Security Basics mailing list archives

Re: need to wipe a NAS and be DoD compliant

From: "Stephen John Smoogen" <smooge () gmail com>
Date: Mon, 26 Jun 2006 08:20:33 -0600

On 6/23/06, Lujan Sgt Pedro D <pedro.lujan () usmc mil> wrote:

 SuttonP
From the looks of your e-mail "aafes" the question would need to be
asked if you are located on a military base. If so the local command
would "direct" the use of specific tools that meet their own
requirements. Also at what level of classification are you trying to
wipe? (Unclass, Secret, TS.) There are very limited tools to use, that
meet the DoD requirements, but proper use and prior approval of its use
should be checked on first.

One tool used when "authorized" is BCWipe. It meets the requirements of
DoD 5200.28-STD.

However, I strongly recommend checking with your local command and its
policies before attempting to wipe any system.
Normally if we need something wiped that meets DoD standards, it's
because we are trying to remove some data of a higher classification
level than the device is authorized to store. If this is the case than
you should definitely seek out your IAM / IAO or data section to avoid
getting thrown in jail or losing your job.


Also, SuttonP

If you are just trying to wipe a system for 'reapplication' you will
also need to work with the 'vendor' of the NAS hardware to see if they
have a way to locally run bcwipe versus over the wire. In most cases,
running a bcwipe or similar bit-remover remotely will not work in the
way that makes 'bcwipe' valid.

In most cases, we have had to either find commands that could be run
locally... do an invasive reformat of the drives (eg 1/0/1/0/1/0/1/0
format if the NAS had that kind of burn-in format.) If those were not
available, sending the drives off for appropriate destruction (10mm by
10mm I think) was the only option.

However, all of these were items decided by the ISSO on what was
required for that site.

--
Stephen J Smoogen.
CSIRT/Linux System Administrator

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE

The NSA has designated Norwich University a center of Academic Excellencein Information Security. Our program offers unparalleled Infosec managementeducation and the case study affords you unmatched consulting experience.Using interactive e-Learning technology, you can earn this esteemed degree,without disrupting your career or home life.


http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------

Current thread:

need to wipe a NAS and be DoD compliant suttonp (Jun 23)
- RE: need to wipe a NAS and be DoD compliant Lujan Sgt Pedro D (Jun 26)
  - Re: need to wipe a NAS and be DoD compliant Stephen John Smoogen (Jun 26)
- Re: need to wipe a NAS and be DoD compliant Louis Lerman (Jun 26)
  - Re: need to wipe a NAS and be DoD compliant Charles Fraser (Jun 26)
- Re: need to wipe a NAS and be DoD compliant Gethin Jones (Jun 26)
- Re: need to wipe a NAS and be DoD compliant Neil (Jun 26)
- <Possible follow-ups>
- RE: need to wipe a NAS and be DoD compliant Jasun Tate (Jun 26)
- Re: need to wipe a NAS and be DoD compliant roescue (Jun 27)