attacker effort in mind.
NIST defines three categories of sanitization: Clear, Purge, and Destroy. Clear applies logical techniques to sanitize data in all user-addressable storage locations, protecting against simple, non-invasive data recovery techniques; examples are overwriting the storage with a new value, or using a menu option to reset the device to the factory state. Because Clear reaches only user-addressable locations, data in areas the host cannot address (for example reallocated sectors on a hard drive, or the spare blocks managed by a flash controller) may survive it. Purge applies physical or logical techniques that render target data recovery infeasible even with state of the art laboratory techniques. Destroy likewise renders recovery infeasible with state of the art laboratory techniques and, in addition, leaves the media unusable for storing data. The organization should assess the nature of the medium on which the data is recorded and the risk to confidentiality, then choose the appropriate type(s) of sanitization.
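The following is an added example, not part of the original text or of NIST SP 800-88, showing the Clear-by-overwrite technique described above together with the read-back verification that should follow it. The "device" is a constructed image file standing in for a block device such as /dev/sdX; the same functions work on a real device path when run with sufficient privileges, and the constructed SECRET marker exists only so the verification step has something to detect.

```python
"""Added example: single-pass overwrite ('Clear') of a block-device image with
full read-back verification. The image file is constructed here as a stand-in
for a real device node; nothing outside the temporary directory is touched."""
import os
import tempfile

SECTOR = 512
CHUNK = 1 << 20  # 1 MiB write/read granularity


def make_sample_device(path, sectors, marker=b"SECRET"):
    """Constructed sample media: every sector carries a recognizable marker so
    the verification step has real residue to detect before the overwrite."""
    with open(path, "wb") as f:
        for i in range(sectors):
            f.write((marker + i.to_bytes(4, "big")).ljust(SECTOR, b"\xff"))


def device_size(f):
    """Size in bytes. Seeking to the end works for image files and for Linux
    block devices alike, where os.path.getsize() would report 0 for /dev nodes."""
    f.seek(0, os.SEEK_END)
    return f.tell()


def overwrite_device(path, fill=0x00):
    """NIST SP 800-88 'Clear' by logical overwrite: write one fixed byte value
    over every user-addressable location, then fsync so the writes reach the
    media instead of stopping in the page cache. Returns the bytes written.
    Caveat from 800-88: only user-addressable space is covered; a flash
    controller's spare or over-provisioned blocks are not reached this way."""
    written = 0
    block = bytes([fill]) * CHUNK
    with open(path, "r+b") as f:
        size = device_size(f)
        f.seek(0)
        while written < size:
            n = min(CHUNK, size - written)
            f.write(block[:n])
            written += n
        f.flush()
        os.fsync(f.fileno())
    return written


def verify_overwrite(path, fill=0x00):
    """Full read-back verification: return the byte offset of every sector that
    does not consist entirely of the fill value. An empty list means every
    location read back as expected."""
    expected = bytes([fill]) * SECTOR
    bad = []
    with open(path, "rb") as f:
        size = device_size(f)
        f.seek(0)
        offset = 0
        while offset < size:
            data = f.read(CHUNK)
            if not data:
                break
            for i in range(0, len(data), SECTOR):
                sector = data[i:i + SECTOR]
                if sector != expected[:len(sector)]:
                    bad.append(offset + i)
            offset += len(data)
    return bad


def clear_and_verify(path):
    """Run the Clear procedure on `path` and return a small report: how many
    sectors held non-fill data before, how much was written, and which sectors
    (if any) failed verification afterwards."""
    dirty_before = len(verify_overwrite(path))
    written = overwrite_device(path)
    failed = verify_overwrite(path)
    return {"dirty_before": dirty_before, "bytes_written": written,
            "failed_sectors": failed}


def demo(sectors=2048):
    """Self-contained run against a constructed image in a temporary directory."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "disk.img")
    make_sample_device(path, sectors)
    report = clear_and_verify(path)
    os.remove(path)
    os.rmdir(tmpdir)
    return report


if __name__ == "__main__":
    print(demo())
```

The verification pass is the part most often skipped in practice. Reading every sector back is what distinguishes a completed Clear from an assumed one, and a non-empty failed_sectors list (for example from a drive that silently remapped a failing sector during the overwrite) is exactly the signal that the media needs Purge or Destroy instead.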
Cryptography and Cryptographic Erase. Many storage manufacturers now ship storage devices with integrated encryption and access control capabilities, known as Self-Encrypting Drives (SEDs). An SED's encryption is always on, which reduces the likelihood that unencrypted data is inadvertently retained on the device: the end user cannot turn the encryption off, so data in the designated areas is always stored encrypted. Cryptographic Erase (CE) leverages this by sanitizing the encryption key that protects the target data rather than the data itself. Only ciphertext remains on the media, and without the key used to encrypt the target data that ciphertext cannot be read, so the data is unrecoverable. Three conditions apply. Do not use CE to purge media if encryption was enabled only after sensitive data had already been stored on the device without being sanitized first, because that earlier data was never encrypted and still sits on the media in the clear. Do not use CE if it is unknown whether sensitive data was stored on the device before encryption was enabled. Finally, CE should only be used as a sanitization method when the organization has confidence that the encryption keys used to encrypt the target data have been appropriately protected throughout their life, since a key that was exported or backed up elsewhere defeats the erase (Kissel, Regenscheid, Scholl & Stine, 2014).
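The following is an added example, not from the original text and not a real SED interface, that models why Cryptographic Erase works and why it fails in the situation the paragraph above warns about. The "drive" is a constructed in-memory sector map, the cipher is a toy SHA-256 counter-mode keystream standing in for the drive's hardware AES engine, and the PATIENT-RECORD marker is constructed sample data; the point is the difference between what the drive returns over its normal interface and what a laboratory read of the raw media still finds.

```python
"""Added example: a model self-encrypting drive demonstrating Cryptographic
Erase (CE) and the pre-encryption plaintext failure mode from NIST SP 800-88.
Everything here is a constructed stand-in; the cipher is NOT a real SED cipher."""
import hashlib
import os

SECTOR = 64  # small sectors keep the model readable
MARKER = b"PATIENT-RECORD-0001"  # constructed sample of sensitive data


def keystream(key, sector_no, length):
    """Toy per-sector keystream derived from the media encryption key
    (stand-in for AES-XTS in a real drive; do not use for real data)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(
            key + sector_no.to_bytes(8, "big") + counter.to_bytes(4, "big")
        ).digest()
        counter += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class ModelSED:
    """Sector store plus a media encryption key. key is None while encryption
    is off, which models a device where encryption is enabled after first use
    rather than the always-on behaviour of a true SED."""

    def __init__(self, sectors):
        self.media = [b"\x00" * SECTOR] * sectors  # what physically sits on the media
        self.key = None

    def enable_encryption(self):
        """Turning encryption on does NOT re-encrypt data already on the media."""
        self.key = os.urandom(32)

    def write(self, n, data):
        data = data.ljust(SECTOR, b"\x00")[:SECTOR]
        self.media[n] = xor(data, keystream(self.key, n, SECTOR)) if self.key else data

    def read(self, n):
        """The 'keyboard' view: what the host sees through the drive interface."""
        if self.key is None:
            return self.media[n]
        return xor(self.media[n], keystream(self.key, n, SECTOR))

    def cryptographic_erase(self):
        """CE: discard the old media key and generate a fresh one. The ciphertext
        stays on the media; it is simply no longer decryptable."""
        self.key = os.urandom(32)


def raw_media_sectors_with(drive, marker):
    """The laboratory view: inspect the raw stored bytes, bypassing the drive's
    decryption, and list the sectors where the marker is still present."""
    return [i for i, raw in enumerate(drive.media) if marker in raw]


def report(drive):
    return {
        "keyboard_read_finds_marker": any(MARKER in drive.read(i)
                                          for i in range(len(drive.media))),
        "raw_media_sectors_with_marker": raw_media_sectors_with(drive, MARKER),
    }


def scenario_always_on():
    """True SED behaviour: encryption on from the start, so every sector that
    was ever written is ciphertext and CE leaves nothing recoverable."""
    d = ModelSED(4)
    d.enable_encryption()
    d.write(0, MARKER)
    d.write(1, MARKER)
    d.cryptographic_erase()
    return report(d)


def scenario_encryption_enabled_late():
    """The case 800-88 warns about: sensitive data landed on the media before
    encryption was enabled and was never sanitized. After CE the drive's own
    interface returns garbage for every sector, so a keyboard-level check looks
    clean, yet the raw media still holds sector 0 in plaintext."""
    d = ModelSED(4)
    d.write(0, MARKER)        # written with encryption off: stored in the clear
    d.enable_encryption()
    d.write(1, MARKER)        # written with encryption on: stored as ciphertext
    d.cryptographic_erase()
    return report(d)


if __name__ == "__main__":
    print("always-on:", scenario_always_on())
    print("enabled late:", scenario_encryption_enabled_late())
```

In the second scenario the host-visible read looks sanitized in both cases, which is why the paragraph above says CE must not be used when the device's encryption history is unknown: only the always-on case can be trusted on the strength of the key destruction alone, and even then the organization still needs assurance that no copy of the old key survives.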
Physical destruction of the platters and heads of a hard drive makes it far more difficult to recover data from the media. To defeat keyboard attacks and simple laboratory recovery techniques, the heads must be prevented from flying over the spinning platter; significant damage to the media further reduces the effectiveness of laboratory attacks. Physical techniques should produce surface deformations greater than 0.001 inch and preclude normal reading by a disk head, which is sufficient to make attacks aimed at recovering data from the drive prohibitively costly. Physical techniques include bending, drilling, cutting, and shredding. Bending should deform the platters to an internal angle of at least 5 degrees, and an abrupt bend is preferred. Drilling should produce holes greater than 0.25 inch in diameter and should penetrate the outer tracks and most of the remaining tracks. Cutting should penetrate all tracks of the disk surface; cuts may be made by physical or thermal means. Shredding should reduce the platters to a chip size of less than 1.5 inches, and shredding circuit boards to a chip size of less than 0.5 inch will also likely destroy any flash memory mounted on them. A further technique is thermal destruction, which not only deforms the magnetic media but also purges the data it contains: incineration or smelting heats the media to temperatures at which the substrate melts or fractures (DON CIO Privacy Team, 2010).
Kissel, R., Regenscheid, A., Scholl, M., & Stine, K. (2014, December 1). Guidelines for Media Sanitization – NIST Special Publication 800-88. Retrieved August 6, 2015, from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf
DON CIO Privacy Team. (2010, August). Methods for Hard Drive/Disk Destruction. Retrieved August 5, 2015, from http://www.doncio.navy.mil/ContentView.aspx?ID=1867