Document 7385537

Sanitization of Electronic Media
SBU Security Awareness
January 27, 2005
OCIO/IS
What is Sanitization?
Which answer best describes sanitization?
A. Santa Claus taking over the world.
B. What you experience traveling along
the Santa Fe Trail in New Mexico.
C. The sand you get on your feet after
a walk on the beach.
D. Clearing data from computer drives.
What Sanitization is:
The correct answer is “D”:
D. Clearing data from computer drives.
What is SBU Information?
Which acronym best describes SBU information?
A. A brochure of South Boston University.
B. Smart But Useless nonsense.
C. Sensitive But Unclassified data.
D. School Basketball Uniforms.
What SBU Information is:
The correct answer is “C”:
C. Sensitive But Unclassified data.
Information Classifications
Classified versus Unclassified Information
Classified: Top Secret/Secret/Confidential
- Rarely handled within GSA
- e.g. DOD or DHS National Defense Information
- A totally separate handling process
- Will not be addressed at this time
Unclassified: Sensitive But Unclassified (SBU)
Information:
- Used daily by most GSA associates
- In numerous forms and media
- The focus of our discussion
Classified Information Policies
For handling of Classified Information, the following references are available:
Executive Order 12958,
Classified National Security
Information as Amended
GSA Handbook, Classified
National Security Information,
ADM P 1025.2D, October 3, 1996
(Expires: 10/3/06)
Types of SBU Information
Types of SBU (Unclassified) Information:
- Financial Information
- Privacy (Personnel) Information
- Contractual Information
- Building (Floor and Space) Plans
- Physical Security
- IT Security (Technical)
- Proprietary Information
- Other information not releasable under the Freedom of Information Act.
Electronic Media: Then and Now
[Slide images: 1974, a printed report; 2004, a Blackberry]
The Challenge: Information Technology (IT)
* Biggest headaches to the Federal Government
- Spread of desktop technologies
- Protection of the information handled, processed,
and distributed
- Classified versus unclassified information.
* Unclassified sensitive information least controlled in
the realm of most everyday government operations.
“VA toughens security after PC
disposal blunders”
By Judi Hasson,
Federal Computer Week, August 29, 2002
CASE:
August 2002, VA Medical Center, Indianapolis Indiana,
retired 139 desktop computers.
- Some were donated to schools
- Others were sold on the open market
- 3 ended up in a thrift shop where a journalist
purchased them.
OMISSION:
The VA neglected to sanitize the computer's hard drives
(remove the drives' confidential information).
RESULTS:
Many of the computers were later found to contain
sensitive medical information, including:
- Names of veterans with AIDS and mental health
problems.
- 44 credit card numbers used by that facility.
SBU Information Laws
For handling of SBU Information, the following references are available:
Privacy Act of 1974 (Public Law 93-579)
Federal Information Security Management Act (FISMA) of
2002.
Office of Management and Budget (OMB) Circular A-130,
Management of Federal Information Resources, and
Appendix III, Security of Federal Automated Information
Systems as Amended.
Homeland Security Presidential Directive (HSPD-7), Critical
Infrastructure Identification, Prioritization, and Protection,
December 17, 2003.
SBU Information Policies
For handling of SBU Information, the following GSA orders are available:
GSA Order CIO P 2100.1B, GSA Information Technology (IT)
Security, November 4, 2004
GSA Order PBS 3490.1, Document security for sensitive but
unclassified paper and electronic building information,
March 8, 2002
Definition: Sanitization of Electronic Media
SOURCE:
NIST Special Publication 800-18, Guide for Developing Security
Plans for Information Technology Systems, December 1998
4.4 Planning for Security in the Life Cycle
4.4.5 Disposal Phase
Media Sanitization:
The removal of information from a storage medium (such as a hard disk or tape) is called sanitization. Different kinds of sanitization provide different levels of protection. A distinction can be made between clearing information (rendering it unrecoverable by keyboard attack) and purging (rendering information unrecoverable against laboratory attack). There are three general methods of purging media: overwriting, degaussing (for magnetic media only), and destruction.
Sanitization Procedures of Electronic Media
Basically the following procedures are best practices:
a. Hard Drives – Triple over-write or degauss
b. Tapes – Degauss
c. Compact Disks – Incinerate or
chemical destruction
d. Paper - Shred
e. Floppy diskettes – degauss, overwrite, or the
removed internal plastic mylar surface can
be shredded
Bottom line: Anything containing a microchip or
plastic Mylar recording surface (iron oxide layers)
can contain SBU information.
GSA IT Security Policy
GSA Information Technology (IT) Security Policy
GSA Order CIO HB 2100.1B
26. Data Classification. The Data Owner shall identify the level of
protection required for a particular system commensurate with the
need for confidentiality, integrity, availability, and accountability of the
data processed by the system.
Sensitivity Levels. Sensitive data is data that is protected from
unauthorized disclosure (confidentiality) or modification (integrity)
because of the damage that could result to the Government or
individuals as a result of such disclosure or modification. The
sensitivity of the data input, stored, and processed by the system
dictates the level of protection. Protection criteria for specific
classifications of information are mandated by public laws. Penalties
under section (g) of the Privacy Act for negligence of entrusted data
could result in criminal liability for employees and cause significant
embarrassment to GSA if information to be protected were
compromised, corrupted, or unavailable.
GSA IT Security Policy
GSA Information Technology (IT) Security Policy
GSA Order CIO HB 2100.1B
Sanitization of Electronic Media
CHAPTER 1.
THE GSA INFORMATION TECHNOLOGY SECURITY PROGRAM
39. Sanitization of Electronic Media.
Sensitive but unclassified data shall be removed
from equipment and electronic and optical storage
media, using methods approved by the Data Owner or
DAA, before disposal or transfer outside of GSA.
PBS Building Information Policy
Document security for sensitive but unclassified
paper and electronic building information,
GSA Order PBS 3490.1, March 8, 2002
1. Purpose. This order sets forth the PBS's policy on the
dissemination of sensitive but unclassified (SBU) paper and
electronic building information of GSA's controlled space,
including owned, leased, or delegated Federal facilities.
This document includes direction:
Reasonable care for dissemination of sensitive but unclassified
(SBU) building information,
Limiting dissemination to authorized users,
Record keeping,
Retaining and destroying documents,
Electronic transfer and dissemination,
Defining the appropriate level of security,
Handling of Freedom of Information (FOIA) requests,
Handling proprietary information owned by Architect/Engineers.
Electronic Media Affected:
What Hardware is affected:
- Desktop/Hard Drives
- Laptops/Hard Drives
- Server/Hard Drives
- PDAs and Integrated Devices
- Cell/Camera Phones
- Miniature Recording Devices
- Cameras/Removable Flash/Media Memory Cards
- Peripherals: Printers/Scanners
- Backup Storage Devices
Backup Storage Devices include:
- Compact disks (CDs)
- Floppy diskettes and zip tapes
- Removable hard and zip drives
- Flash/Thumb/Pen drives
Note: Disposal of paper copies cannot be ignored.
Sanitization Techniques
SOURCE:
GSA Standards of Good Practices
Sanitization of Sensitive But Unclassified (SBU)
Data from Magnetic Storage Media
3. Sanitization Techniques: overwriting, degaussing, and destruction.
Overwriting
Overwriting is an effective method for clearing data from hard magnetic media (hard drives and disks, but not
floppy disks or tape). As the name implies, overwriting uses a program to write (1s, 0s, or a combination)
onto the media. Common practice is to overwrite the media three times in alternating fashion
"1010101010 ..." then "0101010101 ...." However, it is not uncommon to see overwrites of media up to
eight times depending on the sensitivity level of the information. Overwriting should not be confused with
merely deleting the pointer to a file (which typically happens when a delete command is used).
Overwriting requires that the media be in working order (ideally, a bad block map is made prior to sensitive
data being introduced on the media and another map made after the overwrites). If bad blocks develop
after the initial mapping which are not corrected during the “overwrite,” then the “overwrite” is
considered to have "failed" at least insofar as the data potentially resident in the bad block. Similarly if an
initial bad block map was not made and bad blocks exist after the “overwrite,” we have to assume that
sensitive data could potentially be on one of the bad blocks. At the point it's a risk decision whether you
accept the “overwrite” or move on to degaussing or physical destruction of the media.
Degaussing
Degaussing is a method to magnetically erase data from magnetic media. Two types of degausser exist: strong
permanent magnets and electric degaussers. Degaussers come in a variety of strengths, and are generally
categorized as Type I (weakest magnetic field) to Type III (strongest magnetic field). Type I degaussers are
not particularly useful given the proliferation of high density media -- they're just not strong enough. Type
II's are generally used for floppy disks, but are generally not strong enough for the high density hard disks
which typically require the Type III degaussers.
Destruction
The final method of sanitization is destruction of the media by shredding, burning, sanding, or chemical
decomposition. For hard disks, typically that means sanding to physically remove the top coated layers of
the hard disk. Floppy disks and tape can sometimes be shredded. Burning and chemical decomposition
generally pose some environmental hazards, and should be avoided if possible.
Erasing and Recovery Levels
There are Levels 1 through 5. Which level do I use?
All levels erase the disk completely. The only difference is how difficult it
would be for someone to recover data from the disk using sophisticated
recovery tools (including scanning tunneling electron microscopes).
Level 1 is the fastest, level 5 is the slowest. Level 5 is the most secure,
level 1 is the least secure. I personally couldn't recover anything from a
disk that had been cleaned with level 1, but someone with the knowhow and a few thousand dollars could. I'm not guaranteeing anything,
but I doubt the NSA could recover anything from a disk that had been
cleaned with level 5. Level 3 meets most corporate and nonclassified
government erasure specifications. Here's what each level does:
1 - A single pass of all zero.
2 - One pass of random data followed by one pass of all zero.
3 - Three passes: all zero, all one, all zero.
4 - Ten passes, some of which are random, followed by one of
zero.
5 – 25 passes, three of which are random.
Sanitization Tools
SOURCE:
Below are just a few of the sanitization tools available:
Darik’s Boot and Nuke (“DBAN”)
WhiteCanyon WipeDrive.
New Technologies M-Sweep.
Paragon Disk Wiper.
DTI Data Disk Wipe.
Acronis Drive Cleanser.
East-Tec Disk Sanitizer.
LSoft Active@ KillDisk.
CyberScrub CyberCide.
Think System Mechanic 4 Pro/DriveScrubber Pro
Note: most meet the DoD 5220.22-M standard for sanitizing drives: "Non-Removable Rigid Disks" or hard drives must be sanitized for reuse by overwriting all addressable locations with a character, its complement, then a random character, and verify.
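The overwrite procedure described above (fixed passes, a verify pass, and the bad-block risk decision), the level 1 to 3 pass schedules from the erasing-levels list, and the character/complement/random/verify sequence of the DoD note all reduce to the same loop. The following simulator, added here and not code from the GSA slides or from any of the tools listed, runs that loop against an in-memory fake medium so the bad-block rule can be seen in action. The 512-byte block size, the byte values chosen for the DoD character and complement passes, and all names are assumptions; levels 4 and 5 are left out because the slide does not give their exact pass patterns.

```python
"""Simulated overwrite sanitization with verification and bad-block check.

Added example, not code from the GSA slides or any tool they list.  Runs
against an in-memory fake medium; block size, DoD pass byte values and all
names are assumptions."""
import os
import secrets

BLOCK_SIZE = 512  # assumed sector size of the simulated medium

# Pass schedules.  "level1".."level3" follow the slide's level list; "dod"
# follows the DoD 5220.22-M summary on the slide: a character, its
# complement, a random character, then verify.
SCHEDULES = {
    "level1": [b"\x00"],
    "level2": ["random", b"\x00"],
    "level3": [b"\x00", b"\xff", b"\x00"],
    "dod": [b"\x55", b"\xaa", "random"],
}


class Medium:
    """Fake block device: a bytearray of "sensitive" content plus a set of
    block indexes that fail on write, modelling bad blocks that developed
    after the medium went into service (constructed for the demo)."""

    def __init__(self, blocks, bad=()):
        self.blocks = blocks
        self.data = bytearray(os.urandom(blocks * BLOCK_SIZE))
        self.bad = set(bad)

    def write_block(self, i, payload):
        if i in self.bad:
            raise IOError(f"write error on block {i}")
        self.data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE] = payload

    def read_block(self, i):
        return bytes(self.data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE])

    def bad_block_map(self):
        """What a surface scan would report right now."""
        return frozenset(self.bad)


def sanitize(medium, schedule_name, map_before):
    """Overwrite every block with each pass of the schedule, verify the final
    pass, and apply the slide's bad-block rule: a block that is bad after the
    overwrite but was not in the map made before sensitive data was stored
    may still hold that data, so the overwrite cannot be accepted for it."""
    schedule = SCHEDULES[schedule_name]
    failed = set()
    last = None
    for pattern in schedule:
        byte = secrets.token_bytes(1) if pattern == "random" else pattern
        last = byte * BLOCK_SIZE
        for i in range(medium.blocks):
            try:
                medium.write_block(i, last)
            except IOError:
                failed.add(i)
    # Verify: read back every writable block and compare with the last pass.
    verified = all(
        medium.read_block(i) == last
        for i in range(medium.blocks) if i not in failed
    )
    suspect = sorted(medium.bad_block_map() - frozenset(map_before))
    accepted = verified and not suspect
    return {
        "passes": len(schedule),
        "verified": verified,
        "suspect_blocks": suspect,
        "outcome": "overwrite accepted" if accepted
                   else "escalate: degauss or destroy the medium",
    }


if __name__ == "__main__":
    healthy = Medium(blocks=64)
    print(sanitize(healthy, "level3", map_before=frozenset()))
    # Block 9 went bad after the pre-use map was taken: not acceptable.
    worn = Medium(blocks=64, bad={9})
    print(sanitize(worn, "dod", map_before=frozenset()))
```

The point of `map_before` is the one the slide makes: a bad block that was already mapped before the medium held SBU data never received that data, so it does not block acceptance; a bad block that appeared afterwards does, and the decision becomes degaussing or destruction rather than accepting the overwrite.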
Security Risk: Ambient Data
Bottom line: deleting a file or reformatting a hard disk provides essentially no level of security. Ambient data is a forensic term describing, in general terms, the data left behind in non-traditional computer storage areas and formats:
- Windows Swap/Page File
These are "scratch pad" files used to write data when additional random access memory is needed (100MB to over 1GB). They contain remnants of any work that may have occurred.
- Unallocated File Space
When files are erased or deleted the file is not actually erased. Data from the
'erased file' remains behind in an area called unallocated storage space.
- File Slack
Files are stored in fixed length blocks of data called clusters. Rarely do file sizes
exactly match the size of one or multiple clusters perfectly. The extra data
storage space that is assigned to a file is called "file slack". File slack contains
padded data from memory and remains undeleted.
- Shadow Data
Shadow data contains the remnants of computer data that was written previously to
a track and it is located slightly outside the track's last write path.
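Two of the four ambient-data areas above, unallocated file space and file slack, can be reproduced in a few dozen lines. The toy cluster-allocated file store below is an added example, not code from the slides or from any tool they name: it shows that deleting a file leaves its clusters readable as unallocated space, that a smaller file written into a reused cluster carries the old file's bytes in its slack, and what a file-level wiper has to overwrite to remove both. The 16-byte cluster, 8-cluster disk, file names and the patient-record string are constructed for the demo; swap files and shadow data are not modelled.

```python
"""Toy cluster-allocated file store showing unallocated space and file slack.

Added example, not from the slides or from any tool they name.  Cluster
size, disk size, file names and the record contents are constructed."""
CLUSTER = 16        # assumed cluster size, tiny so the effect is visible
NUM_CLUSTERS = 8


def clusters_for(size):
    """Number of clusters a file of `size` bytes occupies (rounded up)."""
    return -(-size // CLUSTER)


class ToyFS:
    def __init__(self):
        self.disk = bytearray(CLUSTER * NUM_CLUSTERS)
        self.directory = {}       # name -> (first cluster, size in bytes)
        self.allocated = set()    # cluster indexes currently owned by a file

    def _first_fit(self, n):
        for start in range(NUM_CLUSTERS - n + 1):
            if not any(c in self.allocated for c in range(start, start + n)):
                return start
        raise OSError("disk full")

    def write(self, name, data):
        n = clusters_for(len(data))
        start = self._first_fit(n)
        # Only len(data) bytes are written; the tail of the last cluster keeps
        # whatever was there before.  That tail is the file slack.
        self.disk[start * CLUSTER:start * CLUSTER + len(data)] = data
        self.allocated.update(range(start, start + n))
        self.directory[name] = (start, len(data))

    def delete(self, name):
        # "Delete" only drops the directory entry; no byte on disk changes.
        start, size = self.directory.pop(name)
        self.allocated.difference_update(range(start, start + clusters_for(size)))

    def _slack_range(self, name):
        start, size = self.directory[name]
        end = start * CLUSTER + size
        return end, (start + clusters_for(size)) * CLUSTER

    def file_slack(self, name):
        lo, hi = self._slack_range(name)
        return bytes(self.disk[lo:hi])

    def unallocated(self):
        return b"".join(bytes(self.disk[c * CLUSTER:(c + 1) * CLUSTER])
                        for c in range(NUM_CLUSTERS) if c not in self.allocated)

    # The two steps a file-level wiper performs on top of deleting:
    # overwrite every free cluster and overwrite each file's slack.
    def wipe_unallocated(self, pattern=b"\x00"):
        for c in range(NUM_CLUSTERS):
            if c not in self.allocated:
                self.disk[c * CLUSTER:(c + 1) * CLUSTER] = pattern * CLUSTER

    def wipe_slack(self, name, pattern=b"\x00"):
        lo, hi = self._slack_range(name)
        self.disk[lo:hi] = pattern * (hi - lo)


def demo():
    """Returns (record readable after delete?, slack of the new file,
    unallocated space after wiping, slack after wiping)."""
    fs = ToyFS()
    record = b"PATIENT RECORD: SSN 000-00-0000 (constructed)"  # 45 bytes, 3 clusters
    fs.write("veterans.txt", record)
    fs.delete("veterans.txt")
    leaked = b"SSN 000-00-0000" in fs.unallocated()
    fs.write("memo.txt", b"hello")            # reuses cluster 0, 5 bytes
    slack_before = fs.file_slack("memo.txt")  # 11 bytes of the old record
    fs.wipe_unallocated()
    fs.wipe_slack("memo.txt")
    return leaked, slack_before, fs.unallocated(), fs.file_slack("memo.txt")


if __name__ == "__main__":
    print(demo())
```

Wiping free clusters alone is not enough: after `wipe_unallocated()` the slack of `memo.txt` still holds part of the deleted record, which is why the tools listed on the slides (Eraser, SecureClean) treat slack space as a separate target.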
Contacts
GSA CHIEF INFORMATION OFFICER WEBSITE
IT Security Points of Contact
- GSA ISSM/ISSO Contact List 10/15/2004
http://insite.gsa.gov/_cio/
- OCIO Security Division (email)
([email protected])
Free and Commercially Available Sanitization Tools
PROGRAM | COST | PLATFORM | COMMENTS
AutoClave (http://staff.washington.edu/jdlarios/autoclave) | Free | Self-booting PC disk | Writes just zeroes, DoD specs, or the Gutmann patterns. Very convenient and easy to use. Erases the entire disk including all slack and swap space.
CyberScrub (www.cyberscrub.com) | $39.95 | Windows | Erases files, folders, cookies, or an entire drive. Implements Gutmann patterns.
DataScrubber (www.datadev.com/ds100.html) | $1,695 | Windows, Unix | Handles SCSI remapping and swap area. Claims to be developed in collaboration with the US Air Force Information Warfare Center.
DataGone (www.powerquest.com) | $90 | Windows | Erases data from hard disks and removable media. Supports multiple overwriting patterns.
Eraser (www.heidi.ie/eraser) | Free | Windows | Erases directory metadata. Sanitizes Windows swap file when run from DOS. Sanitizes slack space by creating huge temporary files.
OnTrack DataEraser (www.ontrack.com/dataeraser) | $30-$500 | Self-booting PC disk | Erases partitions, directories, boot records, and so on. Includes DoD specs in professional version only.
SecureClean (www.lat.com) | $49.95 | Windows | Securely erases individual files, temporary files, slack space, and so on.
Unishred Pro (www.accessdata.com) | $450 | Unix and PC hardware | Understands some vendor-specific commands used for bad-block management on SCSI drives. Optionally verifies writes. Implements all relevant DoD standards and allows custom patterns.
Wipe (http://wipe.sourceforge.net) | Free | Linux | Uses Gutmann's erase patterns. Erases single files and accompanying metadata or entire disks.
WipeDrive (www.accessdata.com) | $39.95 | Bootable PC disk | Securely erases IDE and SCSI drives.
Wiperaser XP (www.liveye.com/wiperaser) | $24.95 | Windows | Erases cookies, history, cache, temporary files, and so on. Graphical user interface.
Other References
Office of Management and Budget Circular A-130, “Management of Federal Information Resources”,
Appendix III, “Security of Federal Automated Information Resources.”
Establishes a minimum set of controls to be included in Federal IT security programs.
Computer Security Act of 1987.
This statute set the stage for protecting systems by codifying the requirement for Government-wide IT
security planning and training.
Paperwork Reduction Act of 1995.
The PRA established a comprehensive information resources management framework including security
and subsumed the security responsibilities of the Computer Security Act of 1987.
Clinger-Cohen Act of 1996.
This Act linked security to agency capital planning and budget processes, established agency Chief
Information Officers, and re-codified the Computer Security Act of 1987.
Presidential Decision Directive 63, “Protecting America’s Critical Infrastructures.”
This directive specifies agency responsibilities for protecting the nation’s infrastructure, assessing
vulnerabilities of public and private sectors, and eliminating vulnerabilities.
Presidential Decision Directive 67, “Enduring Constitutional Government and Continuity of Government.”
Relates to ensuring constitutional government, continuity of operations (COOP) planning, and continuity of government (COG) operations.
OMB Memorandum 99-05, Instructions on Complying with President's Memorandum of May 14, 1998,
“Privacy and Personal Information in Federal Records.”
This memorandum provides instructions to agencies on how to comply with the President's Memorandum of
May 14, 1998 on "Privacy and Personal Information in Federal Records."
OMB Memorandum 99-18, “Privacy Policies on Federal Web Sites.”
This memorandum directs Departments and Agencies to post clear privacy policies on World Wide Web
sites, and provides guidance for doing so.
OMB Memorandum 00-13, “Privacy Policies and Data Collection on Federal Web Sites.”
The purpose of this memorandum is a reminder that each agency is required by law and policy to establish
clear privacy policies for its web activities and to comply with those policies.
General Accounting Office “Federal Information System Control Audit Manual” (FISCAM).
The FISCAM methodology provides guidance to auditors in evaluating internal controls over the
confidentiality, integrity, and availability of data maintained in computer-based information systems.
NIST Special Publication 800-14, “Generally Accepted Principles and Practices for Securing Information Technology Systems.”
This publication guides organizations on the types of controls, objectives, and procedures that comprise an
effective security program.
NIST Special Publication 800-18, “Guide for Developing Security Plans for Information Technology
Systems.”
This publication details the specific controls that should be documented in a system security plan.