I recently mentioned that NIST had released Draft Special Publication 800-88: Guidelines for Media Sanitization. This document outlines the concerns involving roles and responsibilities, data classification, and destruction of the information stored on any media. We all know that this generally includes hard drives, but when you sit down and think about it there are many other media types to consider: floppies, CD/DVD discs, DVD-RAM, MiniCD discs, tapes, thumb drives, Zip/SuperDisks, iPods and other MP3 players, external hard drives, etc. One item (of many) missing from my list is system memory. Although this has not necessarily been an issue to this point, in the June 3, 2006 episode of CyberSpeak Jesse Kornblum talked about retrieving residual process information from memory after a system has been rebooted. (Check the CyberSpeak show comments for several links to more information about this issue, posted by several of CyberSpeak's listeners.)
According to the NIST document there are three levels of sanitization for information on any of these media types.
- Clear, or cleaning - is achieved by overwriting the media so that the information on it cannot be retrieved through normal system operations or with ordinary data, disk, or file recovery utilities.
- Purge - protects the information even against a laboratory attack on the media; for magnetic media this means degaussing, and for ATA hard drives executing the drive firmware's "Secure Erase" command.
- Destroy - can be accomplished through disintegration, pulverization, melting, incineration, shredding, or sanding depending on the type of media being destroyed.
Each of these methods has its own challenges and drawbacks. Cleaning a system by overwriting the media can be very time consuming, depending on the size of the media and the number of passes the overwriting algorithm makes. Purging by degaussing renders modern hard drives unusable, because it erases the factory-written servo tracks along with the data, and it has no effect on non-magnetic media such as flash or optical discs. Destruction can be a huge and costly undertaking in resources and man-hours, and it raises environmental issues as well. However, the general recommendation of SP 800-88 is that any media leaving the control of its original owner should be destroyed to avoid any possible exposure of information.
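As an added example that is not part of the post or of SP 800-88, here is what a scripted "clear" with verification looks like in Python, run against a disk image standing in for a retired drive (the image and its random contents are constructed by the demo). It shows why overwriting is slow: every byte has to go out to the medium and come back in for the read-back check that SP 800-88 calls for. It also shows the limit of the method: an overwrite never reaches sectors the drive has remapped, a host-protected area, or flash cells hidden behind wear-leveling, which is exactly the gap the purge-level ATA Secure Erase command exists to close.

```python
import os
import tempfile
from typing import Tuple

CHUNK = 1024 * 1024  # 1 MiB writes keep memory flat however large the medium is


def clear_by_overwrite(path: str, passes: int = 1) -> int:
    """Overwrite every byte of a block device or image file with zeros and
    return the bytes written per pass. Open read-write without O_TRUNC:
    truncating a device node does nothing, and truncating an image would
    shrink it rather than overwrite the blocks that held the old data."""
    fd = os.open(path, os.O_RDWR)
    try:
        size = os.lseek(fd, 0, os.SEEK_END)
        zeros = b"\x00" * CHUNK
        for _ in range(passes):
            os.lseek(fd, 0, os.SEEK_SET)
            remaining = size
            while remaining:
                # os.write may be partial; loop on what was actually written
                remaining -= os.write(fd, zeros[:min(CHUNK, remaining)])
            os.fsync(fd)  # force the pass onto the medium, not just the page cache
    finally:
        os.close(fd)
    return size


def verify_cleared(path: str) -> bool:
    """Read the whole medium back; an overwrite nobody verified is not a clear."""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                return True
            if block.strip(b"\x00"):  # any surviving non-zero byte fails the check
                return False


def demo(size: int = 2 * CHUNK + 777) -> Tuple[bool, bool, int]:
    """Constructed stand-in for a retired drive: an image full of random bytes.
    Returns (had_data_before, verified_clean_after, bytes_written)."""
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        with open(path, "wb") as fh:
            fh.write(os.urandom(size))
        before = not verify_cleared(path)
        written = clear_by_overwrite(path)
        return before, verify_cleared(path), written
    finally:
        os.unlink(path)
```

Point `clear_by_overwrite` at `/dev/sdX` (as root) instead of an image and the same code clears a real drive; the odd-sized image in `demo` is there to prove the last partial chunk is handled. Keep the return value of `verify_cleared` with the sanitization record, since the verification is what distinguishes a clear from a hopeful `dd`.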
Let's face reality: destroying media is a relatively expensive proposition, especially when the media could be reused by other departments within the organization. We all know what really happens. When a person or department needs a new system for more processing or storage capacity, their old system is handed down to replace an older one in a different department; that older system is handed down again in the same fashion or it is retired. In these cases "cleaning" the media is generally the course taken. Common sense still applies when redistributing a system. It is probably not advisable to let a hard drive or other media from a business or finance department rotate to a department that does not follow the same media protection procedures. Keep in mind, too, that end-user activity can raise the sensitivity of the stored information well above what the department's function suggests, whether through casual personal use or outright inappropriate behavior such as was seen in the recent disclosure of Department of Veterans Affairs information.
One way to gauge the sensitivity of a piece of media is to scan it with a tool that searches its stored files and flags those containing potentially sensitive information. A tool I have recently been exposed to is Spider, which is maintained and distributed by Cornell University's IT Security Department. It has versions for Linux and Windows. It searches a mounted file system for specific patterns, including Social Security numbers (SSN), credit card numbers, and any regular expression the user defines. The results are written to a text or comma-delimited file for easy review. Reviewing the results is necessary because a pattern match alone is not proof: to a regular expression, any nine-digit number looks like an SSN.
In an attempt to familiarize myself with this tool's functionality, I created several files, each containing a bogus SSN, in several different formats:
- txt - text file
- doc - Microsoft Word document
- xls - Microsoft Excel document
- ppt - Microsoft PowerPoint document
- odt - Open Office Writer document
- ods - Open Office Calc document
For each of these formats I created two files: one containing an SSN separated by dashes (123-45-6789) and one without dashes (123456789). All of the files sat in a folder on the Desktop of a Windows XP system. After a full system scan was completed, the results identified the txt, doc, ppt, and xls files that contained the dashed SSN. Only one document with the undashed SSN was flagged, and that was the Microsoft Word document. None of the Open Office documents were flagged as containing an SSN. That is less surprising once you remember that OpenDocument files are zip archives of XML: the digits never appear uncompressed on disk, so a scanner that does not unpack the container cannot see them. (The missed undashed xls file is likely a similar storage issue, since Excel keeps a typed nine-digit value as a binary number rather than as a string of digits.) Additionally, six other files were flagged as containing an SSN, but these were easily discounted as false positives. We can conclude from these results that this is not a foolproof solution, but it is definitely a step in the right direction.
In conclusion, storage media must be properly maintained and disposed of once it reaches the end of its life cycle. Identify media containing sensitive information by tracking how, and by whom, it has been used and by using software designed to find files containing sensitive information. At a minimum, "clean" any media that is going to be redistributed within your organization and "destroy" anything that is going to leave your control.
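To make concrete what a Spider-style scan does, and why the Open Office files above were missed, here is an added example scanner written for this post. It is not Spider's code; its patterns, plausibility filters and sample files (all with bogus numbers) were constructed for this example. It goes a step beyond what the scan above was observed to do: it unpacks zip-based document containers (OpenDocument, and the same trick works for OOXML) before matching, so the undashed SSN inside a constructed .odt is found, and it applies an SSA issuance check to SSN candidates and a Luhn check to card candidates to discard the obvious false positives that a bare regular expression reports.

```python
import io
import os
import re
import shutil
import tempfile
import zipfile
from typing import Dict, List, Tuple

# Patterns are this example's own, not Spider's. re.ASCII pins \d to 0-9 so a
# UTF-16 view of a binary file cannot match on exotic Unicode digits.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-?(\d{2})-?(\d{4})(?!\d)", re.ASCII)  # 3-2-4, dashes optional
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)", re.ASCII)       # 13-19 digits, spaced or dashed

def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA never issues area 000, 666 or 9xx, group 00, or serial 0000."""
    return not (area in ("000", "666") or area[0] == "9"
                or group == "00" or serial == "0000")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; real card numbers pass, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_hits(text: str) -> List[Tuple[str, str]]:
    hits = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            hits.append(("ssn", m.group(0)))
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            hits.append(("card", m.group(0)))
    return hits

def extract_text(path: str) -> str:
    """Return a searchable string. ODF and OOXML documents are zip archives of XML,
    so their digits are compressed on disk; unpack the members or you never see them."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data[:4] == b"PK\x03\x04":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "\n".join(zf.read(n).decode("utf-8", "replace")
                             for n in zf.namelist() if n.endswith(".xml"))
    text = data.decode("latin-1")        # 8-bit view: text files, legacy .doc strings
    if b"\x00" in data:                  # binary Office files also carry UTF-16 strings
        text += "\n" + data.decode("utf-16-le", "replace")
    return text

def scan_tree(root: str) -> Dict[str, List[Tuple[str, str]]]:
    """Walk a mounted file system; map relative path -> hits, omitting clean files."""
    found: Dict[str, List[Tuple[str, str]]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                hits = find_hits(extract_text(path))
            except (OSError, zipfile.BadZipFile):
                continue
            if hits:
                found[os.path.relpath(path, root)] = hits
    return found

def build_samples(root: str) -> None:
    """Constructed files mirroring the post's test set; every number is bogus."""
    samples = {
        "dashed.txt": "Employee SSN 123-45-6789 on file\n",
        "plain.txt": "Employee SSN 123456789 on file\n",
        "card.txt": "test card 4111 1111 1111 1111 expires never\n",
        # three regex-shaped numbers, none of which survive the filters
        "noise.txt": "order 987654321, ticket 000-12-3456, ref 1234567890123456\n",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    # Minimal OpenDocument-style container: the digits live only inside content.xml.
    with zipfile.ZipFile(os.path.join(root, "memo.odt"), "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", "<office:document-content><text:p>SSN 123456789"
                                   "</text:p></office:document-content>")

def demo() -> Dict[str, List[Tuple[str, str]]]:
    """Build the sample tree in a temp dir, scan it, clean up, return the hits."""
    root = tempfile.mkdtemp(prefix="spider-demo-")
    try:
        build_samples(root)
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

Calling `demo()` returns hits for `dashed.txt`, `plain.txt`, `card.txt` and `memo.odt`, and nothing for `noise.txt`, whose 9xx-area number, 000-area number and Luhn-failing 16-digit run are the kind of false positives the post had to discount by hand. The 8-bit and UTF-16 views of legacy binary Office files are a best effort; a production scanner would parse those formats properly rather than grep their bytes.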
Go forth and do good things,
Cutaway
NIST, CyberSpeak, Spider, Cornell, security, Security Ripcord, Jesse Kornblum 