
SANS ISC: Media sanitization - SANS Internet Storm Center SANS ISC InfoSec Forums


Media sanitization
Conventional wisdom tells us that deleting data is an insufficient means of protecting your sensitive information from being obtained from discarded media. However, while recently reviewing a NIST publication from last month, I ran across an interesting paragraph that reads as follows:

Advancing technology has created a situation that has altered previously held best practices regarding magnetic disk type storage media. Basically the change in track density and the related changes in the storage medium have created a situation where the acts of clearing and purging the media have converged. That is, for ATA disk drives manufactured after 2001 (over 15 GB) clearing by overwriting the media once is adequate to protect the media from both keyboard and laboratory attack.

This is a significant change in stance from the often-quoted U.S. Department of Defense 5220.22-M disk erasing standard, which suggests that a minimum of 3 overwrites and a verify is necessary to properly sanitize data. Before rushing out and changing all of your purging applications to single pass only, note that the quoted paragraph from the NIST article is fairly specific about the type of hard drive, its size and its manufacture date. Nonetheless, this points to what we will hopefully see as a trend: as time passes, fewer passes will be required to properly sanitize our media.
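
A single overwrite pass followed by a read-back verify, the two operations discussed above, as an added example that is not taken from the NIST publication or from this diary. The function names and the temporary "disk image" are assumptions for illustration; against a real drive the target would be the raw device node rather than a file on a filesystem.

```python
import os
import tempfile

CHUNK = 1024 * 1024  # bytes per write/read

def overwrite_once(path, fill=0x00):
    """One pass: overwrite every byte of the target in place; return bytes written."""
    block = bytes([fill]) * CHUNK
    with open(path, "r+b") as f:
        size = f.seek(0, os.SEEK_END)  # size of an image file or block device
        f.seek(0)
        written = 0
        while written < size:
            written += f.write(block[:min(CHUNK, size - written)])
        f.flush()
        os.fsync(f.fileno())  # push the pass out of the OS write cache
    return written

def verify(path, fill=0x00):
    """Read the target back; return the offset of the first byte != fill, or None."""
    expected = bytes([fill]) * CHUNK
    offset = 0
    # Assumption: on a real device this read should bypass the page cache
    # (e.g. after dropping caches) so it reflects what is on the media.
    with open(path, "rb") as f:
        while data := f.read(CHUNK):
            if data != expected[:len(data)]:
                return offset + next(i for i, b in enumerate(data) if b != fill)
            offset += len(data)
    return None

def demo():
    """Constructed sample: a small 'disk image' of random bytes plus a fake secret."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(os.urandom(3 * CHUNK + 123))
        tmp.seek(CHUNK + 5)
        tmp.write(b"CONSTRUCTED-SECRET")
        path = tmp.name
    try:
        dirty_at = verify(path)           # some offset: residual data present
        written = overwrite_once(path)
        clean = verify(path) is None      # True once the pass covered every byte
        return dirty_at, written, clean
    finally:
        os.remove(path)

if __name__ == "__main__":
    print(demo())
```

The verify step is what turns an overwrite into evidence: it reports the first offset that still holds something other than the fill byte, which is how a pass that stopped early or skipped a region shows up.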

As a related issue, let's talk for a moment about the last time your media sanitization policies were updated. Do they take into account media other than hard drives? It is becoming increasingly difficult to identify and contain all the places where data is stored, but a thorough security program should cover all of these devices in its protection and sanitization routines. Examples of often overlooked devices include cell phones, PDAs, USB thumb drives and digital cameras. Appendix A of the NIST article mentioned above provides a fairly good list of places where data is stored along with the recommended action for sanitizing or destroying them.

Related to the topic of considering other places where sensitive data is stored electronically, reader Cornelius from Australia offers this recent article from The Sydney Morning Herald: http://www.smh.com.au/news/phones--pdas/secrets-spill-from-secondhand-mobiles/2006/08/31/1156817011704.html
Brian
