Penetration Testing mailing list archives

Re: Data in transit (with a twist)...


From: Bog Witch <iambogwitch () gmail com>
Date: Wed, 23 Nov 2011 19:22:40 +0000

Hi Cribbar,

It would help if you could define exactly what standards you need to
adhere to. Is this HMG info?

It is fairly clear that you are indicating that the best solution will
be to encrypt all the data being stored on the tapes. Is there a
reason for you NOT doing this (apart from cost)?

With regard to the third-party contractor securely erasing HDDs for
you, I would urge caution. I was recently offered 2nd hand laptops
that were being sold off (through the back door) from a disposals
company. The company had accreditation. It would be far better for you
to securely erase your own hard disk drives or physically destroy them
on-site. The stated requirements for a 7x (or 35x!) overwrite are
based on VERY old HDD densities and an overwrite of one or two passes
should be sufficient to prevent recovery by all but a fully-funded
government organisation (and they would probably have more efficient
ways to spend their money). That said, if you're working to a mandated
policy, you may have to stick to it.

HTH,

Bog

On Wed, Nov 23, 2011 at 4:11 PM, cribbar <crib.bar () hotmail co uk> wrote:

Hey Guys,

This is not so much a pen testing question (although perhaps you pen test
physical transfers) – but as many of you are absolute security experts, some
I assume will be CHECK/CREST approved – it is a valuable resource I’d like
to tap into for some general brainstorming and advice.

I need some best practice controls, ideally in the form of a best practice
checklist that will satisfy internal and external auditors - for when our
data is in transit. The twist is, I am not on about “In transit” in terms of
electronic transfer – I am on about backup tapes and redundant drives
physically being transferred from one site to another. The data on such
falls into “fairly sensitive”, i.e. no credit card details, but a degree of
personal data nonetheless.

I’ve got 2 scenarios really –

(1) All “servers” and backup facilities are in a secure data centre (let’s
say building A). When they are physically taken out of this environment and
transferred, I class this data and media as “vulnerable”, whereas on site,
in terms of physical security I have reasonable assurance the data is
“relatively safe”.

Redundant (those flagged as ready for disposal) drives out of the few
remaining physical servers (some process/store sensitive data) are initially
transferred to local HQ (building B). These drives AREN’T encrypted. Also,
backup tapes (again NOT encrypted) are transferred from building A >
building B as part of disaster recovery ops.

(2) We also have building C which is where the main employees office is.
From here redundant IT kit, such as old PCs, is flagged up as ready for
collection. IT collect the kit and it is stored in building B. Once the
store in building B is high enough, a local 3rd party service will collect
the PCs, and “data-wipe” them. Workstation drives AREN’T encrypted. Laptop
devices ARE encrypted.

We need some procedural safeguards in all of this. Especially around
accountability, integrity, and confidentiality.  I am struggling to locate a
really detailed best practice guide around physical collection, physical
transfer and storing of redundant hardware and backup media in an
unencrypted state. I assume this falls under “asset management” but again I
am struggling to find a comprehensive best practice checklist that I can
align procedures around. I want to align our procedures with best practice
in this area from a reputable source, but to my surprise there doesn’t seem
to be much out there. However, perhaps searching asset management is the
wrong terminology in IT circles.

The risks are obvious. We are essentially transferring highly sensitive data
from different sites in an unencrypted state (issue in itself). There are
accountability, integrity and confidentiality risks to the hardware AND data
resident on this media. There are also potential availability risks in
relation to the backup media, as well as the integrity and confidentiality
risks to the data and backup media. This must fall into compliance for
issues like PCI and HIPAA.

Any best practice or comments will help no end.

Thanks for your time in reading this.

Cheers,

Cb

--
View this message in context: http://old.nabble.com/Data-in-transit-%28with-a-twist%29...-tp32874247p32874247.html
Sent from the Penetration Testing mailing list archive at Nabble.com.


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------


