UNCLASSIFIED

COTS SECURITY GUIDANCE (CSG)
MEDIA CLEARING AND SANITIZATION
CSG-08\G
August 2009

Foreword

The Media Clearing and Sanitization (CSG-08\G) is an unclassified publication, issued under the authority of the Chief, Communications Security Establishment Canada (CSEC).

Suggestions for amendments should be forwarded through departmental communications security channels to your Client Services Representative at CSEC.

For further information, please contact CSEC’s ITS Client Services area by e-mail at [email protected] or call (613) 991-7654.

Effective Date

This publication takes effect on 08/28/2009.

Carey Frey
Director, IT Security Industry Program

© Government of Canada, Communications Security Establishment Canada 2009
It is not permissible to make copies or extracts from this publication without the written consent of CSEC.

Table of Contents

Foreword
Effective Date
Table of Contents
List of Tables
1 Introduction
  1.1 Degrees of Media Sanitization
    1.1.1 Clearing
    1.1.2 Sanitization
  1.2 Non-Electronic Data Storage
2 Overview
  2.1 Media Types
    2.1.1 Non-electronic media
    2.1.2 Magnetic media
    2.1.3 Optical media
    2.1.4 Semi-conductor storage devices
  2.2 Media Clearing and Sanitization Methods
    2.2.1 Overwriting
    2.2.2 Secure Erase (ANSI)
    2.2.3 Encryption
    2.2.4 Degaussing
    2.2.5 Physical Deformation
    2.2.6 Shredding and Disintegration
    2.2.7 Material Separation/Fractionation Recycling Technology
    2.2.8 Grinding, Hole Punching, and Hammer-milling
    2.2.9 Incineration
    2.2.10 Knurling
3 Security Issues
  3.1 Overwriting
    3.1.1 Magnetic Media
    3.1.2 Solid State Media
  3.2 Secure Erase (ANSI)
    3.2.1 Applicable Media
    3.2.2 Secure Erase Implementations
  3.3 Encryption
    3.3.1 Applicable Media
    3.3.2 Authentication
    3.3.3 Storage and destruction of decryption keys
  3.4 Degaussing
    3.4.1 Applicable Media
    3.4.2 Magnetic coercivity and Magnetic Orientation
    3.4.3 Re-use after degaussing
    3.4.4 Maintenance and operation
  3.5 Physical Deformation
    3.5.1 Applicable Media
    3.5.2 Acceptable Physical Deformation Techniques
  3.6 Shredding and Disintegration
    3.6.1 Applicable Media
  3.7 Material separation/fractionation recycling technology
  3.8 Grinding, Hammer-milling and Pulverization
    3.8.1 Applicable Media
    3.8.2 Pulverization
  3.9 Incineration
    3.9.1 Applicable Media
    3.9.2 Melting or Combustion Point
    3.9.3 Particle Filter
  3.10 Knurling
4 Glossary and Acronyms
  4.1 Glossary
  4.2 Acronyms

List of Tables

Table 1: Security Features Checklist: Media Clearing and Sanitization
1 Introduction

This document addresses Media Clearing and Sanitization products.

1.1 Degrees of Media Sanitization

There are two degrees of media sanitization, clearing and sanitization.

1.1.1 Clearing

Clearing refers to the erasure of sensitive data so that the media can be re-used within the same department at the same level of sensitivity. Clearing does not downgrade the sensitivity of the media; it only provides assurance that the “need to know” principle will not be violated.

1.1.2 Sanitization

Sanitization refers to the destruction of data on a storage medium in a manner that precludes any reasonable hope of recovery [1] of the data. It includes processes for the physical destruction of the media, as well as non-destructive processes which allow the media to be re-used in a different department or at a lower level of classification. Sanitization is concerned with preserving the confidentiality of the data.

1.2 Non-Electronic Data Storage

This document does not directly address the destruction of non-electronic data storage, such as paper hard copy, microfiche/microfilm, or photographs. However, many characteristics/desired features of the physical destruction methods addressed in this document are applicable to the destruction of such non-electronic storage media as well.

[1] Reasonable hope: if a threat agent with opportunity, motivation and capability believes the presumed value of the data is worth the time and cost to attempt to recover it. (CSEC ITSG-06)

This guidance is for generic media clearing and sanitization techniques and products. Some of these techniques are not suitable for the sanitization of classified material; other techniques may be used to sanitize classified material only in combination with other techniques.
In particular, media containing Secret or Top Secret material may require two separate sanitization processes – e.g. triple overwrite followed by disintegration or shredding, encryption followed by incineration, or equivalent as specified by ITSG-06: Clearing and Declassifying Electronic Data Storage Devices.

This guidance does not apply to controlled cryptographic items (CCI). CCI are subject to separate destruction and disposal instructions issued by CSEC to departmental COMSEC authorities.

For more detail on sanitization requirements, and particularly for disposal of classified material, the reader is referred to ITSG-06, available at http://www.cse-cst.gc.ca/documents/publications/itsg-csti/itsg06-eng.pdf

2 Overview

2.1 Media Types

2.1.1 Non-electronic media

Sanitization of hard copy non-electronic media, such as paper, film, or microforms, is out of scope for this publication. However, as these media are normally destroyed by shredding, disintegration, or incineration, the principles for shredding, disintegration, and incineration devices, as described elsewhere in this annex, can be assumed to apply to non-electronic media as well.

2.1.2 Magnetic media

Magnetic media is media, such as magnetic tapes or disks, capable of storing information in the form of electromagnetic signals.

2.1.2.1 Magnetic tape

Magnetic tape is a medium for magnetic recording, generally consisting of a thin magnetizable coating on a long, narrow strip of plastic. Nearly all recording tape is of this type, whether used for recording audio or video or for computer data storage.

2.1.2.2 Floppy disk

A floppy disk is a data storage medium composed of a thin, flexible disk of magnetic storage material, encased in a square or rectangular plastic shell. Floppy disks come in sizes of 8", 5.25", and 3.5" formats. They are read and written by a floppy disk drive of the appropriate size.
2.1.2.3 Magnetic stripe

A magnetic stripe, often shortened to “magstripe”, is a band of magnetic material, usually mounted on a plastic card. The stripe is read by physical contact and swiping past a reading head. Magnetic stripes are commonly used in credit cards, identity cards, and transportation tickets.

2.1.2.4 Hard drives

A hard drive, also commonly referred to as a hard disk drive (HDD), hard disk or fixed disk drive, is a non-volatile storage device which stores digitally encoded data on rapidly rotating platters with magnetic surfaces.

2.1.2.5 Magnetic Core Memory

Magnetic core memory, also referred to as ferrite-core memory or core memory, is an early form of random access computer memory. It uses small magnetic ceramic rings to store information via the polarity of their magnetic field.

2.1.2.6 Magnetic Bubble Memory

Bubble memory is a type of non-volatile computer memory that uses a thin film of a magnetic material to hold small magnetized areas, known as bubbles, which each store one bit of data.

2.1.3 Optical media

Optical media uses polycarbonate material to store digital information. The data is accessed and read using laser diode technology. Optical media generally comes in three forms - Read Only Memory (ROM), Write Once Read Many (WORM), and Rewriteable (RW).

2.1.3.1 Compact Disk

A Compact Disc (CD) is an optical disc, originally developed to store digital audio, but subsequently adapted to store digital data. Standard CDs have a diameter of 120 mm, but smaller disks of 80 mm diameter are also available. The original audio technology was later adapted and expanded. In addition to audio CD and CD-Read-Only Memory (CD-ROM), the most common forms are CD-Rewritable (CD-RW) and CD-Recordable (CD-R).

2.1.3.2 Digital Video Disk

Digital Video Disk (DVD) is an optical disc storage media format, typically of the same size and shape as a CD but with much higher storage capacity.
Its main uses are video and data storage. DVD-Read-Only Memory (DVD-ROM) stores data which can only be read and not written; DVD-Recordable (DVD-R) and DVD Plus Recordable (DVD+R) are competing WORM standards; DVD-Random Access Memory (DVD-RAM), DVD-Rewritable (DVD-RW), or DVD Plus Rewritable (DVD+RW) disks can be re-written multiple times.

2.1.4 Semi-conductor storage devices

2.1.4.1 Programmable Read-Only Memory

Programmable Read-Only Memory (PROM) is a form of digital memory where the setting of each bit is locked by a fuse (an electrical component that is designed to permanently break an electrically conductive path when the current through the path exceeds a specified limit) or antifuse (an electrical device that starts with a high resistance and is designed to permanently create an electrically conductive path when the voltage across the antifuse exceeds a certain level).

The key difference between ROM and PROM is that with PROM, the programming is applied after the device is constructed. Once the PROM has been programmed, it can no longer be written to.

2.1.4.2 Erasable Programmable Read-Only Memory

Erasable Programmable Read-Only Memory (EPROM) is a type of non-volatile computer memory chip. Once programmed, an EPROM can be erased by exposing it to strong ultraviolet light so that it can be reprogrammed with new data.

2.1.4.3 Electrically Erasable Programmable Read-Only Memory

Electrically Erasable Programmable Read-Only Memory (EEPROM) is a type of non-volatile memory consisting of arrays of floating-gate transistors. It is commonly used to store small amounts of data such as calibration tables or device configuration. EEPROM can be programmed and erased electrically using a process called field emission (also referred to as Fowler-Nordheim tunneling), a quantum mechanical process in which electrons tunnel through a barrier in the presence of a high electric field.
2.1.4.3.1 Flash memory

Flash memory is a specific type of EEPROM that can be electrically erased and reprogrammed in large blocks. Because EEPROM erase cycles are slow, the large block sizes used in flash memory erasing give it a significant speed advantage over old-style EEPROM when writing large amounts of data. It is a non-volatile computer memory that is commonly used for data storage in a variety of devices including memory cards, Universal Serial Bus (USB) flash drives, digital cameras, Personal Digital Assistants (PDAs) and smartphones (e.g., BlackBerry).

2.2 Media Clearing and Sanitization Methods

2.2.1 Overwriting

Overwriting is the removal or erasure of information from a storage device by writing combinations of one and zero bits to all storage areas of the drive, thus replacing any existing data bits.

2.2.1.1 Magnetic Media

To clear a drive for re-use at the same or higher classification level, a single overwrite is usually sufficient. To sanitize a hard drive (Protected B and below) using software overwrite utilities, a triple overwrite involving three passes of the overwrite software is required. In accordance with RCMP overwrite criteria, as detailed in ITSG-06 Annex B, the first pass writes all ones to the media, the second pass writes all zeroes (equivalently, the first pass writes all zeroes and the second pass writes all ones), and the third pass writes a pseudo-random pattern that can be read back to verify results.

To sanitize a hard drive (Protected B and below) using a RCMP-qualified implementation of the ANSI standard “Secure Erase” function, a single pass of the Secure Erase function is acceptable.

2.2.1.2 Solid State Media

In general, overwriting is not recommended for sanitization of solid state media, due to the lack of overwrite product testing and verification for most solid-state media.
However, there are some Common-Criteria (CC) certified overwrite processes to erase solid-state memory and storage areas in specified all-in-one printer/copier devices. In addition, there are some overwrite software products that are RCMP-qualified to erase USB storage devices containing solid-state memory.

2.2.1.2.1 BlackBerry

In addition there is a CSEC-tested overwrite utility for BlackBerry handheld devices.

2.2.2 Secure Erase (ANSI)

Secure Erase is an overwrite technology developed by the University of California at San Diego (UCSD) Center for Magnetic Recording Research (CMRR), using a firmware-based process to overwrite a hard drive. Secure Erase is a hard-drive overwrite command, defined in the American National Standards Institute (ANSI) Integrated Device Electronics (IDE) Advanced Technology Attachment (ATA) and Small Computer System Interface (SCSI) disk drive interface specifications. Secure Erase runs inside drive hardware and completes in about one-eighth the time of a conventional three-pass block software overwrite. Most ATA drives manufactured after 2001 support the Secure Erase command and successfully pass Secure Erase validation testing at the CMRR. A Secure Erase standard also exists for SCSI drives, but it is optional and not currently implemented in most SCSI drives.

2.2.3 Encryption

Although it is not a clearing or sanitization method, strong encryption combined with security of the encryption key may provide a degree of protection comparable to overwriting, for Protected B and below. In this context, it refers to whole disk encryption of the entire media over the entire life cycle of the media. File encryption, folder encryption, or other forms of partial disk encryption are not sufficient, as they may not encrypt sensitive data residing in temporary files, page files, deleted files, registry and operating system boot files, unused sectors, slack space, and hidden partitions.
For guidance on choosing a media encryption product, refer to Media Encryption Guidance.

Media encryption is neither intended by manufacturers - nor recommended by CSEC - to replace other means of sanitization. It is intended to protect “data at rest” in the event of loss or theft, which is outside the scope of this annex. For guidance on using encryption to protect lost or stolen devices, refer to Media Encryption Guidance.

In the context of media sanitization, encryption should be used only for clearing media for re-use within an equivalently secure environment, or in combination with one of the other media sanitization methods described herein. For routine disposal, encryption is not a substitute or replacement for other forms of sanitization, and should be supplemented by an approved sanitization process.

2.2.4 Degaussing

Degaussing is the application of magnetic force of sufficient power to erase all data on a given magnetic data storage device. The effectiveness of this method depends on the relative strength of the magnetic force available in the degaussing product and the magnetic retention properties of the data storage device. Degausser products are approved by the CSEC on the basis of independent testing by the CMRR.

2.2.5 Physical Deformation

Physical deformation involves the use of tools such as a sledge hammer, nail gun, vise, etc, to cause extreme physical damage to a storage device in order to delay, impede, or discourage an attacker from attempting to recover data from it. Physical Deformation is primarily intended for emergency destruction when no approved sanitization method is readily available.

2.2.6 Shredding and Disintegration

2.2.6.1 Shredding

Shredding is a form of destruction that is accomplished by reducing the media to small pieces of uniform size and shape.
Though normally used to destroy paper, some shredders may be suitable for thin electronic media such as CDs, DVDs, or magnetic stripe cards. Shredders are approved by the RCMP on the basis of the size and shape of the resulting strips or particles that the cutters produce.

2.2.6.2 Disintegration

Disintegration is accomplished by a non-uniform cutting or shredding mechanism (e.g., rotating blades within a closed container) that reduces the media to pieces of random size and shape. Disintegrators are suitable for a variety of media of almost any size. A screen is utilized on the output side to catch oversize pieces, which are returned for more shredding.

2.2.7 Material Separation/Fractionation Recycling Technology

Material separation and fractionation is an environmental recycling process in which computer products can be shredded by multi-stage disintegrators to a size small enough to meet media sanitization requirements. Later stages of the process may further reduce and separate residue components to produce commodity-grade materials for recycling. The centrifuge fractionation process delaminates dissimilar materials to enable separation of metals from non-metals, so that further reduction techniques can then separate out various “pure” metals according to their different specific gravities.

RCMP approval of sites that offer this recycling service for destruction of sensitive electronic media is based on the initial three-stage disintegrator process that occurs before the material ever reaches the centrifuge; the centrifuge fractionation stages that follow are an environmental bonus.

2.2.8 Grinding, Hole Punching, and Hammer-milling

2.2.8.1 Grinding

Grinding involves using a machine to grind the Electronic Data Storage Device (EDSD) into small pieces.
2.2.8.1.1 Surface Grinding

Specialized CD surface grinders are capable of reducing the data-bearing layer of an optical disk to fine powder, while leaving the disk itself intact for recycling or disposal.

2.2.8.2 Hole Punching

An alternative to surface grinding is the use of a special machine to punch thousands of tiny holes into optical disks (CD or DVD), to destroy the data-bearing layer.

2.2.8.3 Hammer-milling

Hammer mills are durable utility grinders capable of grinding most material. The material is fed into the device and forced into repeated contact with a series of rotating, hardened hammers that do the grinding. The mill is encircled by a screen that allows only suitably small-sized particles to escape.

2.2.9 Incineration

Incineration involves the destruction of EDSDs in incinerators that are environmentally approved for plastics and other material.

2.2.10 Knurling

For media sanitization, knurling involves the use of a machine (“knurl rollers”) to apply pressure and heat to optical disks (CD or DVD) to elongate and curl them to a slight degree. The intent of this process is to deform the optical “pits” and “lands” on the disk, to effectively destroy the data. The potential of this process for destruction and disposal in the Government of Canada (GC) has not been determined.

3 Security Issues

Security issues are grouped here based on the media clearing and sanitization technology being considered. In addition to destroying the data, the sanitization process includes the manual removal of external indications that the device once contained sensitive data. EDSDs that have been sanitized may be declassified and disposed of as unclassified waste or surplus material.

3.1 Overwriting

In general, overwriting as a form of sanitization applies only to magnetic media at the level of Protected B and below. It also may apply to some solid-state media (e.g. Flash), provided that the overwrite software has been independently verified for effectiveness and completeness of operation. Not all media types can be overwritten; it may not be possible to overwrite failed drives and torn or damaged tapes.

3.1.1 Magnetic Media

3.1.1.1 Clearing versus sanitization

To clear magnetic media, overwriting with a single pass, plus verification, is sufficient.

To sanitize magnetic tape, single pass overwrite and verification is sufficient.

To sanitize magnetic disks using a software overwrite product, overwriting with at least three passes plus verification is required. The first pass should be all zeroes (or all ones), and the second pass should be all ones (or all zeroes); in any event, the second pass should write the complement of the bits written during the first pass. The third pass should be a pseudo-random pattern that can be inspected to verify the success of the overwrite process.

To sanitize magnetic disks using a RCMP-qualified implementation of the ANSI Secure Erase command feature, a single pass is sufficient.

To sanitize core or bubble memory, overwriting the media twice with pseudo-random patterns and a third time with a known pattern, followed by spot verifications, is recommended.

3.1.1.2 Calculation of disk space

In order to verify that the overwrite software is not missing any disk spaces, it is critical for the human operator to compare the accessible amount of disk space as reported by the overwrite software to the actual amount of disk space as determined from manufacturer documentation, for the make and model of the hard disk drive that is being overwritten.

To determine the capacity of a hard disk drive:

• Remove the cover of the Personal Computer (PC) and read the make and model number of the hard disk drive.
• Refer to the manufacturer literature or website for specific technical information on that model. Disregard the MB or GB ratings, as it will not be clear whether these are computed in decimal or binary. Note the geometry specification in Cylinders, Heads (sides), Sectors per track, and sector size (usually 512 bytes).

To avoid confusion, the disk capacity should be computed in number of bytes according to the following formula:

Cylinders * Heads * Sectors * Sector size

Note: When calculating disk space, it is important to remember that terms such as kilobyte, megabyte, and gigabyte do not necessarily refer to exact powers of ten. In binary usage, a kilobyte represents 2^10, or 1024 bytes; a megabyte represents 2^20, or 1,048,576 bytes; and a gigabyte represents 2^30, or 1,073,741,824 bytes. In decimal usage, however, a kilobyte represents 10^3, or 1000 bytes; a megabyte represents 10^6, or 1,000,000 bytes; and a gigabyte represents 10^9, or 1,000,000,000 bytes. For a 100 GB drive, therefore, this confusion could result in 7,374,182,400 bytes being unaccounted for. It is important, therefore, to ensure that the software reporting the disk capacity specifies whether the capacity is reported in binary or decimal measurements.

3.1.1.3 Software Inability to Address All Disk Spaces

There is a large diversity in the manufacture of hard disk technology and the interfaces with various operating systems. A given software package may not work reliably on some platforms. Among the more common problems is the failure of the software to overwrite data in protected or bad sectors. Often, this data can be retrieved by other software that goes further down in the software control layers to access disk geography, or by simple laboratory devices – e.g., a spin scan and recording head would be sufficient (microscopy would not be required).

3.1.1.3.1 The track-edge phenomenon

Data remnants can remain at track boundaries (edges).
The read-write heads do not always pass concentrically over the exact centre of the original bit pattern - mostly due to mechanical and electrical variables and tolerances. The result is that residual “track edges” of the original bit patterns may remain on the disk platter even though the bulk of the track has been overwritten. These track edges can be detected in a laboratory setting using sophisticated magnetic force microscopy techniques. HDD technology does not provide for software to adjust the drive-head positioning mechanism; therefore, it is impossible for any overwrite software to ensure track-edge coverage. Due to the expense and difficulty of recovering usable data from the track edges, however, this is not considered to be a security concern for Protected B and below.

3.1.1.3.2 Redundant Arrays of Inexpensive Disks

Redundant Arrays of Inexpensive Disks (RAID) and other forms of file systems may scatter data across the disks, or may write data in different locations when overwrites occur, using logical mechanisms in the device driver to prevent accessing the old data. These logical mechanisms are not sufficient for sanitization as old data may remain on the disks.

3.1.1.4 Independently evaluated overwrite software

Independent evaluation provides assurance that the product does what it claims to do. In the case of overwriting, there are a number of independently evaluated overwrite products available for magnetic media, but not generally for solid-state media.

3.1.2 Solid State Media

In general, overwriting as a form of sanitization is not recommended for solid state media, due to the lack of tested overwrite products for this type of storage medium. There are some Common Criteria certified overwrite processes to erase solid-state memory and storage areas for specific devices. In addition, some overwrite products that are RCMP-qualified to sanitize magnetic media may also be capable of overwriting solid-state USB media. In all cases, the use of such products to sanitize solid-state media must be accompanied by careful verification to ensure that the process has fully overwritten all accessible storage areas of the device.

3.1.2.1 Wear levelling

Wear levelling is a technique for prolonging the service life of some kinds of erasable computer storage media, such as flash memory. EEPROM and flash memory media have individually erasable segments, each of which can be put through a finite number of erase cycles before becoming unreliable. Wear-levelling attempts to work around these limitations by arranging data so that erasures and re-writes are distributed evenly across the medium. In this way, no single sector prematurely fails due to a high concentration of write cycles. These systems distribute the use of cells by internally translating locations to lesser-used areas, while hiding that fact from the outside. In other words, the location actually written to is not the location indicated. When a data location is written, it must be written without intervening buffering or mechanisms.

Some media types, such as flash memory, use wear levelling to prolong the life of the media; in this case, attempts to write to the drive will be intercepted by the device driver and the actual sectors overwritten may not be the sectors specified by the software. For this reason, it is important that the overwriting software access the drive directly, and not through the device driver.

3.1.2.2 BlackBerry

There is a CSEC-tested overwrite utility for BlackBerry handheld devices. This utility is not available for other devices.

3.2 Secure Erase (ANSI)

3.2.1 Applicable Media

Secure Erase is currently supported by manufacturers in most modern ATA drives, but not generally in SCSI drives.
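The following is an added worked example, not code from CSG-08\G, CSEC or the RCMP. It models, against a constructed in-memory "disk", the three pieces of the overwrite guidance in 3.1.1.1 through 3.1.1.3: the capacity cross-check against the Cylinders * Heads * Sectors * Sector size geometry (including the 100 GB binary-versus-decimal gap quoted in 3.1.1.2), the three-pass overwrite with a zero pass, its complement, and a pseudo-random pass that is read back, and a verification step that reports any sector the tool failed to overwrite (the protected or bad sector failure mode of 3.1.1.3). The `FakeDisk` class, the `stuck_sectors` parameter and the seeds are this example's own assumptions; a real tool would issue the same pattern of writes and read-backs to a raw device rather than a buffer.

```python
# Added example: constructed in-memory model of the RCMP three-pass overwrite
# (3.1.1.1), the operator's capacity cross-check (3.1.1.2) and the read-back
# verification that exposes sectors a tool failed to overwrite (3.1.1.3).
# Nothing here is CSEC or RCMP code; FakeDisk and the names below are assumed.
import random

SECTOR_SIZE = 512  # "usually 512 bytes" per 3.1.1.2


def chs_capacity_bytes(cylinders, heads, sectors_per_track, sector_size=SECTOR_SIZE):
    """Capacity in bytes from the geometry formula: Cylinders * Heads * Sectors * Sector size."""
    return cylinders * heads * sectors_per_track * sector_size


def binary_decimal_gap(nominal_gb):
    """Bytes left unaccounted for if a 'GB' rating is read as 2**30 bytes rather than 10**9."""
    return nominal_gb * 2 ** 30 - nominal_gb * 10 ** 9


def capacity_matches(reported_bytes, cylinders, heads, sectors_per_track, sector_size=SECTOR_SIZE):
    """The space the overwrite tool reports must equal the space the geometry implies."""
    return reported_bytes == chs_capacity_bytes(cylinders, heads, sectors_per_track, sector_size)


class FakeDisk:
    """Constructed stand-in for a raw block device (no driver or file system in
    between).  `stuck_sectors` models protected or bad sectors that silently
    ignore writes, the failure mode described in 3.1.1.3."""

    def __init__(self, sectors, stuck_sectors=()):
        self.sectors = sectors
        self.stuck = set(stuck_sectors)
        rng = random.Random(1234)  # constructed "pre-existing sensitive data"
        self.data = [rng.getrandbits(SECTOR_SIZE * 8).to_bytes(SECTOR_SIZE, "big")
                     for _ in range(sectors)]

    def capacity(self):
        return self.sectors * SECTOR_SIZE

    def write_sector(self, lba, block):
        if len(block) != SECTOR_SIZE:
            raise ValueError("block must be exactly one sector")
        if lba not in self.stuck:
            self.data[lba] = bytes(block)

    def read_sector(self, lba):
        return self.data[lba]


def random_sector(seed, lba):
    """Pass-3 pseudo-random pattern for one sector, regenerable from (seed, lba)
    so verification can recompute it instead of keeping a copy of the whole pass."""
    rng = random.Random((seed << 32) | lba)
    return rng.getrandbits(SECTOR_SIZE * 8).to_bytes(SECTOR_SIZE, "big")


def _fill(disk, pattern_for):
    for lba in range(disk.sectors):
        disk.write_sector(lba, pattern_for(lba))


def _verify(disk, pattern_for):
    """Read every sector back; return the LBAs whose contents are not the expected pattern."""
    return [lba for lba in range(disk.sectors) if disk.read_sector(lba) != pattern_for(lba)]


def triple_overwrite(disk, seed=42):
    """Pass 1 all zeroes, pass 2 the complement (all ones), pass 3 a pseudo-random
    pattern that is read back and checked.  Returns (ok, failed_lbas); any LBA in
    failed_lbas still holds something other than the pass-3 pattern, so the
    media cannot be considered sanitized."""
    zeroes = bytes(SECTOR_SIZE)
    ones = b"\xff" * SECTOR_SIZE
    _fill(disk, lambda lba: zeroes)
    _fill(disk, lambda lba: ones)
    _fill(disk, lambda lba: random_sector(seed, lba))
    failed = _verify(disk, lambda lba: random_sector(seed, lba))
    return (not failed, failed)


if __name__ == "__main__":
    # Constructed geometry: 16 cylinders x 4 heads x 8 sectors/track = 512 sectors.
    disk = FakeDisk(16 * 4 * 8)
    print("capacity matches geometry:", capacity_matches(disk.capacity(), 16, 4, 8))
    print("bytes lost to GB ambiguity on a 100 GB drive:", binary_decimal_gap(100))
    print("healthy disk:", triple_overwrite(disk))
    damaged = FakeDisk(16 * 4 * 8, stuck_sectors=[7, 300])
    print("disk with stuck sectors:", triple_overwrite(damaged))
```

The verification step is the part worth copying: because the pass-3 pattern is derived from a seed and the LBA, the operator can re-read the whole device and recompute what each sector should contain without holding a second copy of the pass, and a non-empty failure list is a direct signal that some storage area was not reached, which is exactly the condition 3.1.1.3 and 3.1.2 say must be caught before the media is treated as sanitized.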
3.2.2 Secure Erase Implementations

To activate Secure Erase, UCSD CMRR provides a free download program that will work on most ATA drives manufactured after 2001. In addition, the RCMP has qualified some commercial implementations of Secure Erase, contained in hardware products that are available to GoC departments under NMSO.

3.3 Encryption

The use of encryption for media sanitization refers only to whole disk encryption, in which the entire drive is encrypted continuously throughout its life cycle. Whole disk encryption does not usually require specialised training or operator expertise, but does require IT support staff to be knowledgeable in the configuration and handling of the encryption product and keying material.

3.3.1 Applicable Media

Encryption in lieu of clearing and sanitization may apply to electronic storage media at the level of Protected B and below, where the strength of the encryption and the security of the keying material are known and understood by a competent technical authority. In case of doubt, the encryption should always be complemented by overwriting prior to disposal of the media.

3.3.2 Authentication

For encryption to be used in lieu of sanitization, strong (two-factor) authentication is recommended. Most commercially available whole disk encryption products support two-factor authentication methods.

3.3.3 Storage and destruction of decryption keys

In order to dispose of encrypted media, it is necessary to ensure that the decryption key has been destroyed. If multiple copies of the decryption key exist, then they all need to be accounted for and properly destroyed. If the decryption key is stored on the drive that is being disposed of, the portion of the drive containing the decryption key needs to be sanitized and the key deleted to an acceptable standard.
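As an added example of the key-accounting requirement in 3.3.3 (not code from this publication or from any whole disk encryption product), the block below encrypts a simulated disk image and keeps an inventory of every location a copy of the decryption key lives. Media are only cleared for disposal once every recorded copy is destroyed, and the demonstration shows that a single overlooked copy (here an escrow copy) is enough to decrypt the image. The keystream is HMAC-SHA256 run in counter mode, used purely as a stand-in for the CSEC-approved algorithm a real product would use; the key locations and the sample record are constructed.

```python
"""Crypto-erase of a simulated whole-disk-encrypted image with an inventory
that accounts for every copy of the decryption key (constructed example)."""
import hashlib
import hmac
import secrets


def keystream(key: bytes, n_bytes: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for an approved block cipher."""
    out = bytearray()
    counter = 0
    while len(out) < n_bytes:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n_bytes])


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


class KeyInventory:
    """Records where each copy of the disk key is held (key slot on the
    drive, token, escrow copy) and whether that copy has been destroyed."""

    def __init__(self):
        self.copies = {}          # location -> key bytes, or None once destroyed

    def register(self, location: str, key: bytes) -> None:
        self.copies[location] = key

    def destroy(self, location: str) -> None:
        """Zeroising the copy; for the drive's own key slot this is the
        sanitization of that portion of the drive that 3.3.3 requires."""
        if location not in self.copies:
            raise KeyError(f"no key copy recorded at {location}")
        self.copies[location] = None

    def outstanding(self) -> list:
        return [loc for loc, k in self.copies.items() if k is not None]

    def ready_for_disposal(self) -> bool:
        return not self.outstanding()


def demo() -> dict:
    key = secrets.token_bytes(32)
    record = b"Protected B: departmental personnel file (constructed sample)"
    image = xor_crypt(key, record)            # media encrypted from first use
    inv = KeyInventory()
    inv.register("drive:key-slot", key)       # constructed locations
    inv.register("token:smartcard", key)
    inv.register("escrow:admin-usb", key)
    inv.destroy("drive:key-slot")
    inv.destroy("token:smartcard")
    premature = inv.ready_for_disposal()      # False: escrow copy still live
    leftover = next(k for k in inv.copies.values() if k is not None)
    missed_copy_decrypts = xor_crypt(leftover, image) == record
    inv.destroy("escrow:admin-usb")
    return {
        "plaintext_in_image": record in image,
        "premature_disposal_ok": premature,
        "missed_copy_decrypts": missed_copy_decrypts,
        "final_disposal_ok": inv.ready_for_disposal(),
    }


if __name__ == "__main__":
    print(demo())
```

The inventory is the part worth copying into a real procedure: the drive is not released until `outstanding()` is empty, and the on-drive key slot is treated as one more copy to be sanitized rather than as part of the "encrypted" bulk.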
If the decryption key is stored on a drive other than the one being disposed of, it needs to be either securely deleted or adequately protected, to ensure that it cannot later be matched up with the drive in question. If the decryption key is stored on a separate token, the token needs to be sanitized, to ensure the key is destroyed.

3.4 Degaussing

3.4.1 Applicable Media

Degaussing is applicable only to magnetic media. It cannot be used on paper or film, optical media such as CDs and DVDs, semi-conductor media such as flash memory devices, or other non-magnetic media. For bubble memory, all shielding material must be removed prior to degaussing. For hard drives, any external shielding material such as brackets must be removed before degaussing.

3.4.1.1 Failed or damaged media

Degaussing is equally effective on failed or damaged drives, torn tapes, or other magnetic media that are not writable.

3.4.2 Magnetic Coercivity and Magnetic Orientation

3.4.2.1 Magnetic coercivity

Resistance to magnetic change is referred to as coercivity and is measured in Oersteds (Oe). In general, HDDs manufactured between 1999 and 2003 have coercivity up to 3,000 Oe, and a degausser must be approved for that level to ensure complete data erasure. HDDs manufactured in 2004-2005 have coercivity of 4,000 Oe and beyond, with the trend continuing in 2006 to 5,000 Oe, where it is expected to remain through at least 2008. The higher the coercivity of a magnetic medium, the more powerful the degausser will have to be to erase it. In practice, this means that older degaussing equipment may not have been designed with sufficient magnetic strength to degauss newer drives.

3.4.2.2 Magnetic Orientation

Magnetic orientation of data on the disk is another factor that affects degausser capability. On conventional drives, the magnetic regions are placed horizontally, but since 2006 the magnetic regions are placed perpendicularly on some hard drives. This enables the drive to squeeze more data into the same area, but may make the data more resistant to erasure by older degaussers.

3.4.2.3 Future expansion

When purchasing a degausser, it is important to take into consideration the expected lifetime of the device and ensure that it has sufficient strength to deal with reasonably anticipated increases in magnetic coercivity as well as the perpendicular magnetic orientation of data on many newer hard drives.

3.4.2.4 Coercivity ratings

While magnetic tape coercivity ratings are often readily available, hard-disk coercivity ratings are often considered sensitive proprietary information by the manufacturer, and may not be obtainable. In such cases, it is important to ensure that the degausser is strong enough to handle the maximum coercivity rating available at the time the drives were manufactured.

3.4.3 Re-use after degaussing

Some tapes can be re-used after degaussing, but others cannot. For example, some types of magnetic tape contain factory-recorded servo tracks that will be destroyed by degaussing, rendering the tape unusable. Modern hard drives have such high coercivity that the magnetic field required to erase them will permanently damage delicate drive components such as the head positioning mechanisms.

3.4.3.1 Warranty coverage

In the case of drives or tapes that fail while under warranty, degaussing may invalidate the warranty coverage because it prevents the vendor from analyzing why the product failed. This needs to be taken into consideration in the original purchase contract, or the department should expect to bear the cost of replacement rather than release a failed drive containing sensitive data to the vendor.

3.4.4 Maintenance and operation

It is not possible for users to verify that a degaussing operation has properly erased a disk. Therefore any assurance in the process must come from using and maintaining the degausser strictly in accordance with manufacturer instructions, and applying it only to those classes of drive or tape for which it has been specifically tested and approved. This requires that users be trained to use and maintain the product correctly.

3.5 Physical Deformation

3.5.1 Applicable Media

Physical Deformation is recommended only for emergency destruction to prevent the imminent capture of sensitive material by hostile parties. It is not recommended if more effective techniques are available.[2]

3.5.2 Acceptable Physical Deformation Techniques

The purpose of the deformation is to damage the media storage areas and read/write mechanisms to ensure that laboratory reconstruction or analysis will be slow and difficult. Acceptable physical deformation techniques include use of a nail gun (with the charges but without the nails); an electric drill; a firearm or other high-impact device; crushing in a vise; and a sledge hammer.

3.6 Shredding and Disintegration

3.6.1 Applicable Media

Shredding applies to sheet stock or thin media such as CDs, DVDs, or magnetic stripe cards. Disintegration applies to all media types where re-use of the media is not required. In particular, media that cannot be overwritten, or for which there is no approved reliable overwriting method, are candidates for shredding and disintegration. This includes optical media (e.g., CD, CD-RW, DVD, etc.), solid-state media (e.g., “Flash”), damaged magnetic media (failed hard drives), and any magnetic media containing data at a level higher than Protected B, as well as rewritable CDs and DVDs, which do not perform a true erase and are not approved for overwriting as a means of sanitization.
3.6.1.1 Particle Filter

To qualify as valid destruction, the disintegration or shredding must reduce the media to pieces that meet the maximum acceptable size as determined by a particle filter. The particle filter would be selected to catch oversized pieces and return them for more shredding, while allowing smaller pieces to pass for disposal.

[2] A digital camera used by William Biggart, a free-lance photojournalist who was killed on September 11, 2001, was found under the wreckage of the World Trade Center North Tower, smashed by tons of falling rubble. Despite the physical destruction of the camera, the data remained intact; over 150 photographs, the last one taken only a minute and a half before the tower collapsed, were recovered from the destroyed camera and published posthumously.

3.7 Material separation/fractionation recycling technology

This is a new recycling technology available in Canada that has the capability to destroy entire computers and other equipment, and that separates residual material components for environmental recycling. The process ensures that only a minimal amount of residue is sent to land-fill sites. Two commercial facilities that offer this service – both located near Toronto – include multi-stage disintegration processes that are suitable for destruction of sensitive electronic storage media.

3.8 Grinding, Hammer-milling and Pulverization

3.8.1 Applicable Media

These techniques apply to all media types, except where noted below.

3.8.1.1 Surface Grinding for Optical Disks

This process is approved for CDs only, at all levels of sensitivity. The grinding process must remove all of the information-bearing layer (the silver coating on the surface of the CD), leaving behind only the transparent plastic disk. DVDs cannot be sanitized by surface grinding because the information-bearing layer is sandwiched in the centre. Prior to surface grinding, all exterior markings and labels should be removed.

3.8.2 Pulverization

Pulverization is a process of smashing or crushing material. This may be effective for destruction of hard drives, provided that the pulverization is done to such an extent that the disk surfaces cannot subsequently be separated from the rest of the destroyed material for laboratory analysis. Currently, crushing is not an approved sanitization method for hard drives higher than Protected B.

3.9 Incineration

3.9.1 Applicable Media

Incineration is most commonly used with flammable or burnable material such as paper, magnetic tape, or plastic.

3.9.2 Melting or Combustion Point

To ensure complete incineration, the incinerator needs to reach a temperature high enough to melt or burn the media. For example, to incinerate a hard drive encased in steel, the incinerator would have to be hot enough to melt the steel casing.

3.9.3 Particle Filter

To prevent oversized pieces from escaping the incineration process, the incinerator must provide a particle filter that will catch oversized pieces and allow them to be returned for additional incineration.

3.10 Knurling

There are currently no approved products that use knurling for sanitization of media.

4 Glossary and Acronyms

4.1 Glossary

Clearing: The process of erasing an EDSD in a manner that allows it to be reused within an equivalent or higher security environment (ITSG-06).

Coercivity: Resistance to magnetic change.

Knurling: A manufacturing process used to apply pressure and heat to optical disks (CD or DVD) to elongate and curl them to a slight degree.
The intent of this process is to deform the optical “pits” and “lands” on the disk to effectively destroy the data.

Oersted: A unit of measurement of magnetic coercivity.

Sanitizing: The process of erasing or destroying an EDSD in a manner that precludes any reasonable hope of recovery of the data – i.e., the risk of compromise following sanitization is low or non-existent (ITSG-06).

Reasonable hope: Reasonable hope exists if a threat agent with opportunity, motivation and capability believes the presumed value of the data is worth the time and cost to attempt to recover it (ITSG-06).

4.2 Acronyms

3DES      Triple-Data Encryption Standard (Triple-DES)
AES       Advanced Encryption Standard
ANSI      American National Standards Institute
ATA       Advanced Technology Attachment
CC        Common Criteria
CD        Compact Disk
CD-R      CD-Recordable
CD-ROM    CD-Read-Only Memory
CD-RW     CD-Rewritable
CMRR      Center for Magnetic Recording Research
CMVP      Cryptographic Module Validation Program
CSEC      Communications Security Establishment Canada
DES       Data Encryption Standard
DVD       Digital Video Disk
DVD-R     DVD-Recordable
DVD-RAM   DVD-Random Access Memory
DVD-ROM   DVD-Read-Only Memory
DVD-RW    DVD-Rewritable
DVD+R     DVD Plus Recordable
DVD+RW    DVD Plus Rewritable
EAL       Evaluation Assurance Level
EDSD      Electronic Data Storage Device
EEPROM    Electrically Erasable Programmable Read-Only Memory
EPROM     Erasable Programmable Read-Only Memory
GB        Gigabyte
GC        Government of Canada
HDD       Hard Disk Drive
IDE       Integrated Device Electronics
IT        Information Technology
ITSG      Information Technology Security Guide
MB        Megabyte
NMD       Non-Magnetic Drive
Oe        Oersted
PC        Personal Computer
PDA       Personal Digital Assistant
PKI       Public Key Infrastructure
PROM      Programmable Read-Only Memory
RAID      Redundant Array of Independent Disks
RAM       Random Access Memory
ROM       Read-Only Memory
RW        Rewritable
SCSI      Small Computer System Interface
UCSD      University of California at San Diego
USB       Universal Serial Bus
WORM      Write Once-Read Many

Table 1: Security Features Checklist: Media Clearing and Sanitization

Product Name:

Security Features Checklist for Media Clearing and Sanitization Products

Item / Recommended Features

1.0 Core Security Functionality

1.1 Overwriting – Magnetic Media
For magnetic media at the level of Protected B and below, the product should be capable of overwriting the entire disk with at least three complete passes in the case of software overwrite, or it should use an RCMP-qualified implementation of Secure Erase to provide single-pass sanitization of hard drives that support Secure Erase.

1.1.1 Independent Evaluation – Magnetic Media
Software overwrite products, as well as hardware implementations of Secure Erase, should be independently verified by recognized testing authorities and be RCMP-qualified under a PWGSC NMSO.

1.1.2 Training – Magnetic Media
The vendor should provide training and certification in the operation and maintenance of the product.

1.1.3 Decimal versus Binary Disk Space Calculation – Magnetic Media
When reporting available disk space, the product should specify whether the value is reported in decimal (powers of 10) or binary (powers of 2) units of measurement. This will prevent confusion about the actual number of bytes on the media, so that the human operator can accurately determine whether the reported disk space matches the true disk space.

1.2 Overwriting – Solid State Media
The product should be certified by a recognized testing authority for the device or media being sanitized. Some RCMP-qualified hard-drive overwrite products available under NMSO may also be capable of overwriting USB solid-state storage devices.

1.2.2 Verification of Overwrite – Solid State Media
It is essential that the product be capable of verifying that the overwrite process was fully and properly completed, or provide a means by which the human operator can verify that the process was fully completed.

1.3 Encryption
For media at the level of Protected B and below. For encryption-based products, the media should be encrypted in their entirety throughout the entire lifecycle.

1.3.1 Independent Evaluation – Encryption
The product should include an encryption module that has been tested against FIPS 140-1 or FIPS 140-2 under the CSEC/NIST Cryptographic Module Validation Program (CMVP), and/or the product should be listed under the CSEC ITS Prequalified Products Program (IPPP) or another testing program recognized by CSEC.

1.3.2 Algorithms – Encryption
The encryption-based product should use algorithms approved by CSEC for use in the GoC.

1.3.3 Destruction of Decryption Keys
The encryption-based product should allow decryption keys to be securely destroyed for sanitization.

1.4 Degaussing
Degaussing has no effect on non-magnetic drives such as optical media and semiconductor technology. Degaussers should be used only for the particular magnetic media classes, types and coercivities for which the degausser product has been specifically tested and approved.

1.4.1 Independent Evaluation – Degaussers
The product must be approved by CSEC, based on the NSA Approved Degausser List, for the type and coercivity of magnetic media to be sanitized.

1.4.2 Proper Use and Maintenance – Degaussing
The degaussing product should be used and maintained strictly in accordance with manufacturer directions to ensure complete data destruction. This is because it may not be possible to verify destruction of data on media that has been made unreadable by the degaussing process; therefore, it is necessary to have high assurance that the degausser is used and maintained properly.

1.5 Physical Deformation
For routine destruction, the product should be RCMP-qualified for the type and sensitivity of media to be sanitized. For emergency destruction, unqualified products should be used only when data devices are in imminent danger of capture by hostile parties.

1.6 Shredding and Disintegration
The product should be capable of reducing the media to pieces that meet the maximum acceptable size specified by the RCMP (explained in the CSEC ITSG-06) for the type and sensitivity of media to be destroyed.

1.6.1 Independent Evaluation – Shredding and Disintegration
The product should be listed in the RCMP Security Equipment Guide (SEG) for the type and sensitivity of media to be destroyed.

1.6.2 Particle Filter – Shredding and Disintegration
The product should incorporate a particle filter to catch oversized pieces and return them for additional shredding or disintegration, while allowing smaller pieces to pass for disposal.

1.7 Material Separation/Fractionation Technology
Companies that provide this service should be approved by the RCMP. RCMP approval ensures that data storage media will be reduced to a sufficient degree to ensure sanitization, and that departmental inspectors are able to monitor the progress of their material through the disintegration process at least to the point at which complete data destruction is assured.

1.8 Grinding, Hammer-Milling, Pulverization
The product should include a filter to ensure that no particles above a predetermined threshold escape.

1.8.1 Independent Evaluation – Grinders, etc.
The product should be listed in the RCMP Security Equipment Guide (SEG) for the type and sensitivity of media to be destroyed.

1.8.2 CD Surface Grinding
The product should be capable of completely removing the coloured information-bearing surface layer of a CD. The product should not be used for DVDs, because the data-bearing layer on DVDs is sandwiched in the middle and is not susceptible to surface grinding.

1.9 Incineration
The product should include a filter to ensure that particles above the RCMP-specified threshold cannot escape incineration.

1.9.1 Completeness of Incineration
The product should provide a means of inspection to ensure that no partially incinerated particles above the size threshold remain.

1.10 Knurling
This type of technology has not been evaluated by the RCMP or CSEC and should not be used.

2.0 Conformance to Standards
2.1 N/A

3.0 Authentication
3.1 N/A

4.0 Public Key Infrastructure Standards
4.1 N/A

5.0 Cryptographic Standards

5.1 Product Testing
The product should be listed under the IPPP or another testing program recognized by CSEC, or, as a minimum, the product's encryption component should be certified under the CMVP.

5.2 Algorithms
The media encryption product should use CSEC-approved algorithms.

6.0 Assurance

6.1 Common Criteria Protection Profile and Security Target
For products evaluated under the Common Criteria, the product should be evaluated to a Protection Profile that addresses security features that are relevant to the organization, as indicated in the evaluation Security Target report.

6.2 Evaluation Assurance Level
Products chosen from the Common Criteria Evaluated Products List should include the needed security features, evaluated to a level that is appropriate for the intended environment.

7.0 Configurability
7.1 N/A

8.0 Usability

8.1 Training
The vendor should offer training for operators in the use of the product.

8.2 Maintenance
The vendor should offer training for maintainers in the maintenance of the product.

9.0 Manageability
9.1 N/A

10.0 Scalability

10.1 Degree of Scalability
The product should be capable of scaling to service small organizational networks (i.e. supporting fewer than 500 users) through to large organizational networks (i.e. supporting 50,000 users or more).

10.2 Accommodation of Future Technology
The product should be capable of accommodating anticipated advances in technology throughout the expected lifecycle of the sanitization product. Use of older sanitization techniques on newer media products with improved technology may result in inadvertent security breaches, as the older technology may be inadequate to deal with technological advances. For example, the effectiveness of degaussing products is strongly affected by increases in magnetic coercivity of hard-disk alloys as well as manufacturer changes in the orientation of magnetic regions on the disk.
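Checklist items 1.1 (at least three complete passes), 1.1.3 (decimal versus binary capacity) and 1.2.2 (verification of overwrite) describe checks an operator can perform independently of the product's own report. The block below is an added example, not code from this publication or from any RCMP-qualified product: the drive is an in-memory buffer, the label of "2 MB" (decimal) against a true capacity of 2 MiB (binary) is a constructed mismatch, and the function names are the example's own. It shows an overwrite run that trusted the decimal figure leaving 190 sectors untouched, the read-back verification catching them, and the same capacity reported in both unit systems so the operator can reconcile it with the vendor's number.

```python
"""Overwrite verification and capacity reporting for a simulated drive
(constructed example; the device is an in-memory byte buffer)."""
import io

SECTOR = 512


def make_device(n_bytes: int) -> io.BytesIO:
    """Constructed drive image filled with a recognisable 'old data' pattern."""
    return io.BytesIO(b"OLD DATA" * (n_bytes // 8))


def device_size(dev: io.BytesIO) -> int:
    """Size taken from the device itself, not from a label or vendor figure."""
    pos = dev.tell()
    dev.seek(0, io.SEEK_END)
    size = dev.tell()
    dev.seek(pos)
    return size


def overwrite_sectors(dev: io.BytesIO, n_sectors: int, patterns) -> None:
    """Multi-pass overwrite of the first n_sectors, one full pass per pattern
    (three passes is the checklist minimum for software overwrite)."""
    for pattern in patterns:
        sector = pattern * (SECTOR // len(pattern))
        dev.seek(0)
        for _ in range(n_sectors):
            dev.write(sector)
    dev.flush()


def verify_overwrite(dev: io.BytesIO, final_pattern: bytes) -> dict:
    """Read back every sector of the whole device and list those that do not
    hold the final pattern; the overwrite is complete only if the list is empty."""
    expected = final_pattern * (SECTOR // len(final_pattern))
    total = device_size(dev) // SECTOR
    dev.seek(0)
    bad = [n for n in range(total) if dev.read(SECTOR) != expected]
    return {"sectors": total, "bad_sectors": bad, "complete": not bad}


def describe_capacity(n_bytes: int) -> dict:
    """Report the same byte count in decimal (MB = 10^6) and binary (MiB = 2^20)
    units so the operator can tell which one a vendor figure is using."""
    return {
        "bytes": n_bytes,
        "decimal_MB": n_bytes / 10**6,
        "binary_MiB": n_bytes / 2**20,
    }


def demo():
    true_size = 2 * 2**20          # 2 MiB of real media (constructed)
    vendor_label = 2 * 10**6       # label reads "2 MB", i.e. decimal units
    dev = make_device(true_size)
    passes = [b"\x00", b"\xff", b"\x00"]
    # A tool that sized the job from the decimal label stops short of the end.
    overwrite_sectors(dev, vendor_label // SECTOR, passes)
    short_run = verify_overwrite(dev, passes[-1])
    # Correct run: sector count taken from the device itself.
    overwrite_sectors(dev, true_size // SECTOR, passes)
    full_run = verify_overwrite(dev, passes[-1])
    return short_run, full_run, describe_capacity(true_size)


if __name__ == "__main__":
    short_run, full_run, capacity = demo()
    print(len(short_run["bad_sectors"]), "sectors missed by the short run")
    print(full_run["complete"], capacity)
```

The verification deliberately derives the sector count from the device rather than from the overwrite tool's own report, which is the independence item 1.2.2 asks for; the capacity report makes the decimal/binary ambiguity of item 1.1.3 visible instead of leaving it to the operator to guess.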