Data Destruction – CompTIA Security+ SY0-501 – 5.8

What’s the best way to permanently remove data from a storage device? In this video, you’ll learn about the challenges associated with destroying data.

<< Previous Video: Security Controls Next: Handling Sensitive Data >>

As we think about the lifecycle of all of our systems and data, at some point there will be a need to dispose of our systems and the storage devices that hold our data. Many environments have restrictions on exactly what type of data you’re able to destroy. In those cases, you may need to store the data offsite instead of destroying it.

If you are planning to dispose of storage devices, you certainly don’t want to put them out with the normal trash. People do manage to find these devices by rummaging around in your dumpsters. And you certainly don’t want any of your data to be in the hands of a third party.

If you’re planning to reuse these storage devices, then you need some method to make sure that all of the data on that device has been sanitized. You don’t want to move these storage devices between systems and then find out that some of the old data now exists on the new system.

Sometimes important information can be thrown out with the trash. You don’t want someone going into your trash bins to find it. You may want to consider securing your garbage by putting a fence and a lock around your dumpsters.

Many organizations have a policy for shredding their documents. So even if somebody did come across all of this disposed data, they would have to put everything back together again, which would certainly take a lot of time. It’s common for governments to avoid this completely by simply burning everything that they never want anyone else to be able to see.

If you do plan on burning these documents, there’s no going back. So make sure that the documents that are sent to be incinerated are not documents that you’re going to need later.

Another form of disposal where there’s no going back is turning all of that paper into pulp and using it as recycled paper. This is where the paper is put into a large tank to remove the ink. The paper is then pulped to create recycled paper.

If you need to destroy a physical storage device, then you may want to think about shredding it or pulverizing it. This uses machinery to break up the components themselves and completely destroying the storage device. You can do the same thing yourself if you have a drill or a hammer. You can drill directly through all of the platters, rendering them unreadable.

You can also do this more elegantly by using electromagnetics. A degausser will send a magnetic field throughout the device, which will remove all of the data from the storage platters and destroy all of the electronics on the device. And like paper, we can use heat to incinerate these products, making sure that they are completely destroyed.

Many organizations don’t perform this destruction themselves. They may bring in a third party that shreds all of their paper. Or they may hand off all of their storage devices to go into a pulverizer or that’s owned by a third party.

If you are working with a third party to provide this service, then you need some type of verification that the destruction is complete. You want to be sure that you get a certificate of destruction that creates a paper trail verifying that all of the data you gave to this third party was completely destroyed.

There may be times when you would like to be able to reuse some of the storage media for another system. In those cases, we need some way to sanitize or purge the data, either from part of the existing data store or database, or from the entire storage device. In those cases, it may be useful to use a piece of software that can wipe the data, either from a section of a storage device, or it can delete everything that might be on a particular storage medium.

An example of problems that occur during the destruction process happened in July of 2013 with the UK National Health Service Surrey. They provided hard drives to a third party. They wanted all of them destroyed. There were 3,000 patient records on these devices, and they received a destruction certificate from the third party.

Unfortunately, the drives were not actually destroyed, and they ended up on eBay and were sold to someone else. This person contacted authorities, and the National Health Service was fined over 200,000 pounds.

There were some very simple things that could have been done prior to handing off these drives to a third party. If you needed to securely delete certain files, you could have used Sdelete, which is part of the downloads from Microsoft Windows Sysinternals.

If you wanted to delete everything on the drive, you could have used a utility like DBAN, which is Darik’s Boot and Nuke. That will delete everything on a particular drive. And lastly, you could have taken your own drill and at least made one hole into the storage device, rendering it unusable, and having the third party finish the process by putting it into their pulverizers.