Reporters and pundits alike in the US news media have been discussing data and device destruction recently. In particular, they’ve been discussing data destruction with, for example, BleachBit, and device destruction with a sledgehammer. I have not heard any of them discuss the rules NIST (the National Institute of Standards and Technology) has laid out. While these don’t apply in all cases, it is worth looking at them for private businesses and most government agencies.
Before we get to the NIST rules, let’s look at “BleachBit”. BleachBit is a free program designed to clean disks. It can remove mail files, browser history, individual files, and personal data from hundreds of applications. Users can even create programs to remove data from virtually any program. The discussion in the news has been that it removes data so that it cannot be recovered. It does this (according to its website) by overwriting the data. This is a common task. There are multiple available for the task and Windows has a built-in tool to do that, too.
The Windows tool overwrites free or unused space on a drive. It is a function of the cipher tool. That tool also manages encryption of drives, among other things. The command I use to clean my hard drive space periodically is
cipher /w: device
According to NIST, when a device that handles classified data is to be retired, any sensitive data needs to be removed:
Before a mobile device component permanently leaves an organization (such as when a leased server’s lease expires or when an obsolete mobile device is being recycled) or is reassigned to another user, the organization should remove any sensitive data from the mobile device. The task of scrubbing all sensitive data from storage devices such as hard drives and memory cards is often surprisingly difficult because of all the places where such data resides and the increasing reliance on flash memory instead of magnetic disks. See NIST SP 800-88, Guidelines for Media Sanitization [SP800-88], for additional information and recommendations on removing data from mobile devices.
The referenced Guidelines for Media Sanitization is 64 pages long. It discusses data sanitization and device destruction for magnetic, optical, flash and ROM media. The section on flash storage (found in phones and PDAs, among other devices) is summarized on p36 in Table A-9. It lists three steps for data destruction, Clear, Purge, and Destroy. The Destroy step is the one in the news (I have seen no comments about whether or not the other two steps were performed on the mobile devices discussed), let’s look at that. The wording is simple: “Shred, Disintegrate, Pulverize, or Incinerate by burning the device in a licensed incinerator.” That requirement is used in the guidelines for other storage types, too.
The terms shred, disintegrate, and pulverize are defined at the end of the document. The closest to this case is “pulverize”. I do not know whether or not smashing with a sledgehammer fulfills the definition of “the act of grinding to a powder or dust” or not. Nor do I know whether or not these guidelines apply in this case or not.
Regardless of whether or not a company or agency formally requires following the NIST guidelines, they are at a minimum a good starting point for multiple tasks including data destruction.
We do discuss data destruction in Learning Tree’s System and Network Security Introduction. It can be, as NIST notes, “surprisingly difficult”. It takes understanding the principles and required actions and implementing them correctly.
Does your company or agency use the NIST data and devise destruction guidelines? Let us know in the comments below.
To your safe computing,