An important issue to deal with in physical security is the theft of physical devices and equipment. The goal is not just to avoid interruption of services but also to avoid losing confidential information to an attacker. Today, with portable devices such as mobile devices, laptops, cell phones and external hard drives in use, it becomes very important to implement some sort of protection. Such devices may contain confidential information and may also leave the premises. They may be stolen on location, but they can also be stolen at any other location wherever the user may bring them. Laptops and work phones are often brought home by an employee with the intent of working from home. Consultants or contractors may also carry information on USB drives when visiting another organization.
Hard Drives
Today, hard drives are fairly small but may have a very high storage capacity and can carry large amounts of confidential data without being noticed. Of course, this applies to any device that has the capability to store information, such as flash drives, mobile phones, CD/DVD/Blu-ray discs etc. It is not uncommon for external storage devices to be lost or stolen, compromising the security of an organization in the process. Storage devices that were meant to be used only as backup storage may with time start to carry other kinds of data because the device was at hand when it was needed. All organizations should have policies in place to ensure devices like these are used in a secure manner, or ban such devices entirely.
Securing portable storage devices is not a hard task to accomplish through the use of modern technology and proper procedures. An effective way to protect the confidentiality and integrity of classified information on such devices is to implement encryption. If a portable disk drive is stolen, it is less of a concern if the whole drive is encrypted, as this keeps confidential information from falling into the hands of an attacker. This will, of course, not protect the drive from being stolen in the first place, but if the organization has well-implemented backup procedures in place, this will still protect the data from being published or sold. In some cases encryption may be mandatory by law.
Some popular and well-tested solutions for encryption include:
- PGP
- VeraCrypt
- Microsoft BitLocker
Encryption comes at a cost, not necessarily an economic cost but a performance cost, as with most other security controls. The organization has to make a choice and consider if performance is more important than the loss of confidentiality and integrity. An option is to classify information and create a policy stating what information is allowed on encrypted devices and what is not.
An organization also has to protect against actions such as dumpster diving and trash picking for used media. Make sure procedures are in place for storage, handling and proper destruction of storage devices and media in general.
Drive Wiping
This is the act of overwriting all information on the discarded drive. Some organizations put policies in place to make sure drives are formatted in a certain way. This could be overwriting the drive with a special digital pattern of bits through several passes. Other methods should be used for Solid State Drives (SSDs), as they are not mechanical drives and work differently.
Zeroization
This process is usually associated with cryptographic processes and was employed on mechanical cryptographic devices. The device would be reset to 0 to prevent anyone from recovering the key for the device. Today zeroization involves overwriting the content of a disk with zeroes.
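The multi-pass overwrite described under Drive Wiping, ending in the zero pass described under Zeroization, followed by a read-back check, shown as an added example that is not part of the original page. It runs against a constructed image file standing in for a drive; the pass schedule and all function names are assumptions chosen for illustration.

```python
import os
import tempfile

CHUNK = 1024 * 1024  # write/read in 1 MiB chunks to keep memory use flat
PASSES = [b"\x55", b"\xaa", None, b"\x00"]  # constructed schedule; None = random pass


def wipe(path, passes=PASSES):
    """Overwrite every byte of `path` once per pass, flushing each pass to disk."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in passes:
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                f.write(os.urandom(n) if pattern is None else pattern * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # force the pass out of the page cache
    return size


def first_nonzero_offset(path):
    """Return the offset of the first non-zero byte, or -1 if fully zeroized."""
    offset = 0
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            stripped = chunk.lstrip(b"\x00")
            if stripped:
                return offset + len(chunk) - len(stripped)
            offset += len(chunk)
    return -1


def make_sample_image(size=3 * CHUNK + 123):
    """Constructed stand-in for a drive: a temp file holding a fake secret."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(b"CONFIDENTIAL-PAYROLL-RECORD\n" * (size // 28 + 1))
        f.truncate(size)
    return path


if __name__ == "__main__":
    img = make_sample_image()
    print(first_nonzero_offset(img), wipe(img), first_nonzero_offset(img))
    os.remove(img)
```

The read-back step is what lets a disposal procedure record that the final pass actually reached every byte; a single leftover non-zero byte is reported with its offset.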
Degaussing
This process will permanently destroy any information on a mechanical hard drive or any other magnetic media such as tapes. Tapes are very much in use as a means of storage for backups, as modern tapes can hold a lot of information for a very long time and do not take up too much space. Degaussing uses a powerful magnet that penetrates the media and reverses or alters the polarity of the magnetic particles on the tape or hard drive platters. After this process has been completed, the drive or media can no longer be reused.
The most secure way of making confidential information on any device or media inaccessible is to physically destroy it or melt it and this may sometimes be a requirement.