Is The Data On Your CD Really Destroyed?

For A Few Thousand $, Blue Cross Could Have Saved $7 million

Stolen Computers Have Health Insurer Feeling Blue and Cross

Stolen Computers Trigger a Big Financial Bite and Public Relations Nightmares

ADDITIONAL LINKS:

  • Updates on New and Pending Legislation.
  • New Enterprise Level Data Erasure methods
  • NIST special publication 800-88 media sanitization guidelines

Can we just say this up front? The expenditure of a few thousand dollars in October could have saved BlueCross BlueShield of Tennessee $7 million (and counting) over the long term. That’s the amount of money the Chattanooga-based health insurer has spent so far on damage control from the latest high-profile private data breach to hit the medical services industry. It’s likely a fraction of what the final bill will total.

In October 2009, private data belonging to about 500,000 BCBS customers was stolen by unknown criminal parties, along with the 57 PCs on which it was stored. The decommissioned computers were warehoused in a vacant office building awaiting return to the vendor under the terms of the lease agreement. The hard drives contained a wide range of member records, including benefit I.D. numbers, social security numbers and possibly diagnoses or diagnostic codes. According to reports in the Chattanooga Times Free Press, the company has received 8,728 member calls related to the theft so far, and about 20,500 members of BlueCross plans have taken advantage of the company’s offer of free credit monitoring services.

BCBS of Tennessee is now in the process of identifying what data may have been on the drives and notifying customers about the privacy breach. Here’s the kicker: the deployment of an inexpensive, hardware-based HDD purging solution would not only have cleared the data from the drives, it would have also provided an audit trail to verify exactly what was destroyed. All 57 drives could have been erased in less than a day.

Because this type of data destruction technology is cited by NIST in its Media Sanitization Guidelines, Special Publication 800-88, Blue Cross would have been in automatic compliance with HITECH regulations. BCBS would have been exempt from penalties and most likely from notification requirements. To comply with the Health Information Technology for Economic and Clinical Health Act adopted last year, BCBS must notify attorneys general in 32 states.

The most troubling aspect of this scenario is that the base scenario – storage of decommissioned hard drives and other electronic media without purging end-of-life data files – is a series of disasters waiting to happen across the country and around the world.

A more complete summary of the HITECH bill’s provisions is available here.

Federal Personal Data Privacy Act Clears Judicial Committee

Personal Data Privacy and Security Act of 2009:

First of More Aggressive Federal Oversight

Personal Data Privacy and Security Act Specifies More Aggressive Sentences

ADDITIONAL LINKS:

  • Updates on New and Pending Legislation.
  • Comparison of hard drive erasure methods
  • NIST special publication 800-88 media sanitization guidelines

Senator Leahy’s new bill ups the ante for acts of data piracy and also for failure to report data breaches. Fraud involving digitized or electronic personally identifiable information (including identity theft) can be considered grounds for racketeering charges, which carry far more significant criminal penalties and sentences. The Act directs the U.S. Sentencing Commission to update its guidelines for fraudulent use of private data and for concealment of security breaches. As written, the new law will also establish an Office of Identity Protection under the FTC umbrella, and impose new standards on GSA contracts.

A more complete summary of the bill’s provisions is available here.

OMG! There’s a hard drive in my printer!

The IEEE has issued new data security standards for office printers and copy machines.
Is your networked printer a data breach waiting to happen?

by Sean O’Leary

While most of the world has been scrambling to fend off data breaches across the IT security spectrum, another problem has been lurking just below the surface. According to an article in DarkReading, an online data security newsletter published by InfoWeek, networked printers are a potential source of data breaches that have been all but ignored by both owners and security professionals. In response, the Institute of Electrical and Electronics Engineers (IEEE) has issued 2600 Profile, a new security standard that covers networked printers and copy machines. Otherwise known as the “IEEE P2600 family of standards for hardcopy devices and system security”, the initiative covers laser printers, copiers and other seemingly innocuous multifunction devices.

The new standards, developed by Xerox, Canon, Epson and other major players in the market segment, specify a number of guidelines for manufacturing and deploying secure printers, including password protection, hard drive encryption, electronic “shredding,” and security logs. They also include an overwrite function that destroys residual data on the disk, a feature Xerox has begun adding to its most recent models.

Residual data on what disk? Right. It’s easy to forget that copiers and digital printers incorporate computers into their inner workings and are equipped with hard drives the same as any PC or laptop. Not only are copiers and printers repositories of vast amounts of data, they are also components in the networked enterprise environment, and therefore vulnerable to hacking. Decommissioning or selling a printer therefore carries with it the same risk of data theft as a similar scenario for a PC.

According to the experts, no printer related data breaches have been reported. But as is so often the case with this sort of thing…it’s only a matter of time. Meanwhile, the new IEEE standards are in the process of certification and approval.

Comparing Software Overwriting to Hardware Devices for HDD Data Purging

Three key attributes separate software overwriting (clearing) HDD data sanitization methods from Secure Erase enabled hardware devices.
Not all erasure methods “see” the hidden areas of a hard drive
Firmware based Security Erase devices are able to access hidden partitions in order to erase hard drives

by Michael Cheslock

There are three major attributes that separate software overwriting (clearing) HDD data sanitization methods from Secure Erase enabled hardware devices. Getting each of these factors right is essential in developing an effective end of life protocol:

The first, and most important, is Security Compliance:
NIST Guidelines for Media Sanitization serve as the benchmark for hard drive sanitization methodologies in the United States. Although we still come across the term DoD 5220 fairly often, it is important to understand that it is a document regularly abused by software companies.

Despite the chatter, DoD 5220 has not recommended overwriting, or any other hard drive sanitization methodology, since the 1994 revision. No version of DoD 5220 since that year makes any mention of hard drive erasure methodologies. The only national guideline is NIST SP 800-88. This document clearly rates Secure Erase in a higher category than overwriting utilities (a “purge” of all data, versus a “clear”). Furthermore, specific devices such as CPR Tools’ Hammer offer a G-List remapped-sector data destruction utility called gRase. gRase accesses and erases data in “bad sectors” that most software tools (and many hardware tools) leave behind.

Within this category, the most pressing emerging concerns are certification and defensible audit trails. In the event of litigation, it is essential to be able to present a tamper-resistant log (with a checksum to demonstrate any changes to the drive after erasure) verifying that hard drives were sanitized in accordance with current guidelines. Software solutions in general have no automated logging capability that tracks which procedures are executed on which drives, who executes them, and when.

The next major factor is efficiency of Execution:
When you consider the basics, it should be obvious that firmware-based solutions are inherently more effective precisely because they are executed from the firmware of the drive. Interface, OS and BIOS barriers are all removed from the process.

Software overwriting tools are designed to write random bits of data to all user-accessible sectors of a drive. The software is loaded onto a machine or server, from which it executes the overwrite procedure. Most of these overwriting tools execute multiple passes. Outdated versions of DoD 5220.22-M recommended a triple overwrite, or three consecutive passes, to render hard drive data unrecoverable. But it is now understood, and has been for some time, that multiple passes do not offer any significant added assurance of security. A single pass is adequate for clearing media, but no number of passes will achieve a purge.

Many software applications give the user the ability to overwrite a particular partition, or section of a drive, and ignore others, effectively allowing the user to accidentally or deliberately overwrite less than the entire drive. For example, it is very easy to ask such applications to overwrite the “C drive” but not the “D drive”, when, in fact, both partitions exist physically on the same hard disk drive, and both contain sensitive information. User error is common when using software solutions, and it is a risk. On the other hand, high-end hardware devices are directly connected, and erase everything on any disk to which they are connected.

Furthermore, firmware executed procedures are impossible to interrupt externally. These, among other factors, are the reasons purging is ultimately recommended above clearing in NIST SP 800-88.

The final major factor is Speed:
Because Secure Erase is executed from the firmware, it is not limited by processor or bus speeds, or by the drive interface. It can execute a full secure erase on a drive in 1/18th the time it takes to perform a less effective 7-pass overwrite using software. Similarly, a triple overwrite procedure using software will take up to 8 times as long to perform as a more effective Secure Erase process, sometimes longer. In fact, when compared to even a single-pass overwrite, it is still often more than twice as fast.

Furthermore, software solutions disable the workstation during the entire procedure, severely hindering productivity.

Related to the speed issue is the surprising amount of electrical energy required to clear a hard drive using a software product. From a green perspective, the hardware devices are clear winners.

But that’s the subject of a different post.

Recycling Hard Drives without Purging Results in NARA data breach

70 Million Military Veterans’ records exposed due to lax end-of-life practices
NARA privacy breach could have been avoided by purging data on defective HDD

ADDITIONAL LINKS:

  • Updates on Regulatory topics affecting data security laws.
  • HIPAA privacy rule summary
  • NIST special publication 800-88 media sanitization guidelines

In November 2008, the National Archives and Records Administration (NARA) sent out an unsanitized hard drive for repair by the vendor. The drive, a component in a six-drive RAID array used in the administration’s eVetRecs system, contained an Oracle database with the health and discharge records of millions of veterans dating back to 1972. When outside contractor GMRI determined the drive to be defective, it was sent to another outside vendor for recycling – with the private information it contained intact.

Now, according to a story in Wired Online, a NARA IT manager is claiming that the agency’s ongoing practice of failing to sanitize hard drives before sending them off site exposes veterans to identity theft. Interviewed for Wired.com’s online privacy, crime and security page, Hank Bellomy, a NARA IT manager, charges that the failure to purge data from recycled drives is symptomatic of a larger problem among government record-keeping agencies. His comments to Wired are an indication of the frustration experienced by many other IT managers caught in a web of seemingly conflicting policies:

“I said you can’t turn them back in,” said Bellomy. “The data is Privacy Act — it’s against the law. We have no clue how many drives have been sent back over the past seven years since this system was in place. I am a government employee and I’m a veteran, and just this year had both my credit cards replaced because they were compromised.”

NARA is simultaneously claiming that the lost drives are no big deal and changing its policy in response to the criticism. The agency now requires that drives be destroyed in house. The agency’s position is that there is no problem here because it has signed privacy agreements with its contractors. Of course, the hole in the “vendor accountability” argument is made painfully clear by the fact that the missing drive still can’t be located.

This is where it gets complicated, because NARA’s maintenance contract requires that it return defective drives for inspection or else pay a $2,000 replacement fee. As we have discussed any number of times in this space, government agencies in general are experiencing confusion as to what the current standard might be for protecting end-of-life-cycle private data. In this case, the HDD in question represents a Catch-22 for NARA. In order to determine whether the drive is defective, it must be taken off premises, which is already a compromise of best practices. If they don’t send it out, they spend more taxpayer money on a new drive.

The solution to the quandary is referenced obliquely in the same article: remove the data prior to recycling. The National Institute of Standards and Technology (NIST) now recommends firmware-based purging methods that remove data on HDDs beyond the possibility of forensic recovery – without destroying the drive itself. (OMB rules also recommend that government agencies follow these same NIST standards.) The highest level of purging cited in the NIST guidelines is performed by a device called the SCSI Hammer, developed by forensic recovery experts CPR Tools. The device would have solved the NARA dilemma by removing the data from the drive while allowing it to be inspected and subsequently recycled. The SCSI Hammer also generates a legally defensible audit trail that details the drives’ unique serial numbers, the erasure and erasure verification processes used, and even a checksum to demonstrate changes to drive data after erasure. Whether the agency or the outside contractor is responsible for this potentially massive data breach is merely a technicality for the 70 million veterans whose private info is on the lost HDD. If it had been purged of data, there would not be a problem.

Read more about the SCSI Hammer here.

Stimulus Bill Includes Increases In Fines for HIPAA Privacy Breaches

New HITECH regulations include renewed focus on HIPAA compliance
The Stimulus Bill Includes Increases In Fines for HIPAA Privacy Breaches

ADDITIONAL LINKS:

  • Updates on Regulatory topics affecting data security laws.
  • HIPAA privacy rule summary
  • NIST special publication 800-88 media sanitization guidelines

It appears that some elements of the American Recovery and Reinvestment Act are having a positive effect on the economy. However, less prominent components of the massive legislative package may have a greater long-term impact on companies that manage and store private data. One such regulation is the HITECH Act, otherwise known as the Health Information Technology for Economic and Clinical Health Act. This $19.7 billion act is expected not only to expand the definition and enforcement of HIPAA compliance, but also to broaden the range of companies that must comply.

In general, the new Act imposes notification requirements on covered entities, business associates, vendors of personal health records (PHR) and related entities in the event of certain security breaches relating to protected health information (PHI). On a financial level, civil penalties for HIPAA violations have increased significantly, up to $1.5 million a year. In addition, unwarranted disclosure of personal health information (PHI) could result in criminal prosecution and potential jail time. A security breach that results in PHI being compromised must now be disclosed, and each affected individual must be notified. If more than 500 users are impacted, the event must be reported to the Dept. of HHS.

Read more about HITECH fines and penalties here.

Free Calculator Compares Electrical Costs for Data Destruction Methods

Free application compares electrical costs of software overwrite methods vs. firmware device to sanitize hard drives
Free Energy Calculator compares electrical costs of software overwrite methods vs. firmware device to sanitize hard drives

Generally speaking, the two emergent methods of erasing data from hard drives fall under the categories of software clear and hardware-based data sanitization products. The National Institute of Standards and Technology (NIST) rates these two technologies at the highest level of security for methods that don’t require physical destruction.

Software-based data destruction applications write patterns of meaningless data (a combination of 1s and 0s) onto the hard drive. This process usually requires several passes. The older Department of Defense standard required three passes of overwriting.

Hardware-based devices connect directly to the drive and wipe the data using Security Erase, an NSA-mandated protocol embedded in most ATA/SATA hard drives.

When comparing the relative benefits of software vs. hardware HDD data destruction technologies, one often overlooked factor is the electric bill. This is one area in which hardware based solutions have a clear advantage over software applications. Here’s why:

Software-based applications operate within the computer’s OS, so their processing speed is limited by the clock speed of the computer. For a large drive, the time required to overwrite the data may be considerable, running to hours or even days.

Hardware devices, on the other hand, erase hard drive data at the speed of the drive. Not only are these devices inherently faster than software clearing applications, they require only one erasing cycle. Since a hardware solution doesn’t require a computer at all, its energy requirement is much lower than that of software clear products.

Even many professionals aren’t aware that a PC crunching away on data can run up your electric bill. If you’re clearing one hard drive and have a few hours to spare, then the increase in cost probably won’t bankrupt you. However, for operations that need to erase data on an ongoing basis or that have multiple hard drives to sanitize as part of an end-of-life protocol, the numbers can be worth talking about.

To quantify the different energy requirements of hardware and software sanitization products, CPR Tools has developed an energy use calculator. This easy-to-use desktop utility allows users to compare the true energy costs of running eradication software (otherwise known as “clear” or “software overwrite”) with the cost of using the Hammer hand-held device. The utility may be downloaded at no charge here.

Accessing HPA and DCO Areas on Hard Drives

Not all erasure methods “see” the hidden areas of a hard drive
Firmware based Security Erase devices are able to access hidden partitions in order to erase hard drives

by Ray Leventhal
CPR Tools

Many hard drive manufacturers employ segmenting schemes or layers of obscurity that can be used to limit the apparent or visible capacity of a hard drive. DCO and HPA are two common features that can be used to alter the visible space on a drive, sometimes for the purpose of hiding data. When it comes to erasing this data, firmware-based ATA Security Erase methods are far more capable of accessing these areas than software methods.

HPA, or Host Protected Area, sets a hidden partition commonly used as a ‘recovery partition’. Manufacturers such as Dell and HP (and many others) use this space as a recovery partition to be used if the system is to be reset to factory conditions.

DCO, or Device Configuration Overlay, can also be used to limit the available space on a hard drive. It also provides additional device configuration functionality in its ability to toggle certain drive features. Some of these features include security, HPA support, 48-bit addressing support, UDMA levels and various S.M.A.R.T. settings. Not all drives support DCO, and of those that do, not all DCO features are supported.

Software erasure methods require the use of an operating system and a computer. Advanced users can hide information using HPA and DCO partitions, which essentially obscures the data from software erasure applications. Further, with software erasure methods, if the process is interrupted, the as-yet untouched portions of the drive will still contain whatever data was written there. In other words, when running software-based products to erase data, only the areas of the drive seen by the operating system can be addressed and erased.

For most drives, however, firmware-based ATA Security Erase products disregard any such limiting factors (HPA, DCO, etc.) and address the hard drive using the drive’s own firmware and logic. The operating system is therefore irrelevant to this process.

Note that not all products that support ATA Security Erase address HPA or DCO areas. Some, such as CPR Tools’ Hammer™ device, provide the option to specifically clear HPA and DCO partitions if they exist, prior to beginning an eradication process. CPR Tools’ best practice recommendations for ‘purge’ include the application of a random password before beginning the ‘purge’ process. This is recommended to ensure that any data is securely locked and unavailable, even if the eradication process is interrupted.

Finally, note that firmware-based products erase the drive at its highest available write speed, precluding the need to transfer data and update information to the operating system and software. This is why hardware eradication is a more certain process than software based data erasure.

An extended discussion of this topic may be found here.

FTC Getting Serious About Identity Theft Safeguards

Fines Up to $3,500 for Failure to Draft IT Security Plans

new FTC rules require written plans for data protection
New Safeguards Rule from the FTC requires an expanded list of businesses and organizations to submit data security plans

ADDITIONAL LINKS:

  • FACTA rule for disposal of sensitive consumer data.
  • The Sarbanes-Oxley Act
  • The Gramm-Leach-Bliley Act
  • HIPAA privacy rule summary
  • NIST special publication 800-88 media sanitization guidelines
  • Search all government regulations

Following a decade of state and federal data security legislation activity, the executive branch now appears poised to start enforcing those laws. Beginning August 1, the Federal Trade Commission will require businesses, non-profits and other organizations to draft written identity theft preparedness policies. The Safeguards Rule requires all affected organizations to design, implement and maintain safeguards to protect customer information.

The rule is intended to detail systemic procedures put in place to prevent breaches and theft of private electronic data. The plans pertain to the entire data life cycle, including data in motion, data at rest and end-of-life scenarios. The new rules apply to businesses that collect and store sensitive personal information, including names, addresses, Social Security numbers, bank-account and credit-card numbers, etc. Included in the new rules are retailers, financial institutions, credit card issuers, educational institutions, medical facilities, government agencies and trade associations.

Authorized under the Fair and Accurate Credit Transactions Act, the new “Red Flag” rules apply to a broader range of businesses than previously targeted, and authorize fines of up to $3,500 per incident.

The Gramm-Leach-Bliley Act grants authority to eight federal agencies and individual states to administer and enforce the Financial Privacy Rule and the Safeguards Rule. These two regulations apply to “financial institutions,” which include not only banks, securities firms, and insurance companies, but also companies providing many other types of financial products and services to consumers. Among these services are lending, brokering or servicing any type of consumer loan, transferring or safeguarding money, preparing individual tax returns, providing financial advice or credit counseling, providing residential real estate settlement services, collecting consumer debts and an array of other activities. Such non-traditional “financial institutions” are regulated by the FTC.

For an in depth treatment of end-of-life PC / Hard drive sanitation practices, please visit this link.

Your Private Data for Sale in Ghana?

Ghana Electronic Data Piracy Exploits Lax Electronic Data Destruction

e-waste ghettos in West African nations contain unknown amounts of private data
Is your decommissioned PC here?

ADDITIONAL LINKS:

  • NAID announces certification program
  • Overview of data destruction methods for hard drives

Northrop Grumman was among several corporations embarrassed when sensitive corporate data was discovered for sale in a stolen-information flea market in Ghana. The hairy security situation was revealed to the world in a June 2009 report by a team of journalists who originally set out to expose health and safety conditions in the electronic waste ghettos of West Africa. As a bonus, they discovered that the nations of West Africa have become a repository not only for the Western world’s electronic waste, but also for its “used” data. Not surprisingly, entrepreneurs in these impoverished places have discovered a data goldmine waiting to be exploited in PC hard drives that have not been purged or destroyed.

In the specific case of Northrop Grumman, the stolen information consisted of hundreds of sensitive documents relating to government contracts, including those with Defense agencies. However, data breaches and theft from decommissioned hard drives are increasing in virtually every aspect of commercial and consumer activity.

According to IT security experts, the process of establishing best practices for end-of-life data scenarios has been neglected to a large degree by government officials, IT professionals and corporate officials. As a result, data that was presumed erased or otherwise disposed of ends up in the wrong hands. For example, simply turning a PC or hard drive over to a third party “assets disposal” contractor doesn’t assure sensitive data has been destroyed. Organizations such as the National Association of Information Destruction (NAID) have implemented certification programs that assure data owners of a chain of custody.

With companies and organizations increasingly interested in recycling, the need for certified, legally defensible audit trails has seen an uptick. New “best practice” standards developed by NIST and other agencies are now emerging as corporations, organizations and government entities reassess the real life demands of custody and control. PC end-of-life strategies may include any number of scenarios, including physical destruction, recycling or re-deployment. Each one of these solutions requires that existing data be destroyed beyond recovery before committing to the final stage.

For an in depth treatment of end-of-life PC / Hard drive sanitation practices, please visit this link.