Media Sanitization
How to get rid of unwanted data so no one else can get it

Do You Have Sensitive Data
• Excel spreadsheet of names, addresses, phone numbers, SSN’s and credit card numbers
• Full database dump of KEAS or SIS
• Full time or student evaluations with names and SSN’s
• Financial data – departmental or personal
• Contacts in Outlook with addresses, e-mails, phone numbers and birthdays
• Any credit card transactions – customers or purchases
• Web forms accepting eID and password
• Saved usernames and passwords for websites, e.g. banks, retirement fund
• Blueprints for constructing a nuclear weapon

K-State Policy
Draft policy on computer disposal:

.085 Disposal of Computers and Electronic Media

After local disposition has been authorized, it is the responsibility of the department to ensure that all information is removed from computers and electronic media (e.g., magnetic tapes, CDs, DVDs, hard drives, diskettes, ZIP drives, USB drives, etc.) by physically destroying the media or overwriting the data utilizing approved data destruction procedures before it is disposed of by the department.

If the surplus computer is to be transferred to another entity for continued use, the license(s) for any software remaining on the computer, such as the operating system, must be transferable to the receiving department in order to maximize the value of the computer and ensure compliance with software license agreements. It is the responsibility of the transferring department to make sure no other copies are retained unless allowed by license agreements.

What can I do with it
• Keep it forever
• Throw it away
• Erase it
• Erase it securely – reuse media
• Erase it securely – don’t reuse media
• Destroy it
• Keep in mind that technology is constantly changing, take everything you hear with a grain of salt

Keep it forever
• A lot of people actually do this
• Easy and inexpensive
• Doesn’t get rid of it
• Someone gets to clean up the mess eventually

Throw it away
• Easy and inexpensive
• Be absolutely certain that there is no sensitive data on the device
• Almost impossible to guarantee – violation of policy

Erase it
• Drag all documents to recycle bin
• Empty recycle bin
• Format drive
• Sufficient to hide data from the casual looker
• Doesn’t remove data, just pointers in the file table
• Easy to recover data – Restorer 2000

Erase it securely – reuse media
• Usually a software based solution
• DBAN, Eraser, KillDisk
• Leaves the drive functional / reusable
• Options to meet most stringent guidelines (DOD, NIST)
• Device must be functional to begin with
• Time consuming
• Requires some tools and knowledge

Erase it securely – don’t reuse media
• Use a magnetic field to “scramble” magnetic domains on substrate
• Garner HD-1 (~$2000), degaussing ring
• May be used on any magnetic media – hard drives, tapes, floppy disks, etc.
• Generally destroys device (R/W heads) or erases low-level format – device unusable
• Potentially damaging to nearby devices
• Doesn’t work with optical media – CD’s, DVD’s

Destroy it
• Medium duty cross-cut shredder or microwave for CD’s, DVD’s
• Incinerate floppy disks
• Fast, inexpensive
• Doesn’t work for HD’s
• Dangers – toxic fumes or hazardous waste, fire hazard

Destroy it, page 2
• Crush HD’s – EDR Disk Crusher $11,500
• Drill or Cut HD’s – drill press or table saw with carbide tipped blades – the more tracks you sever the better
• Shred and/or melt HD’s – SEM Model 22 HDD - $50,000+, 3600 lbs.
  – Outsource ~$7/drive – sending drive off-site

Resources
• Darik’s Boot and Nuke http://dban.sourceforge.net/
• Eraser http://sourceforge.net/projects/eraser
• KillDisk http://www.killdisk.com/downloadfree.htm
• Garner HD-1 http://www.garner-products.com/pdf/hd-1.pdf
• EDR Disk Crusher http://www.edrsolutions.com/solution.asp
• SEM Model 22-HDD http://www.semshred.com/content551.html
• NIST Guidelines http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf
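
Added example (not from the original slides): the contrast between the "Erase it" and "Erase it securely – reuse media" slides, in Python. A constructed image file stands in for a drive; the function names and the fake record are assumptions made for this illustration, and the single zero-fill pass with read-back is not a description of what DBAN, Eraser or KillDisk do internally.

```python
import os
import tempfile

CHUNK = 1024 * 1024  # read and write in 1 MiB chunks

def raw_scan(path, needle):
    """True if `needle` occurs anywhere in the raw bytes of `path`,
    including across chunk boundaries (what a recovery tool would see)."""
    keep = len(needle) - 1
    tail = b""
    with open(path, "rb") as f:
        while True:
            block = f.read(CHUNK)
            if not block:
                return False
            if needle in tail + block:
                return True
            tail = block[-keep:] if keep else b""

def overwrite_and_verify(path, fill=0x00):
    """Overwrite every byte of `path` in place with `fill`, force it to
    stable storage, then read it all back. Returns bytes verified."""
    with open(path, "r+b") as f:
        size = f.seek(0, os.SEEK_END)
        f.seek(0)
        remaining = size
        while remaining:
            n = min(CHUNK, remaining)
            f.write(bytes([fill]) * n)
            remaining -= n
        f.flush()
        os.fsync(f.fileno())  # do not trust the OS write cache
        f.seek(0)
        verified = 0
        while verified < size:
            block = f.read(min(CHUNK, size - verified))
            if not block or block.count(fill) != len(block):
                raise IOError(f"verification failed near offset {verified}")
            verified += len(block)
    return verified

def make_sample_image(size=3 * CHUNK + 4096):
    """Constructed stand-in for a 'formatted' drive: filler bytes plus a
    fake record left behind, straddling a chunk boundary."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(os.urandom(size))
        f.seek(CHUNK - 8)
        f.write(b"SSN=000-00-0000;NAME=CONSTRUCTED")
    return path
```

The read-back pass only proves that the addressable bytes now hold the fill value; sectors a drive has remapped out of view are not reachable this way, which is one reason the slides also list degaussing and physical destruction.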