Secure Sanitisation
John Sutton
ADISA – Supplier Showcase
18 July 2015
Presentation Contents
UK Government Authorities
Understanding Data Sensitivity
Applying Information Assurance Standard 5
Questions?
UK Data Protection Authorities
Cabinet Office
Centre for Protection of the National Infrastructure (CPNI)
CESG – National Technical Authority for IA
Information Commissioner’s Office (ICO)
Cabinet Office
Cabinet Office Security Policy Division (COSPD)
Security Policy Framework (SPF) v.5.0
MANDATORY REQUIREMENT (MR) 45: Departments and Agencies must ensure that all media used for storing or processing protectively marked or otherwise sensitive information must be disposed of or sanitised in accordance with HMG IA Standard No. 5 – Secure Sanitisation of Protectively Marked or Sensitive Information
Publishes all the Information Assurance Standards (e.g. IAS5)
ICO
Information Commissioner’s Office - ICO
UK independent authority that upholds information rights and access in the public interest
Promotes data privacy for individuals
Enforces the:
Data Protection Act
Freedom of Information Act
Has powers of sanction and fines over organisations for data breaches
CPNI
Centre for Protection of the National Infrastructure
National Infrastructure comprises:
Communications, Emergency Services, Energy, Finance, Food, Government, Health, Transport and Water
Provides advice on a range of security topics
Physical Security
Personnel Security
Information Security
Cyber Security
Threat and Risk Assessments
CPNI
Physical Destruction
SEAP 8100 – Destruction Equipment
Shredders
CD Declassifiers
Incinerators
Disintegrators
Hammer Mills & Pulverisers
SEAP 8200 – Approved Destruction Organisations
Staff cleared at all levels
Mobile destruction services
Organisation may need to be List X
Catalogue of Security Equipment
CESG
Publications
CESG – National Technical Authority for IA
National Cryptographic Authority
Publishes all IA documentation (except IASs)
Crypto Standards
IA Developer Notes
IA Implementation Manuals
IA Notices (CIAN)
Good Practice Guides (GPG)
Busy Readers Guides (BRG)
CESG
Evaluation and Assurance Schemes
CESG Approved Product Scheme - CAPS
CESG Assured Service (Telecoms) - CAS (T)
Common Criteria - CC
CESG Claims Test Mark - CCTM
Commercial Product Assurance - CPA
CESG Tailored Assurance Scheme - CTAS
CESG Listed Advisor Scheme - CLAS
CESG
Degaussing
CESG Degaussing Standard
Lower Level (for RESTRICTED & below)
Higher Level (for CONFIDENTIAL & above)
CESG Claims Tested Mark (CCTM) scheme used for approvals at the Lower Level
CESG approves the use of products on the NSA Degausser Product List at the Higher Level
US National Data Protection Agencies
NIST
National Institute for Standards & Technology
Agency of Department of Commerce
NSA
National Security Agency
DoD
Department of Defense
Data Protection Standards/Guidance
National & International
UK Standards
IAS 1 – Risk Assessment
IAS 5 – Secure Disposal
Good Practice Guide (GPG) 34
IAS6 – Protection of Personal Data
PAS 141
EU Standards
BS EN 15713:2009 (supersedes BS8470)
US Standards
DoD 5220.22M
NIST 800-88
Need for Organisations to Categorise their Data
Compromise of Information
UK Government
Information Properties
Business Impact Levels (BIL)
Confidentiality
Integrity
Availability
BIL  Category
0    UNCLASSIFIED
1    PROTECT
2    PROTECT
3    RESTRICTED
4    CONFIDENTIAL
5    SECRET
6    TOP SECRET
Example IAS1 Impact Level Table
Level  Impact
0      No detectable impact
1      Causes losses of up to £1,000
2      Causes losses of up to £10,000 or threaten an SME
3      Causes losses of up to £1m or threaten a minor UK company
4      Causes losses of up to £10m or threaten a major UK company
5      Causes losses of up to £100m or threaten a major international company
6      Causes losses in excess of £100m or threaten the UK economy
Risk Level: Low, Medium, High
Example ILs for a Large National Business
IL  Risk Level  Category
0   Low         Public domain information (i.e. website, public records)
1   Low         Personal information about staff not in the public domain (e.g. contact details).
2   Low         Internal information concerning the organisation not publicly available
3   Medium      Commercial-in-confidence sales and customer information
4   Medium      Customer credit card and account details
5   High        Board-level remuneration, sales and cash flow forecasts
6   High        Corporate bank login details, strategic and flotation plans
Personal Information Aggregation
Two types of information aggregation:
Accumulation
“simply because there is more information being stored”
Association
“relationships between otherwise low impact information may have a resultant high impact”
Both types taken separately or jointly may increase the overall BIL
Effects of Information Aggregation
Accumulation (example)
Number of Records  Business Impact Level
1                  2
1000               3
5000               4
>5000              5
Association (example)
Name, address, phone number, driving licence number, DoB, photo etc
All individually BIL=0
Linked with .......
DNA or finger prints, Bank/credit card details, NI number, Passport number, Tax, benefit or pension details, etc
All individually BIL=0
May cause harm or distress
IAS5 - Media Sanitisation Definitions
Keyboard Attack
Attempting to recover data via the keyboard, using S/W data recovery tools.
Laboratory Attack
Attempting to recover data using computer forensics, microscopy & spinstand techniques.
Clearing
Protects confidentiality of data from keyboard attacks
Media retains highest classification
Media reused (usually) within the same secure environment
Purging
Protects confidentiality of data from laboratory attacks
Media is declassified
Media reused in an insecure environment
Downgrade
A risk-managed clear or purge process
Reduces classification as required
Media reused in another (less) secure environment
Destroy
Beyond any further use or forensic data recovery
HMG IA Standard 5
How to Apply the Secure Sanitisation Process
Determine the media disposition
Reuse (same, equivalent or less security environment?)
Disposal (for use in an insecure environment or recycling?)
repair/exchange, end of lease or decommissioning
Ascertain Business Impact Level
Use Media Disposition Flowchart to determine the appropriate Secure Sanitisation Level (SSL).
Refer to IAS5 (Appendix N) to determine which sanitisation procedure to apply.
Storage Media Disposition Decision Flowchart
[Flowchart. Start, then branch on Impact Levels: 0-2 (Low Risk), 3-4 (Medium Risk), 5-6 (High Risk). Decision nodes: Being Re-used? (YES/NO); Leaving Organisational Control? (YES/NO); Downgrade? (YES/NO); Security Environment? (Same or Equivalent / Less Secure); Protective Marking Reduction? (1 level / 2 levels). Outcomes: SSL1, SSL2 or SSL3, each with CLEAR, PURGE or DESTROY. Then Validate, Document, Finish.]
Secure Sanitisation Levels (SSL)
[Table. Rows: SSL 1, 2, 3. Columns: Clear, Purge, Destroy, each split into Magnetic, SSDs, Optical.]
Entries appearing in the table:
IAS5 Appendix N
Overwrite with CC EAL 1 or CCT Mark
Overwrite with CESG Lower or CC EAL 2
Overwrite with CC EAL 2
Overwrite with CESG Higher products
Use CD Erase software
Use CD Erase software, then destroy
CBP (e.g. BS:15713)
SEAP Guidance, or CBP (e.g. BS:15713)
Degauss at CESG Lower for IL3, Higher for IL4, then/or CBP (e.g. BS:15713)
Degauss at CESG Higher Level, then destroy to SEAP 8100/8200
SEAP 8100/8200
IAS5 Downgrading
Based on IS1 in-house threat assessments.
Use “IS5 Threat Actor Capability Assessment” (next slide)
Use IS1 (Part 1 - Risk Assessment) to determine Risk Level
Decide if Risk Level allows media storing.......
IL6 data may be handled as IL3 or IL4 after sanitisation.
IL5 data may be handled as IL2 or IL3 after sanitisation.
Threat Actor Capabilities
Software recovery techniques: Keyboard attack (User/hacker)
Standard hardware based recovery techniques: Laboratory attack (Commercial data recovery)
Advanced recovery techniques: Laboratory attack (Government sponsored)
20 June 2011
IAS5 Threat Actor Capability Risk Assessment
IAS1 Capability Levels, each with Threat Actor Expertise & Potential Compromise Methods:
1: Casual or opportunistic threat actor only able to mount low level keyboard attack with freeware, OS tools or commercially available tools.
2: Commercial data recovery organisation able to mount any level of keyboard attack and limited laboratory attacks, having access to wide inventory of spare parts to recover data from failed hard drives.
3: Commercial computer forensics organisation able to mount any level of keyboard attack and a range of laboratory attacks using in-house software tools, but will only have limited resources (e.g. time) to recover the sanitised data.
4: Government sponsored threat actors able to mount sophisticated laboratory attacks using advanced techniques with unlimited time and storage capacity to reconstitute the sanitized data from working or non-working disk drives and also fragments of disk platters.
Business IL after Sanitisation
SSL 1
CLEAR: IL0 – 2 No Change
PURGE: IL0 – 2 may be handled as IL0
SSL 2
CLEAR: IL3 – 4 No Change
PURGE: IL3 – 4 may be handled as IL0
SSL 3
CLEAR: IL5 may be handled as IL4; IL6 may be handled as IL5
PURGE: IL5 may be handled as IL2 or IL3; IL6 may be handled as IL3 or IL4
(Dependent on risk assessment)
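The four-step process and the "Business IL after Sanitisation" table can be combined into one decision routine. The Python below is an added example, not part of the presentation or of IAS5; the function names and the "same"/"less" environment labels are hypothetical, and the branch logic is a simplified reading of the flowchart that omits its separate "Leaving Organisational Control?" and "Downgrade?" branches.

```python
# Added example: encodes this deck's flowchart and tables as read from the
# transcript. It is not IAS5 itself; the function names are hypothetical.

def ssl_for(bil: int) -> int:
    """Impact-level band to Secure Sanitisation Level (0-2, 3-4, 5-6)."""
    if not 0 <= bil <= 6:
        raise ValueError(f"BIL must be 0..6, got {bil}")
    return 1 if bil <= 2 else 2 if bil <= 4 else 3

def method_for(reused: bool, target_env: str = "") -> str:
    """Assumed reading of the flowchart: media not re-used is destroyed;
    re-use in the same or equivalent environment is a clear; re-use in a
    less secure environment is a purge."""
    if not reused:
        return "DESTROY"
    if target_env == "same":
        return "CLEAR"
    if target_env == "less":
        return "PURGE"
    raise ValueError("target_env must be 'same' or 'less' for re-used media")

def handling_after(bil: int, method: str) -> tuple:
    """ILs the media may be handled as afterwards ('Business IL after
    Sanitisation' table). Two values mean the choice depends on the risk
    assessment; an empty tuple means the media no longer exists."""
    ssl_for(bil)  # range check only
    if method == "DESTROY":
        return ()
    if method == "CLEAR":
        return (bil,) if bil <= 4 else (bil - 1,)
    if method == "PURGE":
        return (0,) if bil <= 4 else (bil - 3, bil - 2)
    raise ValueError(f"unknown method {method!r}")

def plan(bil: int, reused: bool, target_env: str = "") -> dict:
    """Walk the steps: disposition, BIL, SSL, resulting handling level."""
    method = method_for(reused, target_env)
    return {"ssl": ssl_for(bil), "method": method,
            "handle_as": handling_after(bil, method)}

if __name__ == "__main__":
    # Constructed sample assets, not taken from the slides.
    for name, args in [("HR laptop disk", (1, True, "same")),
                       ("card database SAN", (4, True, "less")),
                       ("strategy server", (6, True, "less")),
                       ("failed backup tape", (5, False))]:
        print(name, plan(*args))
```

The returned SSL and method are the keys into the Secure Sanitisation Levels table, which names the procedure per media type.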