Sanitization of Electronic Media SBU Security Awareness January 27, 2005 OCIO/IS
What is Sanitization? Which answer best describes sanitization? A. Santa Claus taking over the world. B. What you experience traveling along the Santa Fe Trail in New Mexico. C. The sand you get on your feet after a walk on the beach. D. Clearing data from computer drives.
What Sanitization is: The correct answer is “D”: D. Clearing data from computer drives.
What is SBU Information? Which acronym best describes SBU information? A. A brochure of South Boston University. B. Smart But Useless nonsense. C. Sensitive But Unclassified data. D. School Basketball Uniforms.
What SBU Information is: The correct answer is “C”: C. Sensitive But Unclassified data.
Information Classifications Classified versus Unclassified Information Classified: Top Secret/Secret/Confidential - Rarely handled within GSA - e.g. DOD or DHS National Defense Information - A totally separate handling process - Will not be addressed at this time Unclassified: Sensitive But Unclassified (SBU) Information: - Used daily by most GSA associates - In numerous forms and media - The focus of our discussion
Classified Information Policies For handling of Classified Information, the following references are available: - Executive Order 12958, Classified National Security Information, as Amended - GSA Handbook, Classified National Security Information, ADM P 1025.2D, October 3, 1996 (Expires: 10/3/06)
Types of SBU Information Types of SBU (Unclassified) Information - Financial Information - Privacy (Personnel) Information - Contractual Information - Building (Floor and Space) Plans - Physical Security - IT Security (Technical) - Proprietary Information - Other information not releasable under the Freedom of Information Act.
Electronic Media: Then and now. 1974: Report. 2004: Blackberry.
The Challenge: Information Technology (IT) * Biggest headaches to the Federal Government - Spread of desktop technologies - Protection of the information handled, processed, and distributed - Classified versus unclassified information. * Unclassified sensitive information least controlled in the realm of most everyday government operations.
“VA toughens security after PC disposal blunders” By Judi Hasson, Federal Computer Week, August 29, 2002 CASE: August 2002, VA Medical Center, Indianapolis Indiana, retired 139 desktop computers. - Some were donated to schools - Others were sold on the open market - 3 ended up in a thrift shop where a journalist purchased them. OMISSION: The VA neglected to sanitize the computer's hard drives (remove the drives' confidential information). RESULTS: Many of the computers were later found to contain sensitive medical information, including: - Names of veterans with AIDS and mental health problems. - 44 credit card numbers used by that facility.
SBU Information Laws For handling of SBU Information, the following references are available: - Privacy Act of 1874 (Public Law 93-579) - Federal Information Security Management Act (FISMA) of 2002 - Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, and Appendix III, Security of Federal Automated Information Systems, as Amended - Homeland Security Presidential Directive (HSPD-7), Critical Infrastructure Identification, Prioritization, and Protection, December 17, 2003
SBU Information Policies For handling of SBU Information, the following GSA orders are available: - GSA Order CIO P 2100.1B, GSA Information Technology (IT) Security, November 4, 2004 - GSA Order PBS 3490.1, Document security for sensitive but unclassified paper and electronic building information, March 8, 2002
Definition: Sanitization of Electronic Media SOURCE: NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems, December 1998, 4.4 Planning for Security in the Life Cycle, 4.4.5 Disposal Phase. Media Sanitization: The removal of information from a storage medium (such as a hard disk or tape) is called sanitization. Different kinds of sanitization provide different levels of protection. A distinction can be made between clearing information (rendering it unrecoverable by keyboard attack) and purging (rendering information unrecoverable against laboratory attack). There are three general methods of purging media: overwriting, degaussing (for magnetic media only), and destruction.
Sanitization Procedures of Electronic Media Basically the following procedures are best practices: a. Hard Drives – Triple over-write or degauss b. Tapes – Degauss c. Compact Disks – Incinerate or chemical destruction d. Paper - Shred e. Floppy diskettes – degauss, overwrite, or the removed internal plastic mylar surface can be shredded Bottom line: Anything containing a microchip or plastic Mylar recording surface (iron oxide layers) can contain SBU information.
GSA IT Security Policy GSA Information Technology (IT) Security Policy GSA Order CIO HB 2100.1B 26. Data Classification. The Data Owner shall identify the level of protection required for a particular system commensurate with the need for confidentiality, integrity, availability, and accountability of the data processed by the system. Sensitivity Levels. Sensitive data is data that is protected from unauthorized disclosure (confidentiality) or modification (integrity) because of the damage that could result to the Government or individuals as a result of such disclosure or modification. The sensitivity of the data input, stored, and processed by the system dictates the level of protection. Protection criteria for specific classifications of information are mandated by public laws. Penalties under section (g) of the Privacy Act for negligence of entrusted data could result in criminal liability for employees and cause significant embarrassment to GSA if information to be protected were compromised, corrupted, or unavailable.
GSA IT Security Policy GSA Information Technology (IT) Security Policy GSA Order CIO HB 2100.1B Sanitization of Electronic Media CHAPTER 1. THE GSA INFORMATION TECHNOLOGY SECURITY PROGRAM 39. Sanitization of Electronic Media. Sensitive but unclassified data shall be removed from equipment and electronic and optical storage media, using methods approved by the Data Owner or DAA, before disposal or transfer outside of GSA.
PBS Building Information Policy Document security for sensitive but unclassified paper and electronic building information, GSA Order PBS 3490.1, March 8, 2002 1. Purpose. This order sets forth the PBS's policy on the dissemination of sensitive but unclassified (SBU) paper and electronic building information of GSA's controlled space, including owned, leased, or delegated Federal facilities. This document includes direction: Reasonable care for dissemination of sensitive but unclassified (SBU) building information, Limiting dissemination to authorized users, Record keeping, Retaining and destroying documents, Electronic transfer and dissemination, Defining the appropriate level of security, Handling of Freedom of Information (FOIA) requests, Handling proprietary information owned by Architect/Engineers.
Electronic Media Affected: What Hardware is affected: - Desktop/Hard Drives - Laptops/Hard Drives - Server/Hard Drives - PDAs and Integrated Devices - Cell/Camera Phones - Miniature Recording Devices - Cameras/Removable Flash/Media Memory Cards - Peripherals: Printers/Scanners - Backup Storage Devices. Backup Storage Devices include: - Compact disks (CDs) - Floppy diskettes and zip tapes - Removable hard and zip drives - Flash/Thumb/Pen drives. Note: Disposal of paper copies cannot be ignored.
Sanitization Techniques
SOURCE: GSA Standards of Good Practices, Sanitization of Sensitive But Unclassified (SBU) Data from Magnetic Storage Media
3. Sanitization Techniques: overwriting, degaussing, and destruction.
• Overwriting
Overwriting is an effective method for clearing data from hard magnetic media (hard drives and disks, but not floppy disks or tape). As the name implies, overwriting uses a program to write (1s, 0s, or a combination) onto the media. Common practice is to overwrite the media three times in alternating fashion "1010101010 ..." then "0101010101 ...." However, it is not uncommon to see overwrites of media up to eight times depending on the sensitivity level of the information. Overwriting should not be confused with merely deleting the pointer to a file (which typically happens when a delete command is used).
Overwriting requires that the media be in working order (ideally, a bad block map is made prior to sensitive data being introduced on the media and another map made after the overwrites). If bad blocks develop after the initial mapping which are not corrected during the “overwrite,” then the “overwrite” is considered to have "failed" at least insofar as the data potentially resident in the bad block. Similarly, if an initial bad block map was not made and bad blocks exist after the “overwrite,” we have to assume that sensitive data could potentially be on one of the bad blocks. At that point it's a risk decision whether you accept the “overwrite” or move on to degaussing or physical destruction of the media.
• Degaussing
Degaussing is a method to magnetically erase data from magnetic media. Two types of degausser exist: strong permanent magnets and electric degaussers. Degaussers come in a variety of strengths, and are generally categorized as Type I (weakest magnetic field) to Type III (strongest magnetic field). Type I degaussers are not particularly useful given the proliferation of high density media -- they're just not strong enough. Type II's are generally used for floppy disks, but are generally not strong enough for the high density hard disks which typically require the Type III degaussers.
• Destruction
The final method of sanitization is destruction of the media by shredding, burning, sanding, or chemical decomposition. For hard disks, typically that means sanding to physically remove the top coated layers of the hard disk. Floppy disks and tape can sometimes be shredded. Burning and chemical decomposition generally pose some environmental hazards, and should be avoided if possible.
Erasing and Recovery Levels There are Levels 1 through 5. Which level do I use? All levels erase the disk completely. The only difference is how difficult it would be for someone to recover data from the disk using sophisticated recovery tools (including scanning tunneling electron microscopes). Level 1 is the fastest, level 5 is the slowest. Level 5 is the most secure, level 1 is the least secure. I personally couldn't recover anything from a disk that had been cleaned with level 1, but someone with the know-how and a few thousand dollars could. I'm not guaranteeing anything, but I doubt the NSA could recover anything from a disk that had been cleaned with level 5. Level 3 meets most corporate and nonclassified government erasure specifications. Here's what each level does: 1 - A single pass of all zero. 2 - One pass of random data followed by one pass of all zero. 3 - Three passes: all zero, all one, all zero. 4 - Ten passes, some of which are random, followed by one of zero. 5 – 25 passes, three of which are random.
Sanitization Tools SOURCE: Below are just a few of the sanitization tools available: - Darik’s Boot and Nuke (“DBAN”) - WhiteCanyon WipeDrive - New Technologies M-Sweep - Paragon Disk Wiper - DTI Data Disk Wipe - Acronis Drive Cleanser - East-Tec Disk Sanitizer - LSoft Active@ KillDisk - CyberScrub CyberCide - Think System Mechanic 4 Pro/DriveScrubber Pro. Note: most meet the DOD 5220-22M Standard for Sanitizing Drives: “Non-Removable Rigid Disks” or hard drives “must be sanitized for reuse by overwriting all addressable locations with a character, its complement, then a random character and verify.”
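The overwrite passes described in the Sanitization Techniques, Erasing and Recovery Levels, and Sanitization Tools slides, as an added example (not code from the slides, GSA, or any listed tool). It runs a pass schedule over a regular file standing in for a drive and verifies each pass by read-back; `BLOCK`, the schedule names, and the function names are assumptions of this sketch.

```python
import hashlib
import os
import tempfile

BLOCK = 4096  # I/O unit for this sketch (an assumption, not from the page)

# Pass schedules from the text: an int is a fill byte, "random" is random data.
DOD_STYLE = [0x55, 0xAA, "random"]  # a character, its complement, then random
LEVEL_3 = [0x00, 0xFF, 0x00]        # all zero, all one, all zero

def _fill(spec, n):
    return os.urandom(n) if spec == "random" else bytes([spec]) * n

def run_pass(f, size, spec):
    """Write one pass over the whole target, then read it back and compare.
    Returns the offsets of blocks whose read-back differs from what was written."""
    digests = []
    f.seek(0)
    for off in range(0, size, BLOCK):
        chunk = _fill(spec, min(BLOCK, size - off))
        f.write(chunk)
        digests.append(hashlib.sha256(chunk).digest())
    f.flush()
    os.fsync(f.fileno())  # push the pass out of the process before verifying
    f.seek(0)
    # Note: this read-back can be served from the OS cache; it checks the logic,
    # not the platter. A device-level tool reads the medium itself.
    return [i * BLOCK for i, want in enumerate(digests)
            if hashlib.sha256(f.read(BLOCK)).digest() != want]

def sanitize(path, schedule):
    """Apply every pass in `schedule`; return {pass_number: [bad offsets]}.
    An empty dict means every pass verified."""
    size = os.path.getsize(path)
    failures = {}
    with open(path, "r+b") as f:
        for n, spec in enumerate(schedule, start=1):
            bad = run_pass(f, size, spec)
            if bad:
                failures[n] = bad
    return failures

def overwrite_demo(schedule):
    """Run `schedule` over a constructed 10,000-byte image holding a fake record."""
    with tempfile.NamedTemporaryFile(delete=False) as t:
        t.write(b"CONSTRUCTED-RECORD card=0000-0000-0000-0000 " * 200 + bytes(1200))
        path = t.name
    try:
        failures = sanitize(path, schedule)
        with open(path, "rb") as f:
            data = f.read()
        return failures, b"CONSTRUCTED-RECORD" in data, set(data)
    finally:
        os.unlink(path)

if __name__ == "__main__":
    print(overwrite_demo(LEVEL_3))
```

A non-empty result from `sanitize` corresponds to the "failed" overwrite in the Good Practices text: the blocks listed could not be confirmed overwritten, and the choice is to accept that risk or move on to degaussing or destruction.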
Security Risk: Ambient Data Bottom Line: Deleting a file or reformatting a hard disk provides essentially no level of security. Left behind: Ambient data is a forensic term which describes, in general terms, data stored in non-traditional computer storage areas and formats: - Windows Swap/Page File: These are "scratch pad" files used to write data when additional random access memory is needed (100MB to over 1GB). They contain remnants of any work that may have occurred. - Unallocated File Space: When files are erased or deleted, the file is not actually erased. Data from the 'erased file' remains behind in an area called unallocated storage space. - File Slack: Files are stored in fixed length blocks of data called clusters. Rarely do file sizes exactly match the size of one or multiple clusters perfectly. The extra data storage space that is assigned to a file is called "file slack". File slack contains padded data from memory and remains undeleted. - Shadow Data: Shadow data contains the remnants of computer data that was written previously to a track, and it is located slightly outside the track's last write path.
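Unallocated space and file slack from the slide above, shown on a toy cluster-based volume as an added example (not from the original slides). `ToyVolume`, its 16-byte cluster size, and the sample record are constructed for illustration and do not model any real file system.

```python
CLUSTER = 16  # tiny cluster so the effect is visible; real volumes use far larger ones

class ToyVolume:
    """Constructed model of a cluster-based volume (hypothetical, for illustration)."""

    def __init__(self, clusters):
        self.disk = bytearray(clusters * CLUSTER)
        self.dir = {}                        # name -> (cluster numbers, size in bytes)
        self.free = list(range(clusters))

    def write(self, name, data):
        need = -(-len(data) // CLUSTER)      # ceiling division
        used = [self.free.pop(0) for _ in range(need)]
        for i, c in enumerate(used):
            part = data[i * CLUSTER:(i + 1) * CLUSTER]
            # Only len(part) bytes are written; the rest of the cluster keeps old content.
            self.disk[c * CLUSTER:c * CLUSTER + len(part)] = part
        self.dir[name] = (used, len(data))

    def delete(self, name):
        # An ordinary delete: drop the pointer, leave the data where it is.
        used, _ = self.dir.pop(name)
        self.free = sorted(self.free + used)

    def unallocated(self):
        return b"".join(bytes(self.disk[c * CLUSTER:(c + 1) * CLUSTER]) for c in self.free)

    def slack(self, name):
        used, size = self.dir[name]
        n = len(used) * CLUSTER - size       # bytes past end-of-file in the last cluster
        end = (used[-1] + 1) * CLUSTER if used else 0
        return bytes(self.disk[end - n:end])

    def wipe_ambient(self, fill=0x00):
        """Overwrite every free cluster and every file's slack."""
        for c in self.free:
            self.disk[c * CLUSTER:(c + 1) * CLUSTER] = bytes([fill]) * CLUSTER
        for used, size in self.dir.values():
            n = len(used) * CLUSTER - size
            if n:
                end = (used[-1] + 1) * CLUSTER
                self.disk[end - n:end] = bytes([fill]) * n

def ambient_demo():
    vol = ToyVolume(8)
    vol.write("patients.txt", b"NAME=J.DOE DIAG=CONSTRUCTED CARD=0000")  # constructed record
    vol.delete("patients.txt")
    vol.write("memo.txt", b"lunch")          # reuses the first freed cluster
    before = (vol.slack("memo.txt"), vol.unallocated())
    vol.wipe_ambient()
    after = (vol.slack("memo.txt"), vol.unallocated())
    return before, after

if __name__ == "__main__":
    print(ambient_demo())
```

Before the wipe, the slack of `memo.txt` and the free clusters still hold pieces of the deleted record; after it, both are zero-filled.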
Contacts GSA CHIEF INFORMATION OFFICER WEBSITE IT Security Points of Contact - GSA ISSM/ISSO Contact List 10/15/2004 http://insite.gsa.gov/_cio/ - OCIO Security Division (email) (ITSecrutiy@gsa.gov)
Free and Commercially Available Sanitization Tools
PROGRAM | URL | COST | PLATFORM | COMMENTS
AutoClave | http://staff.washington.edu/jdlarios/autoclave | Free | Self-booting PC disk | Writes just zeroes, DoD specs, or the Gutmann patterns. Very convenient and easy to use. Erases the entire disk including all slack and swap space.
CyberScrub | www.cyberscrub.com | $39.95 | Windows | Erases files, folders, cookies, or an entire drive. Implements Gutmann patterns.
DataScrubber | www.datadev.com/ds100.html | $1,695 | Windows, Unix | Handles SCSI remapping and swap area. Claims to be developed in collaboration with the US Air Force Information Welfare Center.
DataGone | www.powerquest.com | $90 | Windows | Erases data from hard disks and removable media. Supports multiple overwriting patterns.
Eraser | www.heidi.ie/eraser | Free | Windows | Erases directory metadata. Sanitizes Windows swap file when run from DOS. Sanitizes slack space by creating huge temporary files.
OnTrack DataEraser | www.ontrack.com/dataeraser | $30-$500 | Self-booting PC disk | Erases partitions, directories, boot records, and so on. Includes DoD specs in professional version only.
SecureClean | www.lat.com | $49.95 | Windows | Securely erases individual files, temporary files, slack space, and so on.
Unishred Pro | www.accessdata.com | $450 | Unix and PC hardware | Understands some vendor-specific commands used for bad-block management on SCSI drives. Optionally verifies writes. Implements all relevant DoD standards and allows custom patterns.
Wipe | http://wipe.sourceforge.net | Free | Linux | Uses Gutmann's erase patterns. Erases single files and accompanying metadata or entire disks.
WipeDrive | www.accessdata.com | $39.95 | Bootable PC disk | Securely erases IDE and SCSI drives.
Wiperaser XP | www.liveye.com/wiperaser | $24.95 | Windows | Erases cookies, history, cache, temporary files, and so on. Graphical user interface.
Other References Office of Management and Budget Circular A-130, “Management of Federal Information Resources”, Appendix III, “Security of Federal Automated Information Resources.” Establishes a minimum set of controls to be included in Federal IT security programs. Computer Security Act of 1987. This statute set the stage for protecting systems by codifying the requirement for Government-wide IT security planning and training. Paperwork Reduction Act of 1995. The PRA established a comprehensive information resources management framework including security and subsumed the security responsibilities of the Computer Security Act of 1987. Clinger-Cohen Act of 1996. This Act linked security to agency capital planning and budget processes, established agency Chief Information Officers, and re-codified the Computer Security Act of 1987. Presidential Decision Directive 63, “Protecting America’s Critical Infrastructures.” This directive specifies agency responsibilities for protecting the nation’s infrastructure, assessing vulnerabilities of public and private sectors, and eliminating vulnerabilities. Presidential Decision Directive 67, “Enduring Constitutional Government and Continuity of Government.” Relates to ensuring constitutional government, continuity of operations (COOP) planning, and continuity of government (COG) operations OMB Memorandum 99-05, Instructions on Complying with President's Memorandum of May 14, 1998, “Privacy and Personal Information in Federal Records.” This memorandum provides instructions to agencies on how to comply with the President's Memorandum of May 14, 1998 on "Privacy and Personal Information in Federal Records."
Other References (Cont.) OMB Memorandum 99-18, “Privacy Policies on Federal Web Sites.” This memorandum directs Departments and Agencies to post clear privacy policies on World Wide Web sites, and provides guidance for doing so. OMB Memorandum 00-13, “Privacy Policies and Data Collection on Federal Web Sites.” The purpose of this memorandum is a reminder that each agency is required by law and policy to establish clear privacy policies for its web activities and to comply with those policies. General Accounting Office “Federal Information System Control Audit Manual” (FISCAM). The FISCAM methodology provides guidance to auditors in evaluating internal controls over the confidentiality, integrity, and availability of data maintained in computer-based information systems. NIST Special Publication 800-14, “Generally Accepted Principles and Practices for Security Information Technology Systems.” This publication guides organizations on the types of controls, objectives, and procedures that comprise an effective security program. NIST Special Publication 800-18, “Guide for Developing Security Plans for Information Technology Systems.” This publication details the specific controls that should be documented in a system security plan.