Title: Sanitization of Electronic Media
1. Sanitization of Electronic Media
SBU Security Awareness
January 27, 2005
OCIO/IS
2. What is Sanitization?
Which answer best describes sanitization?
A. Santa Claus taking over the world.
B. What you experience traveling along the Santa Fe Trail in New Mexico.
C. The sand you get on your feet after a walk on the beach.
D. Clearing data from computer drives.
3. What Sanitization is
The correct answer is D
D. Clearing data from computer drives.
4. What is SBU Information?
Which acronym best describes SBU information?
A. A brochure of South Boston University.
B. Smart But Useless nonsense.
C. Sensitive But Unclassified data.
D. School Basketball Uniforms.
5. What SBU Information is
The correct answer is C
C. Sensitive But Unclassified data.
6. Information Classifications
Classified versus Unclassified Information
Classified: Top Secret/Secret/Confidential
- Rarely handled within GSA
- e.g. DOD or DHS National Defense Information
- A totally separate handling process
- Will not be addressed at this time
Unclassified: Sensitive But Unclassified (SBU) Information
- Used daily by most GSA associates
- In numerous forms and media
- The focus of our discussion
7. Classified Information Policies
For handling of Classified Information, the following references are available:
- Executive Order 12958, Classified National Security Information, as Amended
- GSA Handbook, Classified National Security Information, ADM P 1025.2D, October 3, 1996 (Expires 10/3/06)
8. Types of SBU Information
Types of SBU (Unclassified) Information
- Financial Information
- Privacy (Personnel) Information
- Contractual Information
- Building (Floor and Space) Plans
- Physical Security
- IT Security (Technical)
- Proprietary Information
- Other information not releasable under the Freedom of Information Act.
9. Electronic Media: Then and Now
1974: Report
2004: Blackberry
10. The Challenge: Information Technology (IT)
Biggest headaches to the Federal Government:
- Spread of desktop technologies
- Protection of the information handled, processed, and distributed
- Classified versus unclassified information.
Unclassified sensitive information is the least controlled in the realm of most everyday government operations.
11. VA toughens security after PC disposal blunders
By Judi Hasson, Federal Computer Week, August 29, 2002
CASE: August 2002, VA Medical Center, Indianapolis, Indiana, retired 139 desktop computers.
- Some were donated to schools
- Others were sold on the open market
- 3 ended up in a thrift shop where a journalist purchased them.
OMISSION: The VA neglected to sanitize the computers' hard drives (remove the drives' confidential information).
RESULTS: Many of the computers were later found to contain sensitive medical information, including:
- Names of veterans with AIDS and mental health problems.
- 44 credit card numbers used by that facility.
12. SBU Information Laws
For handling of SBU Information, the following references are available:
- Privacy Act of 1874 (Public Law 93-579)
- Federal Information Security Management Act (FISMA) of 2002.
- Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, and Appendix III, Security of Federal Automated Information Systems, as Amended.
- Homeland Security Presidential Directive (HSPD-7), Critical Infrastructure Identification, Prioritization, and Protection, December 17, 2003.
13. SBU Information Policies
For handling of SBU Information, the following GSA orders are available:
- GSA Order CIO P 2100.1B, GSA Information Technology (IT) Security, November 4, 2004
- GSA Order PBS 3490.1, Document security for sensitive but unclassified paper and electronic building information, March 8, 2002
14. Definition: Sanitization of Electronic Media
SOURCE: NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems, December 1998
4.4 Planning for Security in the Life Cycle
4.4.5 Disposal Phase
Media Sanitization: The removal of information from a storage medium (such as a hard disk or tape) is called sanitization. Different kinds of sanitization provide different levels of protection. A distinction can be made between clearing information (rendering it unrecoverable by keyboard attack) and purging (rendering information unrecoverable against laboratory attack). There are three general methods of purging media: overwriting, degaussing (for magnetic media only), and destruction.
15. Sanitization Procedures of Electronic Media
Basically, the following procedures are best practices:
a. Hard Drives - Triple over-write or degauss
b. Tapes - Degauss
c. Compact Disks - Incinerate or chemical destruction
d. Paper - Shred
e. Floppy diskettes - Degauss, overwrite, or the removed internal plastic mylar surface can be shredded
Bottom line: Anything containing a microchip or plastic Mylar recording surface (iron oxide layers) can contain SBU information.
16. GSA IT Security Policy
GSA Information Technology (IT) Security Policy, GSA Order CIO HB 2100.1B
26. Data Classification. The Data Owner shall identify the level of protection required for a particular system commensurate with the need for confidentiality, integrity, availability, and accountability of the data processed by the system.
Sensitivity Levels. Sensitive data is data that is protected from unauthorized disclosure (confidentiality) or modification (integrity) because of the damage that could result to the Government or individuals as a result of such disclosure or modification. The sensitivity of the data input, stored, and processed by the system dictates the level of protection. Protection criteria for specific classifications of information are mandated by public laws. Penalties under section (g) of the Privacy Act for negligence of entrusted data could result in criminal liability for employees and cause significant embarrassment to GSA if information to be protected were compromised, corrupted, or unavailable.
17. GSA IT Security Policy
GSA Information Technology (IT) Security Policy, GSA Order CIO HB 2100.1B: Sanitization of Electronic Media
CHAPTER 1. THE GSA INFORMATION TECHNOLOGY SECURITY PROGRAM
39. Sanitization of Electronic Media. Sensitive but unclassified data shall be removed from equipment and electronic and optical storage media, using methods approved by the Data Owner or DAA, before disposal or transfer outside of GSA.
19. PBS Building Information Policy
Document security for sensitive but unclassified paper and electronic building information, GSA Order PBS 3490.1, March 8, 2002
1. Purpose. This order sets forth the PBS's policy on the dissemination of sensitive but unclassified (SBU) paper and electronic building information of GSA's controlled space, including owned, leased, or delegated Federal facilities. This document includes direction on:
- Reasonable care for dissemination of sensitive but unclassified (SBU) building information,
- Limiting dissemination to authorized users,
- Record keeping,
- Retaining and destroying documents,
- Electronic transfer and dissemination,
- Defining the appropriate level of security,
- Handling of Freedom of Information (FOIA) requests,
- Handling proprietary information owned by Architect/Engineers.
20. Electronic Media Affected
What hardware is affected:
- Desktop/Hard Drives
- Laptops/Hard Drives
- Server/Hard Drives
- PDAs and Integrated Devices
- Cell/Camera Phones
- Miniature Recording Devices
- Cameras/Removable Flash/Media Memory Cards
- Peripherals: Printers/Scanners
- Backup Storage Devices
Backup Storage Devices include:
- Compact disks (CDs)
- Floppy diskettes and zip tapes
- Removable hard and zip drives
- Flash/Thumb/Pen drives
Note: Disposal of paper copies cannot be ignored
21. Sanitization Techniques
SOURCE: GSA Standards of Good Practices, Sanitization of Sensitive But Unclassified (SBU) Data from Magnetic Storage Media
3. Sanitization Techniques: overwriting, degaussing, and destruction.
Overwriting: Overwriting is an effective method for clearing data from hard magnetic media (hard drives and disks, but not floppy disks or tape). As the name implies, overwriting uses a program to write (1s, 0s, or a combination) onto the media. Common practice is to overwrite the media three times in alternating fashion: "1010101010 ..." then "0101010101 ...." However, it is not uncommon to see overwrites of media up to eight times depending on the sensitivity level of the information. Overwriting should not be confused with merely deleting the pointer to a file (which typically happens when a delete command is used).
Overwriting requires that the media be in working order (ideally, a bad block map is made prior to sensitive data being introduced on the media and another map made after the overwrites). If bad blocks develop after the initial mapping which are not corrected during the overwrite, then the overwrite is considered to have "failed" at least insofar as the data potentially resident in the bad block. Similarly, if an initial bad block map was not made and bad blocks exist after the overwrite, we have to assume that sensitive data could potentially be on one of the bad blocks. At that point it's a risk decision whether you accept the overwrite or move on to degaussing or physical destruction of the media.
Degaussing: Degaussing is a method to magnetically erase data from magnetic media. Two types of degausser exist: strong permanent magnets and electric degaussers. Degaussers come in a variety of strengths, and are generally categorized as Type I (weakest magnetic field) to Type III (strongest magnetic field). Type I degaussers are not particularly useful given the proliferation of high density media -- they're just not strong enough. Type II's are generally used for floppy disks, but are generally not strong enough for the high density hard disks which typically require the Type III degaussers.
Destruction: The final method of sanitization is destruction of the media by shredding, burning, sanding, or chemical decomposition. For hard disks, typically that means sanding to physically remove the top coated layers of the hard disk. Floppy disks and tape can sometimes be shredded. Burning and chemical decomposition generally pose some environmental hazards, and should be avoided if possible.
22. Erasing and Recovery Levels
There are Levels 1 through 5. Which level do I use?
All levels erase the disk completely. The only difference is how difficult it would be for someone to recover data from the disk using sophisticated recovery tools (including scanning tunneling electron microscopes). Level 1 is the fastest, level 5 is the slowest. Level 5 is the most secure, level 1 is the least secure. I personally couldn't recover anything from a disk that had been cleaned with level 1, but someone with the know-how and a few thousand dollars could. I'm not guaranteeing anything, but I doubt the NSA could recover anything from a disk that had been cleaned with level 5. Level 3 meets most corporate and nonclassified government erasure specifications.
Here's what each level does:
1 - A single pass of all zero.
2 - One pass of random data followed by one pass of all zero.
3 - Three passes: all zero, all one, all zero.
4 - Ten passes, some of which are random, followed by one of zero.
5 - 25 passes, three of which are random.
23. Sanitization Tools
Below are just a few of the sanitization tools available:
- Darik's Boot and Nuke (DBAN)
- WhiteCanyon WipeDrive
- New Technologies M-Sweep
- Paragon Disk Wiper
- DTI Data Disk Wipe
- Acronis Drive Cleanser
- East-Tec Disk Sanitizer
- LSoft Active@ KillDisk
- CyberScrub CyberCide
- Think System Mechanic 4 Pro/DriveScrubber Pro
Note: most meet the DOD 5220-22M standard for sanitizing drives: "Non-Removable Rigid Disks" or hard drives must be sanitized for reuse by overwriting all addressable locations with a character, its complement, then a random character, and verify.
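The overwrite-and-verify procedure from the Sanitization Techniques slide and the character/complement/random sequence noted above, as an added example that is not part of the original deck or any listed tool. It runs against a constructed temporary image file; the 4096-byte block size, the `unwritable` parameter (which simulates bad blocks by dropping writes) and all function names are assumptions of this sketch.

```python
import os
import tempfile

BLOCK = 4096                      # assumed I/O block size for this sketch
ALTERNATING = [0xAA, 0x55, 0xAA]  # bit patterns 1010..., 0101..., 1010...

def dod_style_passes(char=0x00):
    """A character, its complement, then a random character."""
    return [char, char ^ 0xFF, os.urandom(1)[0]]

def overwrite_and_verify(path, passes, unwritable=frozenset()):
    """Overwrite every block once per pass, reading each pass back.

    `unwritable` simulates bad blocks by dropping writes to those indexes.
    Returns the set of block indexes that failed verification.
    """
    size = os.path.getsize(path)
    if size % BLOCK:
        raise ValueError("image size must be a multiple of BLOCK")
    failed = set()
    with open(path, "r+b") as dev:
        for value in passes:
            pattern = bytes([value]) * BLOCK
            for i in range(size // BLOCK):
                if i not in unwritable:
                    dev.seek(i * BLOCK)
                    dev.write(pattern)
            dev.flush()
            os.fsync(dev.fileno())
            for i in range(size // BLOCK):
                dev.seek(i * BLOCK)
                if dev.read(BLOCK) != pattern:
                    failed.add(i)
    return failed

def assess(failed, initial_map=None):
    """Bad-block reasoning from the text: return (accepted, suspect_blocks)."""
    if initial_map is None:            # no map made before sensitive data arrived
        return (not failed, set(failed))
    suspect = set(failed) - set(initial_map)   # blocks that went bad afterwards
    return (not suspect, suspect)

def demo():
    """Constructed 8-block image whose block 5 refuses writes."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write((b"SBU-RECORD " * 3000)[:8 * BLOCK])
        path = f.name
    try:
        failed = overwrite_and_verify(path, ALTERNATING, unwritable={5})
        with open(path, "rb") as dev:
            dev.seek(5 * BLOCK)
            residue = b"SBU-RECORD" in dev.read(BLOCK)
        clean = overwrite_and_verify(path, dod_style_passes())
        return {"failed": failed, "residue": residue,
                "with_map": assess(failed, {5}), "late": assess(failed, set()),
                "no_map": assess(failed), "clean": assess(clean)}
    finally:
        os.unlink(path)

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

When `assess` returns a non-empty suspect set, the overwrite cannot be accepted on its own and the choice is the risk decision described on the Sanitization Techniques slide: accept it, or move on to degaussing or destruction.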
24. Security Risk: Ambient Data
Bottom Line: The deletion of a file or the reformat of a hard disk provides essentially no level of security.
Left behind: Ambient data is a forensic term which describes, in general terms, data stored in non-traditional computer storage areas and formats.
- Windows Swap/Page File: These are "scratch pad" files to write data when additional random access memory is needed (100MB to over 1GB). They contain remnants of any work that may have occurred.
- Unallocated File Space: When files are erased or deleted, the file is not actually erased. Data from the 'erased file' remains behind in an area called unallocated storage space.
- File Slack: Files are stored in fixed length blocks of data called clusters. Rarely do file sizes exactly match the size of one or multiple clusters perfectly. The extra data storage space that is assigned to a file is called "file slack". File slack contains padded data from memory and remains undeleted.
- Shadow Data: Shadow data contains the remnants of computer data that was written previously to a track and it is located slightly outside the track's last write path.
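A toy model of the unallocated-space and file-slack cases above, added here as an illustration and not taken from the original deck. `ToyVolume`, the 4096-byte cluster size and the file names are constructed for the example; it models only remnants of earlier cluster contents, not memory padding, swap files or shadow data.

```python
CLUSTER = 4096  # assumed cluster size for this toy model

class ToyVolume:
    """Constructed stand-in for a file system: raw image plus a pointer table."""

    def __init__(self, nclusters):
        self.image = bytearray(nclusters * CLUSTER)
        self.table = {}                      # name -> (cluster list, size in bytes)
        self.free = list(range(nclusters))

    def write(self, name, data):
        need = -(-len(data) // CLUSTER)      # ceiling division
        clusters = [self.free.pop(0) for _ in range(need)]
        for n, c in enumerate(clusters):
            chunk = data[n * CLUSTER:(n + 1) * CLUSTER]
            # Only len(chunk) bytes are written; the cluster tail keeps old bytes.
            self.image[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.table[name] = (clusters, len(data))

    def delete(self, name):
        clusters, _ = self.table.pop(name)   # pointer removed, data untouched
        self.free = sorted(self.free + clusters)

def nonzero(region):
    """Count bytes in a region that are not zero."""
    return len(region) - region.count(0)

def ambient_data(vol):
    """List (kind, where, residual_bytes) for slack and unallocated clusters."""
    findings, used = [], set()
    for name, (clusters, size) in vol.table.items():
        used.update(clusters)
        tail = size % CLUSTER
        if tail:
            start = clusters[-1] * CLUSTER
            slack = vol.image[start + tail:start + CLUSTER]
            if nonzero(slack):
                findings.append(("file slack", name, nonzero(slack)))
    for c in range(len(vol.image) // CLUSTER):
        region = vol.image[c * CLUSTER:(c + 1) * CLUSTER]
        if c not in used and nonzero(region):
            findings.append(("unallocated", c, nonzero(region)))
    return findings

def demo():
    vol = ToyVolume(4)
    vol.write("medical.txt", b"PATIENT-RECORD;" * 400)   # constructed, 6000 bytes
    vol.delete("medical.txt")                            # "delete" = drop pointer
    after_delete = ambient_data(vol)
    vol.write("memo.txt", b"x" * 100)                    # reuses cluster 0
    return after_delete, ambient_data(vol)

if __name__ == "__main__":
    for stage in demo():
        print(stage)
```

After the delete, all 6000 bytes of the old file are still present in unallocated clusters; after the 100-byte memo reuses cluster 0, the remaining 3996 bytes of that cluster survive as file slack.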
25. Contacts
GSA CHIEF INFORMATION OFFICER WEBSITE
IT Security Points of Contact
- GSA ISSM/ISSO Contact List, 10/15/2004: http://insite.gsa.gov/_cio/
- OCIO Security Division (email): ITSecrutiy_at_gsa.gov
26. Free and Commercially Available Sanitization Tools
PROGRAM / URL / COST / PLATFORM / COMMENTS
- AutoClave / http://staff.washington.edu/jdlarios/autoclave / Free / Self-booting PC disk / Writes just zeroes, DoD specs, or the Gutmann patterns. Very convenient and easy to use. Erases the entire disk including all slack and swap space.
- CyberScrub / www.cyberscrub.com / 39.95 / Windows / Erases files, folders, cookies, or an entire drive. Implements Gutmann patterns.
- DataScrubber / www.datadev.com/ds100.html / 1,695 / Windows, Unix / Handles SCSI remapping and swap area. Claims to be developed in collaboration with the US Air Force Information Welfare Center.
- DataGone / www.powerquest.com / 90 / Windows / Erases data from hard disks and removable media. Supports multiple overwriting patterns.
- Eraser / www.heidi.ie/eraser / Free / Windows / Erases directory metadata. Sanitizes Windows swap file when run from DOS. Sanitizes slack space by creating huge temporary files.
27. Free and Commercially Available Sanitization Tools (Cont.)
PROGRAM / URL / COST / PLATFORM / COMMENTS
- OnTrack DataEraser / www.ontrack.com/dataeraser / 30500 / Self-booting PC disk / Erases partitions, directories, boot records, and so on. Includes DoD specs in professional version only.
- SecureClean / www.lat.com / 49.95 / Windows / Securely erases individual files, temporary files, slack space, and so on.
- Unishred Pro / www.accessdata.com / 450 / Unix and PC hardware / Understands some vendor-specific commands used for bad-block management on SCSI drives. Optionally verifies writes. Implements all relevant DoD standards and allows custom patterns.
- Wipe / http://wipe.sourceforge.net / Free / Linux / Uses Gutmann's erase patterns. Erases single files and accompanying metadata or entire disks.
- WipeDrive / www.accessdata.com / 39.95 / Bootable PC disk / Securely erases IDE and SCSI drives.
28. Free and Commercially Available Sanitization Tools (Cont.)
PROGRAM / URL / COST / PLATFORM / COMMENTS
- Wiperaser XP / www.liveye.com/wiperaser / 24.95 / Windows / Erases cookies, history, cache, temporary files, and so on. Graphical user interface.
29. Other References
- Office of Management and Budget Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources. Establishes a minimum set of controls to be included in Federal IT security programs.
- Computer Security Act of 1987. This statute set the stage for protecting systems by codifying the requirement for Government-wide IT security planning and training.
- Paperwork Reduction Act of 1995. The PRA established a comprehensive information resources management framework including security and subsumed the security responsibilities of the Computer Security Act of 1987.
- Clinger-Cohen Act of 1996. This Act linked security to agency capital planning and budget processes, established agency Chief Information Officers, and re-codified the Computer Security Act of 1987.
- Presidential Decision Directive 63, Protecting America's Critical Infrastructures. This directive specifies agency responsibilities for protecting the nation's infrastructure, assessing vulnerabilities of public and private sectors, and eliminating vulnerabilities.
- Presidential Decision Directive 67, Enduring Constitutional Government and Continuity of Government. Relates to ensuring constitutional government, continuity of operations (COOP) planning, and continuity of government (COG) operations.
- OMB Memorandum 99-05, Instructions on Complying with President's Memorandum of May 14, 1998, Privacy and Personal Information in Federal Records. This memorandum provides instructions to agencies on how to comply with the President's Memorandum of May 14, 1998 on "Privacy and Personal Information in Federal Records."
30. Other References (Cont.)
- OMB Memorandum 99-18, Privacy Policies on Federal Web Sites. This memorandum directs Departments and Agencies to post clear privacy policies on World Wide Web sites, and provides guidance for doing so.
- OMB Memorandum 00-13, Privacy Policies and Data Collection on Federal Web Sites. The purpose of this memorandum is a reminder that each agency is required by law and policy to establish clear privacy policies for its web activities and to comply with those policies.
- General Accounting Office Federal Information System Control Audit Manual (FISCAM). The FISCAM methodology provides guidance to auditors in evaluating internal controls over the confidentiality, integrity, and availability of data maintained in computer-based information systems.
- NIST Special Publication 800-14, Generally Accepted Principles and Practices for Security Information Technology Systems. This publication guides organizations on the types of controls, objectives, and procedures that comprise an effective security program.
- NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems. This publication details the specific controls that should be documented in a system security plan.