
Critical Infrastructure Protection PDD GSA


									Sanitization of Electronic Media
      SBU Security Awareness



      January 27, 2005         OCIO/IS
        What is Sanitization?
Which answer best describes sanitization?

    A. Santa Claus taking over the world.

     B. What you experience traveling along
         the Santa Fe Trail in New Mexico.

     C. The sand you get on your feet after
         a walk on the beach.

     D. Clearing data from computer drives.
        What Sanitization is:
The correct answer is “D”:

     D. Clearing data from computer drives.
   What is SBU Information?
Which acronym best describes SBU information?

    A. A brochure of South Boston University.

    B. Smart But Useless nonsense.

    C. Sensitive But Unclassified data.

    D. School Basketball Uniforms.
   What SBU Information is:
The correct answer is “C”:

     C. Sensitive But Unclassified data.
  Information Classifications
     Classified versus Unclassified Information

Classified: Top Secret/Secret/Confidential
 - Rarely handled within GSA
 - e.g. DOD or DHS National Defense Information
 - A totally separate handling process
 - Will not be addressed at this time

Unclassified: Sensitive But Unclassified (SBU)
   Information:
 - Used daily by most GSA associates
 - In numerous forms and media
 - The focus of our discussion
Classified Information Policies
For handling of Classified Information, the following
  references are available:

 - Executive Order 12958,
    Classified National Security
    Information as Amended

 - GSA Handbook, Classified
    National Security Information,
    ADM P 1025.2D, October 3, 1996
    (Expires: 10/3/06)
 Types of SBU Information
Types of SBU (Unclassified) Information

 -   Financial Information
 -   Privacy (Personnel) Information
 -   Contractual Information
 -   Building (Floor and Space) Plans
 -   Physical Security
 -   IT Security (Technical)
 -   Proprietary Information
 -   Other information not releasable under the
       Freedom of Information Act.
Electronic Media: Then and now
     1974: Report
     2004: Blackberry
 The Challenge: Information
      Technology (IT)
* Biggest headaches to the Federal Government
  - Spread of desktop technologies
      - Protection of the information handled, processed,
              and distributed
      - Classified versus unclassified information.


* Unclassified sensitive information least controlled in
  the realm of most everyday government operations.
   “VA toughens security after PC
         disposal blunders”
   By Judi Hasson,
Federal Computer Week, August 29, 2002
 CASE:
   August 2002, VA Medical Center, Indianapolis Indiana,
   retired 139 desktop computers.
    - Some were donated to schools
    - Others were sold on the open market
    - 3 ended up in a thrift shop where a journalist
        purchased them.
 OMISSION:
   The VA neglected to sanitize the computers' hard drives
   (remove the drives' confidential information).
 RESULTS:
   Many of the computers were later found to contain
   sensitive medical information, including:
    - Names of veterans with AIDS and mental health
      problems.
    - 44 credit card numbers used by that facility.
       SBU Information Laws
For handling of SBU Information, the following
  references are available:

 - Privacy Act of 1974 (Public Law 93-579)
 - Federal Information Security Management Act (FISMA) of
    2002.
 - Office of Management and Budget (OMB) Circular A-130,
    Management of Federal Information Resources, and
    Appendix III, Security of Federal Automated Information
    Systems as Amended.
 - Homeland Security Presidential Directive (HSPD-7), Critical
    Infrastructure Identification, Prioritization, and Protection,
    December 17, 2003.
    SBU Information Policies
For handling of SBU Information, the following GSA
  orders are available:

 - GSA Order CIO P 2100.1B, GSA Information Technology (IT)
    Security, November 4, 2004

 - GSA Order PBS 3490.1, Document security for sensitive but
    unclassified paper and electronic building information,
    March 8, 2002
      Definition: Sanitization of
          Electronic Media
                         SOURCE:
NIST Special Publication 800-18, Guide for Developing Security
  Plans for Information Technology Systems, December 1998
4.4 Planning for Security in the Life Cycle
4.4.5 Disposal Phase
Media Sanitization:
·    The removal of information from a storage medium (such as a hard
    disk or tape) is called sanitization. Different kinds of sanitization
    provide different levels of protection. A distinction can be made
    between clearing information (rendering it unrecoverable by
    keyboard attack) and purging (rendering information unrecoverable
    against laboratory attack). There are three general methods of
    purging media: overwriting, degaussing (for magnetic media only),
    and destruction.
      Sanitization Procedures of
          Electronic Media
Basically the following procedures are best practices:

    a. Hard Drives – Triple over-write or degauss
    b. Tapes – Degauss
    c. Compact Disks – Incinerate or
          chemical destruction
    d. Paper - Shred
    e. Floppy diskettes – degauss, overwrite, or the
         removed internal plastic mylar surface can
         be shredded

Bottom line: Anything containing a microchip or
  plastic Mylar recording surface (iron oxide layers)
  can contain SBU information.
         GSA IT Security Policy
  GSA Information Technology (IT) Security Policy
GSA Order CIO HB 2100.1B

26. Data Classification. The Data Owner shall identify the level of
    protection required for a particular system commensurate with the
    need for confidentiality, integrity, availability, and accountability of the
    data processed by the system.
Sensitivity Levels. Sensitive data is data that is protected from
    unauthorized disclosure (confidentiality) or modification (integrity)
    because of the damage that could result to the Government or
    individuals as a result of such disclosure or modification. The
    sensitivity of the data input, stored, and processed by the system
    dictates the level of protection. Protection criteria for specific
    classifications of information are mandated by public laws. Penalties
    under section (g) of the Privacy Act for negligence of entrusted data
    could result in criminal liability for employees and cause significant
    embarrassment to GSA if information to be protected were
    compromised, corrupted, or unavailable.
       GSA IT Security Policy
  GSA Information Technology (IT) Security Policy
GSA Order CIO HB 2100.1B

Sanitization of Electronic Media
CHAPTER 1.
THE GSA INFORMATION TECHNOLOGY SECURITY PROGRAM
39. Sanitization of Electronic Media.
    Sensitive but unclassified data shall be removed
    from equipment and electronic and optical storage
    media, using methods approved by the Data Owner or
    DAA, before disposal or transfer outside of GSA.
 PBS Building Information Policy
Document security for sensitive but unclassified
paper and electronic building information,
GSA Order PBS 3490.1, March 8, 2002
    1. Purpose. This order sets forth the PBS's policy on the
   dissemination of sensitive but unclassified (SBU) paper and
   electronic building information of GSA's controlled space,
   including owned, leased, or delegated Federal facilities.

This document includes direction on:
 - Reasonable care for dissemination of sensitive but unclassified
   (SBU) building information,
 - Limiting dissemination to authorized users,
 - Record keeping,
 - Retaining and destroying documents,
 - Electronic transfer and dissemination,
 - Defining the appropriate level of security,
 - Handling of Freedom of Information (FOIA) requests,
 - Handling proprietary information owned by Architect/Engineers.
   Electronic Media Affected:
What Hardware is affected:
- Desktop/Hard Drives
   - Laptops/Hard Drives
   - Server/Hard Drives
   - PDAs and Integrated Devices
   - Cell/Camera Phones
   - Miniature Recording Devices
   - Cameras/Removable Flash/Media Memory Cards
   - Peripherals: Printers/Scanners
   - Backup Storage Devices

Backup Storage Devices include:
   - Compact disks (CDs)
   - Floppy diskettes and zip tapes
   - Removable hard and zip drives
   - Flash/Thumb/Pen drives
     Note: Disposal of paper copies cannot be ignored
             Sanitization Techniques
SOURCE:
GSA Standards of Good Practices
Sanitization of Sensitive But Unclassified (SBU)
Data from Magnetic Storage Media
 3. Sanitization Techniques: overwriting, degaussing, and destruction.
       Overwriting
Overwriting is an effective method for clearing data from hard magnetic media (hard drives and disks, but not
     floppy disks or tape). As the name implies, overwriting uses a program to write (1s, 0s, or a combination)
     onto the media. Common practice is to overwrite the media three times in alternating fashion
     "1010101010 ..." then "0101010101 ...." However, it is not uncommon to see overwrites of media up to
     eight times depending on the sensitivity level of the information. Overwriting should not be confused with
     merely deleting the pointer to a file (which typically happens when a delete command is used).
Overwriting requires that the media be in working order (ideally, a bad block map is made prior to sensitive
     data being introduced on the media and another map made after the overwrites). If bad blocks develop
     after the initial mapping which are not corrected during the “overwrite,” then the “overwrite” is
     considered to have "failed" at least insofar as the data potentially resident in the bad block. Similarly, if an
     initial bad block map was not made and bad blocks exist after the “overwrite,” we have to assume that
     sensitive data could potentially be on one of the bad blocks. At that point it's a risk decision whether you
     accept the “overwrite” or move on to degaussing or physical destruction of the media.
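The overwrite-and-verify procedure described above, as an added example (not GSA's code or that of any tool named on this page): it applies the three alternating passes to a constructed image file in a temporary directory, then reads every block back and reports the ones where the overwrite "failed." The `writer` hook and the dropped block are hypothetical, used only to simulate a bad block that develops after the initial mapping.

```python
import os
import tempfile

BLOCK = 4096
# Three alternating passes from the passage: 10101010, 01010101, 10101010.
PASSES = (0xAA, 0x55, 0xAA)


def overwrite_and_verify(path, passes=PASSES, block=BLOCK, writer=None):
    """Overwrite every block of `path` with each pattern, then read back.

    Returns the indexes of blocks that do not hold the final pattern; a
    non-empty list means the overwrite failed for those blocks.
    `writer` is a hypothetical hook used only to simulate a bad block.
    """
    write = writer or (lambda f, idx, data: f.write(data))
    size = os.path.getsize(path)
    nblocks = (size + block - 1) // block
    with open(path, "r+b") as f:
        for pattern in passes:
            for idx in range(nblocks):
                n = min(block, size - idx * block)
                f.seek(idx * block)
                write(f, idx, bytes([pattern]) * n)
            f.flush()
            os.fsync(f.fileno())  # push each pass out of the OS cache
        failed = []
        for idx in range(nblocks):
            n = min(block, size - idx * block)
            f.seek(idx * block)
            if f.read(n) != bytes([passes[-1]]) * n:
                failed.append(idx)
    return failed


def demo():
    """Run against a constructed 4-block image; never touches a real device."""
    marker = b"CONSTRUCTED-SBU-RECORD"
    with tempfile.TemporaryDirectory() as tmp:
        img = os.path.join(tmp, "disk.img")
        with open(img, "wb") as f:
            f.write(marker.ljust(BLOCK, b".") * 4)

        def drops_block_2(f, idx, data):  # simulated unwritable block
            if idx != 2:
                f.write(data)

        failed = overwrite_and_verify(img, writer=drops_block_2)
        with open(img, "rb") as f:
            residue = marker in f.read()
        retry = overwrite_and_verify(img)  # healthy media: all blocks written
        with open(img, "rb") as f:
            clean = f.read() == bytes([PASSES[-1]]) * (4 * BLOCK)
    return failed, residue, retry, clean


if __name__ == "__main__":
    print(demo())
```

A non-empty `failed` list is the point at which the risk decision in the passage applies: accept the overwrite, or move on to degaussing or destruction.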
       Degaussing
Degaussing is a method to magnetically erase data from magnetic media. Two types of degausser exist: strong
     permanent magnets and electric degaussers. Degaussers come in a variety of strengths, and are generally
     categorized as Type I (weakest magnetic field) to Type III (strongest magnetic field). Type I degaussers are
     not particularly useful given the proliferation of high density media -- they're just not strong enough. Type
     II's are generally used for floppy disks, but are generally not strong enough for the high density hard disks
     which typically require the Type III degaussers.
       Destruction
The final method of sanitization is destruction of the media by shredding, burning, sanding, or chemical
     decomposition. For hard disks, typically that means sanding to physically remove the top coated layers of
     the hard disk. Floppy disks and tape can sometimes be shredded. Burning and chemical decomposition
     generally pose some environmental hazards, and should be avoided if possible.
  Erasing and Recovery Levels
There are Levels 1 through 5. Which level do I use?

All levels erase the disk completely. The only difference is how difficult it
    would be for someone to recover data from the disk using sophisticated
    recovery tools (including scanning tunneling electron microscopes).
    Level 1 is the fastest, level 5 is the slowest. Level 5 is the most secure,
    level 1 is the least secure. I personally couldn't recover anything from a
    disk that had been cleaned with level 1, but someone with the know-
    how and a few thousand dollars could. I'm not guaranteeing anything,
    but I doubt the NSA could recover anything from a disk that had been
    cleaned with level 5. Level 3 meets most corporate and nonclassified
    government erasure specifications. Here's what each level does:

 1 - A single pass of all zero.
 2 - One pass of random data followed by one pass of all zero.
 3 - Three passes: all zero, all one, all zero.
 4 - Ten passes, some of which are random, followed by one of zero.
 5 - 25 passes, three of which are random.
                Sanitization Tools
SOURCE:
Below are just a few of Sanitization tools available:

Darik’s Boot and Nuke (“DBAN”)
WhiteCanyon WipeDrive.
New Technologies M-Sweep.
Paragon Disk Wiper.
DTI Data Disk Wipe.
Acronis Drive Cleanser.
East-Tec Disk Sanitizer.
LSoft Active@ KillDisk.
CyberScrub CyberCide.
Think System Mechanic 4 Pro/DriveScrubber Pro

Note: most meet DOD 5220-22M Standard for Sanitizing Drives:
“'Non-Removable Rigid Disks' or hard drives must be sanitized for reuse
   by overwriting all addressable locations with a character, its
   complement, then a random character and verify.”
   Security Risk: Ambient Data
Bottom Line: The deletion of a file or the reformat of a hard disk provides
    essentially no level of security. Left behind: Ambient data is a forensic term
    which describes, in general terms, data stored in non-traditional computer
    storage areas and formats:
                      - Windows Swap/Page File
These are "scratch pad" files to write data when additional random access memory
    is needed (100MB to over 1GB). They contain remnants of any work that may
    have occurred.

                     - Unallocated File Space
When files are erased or deleted the file is not actually erased. Data from the
  'erased file' remains behind in an area called unallocated storage space.

                        - File Slack
Files are stored in fixed length blocks of data called clusters. Rarely do file sizes
    exactly match the size of one or multiple clusters perfectly. The extra data
    storage space that is assigned to a file is called "file slack". File slack contains
    padded data from memory and remains undeleted.

                       - Shadow Data
Shadow data contains the remnants of computer data that was written previously to
   a track and it is located slightly outside the track's last write path.
                Contacts
GSA CHIEF INFORMATION OFFICER WEBSITE

        IT Security Points of Contact
  - GSA ISSM/ISSO Contact List 10/15/2004
          http://insite.gsa.gov/_cio/

  - OCIO Security Division (email)
          (ITSecrutiy@gsa.gov)
Free and Commercially Available
                     Sanitization Tools
  PROGRAM/COST/PLATFORM/COMMENTS
AutoClave http://staff.washington.edu/jdlarios/autoclave
Free
Self-booting PC disk
Writes just zeroes, DoD specs, or the Gutmann patterns. Very convenient and easy to use. Erases
     the entire disk including all slack and swap space.

CyberScrub www.cyberscrub.com
$39.95
Windows
Erases files, folders, cookies, or an entire drive. Implements Gutmann patterns.

DataScrubber www.datadev.com/ds100.html
$1,695
Windows, Unix
Handles SCSI remapping and swap area. Claims to be developed in collaboration with the US Air
     Force Information Welfare Center.

DataGone www.powerquest.com
$90
Windows
Erases data from hard disks and removable media. Supports multiple overwriting patterns.

Eraser www.heidi.ie/eraser
Free
Windows
Erases directory metadata. Sanitizes Windows swap file when run from DOS. Sanitizes slack space
     by creating huge temporary files.
Free and Commercially Available
       Sanitization Tools (Cont.)
  PROGRAM/COST/PLATFORM/COMMENTS
OnTrack DataEraser www.ontrack.com/dataeraser
$30-$500
Self-booting PC disk
Erases partitions, directories, boot records, and so on. Includes DoD specs in professional version
     only.

SecureClean www.lat.com
$49.95
Windows
Securely erases individual files, temporary files, slack space, and so on.

Unishred Pro www.accessdata.com
$450
Unix and PC hardware
Understands some vendor-specific commands used for bad-block management on SCSI drives.
     Optionally verifies writes. Implements all relevant DoD standards and allows custom patterns.

Wipe http://wipe.sourceforge.net
Free
Linux
Uses Gutmann's erase patterns. Erases single files and accompanying metadata or entire disks.

WipeDrive www.accessdata.com
$39.95
Bootable PC disk
Securely erases IDE and SCSI drives.
Free and Commercially Available
       Sanitization Tools (Cont.)
  PROGRAM/COST/PLATFORM/COMMENTS
Wiperaser XP www.liveye.com/wiperaser
$24.95
Windows
Erases cookies, history, cache, temporary files, and so on. Graphical user interface.
                         Other References
Office of Management and Budget Circular A-130, “Management of Federal Information Resources”,
     Appendix III, “Security of Federal Automated Information Resources.”
Establishes a minimum set of controls to be included in Federal IT security programs.

Computer Security Act of 1987.
This statute set the stage for protecting systems by codifying the requirement for Government-wide IT
     security planning and training.

Paperwork Reduction Act of 1995.
The PRA established a comprehensive information resources management framework including security
    and subsumed the security responsibilities of the Computer Security Act of 1987.

Clinger-Cohen Act of 1996.
This Act linked security to agency capital planning and budget processes, established agency Chief
     Information Officers, and re-codified the Computer Security Act of 1987.

Presidential Decision Directive 63, “Protecting America’s Critical Infrastructures.”
This directive specifies agency responsibilities for protecting the nation’s infrastructure, assessing
     vulnerabilities of public and private sectors, and eliminating vulnerabilities.

Presidential Decision Directive 67, “Enduring Constitutional Government and Continuity of Government.”
Relates to ensuring constitutional government, continuity of operations (COOP) planning, and continuity of
     government (COG) operations.

OMB Memorandum 99-05, Instructions on Complying with President's Memorandum of May 14, 1998,
     “Privacy and Personal Information in Federal Records.”
This memorandum provides instructions to agencies on how to comply with the President's Memorandum of
     May 14, 1998 on "Privacy and Personal Information in Federal Records."
          Other References (Cont.)
OMB Memorandum 99-18, “Privacy Policies on Federal Web Sites.”
This memorandum directs Departments and Agencies to post clear privacy policies on World Wide Web
    sites, and provides guidance for doing so.

OMB Memorandum 00-13, “Privacy Policies and Data Collection on Federal Web Sites.”
The purpose of this memorandum is a reminder that each agency is required by law and policy to establish
    clear privacy policies for its web activities and to comply with those policies.

General Accounting Office “Federal Information System Control Audit Manual” (FISCAM).
The FISCAM methodology provides guidance to auditors in evaluating internal controls over the
    confidentiality, integrity, and availability of data maintained in computer-based information systems.

NIST Special Publication 800-14, “Generally Accepted Principles and Practices for Security Information
    Technology Systems.”
This publication guides organizations on the types of controls, objectives, and procedures that comprise an
    effective security program.

NIST Special Publication 800-18, “Guide for Developing Security Plans for Information Technology
    Systems.”
This publication details the specific controls that should be documented in a system security plan.

								