Defeating the dumpster divers

When you send a sensitive personnel file to the recycling bin on your PC Windows desktop or reformat your entire hard drive, the data you created may appear to be gone, but from a cyberthief’s point of view it’s certainly not forgotten. Agency security managers have long known that simple erase and reformatting commands do little more than remove operating system indexes that help users quickly locate files. The information remains intact and potentially accessible to anyone using easily available data-recovery software.To close security gaps, the Defense Department and the National Institute of Standards and Technology circulated guidelines for overwriting data and bombarding media with magnetic fields to cleanse storage media of sensitive information.But now, with the proliferation of storage media in a wide range of devices, even DOD finds itself scrambling to stay a step ahead of information thieves. “The department is in the early stages of formulating specific enterprisewide guidance regarding cleansing and disposal of newer technologies, such as flash memory,” said Maj. Patrick Ryder, a spokesman at the Office of the Assistant Secretary of Defense. As agencies such as DOD update their data-destruction policies, many security managers are combining sanitization techniques for heightened protection while also taking advantage of the falling storage-media prices. Their conclusion is that for ultimate security, the most prudent strategy may be to physically destroy the hard drives, tape cartridges, thumb drives and other media that contain sensitive information. “The cost of drives is getting so cheap now, our policy is to destroy a drive that holds anything more than unclassified, nonsensitive information,” said Bill Hunteman, associate chief information officer of cybersecurity at the Energy Department. “This gives us a high level of assurance that information won’t potentially be leaked.”High-capacity hard drives aren’t the only technologies prompting security managers to consider pulverizing storage media under an industrial press or dipping it into a vat of acid. Hard drives packed in disk arrays by the tens or hundreds are overwritten using the same software as individual drives. But the high data volumes in arrays make the process even more time consuming, extending the job in some cases beyond a day, depending on data volumes and the number of overwrites needed for security, said Paula Laughlin, director of global services marketing at storage vendor EMC.The company now provides on- and off-site array and disk drive sanitization services using its proprietary tools. EMC also offers buyout programs for agencies that lease arrays if they choose to destroy the drives at the end of the contract rather than return the hardware, Laughlin added.Some security officials fear that the time required to overwrite terabyte-size storage capacities could lead to shortcuts in data-sanitization policies. “When the process takes too long, the job just is not going to get done,” said Bill Margeson, chief executive officer of CBL Data Recovery Technologies, a recovery service that also offers free disk-overwriting software. Flash-memory devices such as thumb drives, cell phones and personal digital assistants present other data-wiping challenges. Flash memory is nonvolatile, so information isn’t erased when the device is shut down. “It’s decidedly more difficult to remove data when you really want to get rid of it,” said Carmi Levy, senior research analyst at Info-Tech Research Group. “So just as with hard drives, when you delete a file held in flash memory, it doesn’t necessarily disappear. Even worse, because the memory is designed to remember data even when power isn’t available, sometimes ghosts of old files can appear. Even after you’ve wiped it a couple of times, the file may still be retrievable.”In addition to raising security concerns, disposing of storage media is expensive. DOE and DOD don’t itemize data-destruction costs in their information technology operating budgets. But Zaman Khan, director of business development at systems integrator Intelligent Decisions, estimated that agencies pay $15 to $20 apiece to cleanse or destroy each storage device, including staff time for the procedure itself and audits to account for each procedure.Tools used to cleanse or destroy storage media are only part of the data-protection equation. Formal policies and enforcement measures to assure the tools are being used effectively are also essential. “We tend to look at data-handling problems as technology issues,” Levy said. “In fact, they are driven more by processes and behaviors. The first step for any organization is to recognize that [improper data destruction] is a significant risk for them.” Kentucky has maintained formal data sanitization policies since 2003, but for Toby Whitehouse, the state’s chief information security officer, having a policy isn’t sufficient.“We’ve had a lot of discussions over the last few years about what happens when you sit a technician in front of a set of computers and say, ‘Wipe all of these machines,’ ” Whitehouse said. “How do you really know that that’s occurred?”Kentucky put some checks in place to audit the process. Before computers or hard drives leave government, Kentucky requires someone from the IT staff of the relevant agency to sign documentation attesting to the device’s cleansing. The state’s Division of Surplus Property, the clearinghouse for decommissioned technology, won’t accept equipment without the proper documentation. The division then releases the devices for public auction.Although Whitehouse said he believes that process protects the data, he worries about people who use the tediousness of media cleansing as an excuse for taking shortcuts. He said Kentucky is looking for way to reduce the burden on IT staff members so that no one is tempted to skip a cleansing.Some commercial companies use the complexities of data disposal as a selling point for outsourcing the job. Intelligent Decisions, which offers cleansing and disposal services for public and private organizations, counts the Veterans Affairs Department as a client. To address chain-of-custody concerns that arise when agencies let data-laden equipment leave their premises, the company developed an application that tracks each device during shipment and processing.  The application uses a secure Web portal that creates a shipping label with a unique control number for each unit. Clients can choose to use commercial delivery companies or their own staff to transport the devices. When the equipment arrives at the processing center, Intelligent Decisions matches the manifest against a physical inventory of the shipment. If the container was damaged or if storage devices are missing, the company notifies the agency. “They will either send somebody here for an inspection or we will do a reverse logistics of the shipping route to find out what happened,” Khan said. Media that arrives at Intelligent Decisions is slated for destruction by a pulverizing press. However, for extra safety, some devices may first be degaussed, a process that uses strong magnets to jumble information until it’s unreadable. This two-step process guards against any recognizable data remaining on disk-platter shards, Khan said. After pulverization, a recycling company hauls away the remains, separates the various materials and sells the metals for reprocessing. Khan said VA is talking with the company about ways to dispose of thumb drives. The two have yet to reach a recycling agreement because of the unique chain-of-custody challenges created by the drives’ small size. “A lot of media, including flash drives, don’t have serial numbers,” Khan said. “So how do we account for each thumb drive that is being sent to us?” One potential solution under consideration is nylon-mesh socks equipped with RFID chips to house each drive and provide tracking capabilities. Khan estimates the RFID socks would cost about 25 cents each.Despite safeguards, many agencies are slow to entrust media containing sensitive data to outsourcers for destruction. “Personally, I’m more of a hands-on person who likes to see that it’s been done correctly,” Whitehouse said. “Putting that job in the hands of other people?  That’s a trust level that maybe eventually we’ll get to, but I’m personally not there yet.”