How would you ensure secure media sanitization SSD?

Shredding

A simple form of media sanitization is shredding, a type of physical destruction. Though this term is sometimes used in relation to overwriting of data, here shredding refers to the process of making data printed on hard copy, or on smaller objects such as floppy or optical disks, unrecoverable. Sensitive information such as printed information needs to be shredded prior to disposal in order to thwart a dumpster diving attack. Dumpster diving is a physical attack in which a person recovers trash in hopes of finding sensitive information that has not been securely erased or destroyed.

Shredding

A simple form of media sanitization is shredding, a type of physical destruction. Though this term is sometimes used in relation to overwriting of data, here shredding refers to the process of making data printed on hard copy, or on smaller objects such as floppy or optical disks, unrecoverable. Sensitive information such as printed information needs to be shredded prior to disposal in order to thwart a dumpster diving attack.

Paper shredders cut paper to prevent object reuse. Strip-cut shredders cut the paper into vertical strips. Cross-cut shredders are more secure than strip-cut, and cut both vertically and horizontally, creating small paper “confetti”. Given enough time and access to all of the shredded materials, attackers can recover shredded documents, though it is more difficult with cross-cut shredders.

Dumpster diving is a physical attack in which a person recovers trash in hopes of finding sensitive information that has been merely discarded in whole rather than being run through a shredder, incinerated, or otherwise destroyed. Figure 3.1 shows locked shred bins that contain material that is intended for shredding. The locks are intended to ensure that dumpster diving is not possible during the period prior to shredding.

Encryption as a Countermeasure

Let’s start by first mentioning cryptography in a general sense. After all, the TPM device and TPM services in Windows Vista are obviously focused on encryption. The TPM is mainly designed to create, store, and protect encryption keys, password hashes, and digital certificates.

The first thing we should say here is that no single countermeasure will fully protect digital assets from attack. In fact, there is probably not a combination of countermeasures that can ensure 100 percent protection from attack. Cryptography is no exception to that rule. Consider this as you read vendor product claims, white papers, and other industry articles that tout TPM as the end of your search for a secure enterprise.

Several sources are currently touting media sanitization as a feature of the TPM. The argument goes that you can clear the TPM in a matter of seconds, and your data is gone. No more spending money on and waiting hours for National Security Agency (NSA) media sanitization procedures to work. Just clear the TPM and your data is gone forever. There are two important points here:

When you clear the TPM your data is not gone. Only the key that was used to wrap the key that was used to encrypt that data is gone. The data, in encrypted form, still exists on the drive.

Encryption can be defeated by brute force attacks.

This is not meant to argue that encryption is insecure. The fact of the matter is that with current computing power, it would take a state-of-the-art desktop machine more than 100 trillion years to brute force your data if it is encrypted using the 128-bit Advanced Encryption Standard (AES)! Obviously, if it takes trillions of years to crack into your data, it’s safe. We raise this issue only because a lot of talk is circulating about using the clearing of the TPM as a media sanitization method, when technically speaking, the data is not destroyed and it can be attacked using brute force. Now those brute force attacks may very well remain infeasible for the next 2,000 years. However, there is a chance that leaps in the power of computers over the next two decades or a flaw discovered in the AES algorithm could make brute forcing a 128-bit AES encryption seem as easy as cracking the Data Encryption Standard (DES) is today.

Tools & Traps…

Now that we’ve addressed that caveat, let’s look at the power at our fingertips. Where the TPM and its capability to give us a more robust encryption platform help the most is simply in the fact that the data we are protecting is increasingly moving outside the walls of the enterprise. As we mentioned before, employees are going ever more mobile, with laptops replacing desktops, and cell phones, PDAs, and even MP3 players providing more and more storage and remote connectivity features. Those firewalls, proxies, DMZs, and other layered perimeter protection rings we designed and built in the past are doing a great job at keeping the bad stuff out. What we have increasingly less ability to do is keep the assets we protect in.

This is where encryption and the trusted platform come to the rescue. Encrypting data, especially when we utilize full-disk encryption technologies such as BitLocker Drive Encryption, allows us to create an environment where employees are carrying our security perimeter with them wherever they go. That encryption creates a boundary wherever the device and the data are between the data and the outside world. There are, of course, already software-only solutions for full-disk encryption, but the TPM provides better protection of encryption keys because key recovery techniques that may have worked fairly well against keys held in software are not likely to work against keys protected by the TPM.

Our protection is strengthened even more by the fact that many normal attacks which involve subverting the system software will not work. As soon as part of the system has been modified, the chain of trust will cease to extend to that part of the system. The platform will not load, and the data will not be able to be recovered by simply creating a backdoor in some poorly coded software. The only piece of software we have to rely upon is the tiny bit of code known as the CRTM. Because this code is small and relatively simple, it is easier to ensure that there are no vulnerabilities in it. Buffer overflows and backdoors tend to get lost in a program of tens of thousands of lines of code.

Either brute force cracking methods or attacks on the hardware itself will be required. As long as the data was encrypted using large keys and a secure algorithm, brute force attacks will prove to be a fruitless endeavor, and hardware attacks require a lot more skill and resources than running the canned attack code available on the Internet which is used against software.

Notes from the Underground…

Media sanitation

The information security concern regarding information disposal and media sanitization resides not in the media but in the recorded information. The issue of media disposal and sanitization is driven by the information placed intentionally or unintentionally on the media.

Information systems capture, process, and store information using a wide variety of media. This information is located not only on the intended storage media but also on devices used to create, process, or transmit this information. These media may require special disposition in order to mitigate the risk of unauthorized disclosure of information and to ensure its confidentiality. Efficient and effective management of information that is created, processed, and stored by an information technology (IT) system throughout its life, from inception through disposition, is a primary concern of an information system owner and the custodian of the data.

With the use of increasingly sophisticated encryption, an attacker wishing to gain access to an organization's sensitive information is forced to look outside the system itself for that information. One avenue of attack is the recovery of supposedly deleted data from media. These residual data may allow unauthorized individuals to reconstruct data and thereby gain access to sensitive information. Sanitization can be used to thwart this attack by ensuring that deleted data cannot be easily recovered.

When storage media are transferred, become obsolete, or are no longer useable or required by an information system, it is important to ensure that residual magnetic, optical, electrical, or other representation of data that has been deleted is not easily recoverable. Sanitization refers to the general process of removing data from storage media, such that there is reasonable assurance that the data may not be easily retrieved and reconstructed.

Information disposition and sanitization decisions occur throughout the system life cycle. Critical factors affecting information disposition and media sanitization are decided at the start of a system's development. The initial system requirements should include hardware and software specifications as well as interconnections and data flow documents that will assist the system owner in identifying the types of media used in the system.

Media Sanitation

The information security concern regarding information disposal and media sanitization resides not in the media but in the recorded information. The issue of media disposal and sanitization is driven by the information placed intentionally or unintentionally on the media.

Information systems capture, process, and store information using a wide variety of media. This information is located not only on the intended storage media but also on devices used to create, process, or transmit this information. These media may require special disposition in order to mitigate the risk of unauthorized disclosure of information and to ensure its confidentiality. Efficient and effective management of information that is created, processed, and stored by an IT system throughout its life, from inception to disposition, is a primary concern of an information system owner and the custodian of the data.

With the use of increasingly sophisticated encryption, an attacker wishing to gain access to an organization’s sensitive information is forced to look outside the system itself for that information. One avenue of attack is the recovery of supposedly deleted data from media. These residual data may allow unauthorized individuals to reconstruct data and thereby gain access to sensitive information. Sanitization can be used to thwart this attack by ensuring that deleted data cannot be easily recovered.

When storage media are transferred, become obsolete, or are no longer usable or required by an information system, it is important to ensure that residual magnetic, optical, electrical, or other representation of data that has been deleted is not easily recoverable. Sanitization refers to the general process of removing data from storage media, such that there is reasonable assurance that the data may not be easily retrieved and reconstructed.

Information disposition and sanitization decisions occur throughout the system life cycle. Critical factors affecting information disposition and media sanitization are decided at the start of a system’s development. The initial system requirements should include hardware and software specifications as well as interconnections and data flow documents that will assist the system owner in identifying the types of media used in the system.

Memory and Remanence

The 2015 exam update added timely topics such as remanence properties of SSDs, discussed next, followed by a discussion of computer memory itself.

Media sanitization or destruction of data

It is time to destroy data or its associated media once an organization has identified that it is no longer operationally or legally required. While some data might not be sensitive and so not warrant thorough destruction, an organization will have data that must be verifiably destroyed or otherwise rendered nonusable if the media on which it is housed is recovered by a third party.