Data sanitisation – protecting confidential data from recovery

Assets that are reused or disposed of must be subject to an appropriate sanitisation process so that confidential information cannot be recovered. Many organisations do not sanitise data storage before re-using it internally. More worryingly, many do not sanitise storage media before devices are sold on, leaving the organisation exposed to data theft, industrial espionage and potential extortion.

There are a number of risks that an appropriate disk sanitisation process treats:

  • Recovery of confidential information by an employee when a device is re-used. For example, reassigning an end user device to a malicious employee may allow recovery of data that can be used to violate privacy, access confidential corporate data and, in some cases, extort or blackmail either the business or the original user.
  • Recovery of corporate data after a device is sold. Storage devices decommissioned as part of a regular hardware refresh could be obtained by threat actors and the confidential data on them extracted.
  • Removal of residual deleted data from devices, which helps to implement data retention and deletion policies. This is less obvious than the two examples above, but with the widespread availability of forensic tools, residual data could be recovered and put the organisation in a data breach situation.

These risks are not far-fetched. The regular analysis of second-hand hard drives by the University of Glamorgan and BT has uncovered substantial quantities of data on devices that were put up for sale, including data on intercepting intercontinental ballistic missiles, bank details, NHS records, security logs from embassies, data from a major defence contractor and more.

The Glamorgan-BT study showed 40-50% of used hard drives contain sensitive data.

In the age of GDPR, the consequences to an organisation of such public discoveries could be substantial. The residual data could be there because the hard drive came from an ex-corporate system or, more worryingly, because data was copied off a corporate system onto a personal device. See my previous blog post on removable device controls for options for the latter.

So what can be done about this? The solution, as with all information security challenges, is part process and part technology. At a corporate level, establish a process that manages all forms of digital media, mapping their lifecycle from first use through to disposal. This should specify how media is handled as it enters and exits the IT function.

Commissioning, changes of custodian, re-use for other projects, indeed any event that changes the relationship between the data custodian and the data being used, is fair game for some form of data sanitisation process. Moreover, drives entering the organisation should be routinely wiped so that any malware payload in the data area is comprehensively removed; bear in mind that overwriting the data area does not address malicious drive firmware.

When it comes to disposal of data storage devices, drive wiping is essential. However, the process used depends on the outcome of the data risk assessment, and standards such as IAS5 are flexible in how this is approached depending on the data concerned. For example, a device that has only processed public news feeds for an information display and will be re-used for the same purpose is in a different risk category from a device used to routinely process payroll data that is being sold on eBay. It is important for an organisation to set out a policy or standard on what it considers appropriate sanitisation based on contextual factors such as data type, user and so on.

For data at the lowest protective marking of an organisation, good commercial tools may be sufficient. A sensible algorithm should be selected, for example HMG InfoSec Standard No. 5 Lower Standard (2 pass). This allows for non-destructive sanitisation and re-use of a device within the organisation, or sale of the device to recoup IT capital expenditure, balancing information security risk, cost and flexibility. For example, at the time of writing, Blancco would service this requirement with the added benefit of NCSC CPA certification.

Some device types have to be approached carefully. An example is an SSD, where the capabilities of traditional wiping tools may be insufficient. In an SSD the Flash Translation Layer (FTL) maps logical block addresses onto physical flash pages dynamically and writes out of place: an overwrite of a logical block is programmed into a fresh page, and the page holding the old data is merely marked stale until the controller's garbage collection erases it. Over-provisioned and retired blocks are never exposed to the host at all. A software wipe therefore only reaches the logical layer, not the physical one; in simple terms, the device may report that data is wiped when physically it is not. Where an SSD must be re-used rather than destroyed, the drive's own firmware-level commands (ATA Secure Erase, NVMe Sanitize, or a cryptographic erase that discards the drive's internal key) are designed to reach the physical layer, but their correctness rests entirely on the vendor's firmware and should be checked against the certification in use.
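The following is an added illustration of the FTL problem described above; it is not code from the original post or from any drive vendor. It models a deliberately tiny SSD (page size, page counts and the payroll record are all constructed) whose controller writes out of place and never runs garbage collection, then compares what a wiping tool's own read-back sees with what a raw read of the flash sees. The firmware_sanitise method stands in for a device-level erase and is an assumption about ideal firmware behaviour, not a guarantee any real drive offers.

```python
PAGE_SIZE = 16     # bytes per flash page; tiny constructed geometry
LOGICAL_PAGES = 4  # pages the host can address
SPARE_PAGES = 8    # over-provisioned pages the host never sees


class ToySSD:
    """Minimal FTL model: every write goes to a fresh physical page and the
    old page is only marked stale. No garbage collection runs, which is the
    worst case for residual data but a realistic state right after a wipe."""

    def __init__(self):
        self.flash = [bytes(PAGE_SIZE)] * (LOGICAL_PAGES + SPARE_PAGES)
        self.mapped = [False] * len(self.flash)
        self.l2p = {}            # logical page -> physical page
        self.next_free = 0

    def write(self, lpage, data):
        assert len(data) == PAGE_SIZE
        if self.next_free == len(self.flash):
            raise RuntimeError("out of free pages; a real FTL would GC here")
        old = self.l2p.get(lpage)
        if old is not None:
            self.mapped[old] = False      # stale, but contents untouched
        p = self.next_free
        self.next_free += 1
        self.flash[p] = data
        self.mapped[p] = True
        self.l2p[lpage] = p

    def read(self, lpage):
        """Host-visible read: what a wiping tool's verify pass sees."""
        return self.flash[self.l2p[lpage]]

    def firmware_sanitise(self):
        """Assumed model of a device-level erase (ATA Secure Erase / NVMe
        Sanitize): the controller erases every block, mapped or not."""
        self.flash = [bytes(PAGE_SIZE)] * len(self.flash)
        self.mapped = [False] * len(self.flash)
        self.l2p = {}
        self.next_free = 0


def host_overwrite(ssd, patterns):
    """Software wipe as a tool does it: overwrite every logical page per pass."""
    for pat in patterns:
        for lpage in range(LOGICAL_PAGES):
            ssd.write(lpage, pat * PAGE_SIZE)


def host_view_clean(ssd, final_pattern):
    """True if every logical page reads back as the last pattern written."""
    return all(ssd.read(l) == final_pattern * PAGE_SIZE
               for l in range(LOGICAL_PAGES))


def physical_pages_holding(ssd, needle):
    """Raw-flash view (chip-off or vendor debug interface): physical page
    numbers that still contain the needle, regardless of mapping."""
    return [i for i, page in enumerate(ssd.flash) if needle in page]


SECRET = b"PAYROLL-2019-Q1!"   # constructed 16-byte record, exactly one page


def demo():
    ssd = ToySSD()
    ssd.write(0, SECRET)
    host_overwrite(ssd, [b"\x00", b"\xff"])   # two-pass logical overwrite
    after_overwrite = (host_view_clean(ssd, b"\xff"),
                       physical_pages_holding(ssd, SECRET))
    ssd.firmware_sanitise()
    after_sanitise = physical_pages_holding(ssd, SECRET)
    return after_overwrite, after_sanitise


if __name__ == "__main__":
    (clean, residual), after = demo()
    print("host read-back clean:", clean)
    print("physical pages still holding the secret:", residual)
    print("after firmware sanitise:", after)
```

After the two-pass overwrite the host-side verify reports every logical page clean, yet physical page 0 still holds the payroll record because the controller never reused it. Only the device-level erase clears it, and on real hardware that step is only as trustworthy as the firmware implementing it, which is why the certification caveats in the rest of this post matter.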

For magnetic media, a suitable tool is Blancco which, while NCSC CPA certified, carries a caveat in the NCSC security procedures document that the certification does not extend to its SSD wiping module. Similarly, hybrid HDDs, floppy disks, tape and optical discs are not covered.

Software tools also have to be handled carefully, and at all times the wiping software must be protected to ensure its ongoing integrity. Starting with the initial download, the wiping product should be verified against multiple independently obtained checksums, ideally fetched over separate Internet connections, and against the vendor's signature where one is published. A cloud-based multi-engine file scanning service could also be used as an additional check.
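As an added example of the multi-source checksum check above (not code from the original post or from any wiping vendor), the function below accepts a downloaded tool image only when at least two independently obtained manifests in the sha256sum text format list the file, all of them agree, and the file actually matches. The file contents, manifest sources and filename in the demo are constructed; in practice the manifests would come from the vendor's site and a mirror fetched over a separate connection.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text):
    """Parse sha256sum output: one '<hex digest>  <filename>' per line.
    A leading '*' on the filename marks binary mode and is stripped."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        entries[name.strip().lstrip("*")] = digest.strip().lower()
    return entries


def verify_download(path, filename, manifests, min_sources=2):
    """Accept the file only if at least min_sources manifests list it, every
    listed digest agrees, and the file matches. Returns (accepted, reason).
    Digest comparisons use compare_digest so the check does not leak timing."""
    actual = sha256_of(path)
    published = []
    for source, text in manifests.items():
        digest = parse_manifest(text).get(filename)
        if digest is None:
            return False, f"{source}: no entry for {filename}"
        published.append((source, digest))
    if len(published) < min_sources:
        return False, f"only {len(published)} source(s), need {min_sources}"
    reference = published[0]
    for source, digest in published[1:]:
        if not hmac.compare_digest(digest, reference[1]):
            return False, f"sources disagree: {reference[0]} vs {source}"
    if not hmac.compare_digest(actual, reference[1]):
        return False, "file does not match the published digest"
    return True, "all sources agree and the file matches"


def demo():
    # Constructed stand-in for the downloaded wiping tool image.
    tool = b"WIPETOOL-ISO-CONSTRUCTED-SAMPLE\n" * 64
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(tool)
        path = f.name
    try:
        good = hashlib.sha256(tool).hexdigest()
        name = "wipetool.iso"
        vendor = f"{good}  {name}\n"
        mirror = f"{good} *{name}\n"
        # A manifest fetched over a compromised path carries a different digest.
        tampered = f"{'0' * 64}  {name}\n"
        return (
            verify_download(path, name, {"vendor": vendor, "mirror": mirror}),
            verify_download(path, name, {"vendor": vendor, "mirror": tampered}),
            verify_download(path, name, {"vendor": vendor}),
        )
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for accepted, reason in demo():
        print(accepted, reason)
```

The third case is the one most often skipped: a single checksum published next to the download on the same page proves only that the download and the page were not corrupted in transit, not that neither was substituted, so the check refuses to proceed with one source.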

The tool itself must be configured appropriately, for example to meet CPA or other suitable authority guidelines. The underlying device must also be configured correctly; the typical example is write-protection of the MBR, which may cause a wiping tool to exit prematurely without wiping the disk. Finally, when wiping is completed a certificate must always be generated, and ideally a copy held with the wiped device in an anti-static storage bag or container.

Ensure all media devices are appropriately labelled according to their state at all stages of the process. You should also have an incident management process in-place to handle any security-related event.

More sensitive data storage devices can be subjected to further processing, for example HMG InfoSec Standard No. 5 Higher Standard (3 pass). Products like Blancco support a number of different algorithms, whose main variable cost is time: the more extended the process, perhaps involving multiple passes or expensive random number generation, the longer it takes to complete.
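To make the multi-pass overwrite, read-back verification and certificate record described in the last few paragraphs concrete, here is an added example that is not code from the post or from Blancco. It treats an ordinary file as a stand-in for a raw block device. The pass schedules, asset tag, operator name and payroll-like record are constructed placeholders; the schedules are illustrative and are not a transcription of IS5, so substitute the patterns, pass count and verification rules of whatever standard you adopt.

```python
import hashlib
import json
import os
import tempfile
import time

CHUNK = 1 << 16

# Illustrative pass schedules (assumed, not a transcription of any standard).
# None means a fresh cryptographically random pattern for that pass.
SCHEDULES = {
    "lower-2pass": [b"\x00", b"\xff"],
    "higher-3pass": [b"\x00", b"\xff", None],
}


def _fill(pattern, size):
    return os.urandom(size) if pattern is None else pattern * size


def overwrite_pass(path, pattern):
    """Overwrite the whole image with one pass and return the SHA-256 of the
    bytes written, which is what a read-back must reproduce."""
    size = os.path.getsize(path)
    h = hashlib.sha256()
    with open(path, "r+b") as f:
        for off in range(0, size, CHUNK):
            block = _fill(pattern, min(CHUNK, size - off))
            f.write(block)
            h.update(block)
        f.flush()
        os.fsync(f.fileno())   # push the write to the device, not just the cache
    return h.hexdigest()


def image_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def sanitise(path, schedule, asset_tag, operator):
    """Run the schedule, read the image back to verify the final pass, and
    return the record that would be printed as the wipe certificate."""
    passes = SCHEDULES[schedule]
    digests = [overwrite_pass(path, p) for p in passes]
    # The final pass is what remains at the logical layer, so that is what is
    # verified; the digest of every pass is kept as evidence of the run.
    verified = image_digest(path) == digests[-1]
    return {
        "asset_tag": asset_tag,
        "operator": operator,
        "method": schedule,
        "passes": len(passes),
        "size_bytes": os.path.getsize(path),
        "pass_digests_sha256": digests,
        "verified": verified,
        "completed_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }


def demo():
    secret = b"NI-NUMBER QQ123456C SALARY 41250\n"   # constructed payroll-like record
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(secret * 4096)     # roughly 128 KiB stand-in for a device
        path = f.name
    try:
        record = sanitise(path, "higher-3pass", "LAPTOP-0042", "j.bloggs")
        with open(path, "rb") as f:
            residual = secret in f.read()
        return record, residual
    finally:
        os.unlink(path)


if __name__ == "__main__":
    rec, residual = demo()
    print(json.dumps(rec, indent=2))
    print("residual secret found:", residual)
```

Two caveats apply when lifting this onto real hardware. First, it only models a raw block device: against a regular file on a copy-on-write filesystem, or against an SSD, the rewritten blocks may land somewhere new and the old ones persist, exactly the FTL problem discussed above. Second, the record is only evidence if it is protected; a tool that lets the operator edit the certificate after the fact, or that leaves it on the same machine as the wipe queue, hands the insider discussed later in this post an easy way to cover a skipped drive.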

For highly sensitive data storage devices and/or non-functioning data storage devices, a range of destructive techniques are available, typically centring on the use of a degausser such as the Kroll Ontrack Degausser (version 3.0 and later are CPA certified). These render the device unusable. A degausser works by applying a strong magnetic field to the media, destroying the residual data. There are limitations, however: CPA certification only covers media manufactured up to and including the date of certification, not later, since newer media may exceed the coercivity the certified field strength was tested against. In addition, optical and solid state devices cannot be wiped with a degausser, and results on hybrid drives are unreliable. Where the device still functions, it is best to combine a non-destructive overwrite with the degausser to ensure reliable data removal; the unsuitable device types mentioned will require alternative methods.

Other options include physical shredding, both for highly sensitive devices and for device types that cannot be wiped through software (e.g. optical, hybrid and SSD). This is sometimes available as a mobile service.

One might think that in an age of Full Disk Encryption (FDE) the need for data sanitisation is removed: in the re-use scenario, the keys for the device could simply be thrown away and the device re-imaged. In practice that is not always enough, because FDE is only as secure as the security policy that governs it. An attacker (such as an “evil maid”) targeting an FDE-protected device without a TPM may plant a malicious bootloader to capture the PIN or pass phrase, and with it the master key. If the device is later re-imaged without sanitisation, sectors the new image has not touched still hold the original ciphertext, and an attacker who images the disk and already holds the key can decrypt them. Had sanitisation been undertaken, both the original data and the newly encrypted data would be protected.

What is often overlooked is the risk of the sanitisation activity itself: introducing a process for wiping your storage devices can, paradoxically, create new risks, and a significant one is the insider threat. By creating a sanitisation process and centralising it, typically in a single individual or team, organisations can unwittingly create a much greater payoff for a malicious insider who is able to subvert it.

A person involved in data sanitisation could swap hard drives and retain the originals for later analysis, alter the sanitisation process to introduce weaknesses, transfer data off devices (perhaps using a recovery key escrowed in AD), and so on. In most sanitisation processes devices will be held in a queue, and the protection of that queue is important. The media that carries the wiping tool must also be protected against tampering. “Hard drive mountains” of disks awaiting wiping are easily created, and most removable media devices do not have unique asset tags, making the management of such stockpiles challenging. It is important to consider the management of data sanitisation holistically, to minimise any additional technical risk.

Data sanitisation process and technology are both significant undertakings, and require good planning and organisational measures. But the benefits are significant too: a well-implemented sanitisation policy, including destructive methods, will go a long way towards improving data hygiene and GDPR compliance.

Three things you can do now:

  • Build up a policy based on leading standards such as IAS5 and NIST SP 800-88 R1
  • Execute the policy using certified products, test it, and subject it to continuous improvement (for example as part of ISO 27001 ISMS PDCA)
  • Incorporate the sanitisation policy in organisational risk assessments and treat risks to create acceptable residual risk levels