Knowledge Base

Destruction

posted Feb 12, 2012, 10:16 AM by David Khorram

National Institute of Standards and Technology, NIST Special Publication 800-88

Destruction of media is the ultimate form of sanitization. After media are destroyed, they cannot be reused as originally intended. Physical destruction can be accomplished using a variety of methods, including disintegration, incineration, pulverizing, shredding, and melting. If destruction is decided upon due to the high security categorization of the information or due to environmental factors, any residual medium should be able to withstand a laboratory attack.

  • Disintegration, Incineration, Pulverization, and Melting. These sanitization methods are designed to completely destroy the media. They are typically carried out at an outsourced metal destruction or incineration facility with the specific capabilities to perform these activities effectively, securely, and safely.
  • Shredding. Paper shredders can be used to destroy flexible media such as diskettes once the media are physically removed from their outer containers. The shred size of the refuse should be small enough that there is reasonable assurance in proportion to the data confidentiality level that the information cannot be reconstructed.

Optical mass storage media, including compact disks (CD, CD-RW, CD-R, CD-ROM), optical disks (DVD), and magneto-optic (MO) disks must be destroyed by pulverizing, crosscut shredding or burning.

Destruction of media should be conducted only by trained and authorized personnel. Safety, hazmat, and special disposition needs should be identified and addressed prior to conducting any media destruction.

Purging

posted Feb 12, 2012, 10:15 AM by David Khorram

National Institute of Standards and Technology, NIST Special Publication 800-88

Purging information is a media sanitization process that protects the confidentiality of information against a laboratory attack. For some media, clearing media would not suffice for purging. However, for ATA disk drives manufactured after 2001 (over 15 GB) the terms clearing and purging have converged. A laboratory attack would involve a threat with the resources and knowledge to use nonstandard systems to conduct data recovery attempts on media outside their normal operating environment. This type of attack involves using signal processing equipment and specially trained personnel.

Executing the firmware Secure Erase command (for ATA drives only) and degaussing are examples of acceptable methods for purging. Degaussing of any hard drive assembly usually destroys the drive as the firmware that manages the device is also destroyed.

Degaussing is exposing the magnetic media to a strong magnetic field in order to disrupt the recorded magnetic domains. A degausser is a device that generates a magnetic field used to sanitize magnetic media. Degaussers are rated based on the type (i.e., low energy or high energy) of magnetic media they can purge. Degaussers operate using either a strong permanent magnet or an electromagnetic coil. Degaussing can be an effective method for purging damaged media, for purging media with exceptionally large storage capacities, or for quickly purging diskettes. Degaussing is not effective for purging nonmagnetic media, such as optical media [compact discs (CD), digital versatile discs (DVD), etc.]. [SP 800-36, Guide to Selecting Information Security Products]


Cleaning

posted Feb 12, 2012, 10:14 AM by David Khorram

 National Institute of Standards and Technology, NIST Special Publication 800-88

Clearing information is a level of media sanitization that would protect the confidentiality of information against a robust keyboard attack. Simple deletion of items would not suffice for clearing. Clearing must not allow information to be retrieved by data, disk, or file recovery utilities. It must be resistant to keystroke recovery attempts executed from standard input devices and from data scavenging tools. For example, overwriting is an acceptable method for clearing media. There are overwriting software or hardware products to overwrite storage space on the media with non-sensitive data. This process may include overwriting not only the logical storage location of a file(s) (e.g., file allocation table) but also may include all addressable locations. The security goal of the overwriting process is to replace written data with random data. Overwriting cannot be used for media that are damaged or not writeable. The media type and size may also influence whether overwriting is a suitable sanitization method. [SP 800-36]. Studies have shown that most of today's media can be effectively cleared by one overwrite.

Disposal

posted Feb 12, 2012, 10:13 AM by David Khorram


National Institute of Standards and Technology, NIST Special Publication 800-88

Disposal is the act of discarding media with no other sanitization considerations. This is most often done by paper recycling containing non-confidential information but may also include other media.

General information

posted Feb 12, 2012, 10:11 AM by David Khorram



National Institute of Standards and Technology, NIST Special Publication 800-88

The key in deciding how to manage media in an organization is to first consider the information, then the media type. The security categorization of the information, along with internal environmental factors, should drive the decisions on how to deal with the media. Again, the key is to first think in terms of information confidentiality, then by media type. In organizations, information exists that is not associated with any categorized system. This information is often hard copy internal communications such as memoranda, white papers, and presentations. Sometimes this information may be considered sensitive. Examples may include internal disciplinary letters, financial or salary negotiations, or strategy meeting minutes. Organizations should label these media with their internal operating classifications and associate a type of sanitization described in this publication. There are different types of sanitization for each type of media. We have divided media sanitization into four categories: disposal, clearing, purging and destroying. Disposal exists where media are just tossed out with no special disposition given to them. Some media can be simply disposed if information disclosure would have no impact on organizational mission, would not result in damage to organizational assets, would not result in financial loss or would not result in harm to any individuals. Disposal is mentioned to assure organizations that all media does not require sanitization and that disposal is still a valid method for handling media containing non-confidential information. Since disposal is not technically a type of sanitization, it will not be mentioned or addressed outside of this section. Companies must put in place plans to securely erase data or destroy it.

Cornell University Best Practices for Media Destruction

posted Feb 11, 2012, 8:04 PM by David Khorram

Best Practices for Media Destruction

Media destruction, either physical or electronic, is intended to prevent data disclosure. Some ways data may be disclosed are:

  • Computers that are disposed of or sold without appropriate media destruction practices. (More information is available on this page. See Media Destruction Services or Information About Media Destruction if You Don't Use a Service.)
  • Hard drives returned to vendors as defective are frequently repaired and returned to service with data intact. 
  • Disposed functional hard drives are a valuable commodity and present significant risk of data disclosure if not properly treated. 

Drives that will not be reused should be physically destroyed. This page includes information about a no-fee Cornell service you can use or alternative methods for physical disposal. Even if the drive is to be reused it should be erased using one of the recommended tools or applications described below.

Different terms may be used to refer to disk or file erasure. Some common terms are disk wiping and secure deletion.

WHAT ARE THE STANDARDS FOR MEDIA DESTRUCTION?

  • DoD 5220.22: Functional drives should be overwritten 3 times prior to disposal or reuse.
  • NIST 800-88: Modern hard disks can defy conventional forensic recovery after a single wiping pass. 

Note: As of 2001, ATA (though not SCSI) drives support a secure-overwrite command that should eliminate all data on the drive much more rapidly than operating system-level utilities. Certain specialty hardware supports this.

WHAT IS THE SECURITY OFFICE RECOMMENDATION?

Our recommendation acknowledges the NIST document, but maintains consistency with other practices throughout higher-education and industry. 

  • For drives that will be reused or disposed of in a functional state: use of a reputable erasure utility implementing DoD 5220.22. A 3-pass wipe of a large hard disk is time-intensive.
  • For drives that are defective, dead, or sufficiently unresponsive that they do not complete the 5220.22 wipe protocol:  physical destruction prior to RMA or disposal.
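
An added example, not taken from NIST SP 800-88 or the Cornell page: a random-data overwrite of every addressable byte with a readback check, falling back to physical destruction when the target cannot be written, as the recommendation above directs for drives that do not complete the wipe. The function names and the image file standing in for a drive are assumptions, and the passes are plain random data rather than the DoD 5220.22 pass patterns.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # write and read in 1 MiB blocks

def overwrite(path, passes=1):
    """Overwrite every addressable byte of path with random data, `passes`
    times, and return the SHA-256 of the final pass as written."""
    if passes < 1:
        raise ValueError("at least one pass is required")
    with open(path, "r+b") as f:
        size = f.seek(0, os.SEEK_END)  # works for image files and block devices
        for _ in range(passes):
            f.seek(0)
            digest = hashlib.sha256()
            remaining = size
            while remaining:
                block = os.urandom(min(CHUNK, remaining))
                f.write(block)
                digest.update(block)
                remaining -= len(block)
            f.flush()
            os.fsync(f.fileno())  # push the pass out of OS buffers
    return digest.hexdigest()

def readback_digest(path):
    """SHA-256 of what the target returns on readback."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()

def sanitize(path, passes=1):
    """'cleared' if the overwrite completed and verified, else 'physical destruction'."""
    try:
        ok = overwrite(path, passes) == readback_digest(path)
    except OSError:
        ok = False  # damaged or unwritable media cannot be cleared by overwriting
    return "cleared" if ok else "physical destruction"

if __name__ == "__main__":
    # Constructed stand-in for a drive: a 3 MiB image holding a marker record.
    with tempfile.NamedTemporaryFile(delete=False) as img:
        img.write(b"SALARY-RECORD-0001" + bytes(3 * CHUNK))
    print(sanitize(img.name, passes=3))     # verified three-pass overwrite
    print(sanitize(img.name + ".missing"))  # target that cannot be opened
    os.unlink(img.name)
```

On a real device the readback can be served from the operating system's cache, so a production tool would bypass that cache before trusting the comparison. A matching digest also says nothing about relocated blocks on solid-state media, which the note on solid state devices covers.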

DESTRUCTION PRACTICE BY MEDIA

| Media | Reuse | Disposal |
|---|---|---|
| Hard Disk | DoD 5220.22 erase prior to format | Physical destruction (drill or hammer) |
| Floppy Disk | Degauss or erase prior to format | Physical destruction, degauss, or erase |
| Caseless Optical (CD/DVD) | Typically N/A | Physical destruction (break into pieces or uniformly abrade surface) |
| ZIP/Cartridge | DoD 5220.22 erase | Physical destruction or degauss |
| Small solid state, USB/Flash | Erasing is unpredictable, but nonetheless recommended prior to format | Physical destruction |
| Tapes | Degauss | Physical destruction or degauss |


MEDIA DESTRUCTION SERVICES

NO-FEE CORNELL SERVICE FOR MEDIA DESTRUCTION: R5

R5 Operations (Respect, Rethink, Reduce, Reuse, Recycle) will securely collect and arrange for the destruction of magnetic media, specifically hard drives, in addition to the systems/electronics they presently recycle. The items are sent to Sunnking, Inc. in Brockport, NY for dismantling and recycling. All hard drives from Cornell are 100% destroyed. 

Items that can be picked up by R5 include: monitors, CPUs and hard drives, keyboards, circuit boards, cables, mice, printers, copiers, microwave ovens, televisions, cell phones, power cords, extension cords, power strips, answering machines, fax machines, typewriters, pagers, cameras, VCR/DVD/8-track players, CDs, remote controls, radios, and stereos. 

There are no limits on the number of items that can be picked up.

This service is offered at no-fee and is intended to complement other secure destruction methods, not to replace existing practices or means currently in use. It is another option to comply with best practices in a secure, affordable, and convenient way. For more information or to arrange for pick-up, contact R5 Operations by email at: recycle@cornell.edu, or by phone: (607) 254-1666.

Note: The R5 service doesn't accept tapes (reel to reel, VHS, etc.). The following vendors provide secure shredding for tapes. (These vendors do charge a fee.)

  • Cintas: contact Tim Bentley at 716-773-7281
  • Shred-it: contact Brian Lee at 877-607-4733
  • Rogers Service Group: 607-797-7333

INFORMATION ABOUT MEDIA DESTRUCTION IF YOU DON'T USE A SERVICE

PHYSICAL DESTRUCTION

The objective of physical destruction is to badly warp or distort the platters, rendering the drive or any of its components inoperable. Recommended methods:

  • Drilling the drive in several locations perpendicular to the platters and penetrating clear through from top to bottom. 
  • Hammering or crushing is equally effective but more labor intensive. 

Destroying the logic section of the drive without damaging the platters is insufficient and not recommended.

DISK AND FILE ERASURE

Disk and File Erasure Software

The following utilities meet industry best practices for data sanitization on common read/write media including:

  • Hard disks
  • Floppy disks
  • USB drives

| Utility | Disk | File | PC/Win | Mac | Other |
|---|---|---|---|---|---|
| DBAN, http://www.dban.org (How to use DBAN) | Y | N | Y | Y | Floppy or CD bootable x86 system |
| Eraser, http://eraser.heidi.ie | Y | Y | Y | N | N |
| Sdelete, http://technet.microsoft.com/en-us/sysinternals/bb897443.aspx | Y | Y | Y | N | N |
| Disk Utility (OSX native) | Y | Y | N | Y | N |
| Wipe/Shred (Linux native) | Y | Y | N | N | Common Linux distributions |
| Dd/dcfldd | Y | Y | N | N | UNIX utility |

File Erasure Features in Applications

The following features included in application software meet industry best practices for data sanitization in individual files.

| Application | Feature | PC/Win | Mac | Other |
|---|---|---|---|---|
| IdentityFinder | Shred | Y | Y | N |
| Spider3 | Erase | Y | N | N |
| Spider 2008 | Secure Erase | Y | N | N |

Hardware Erasure

  • For Drives That Will Be Reused: Wiebetech Drive eraser (http://weibetech.com/products/Drive_eRazer.php): Able to rapidly erase PATA/SATA hard drives using either multi-pass overwrite or the ATA-6 secure erase command. This device is for small to medium volume sanitization of operational drives.
  • For Drives That Will Not Be Reused: Where drive use is not possible or not desirable, magnetic media should be degaussed or mechanically shredded. The no-fee campus service described above will pick up your drives and securely dispose of them.
    You can also use the self-service degausser hosted by Cornell Recycling. For more information, see the degausser page. About degaussing: Degaussing modern hard disks requires magnets capable of generating fields several orders of magnitude stronger than those required to blank audio and video tapes. As degaussing destroys hidden portions of the drive used for bad block recovery, drive head positioning, and other functions, drives subject to it will be nonfunctional. For these reasons, physical destruction is the preferred practice.

Note about solid state devices: USB thumb drives, compact flash, MMC/SD, and the like are unreliable in the face of disk wiping protocols. Multi-pass wiping is not technically relevant for solid-state devices. More importantly, solid-state storage has a very limited number of read/write cycles and is designed with considerable surplus. This surplus storage is used to relocate data away from failing data segments. Wipe utilities cannot guarantee that all originally allocated blocks have been wiped. Further, they cannot ensure new data is properly committed to the device. If disposal is the ultimate goal, physical destruction is strongly recommended.
