Securely Deleting Data

Monday, March 8th, 2010

Securely deleting data is a requirement of most regulatory frameworks. But many organizations struggle with just how to do this in a way that is both secure and compliant. Some ways to do this include using software to overwrite the data, using a degaussing tool to magnetically damage the drives, and physically destroying them.

Make sure you keep in mind that whatever method you use, the goal is risk mitigation rather than risk elimination. You’re trying to mitigate the most risk for the least money. So while DBAN and smash therapy aren’t perfect, they do the job pretty well for what you need them to do. If you’re the DOD or NSA then of course you need to do something else. But if you’re the DOD or NSA you already knew that.

Another part of the HIPAA and SOX requirements is auditable documentation. NIST has a guide (linked below) which gives you a generic form for the types of data you need to track, including method of sanitization, serial number, who performed the test, etc. It is also beneficial to document your methodology since the auditors will want to see that along with your wiping logs.

DBAN is one of the most useful tools out there; it does several forms of wiping to remove data from all types of drives, including SCSI and older hardware. If the drives are all ATA and manufactured within the last five years (erring on the side of caution), the SecureErase command is more thorough and faster. This command is implemented in a number of utilities, probably the best known one being put out by UCSD and called Secure Erase (linked below). Obviously physical destruction is an option too; it can be fun and cathartic to take a sledgehammer to the drives, and old platters can make a great mobile for the crib geek’s ceiling.
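The two pieces above that a practitioner has to put together are the wipe itself and the auditable record of it. The following is an added example (not code from this post, DBAN, or the UCSD tool): a single-pass software overwrite with full read-back verification that emits a NIST SP 800-88-style sanitization entry with the fields the post lists. The record field names are my own, and the target is a constructed temporary file standing in for a drive rather than a real block device.

```python
"""Software overwrite + full read-back verification, emitting an auditable record.
Added example; field names are mine and the target is a constructed temp file."""
import os, tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB read/write granularity

def overwrite_zero(path, passes=1):
    """Overwrite the whole target with 0x00, `passes` times, fsync after each pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                f.write(b"\0" * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size

def verify_zero(path):
    """Read the whole target back; return (all_zero, first_nonzero_offset or -1)."""
    off = 0
    with open(path, "rb") as f:
        while buf := f.read(CHUNK):
            if buf.count(0) != len(buf):
                return False, off + next(i for i, b in enumerate(buf) if b)
            off += len(buf)
    return True, -1

def sanitization_record(path, serial, operator, passes=1):
    """Wipe, verify, and return the log entry auditors will ask to see."""
    size = overwrite_zero(path, passes)
    ok, bad = verify_zero(path)
    return {"media_serial": serial, "performed_by": operator,
            "method": f"software overwrite, {passes} pass(es) of 0x00",
            "bytes_processed": size, "verification": "full read-back",
            "verified": ok, "first_nonzero_offset": bad,
            "timestamp_utc": datetime.now(timezone.utc).isoformat()}

def demo():
    """Constructed input: a ~3 MiB file of random bytes standing in for a drive."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 12345))
    rec = sanitization_record(path, "SN-EXAMPLE-0001", "jdoe", passes=1)
    os.unlink(path)
    return rec
```

A real drive would be opened by its device path with root privileges, and the serial number would come from the drive itself rather than a literal; the verification step is what turns the wipe into evidence for the wiping log.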

Wiping portable media is a different issue entirely. Backup tapes, thumb drives and portable hard drive storage are three such examples of portable media. Each has its own challenges. I’ve addressed the hard drive issue above, but probably the best way to wipe the other two is physical destruction. It’s an easy process for small USB drives but can be difficult to do safely with backup tapes. I’d suggest contacting your paper records disposal company and asking them if they can provide this service for you. You may find that their rates are low for this sort of thing.

NIST Special Publication 800-88 – Guidelines for Media Sanitization
http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf

DBAN
http://www.dban.org/

Secure Erase
http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml

National Industrial Security Program Operating Manual DoD 5220.22-M 2006 (Deprecated)
https://www.dss.mil/GW/ShowBinary/DSS/isp/odaa/documents/nispom2006-5220.pdf

Data Erasure
http://en.wikipedia.org/wiki/Data_erasure

Data Remanence
http://en.wikipedia.org/wiki/Data_remanence

Marcus Ranum’s method of physical destruction
http://www.ranum.com/security/computer_security/editorials/diskcrypt/index.html


Spam and the Changing Business Model of Cyber Crime

Wednesday, February 10th, 2010

In the past couple of months, the Freakonomics blog asked why there has been such a downturn in the familiar Viagra and Nigerian prince Spam. The author attributed this to the cost of spamming not being worth the rates of return anymore. Most commentators pointed to better spam filtering software.

While it does seem that anti-spam filtering has improved, there may be more behind the observed downturn. There are noted temporary declines whenever some of the bad guys’ ISPs get taken down, but the general trend is toward continued spamming. Interestingly, though, anecdotal evidence (my spam filter) doesn’t suggest that the spammers are spending much time coming up with new tricks to avoid detection.

So back to the Freakonomics theory: a change in business models. From what we’ve been seeing, cyber criminals seem to be spending more time focusing on different types of attacks on your inbox. In the last year or so, we in the Information Security business have seen a dramatic rise in phishing attacks, particularly more targeted phishing attacks.

Phishing attacks in which a criminal targets smaller regional areas have been quite popular. Criminals will try to find an area where there are only a few financial institutions and then send emails, text messages and leave voice mails for victims they believe are in that area. These messages will either be of the traditional kind, asking for sensitive information over the Internet, or they will instruct the recipient to call a 1-800 number to divulge information. The criminals then charge money on credit cards and withdraw from ATMs.

In addition, criminals are targeting businesses more frequently. Legitimate-looking emails impersonating organizations like the IRS, UPS and the Better Business Bureau are common in these attacks. The goals here are less about sensitive information and more about installing malicious software to infiltrate a company. Usually the goal is to get access to a corporate bank account and transfer money electronically.

So it seems that the Freakonomics guys were right, it does come down to simple economics and opportunity costs. Spam is cheaper and easier per email, but phishing brings in far more money. Enough money, in fact, that organized crime groups can set up processing centers to do all the work while the cyber kingpins drive around in their Maseratis in Marseilles. That beats Nigeria any day.


CIA Confirms Cyber Attack Caused Multi-City Power Outage

Wednesday, January 23rd, 2008

In the movie “Live Free or Die Hard,” street-wise cop John McClane battles it out with bad guys who use computers to carry out their crimes. In this movie, we are introduced to a term called a “Fire Sale,” where hackers take out critical systems to cause chaos. It is literally a movie-plot terror threat, and seems pretty unlikely to happen outside of the theaters.

But late last week we got news of a similar scenario being carried out in foreign countries: cyber criminals extorting public utilities with threats of taking down the facility. It seems that in at least one case, the attackers made good on their threats, affecting multiple cities. The Daily Mail of London indicates that these attacks have been carried out as near as “Central and South American countries including Mexico.”

Given what I know about SCADA systems from reading public documents and making some guesses based on my experiences, I’d say it’s entirely plausible that unauthorized access could be gained to these systems. While the speech mentions utilities outside the US, I wouldn’t be surprised if there are unauthorized users inside some American public utility companies. And we know that SCADA systems have been compromised before, both with and without “insider information.” Just recently, a 15-year-old kid was able to take control of city trams in Lodz, Poland with an IR remote control and caused one car to jump the tracks and hit another tram.

One set of regulations, NERC-CIP, was passed, ironically, the day before the big Northeast blackout of 2003. It’s ironic because the outage may have been exacerbated by systems failing to perform as they were intended because of the Blaster worm. Recently some SCADA systems were put through a well-publicized attack scenario in which the adversarial team gained full control and was able to damage physical equipment.

Organized crime has been doing this kind of thing for years, operating by extorting companies for “protection money.” The difference here is that someone anywhere in the world can threaten and carry out these attacks. Cyber criminals have been known to extort companies in other industries. A type of malicious software called “ransomware” encrypts or steals documents from your hard drive and extorts you to get the data back. Hiding one’s tracks is only slightly easier (you have to deliver the money somewhere), but where it’s really different is that the attacker never has to set foot in the jurisdiction where the action is carried out. He can be sitting in a cafe in a non-extradition country.

Will we see this kind of extortion happening in the US? I doubt it. Cyber criminals need to be able to get away with the money. Disrupting the American power grid would cause too much attention to be put on them from the wrong people — those who could and would spare no expense to make sure they were caught. As Hans Gruber says in the original “Die Hard” movie, “When you steal $600, you can just disappear. But when you steal $600 million, they will find you.” In other words, the higher value your target, the more that will be invested to track down the attackers.

SCADA systems have traditionally been more impervious because they are arcane. But as this 2006 SANS webcast and this Information Week article indicate, in the last few years SCADA systems have been connected to the Internet and wireless networks, and have been transitioning to Windows architecture. In other words, many systems run on a platform that attackers know well and are connected to systems which allow greater external access. So the lesson is clear that anyone running SCADA systems needs to be especially diligent in protecting them.
