Not Protectively Marked
© Copyright QinetiQ
Data Destruction – HMG Standards
Dr. P. Turner – Technical Manager
www.QinetiQ.com
© Copyright QinetiQ limited 2011
Communications-Electronics Security Group (CESG)
• CESG is the UK Government’s National Technical Authority for Information Assurance (IA)
− “Information Assurance is the confidence that information systems will protect the information they handle and will function as they need to, when they need to, under the control of legitimate users.”
• Provides policy and assistance on the security of communications and electronic data for central Government, agencies and the Armed Forces, and also works with the wider public sector including Health, Law Enforcement and Local Government
CESG Acronyms
CAPS – CESG Assisted Products Service – helps private sector companies to develop cryptographic products for use by HMG
CCTM – CESG Claims Tested Mark – provides a government quality mark for the public and private sectors based on accredited independent testing, designed to prove the validity of security functionality claims made by vendors
CC – Common Criteria – also an ISO standard (ISO/IEC 15408)
ITSEC – Information Technology Security Evaluation and Certification scheme – the security features of IT systems and products are tested independently of suppliers to identify logical vulnerabilities. Testing is undertaken by CLEFs (Commercial Evaluation Facilities)
CHECK – IT health check services for HMG and the wider public sector, covering systems that handle protectively marked information
CLAS – CESG Listed Adviser Scheme – a partnership linking the unique Information Assurance knowledge of CESG with the expertise and resources of the private sector
CPA – Commercial Product Assurance scheme – two levels of certification: Foundation grade certification represents a basic level of confidence in the security behaviours of a product. Augmented grade certification means that CESG evaluators have spent more time and effort investigating the product's workings, and have required it to exhibit additional security properties
Information Assurance Standard No. 1 (IAS1)
IAS1 - Technical Risk Assessment - Issue 3.51, October 2009
Aim:
“… to provide a risk assessment and risk treatment process that allows Analysts,
Accreditors, Senior Information Risk Owner and other interested parties to:
• Analyse a proposed or existing system to identify risks and estimate the
levels of those risks;
• Select appropriate controls to manage the treatable risks.”
IAS1 available from : http://www.cesg.gov.uk/publications/policy.shtml
Information Assurance Standard No. 5 (IAS5) (1)
IAS5 – Secure Sanitisation - Issue 4.0, April 2011
Aim:
“… provides HMG policy for managing the risks that arise when storage media
that has stored or processed protectively marked or otherwise sensitive
information is released for re-use or disposal.”
Associated Documents:
• CESG Good Practice Guide No. 34, Scenarios for the Practical Application of IS5, Issue
1.0, April 2011
• CESG Developers Note No.18, Vendor Guidance on Secure Sanitisation Products and
Services, Issue 1.0, April 2011
Documents available on request by sending an email to:
[email protected]
Information Assurance Standard No. 5 (IAS5) (2)
Provides a risk-based approach, with advice and guidance, for the following media types:
• Blu-ray discs, CDs, DVDs
• Dynamic RAM (DRAM), EPROM, EEPROM, Flash, FPGA, Static RAM (SRAM)
• Magnetic disks and hard disks, magnetic tapes
• Monitors, network devices, office equipment, personal electronic devices, screen controllers
• Smart cards and SIM cards
• Paper and microform
Information Assurance Standard No. 5 (IAS5) (3)
Sanitisation Methods:
• Overwriting
− device remains operative
− media overwritten with Not Protectively Marked (NPM) data
− Lower and Higher overwriting standards apply to magnetic media – see Developers Note No. 18
• Degaussing
− uses a strong magnetic field to remove data; device rendered inoperative
• Physical Destruction
Unacceptable Techniques (under IAS5 Issue 4.0):
− Encryption
− ATA Secure Erase
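As an added example (not part of the presentation and not CESG or QinetiQ tooling), the following Python script performs the overwriting step above the way a host-side tool sees the media: one or more passes of a fixed NPM filler pattern over the whole host-visible capacity, a flush and fsync so the data reaches the device rather than the page cache, and a full read-back that counts every byte not holding the pattern. The pass count and pattern are parameters; the Lower and Higher standards from Developers Note No. 18 are not reproduced here, and the zero filler and two passes used are illustrative choices, not values from the standard. The "sensitive" image it overwrites, and the second image with one stray byte, are constructed in temporary files for the demonstration. Note the caveat the later slides on solid state media make: this reaches only the capacity the interface exposes.

```python
"""Overwrite-and-verify sanitisation of a host-visible device image (added example)."""
import os
import tempfile

# Filler written over the media. Any fixed, non-sensitive (NPM) value will do;
# zeros are used so the example is easy to check. Not a Developers Note 18 pattern.
NPM_PATTERN = b"\x00"
BLOCK = 64 * 1024


def _host_visible_size(f):
    """Bytes addressable through the normal interface (regular file or block device)."""
    f.seek(0, os.SEEK_END)
    return f.tell()


def _filler(pattern):
    """One BLOCK-sized buffer of the repeated pattern."""
    return (pattern * (BLOCK // len(pattern) + 1))[:BLOCK]


def _overwrite_pass(f, size, pattern):
    chunk = _filler(pattern)
    f.seek(0)
    done = 0
    while done < size:
        n = min(BLOCK, size - done)
        f.write(chunk[:n])
        done += n
    f.flush()
    os.fsync(f.fileno())   # push it past the page cache to the device before verifying
    return done


def _verify_pass(f, size, pattern):
    """Read every byte back; return how many do not hold the pattern."""
    chunk = _filler(pattern)
    f.seek(0)
    mismatched = 0
    done = 0
    while done < size:
        n = min(BLOCK, size - done)
        data = f.read(n)
        if len(data) != n:
            raise IOError("short read at offset %d: media not fully readable" % done)
        if data != chunk[:n]:
            mismatched += sum(1 for a, b in zip(data, chunk[:n]) if a != b)
        done += n
    return mismatched


def sanitise_by_overwrite(path, pattern=NPM_PATTERN, passes=1):
    """Overwrite `path` in place `passes` times, then verify the final state by full read-back.

    'ok' is False if any byte did not retain the pattern; such media must not be released."""
    with open(path, "r+b") as f:
        size = _host_visible_size(f)
        for _ in range(passes):
            _overwrite_pass(f, size, pattern)
        mismatches = _verify_pass(f, size, pattern)
    return {"size": size, "passes": passes, "mismatches": mismatches, "ok": mismatches == 0}


def verify_only(path, pattern=NPM_PATTERN):
    """Read-back check alone (e.g. re-checking media sanitised earlier); returns mismatching byte count."""
    with open(path, "rb") as f:
        return _verify_pass(f, _host_visible_size(f), pattern)


def demo():
    """Constructed input: a temporary image file holding 'sensitive' records."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(b"SECRET-RECORD-" * 5000)
        with open(path, "rb") as f:
            before = f.read(14)
        report = sanitise_by_overwrite(path, passes=2)
        with open(path, "rb") as f:
            after = f.read(14)
        report["sample_before"] = before
        report["sample_after"] = after
        return report
    finally:
        os.unlink(path)


def demo_detects_leftover():
    """Constructed failure case: a zeroed image with one byte that did not take the pattern."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(b"\x00" * 70000 + b"\xff" + b"\x00" * 100)
        return verify_only(path)   # 1: a single mismatching byte fails the check
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
    print("leftover bytes found:", demo_detects_leftover())
```

Run against a real device path (for example /dev/sdX on Linux) the same functions apply unchanged, because the size is taken by seeking to the end rather than from stat. Verification is a read-back of what the interface returns, so it proves only that the host-addressable area now holds the pattern; it cannot see sectors the device has remapped or, on flash, pages behind the translation layer.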
Information Assurance Standard No. 5 (IAS5) (4)
Attack Types:
• Non-invasive: these are attacks that represent any attempt to retrieve data without additional
assistance from physical equipment. The likely threat actor is an enthusiastic amateur with operating
system tools or Commercial Off The Shelf (COTS) data retrieval software utilities.
• Laboratory level 1 ‘Basic’: this type of attack does not require in-depth knowledge, nor access to
sophisticated or sensitive equipment. Likely examples include swapping of components on magnetic
disc drives to overcome rudimentary damage. Legitimate organisations would typically offer
commercial data recovery services of this type.
• Laboratory level 2 ‘Intermediate’: this type of attack is sophisticated and requires deep knowledge
and access to technically advanced facilities. A successful attack could be mounted against storage
media that have been subject to a level of sanitisation. A likely example is magnetic force
microscopy. A legitimate organisation possessing this level of capability would be an academic
research institute.
• Laboratory level 3 ‘Extensive’: this type of attack is of the highest sophistication and may be
carried out on media extensively damaged, partially destroyed or subjected to the most rigorous nondestructive sanitisation procedures. It may include techniques that are currently unknown, or that
may be developed in the future. There will be no known legitimate organisations with this capability,
but Foreign Intelligence Services (FIS) may be able to perform attacks of this type.
Information Assurance Standard No. 5 (IAS5) (5)
Sanitisation Outcomes:
• Release for re-use within the same or equivalent secure environment - where storage
media is to be re-used at the same protective marking
• Release for re-use within a less secure environment - permits a reduction in handling
requirements to a lower Business Impact Level
• Release for re-use in any environment (non-destructive) – release to an environment
that is not trusted
• Destruction for final disposal - permits storage media to be declassified with no further
sanitisation considerations. This option is generally chosen at the end of service life, or
where risk or cost dictates that destruction is the only feasible choice
Questions ?
Solid State Media
Memory Sticks & Solid State Disks
• Predominantly based on NAND memory technology (occasionally NOR)
Advantages over magnetic storage
• Not affected by magnetic fields (so degaussing, which relies on one, does not sanitise them)
• Speed of access
• More robust – no moving parts
Disadvantages
• Data retention lifetime – typically 10 years
• Limited number of re-write cycles
• Cost – higher at the moment, but reducing all the time
Solid State Media – The Data Deletion Issue
Wear Levelling
• NAND endurance varies by manufacturer: roughly 5K to 100K program/erase cycles per block
• Used to extend the life of the SSD memory by spreading writes across blocks
• Algorithm / technique used varies depending upon the manufacturer of the controller device and the storage capacity
• Implemented in the Flash Translation Layer (FTL), which maps the logical addresses the host sees onto physical flash blocks
• Over-provisioning: additional storage capacity above that available via the user interface (USB / ATA / SATA) – typically 4 to 25% of capacity
The issues (without invasive techniques) are:
• there is no standard way to bypass the FTL and be sure that an overwriting application can access the full capacity of every chip within a device
• there is no standard way of reporting the number of bad blocks within a device (a retired block keeps whatever it held and is never rewritten by the host)
Solid State Media – Wear Levelling in action (a simple example)
(diagram only; not reproduced in the transcript)
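In place of the slide's diagram, the following Python simulation (added here; it is not the presentation's own material, and it is a deliberately minimal model rather than any vendor's FTL) plays out the point of the previous slide. A toy controller does out-of-place updates with a least-erased-first wear-levelling policy, 25% over-provisioning and one page retired as bad. The host writes sample records, overwrites every logical page it can see with zeros, and reads back a clean device, while a raw dump of the physical pages, what a laboratory-level attacker obtains by bypassing the FTL, still finds two pages holding the original records. The class and function names and the sample records are constructed for the example.

```python
"""Toy flash translation layer (FTL): why a host overwrite cannot reach every NAND page (added example)."""

FREE, VALID, STALE, BAD = "free", "valid", "stale", "bad"


class ToyFlash:
    """Minimal out-of-place-update FTL, the behaviour real NAND controllers share:
    a logical page is never rewritten in its current physical page; the data goes to
    a fresh page and the old copy is only marked stale until garbage collection erases it.
    Wear levelling here is the simplest possible policy (least-erased free page first)."""

    def __init__(self, logical_pages, spare_pages, page_size=16):
        self.page_size = page_size
        n = logical_pages + spare_pages          # spare_pages = over-provisioning invisible to the host
        self.physical = [bytes(page_size)] * n
        self.state = [FREE] * n
        self.erase_count = [0] * n
        self.l2p = [None] * logical_pages        # logical page -> physical page

    # -- controller internals (not reachable through the host interface) ----------
    def _garbage_collect(self):
        for p, s in enumerate(self.state):
            if s == STALE:
                self.physical[p] = bytes(self.page_size)
                self.state[p] = FREE
                self.erase_count[p] += 1

    def _pick_free_page(self):
        free = [p for p, s in enumerate(self.state) if s == FREE]
        if not free:
            self._garbage_collect()
            free = [p for p, s in enumerate(self.state) if s == FREE]
        return min(free, key=lambda p: self.erase_count[p])

    def retire_page(self, p):
        """Controller retires a failing page: valid data is migrated to a new page,
        but the retired page is never erased or reused and keeps what it held."""
        if self.state[p] == VALID:
            lpn = self.l2p.index(p)
            data = self.physical[p]
            self.state[p] = BAD
            self.write(lpn, data)
        else:
            self.state[p] = BAD

    # -- host interface (all an overwriting tool can use) -------------------------
    def write(self, lpn, data):
        assert len(data) == self.page_size
        old = self.l2p[lpn]
        new = self._pick_free_page()
        self.physical[new] = bytes(data)
        self.state[new] = VALID
        self.l2p[lpn] = new
        if old is not None and self.state[old] != BAD:
            self.state[old] = STALE          # old copy stays intact until GC gets to it

    def read(self, lpn):
        p = self.l2p[lpn]
        return bytes(self.page_size) if p is None else self.physical[p]

    # -- what an invasive attacker sees -------------------------------------------
    def chip_dump(self):
        """Raw read of every physical page with the FTL bypassed."""
        return list(self.physical)


def host_overwrite(flash, filler=b"\x00"):
    """The best a non-invasive sanitisation tool can do: overwrite every logical page."""
    page = (filler * flash.page_size)[:flash.page_size]
    for lpn in range(len(flash.l2p)):
        flash.write(lpn, page)


def find_remnants(flash, needle):
    """Physical pages still holding `needle`, with the state the controller has them in."""
    return {p: flash.state[p] for p, page in enumerate(flash.chip_dump()) if needle in page}


def demo():
    # Constructed scenario: 8 user pages plus 2 spare (25% over-provisioning).
    flash = ToyFlash(logical_pages=8, spare_pages=2)
    for lpn in range(8):
        flash.write(lpn, b"SECRET-RECORD-%02d" % lpn)   # 16-byte sample records
    flash.retire_page(3)                                # one page goes bad in service
    host_overwrite(flash)
    host_reads_clean = all(flash.read(l) == bytes(16) for l in range(8))
    return {"host_reads_clean": host_reads_clean,
            "remnant_pages": find_remnants(flash, b"SECRET")}


if __name__ == "__main__":
    print(demo())   # host sees a clean device; pages 3 (bad) and 7 (stale) still hold records
```

Which physical pages retain data, and whether a further pass would reach them, depends entirely on the controller's garbage-collection and bad-block policy, which the host can neither observe nor drive through USB, ATA or SATA; that is exactly the two issues listed on the previous slide. The retired page is the worse case: no amount of host writing will ever touch it again.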
Questions ?