Friday, June 17, 2011

Destruction of Sensitive Information

Destruction of sensitive information has being on the agenda of many organizations and governments. As a result, numerous standard were developed such as U.S. Department of Defence (DoD) 5220.22-M, National Institute of Standards and Technology (NIST) 800-88 and Canada Communications Security Establishment (CSE) ITSG-06, to provide guidance to the IT administrators and owners to protect against information retrieval when recycling or disposing of storage media.
NIST lists four types of sensitization types: disposal, cleaning, purging and destroying. In most cases, disposal of the storage media is not considered as secure method of discarding media containing sensitive information. The rest of this paper will review the defined standard for the data cleaning standards.
Cleaning refers to a method of removing sensitive infromation that would protect the data “against a robust keyboard attack” (Richard Kissel at. al., 2006). Simple deletion of files is not sufficient for clearing as operating systems simply mark the appropriate entries in the FAT File Allocation Table, or equivalent in other file systems, as deleted leaving in the Data Region unchanged. As a result, the data could be potentially recovered using forensic tools. Up until 2001, the standard method of securely clearing sensitive information was overwriting the data with zero, one, random or predefined patterns such as “Gutmann Method” (Peter Gutmann, 1996). For example, Communications Security Establishment (2006) defines overwrite process as “process itself must include a minimum of three passes including 1s, 0s, and a pseudo-random pattern over the entire accessible area of the magnetic tape or disk, followed by verification of results by the human operator.”
The intent of the overwriting process is to overcome the the track-edge phenomenon allowing recovery of the magnetic pattern residue from track boundaries using magnetic force microscope. Using the microscope, the researches examine the relative peaks of magnetic transitions, to recover the binary data. Although the attack on the track-edges were documented in the laboratory environment, “it requires a very well equipped research laboratory with costly microscopy equipment and highly trained researchers with a great deal of time and patience” Communications Security Establishment (2006). Moreover, as the data written to the magnetic media become and more dense. According to Seagate press release (2011), it has reached “areal density of 625 Gigabits per square inch”, which is 310 million times over the density of the first hard drive. As a result, the effort required to recover the data makes it virtually impossible. Richard Kissel et. al. (2006) writes that “studies have shown that most of today’s media can be effectively cleared by one overwrite.”
Furthermore, since about 2001, all ATA IDE, SATA and SCSI hard drive manufacturer include support for the "Secure Erase" or “Secure Initiate” commands which writes binary zeros using internal fault detection hardware. Although the method not does precisely follows the DoD 5220.22 “three writes plus verification” specification, the university of California Magnetic Recording Research (2008) “showed that the erasure security is at the level of DoD 5220, because drives having the command also randomize user bits before storing on magnetic media”. Moreover, NIST Special Publication 800-88 classifies “Secure Erase” command as acceptable method of purging, equivalent to media degaussing.


No comments:

Post a Comment