Re: Advice regarding servers and Wiping Drives after testing

["Jay" <jay.tomas () infosecguru com>]

It may be helpful to know the data classifcation of the date prior to suggesting a solution.

If you are a goverment or intelligence agency /  consultant it would be greatly different than if you were a 
Landscaping company keeping track of how much sh*t you had left.

If speed is of great important you may look at renting a degausser. (about $600 a week)

Its about Risk Management = How much time and money you are going to use is determined on the value of the data and 
outcome if there is exposure.

Jay

----- Original Message -----
From: Ansgar -59cobalt- Wiechers [mailto:bugtraq () planetcobalt net]
To: security-basics () securityfocus com
Sent: Tue, 28 Aug 2007 20:01:47 +0200
Subject: Re: Advice regarding servers and Wiping Drives after testing

On 2007-08-27 sec sam wrote:
> I am concerned about an upcoming DR Test and only have a total of 32
> consecutive hours to do the test.
>
> I am trying to find comfort in recommending option number 1 listed
> below. I am wondering if anyone has concerns about going with option 1
> listed below.  This option has risen to the top of the list because it
> meets the time constraints.
>
> 1) At the end of the test techs will remove the raid array from each
> of the 3 servers (striped).
> Disks will then be shuffled within the array and if possible between
> servers too.
> An array will then be re created on each of the 3 servers.
> Estimated time to complete task is 25-60 minutes.
> There is a lot I don't like about this scenario the biggest being that
> I cant find anything that discourages this practice for wiping data- I
> hear lots of different administrators say that is how they do it... I
> don't like to take that as  proof that it is a good practice though.

That's most definitely insufficient, because most of the disks will
remain untouched, and therefore data on them may still be recoverable.

> These would take more time than we can afford to spend but they might
> provide a higher degree of certainty that data has been effectively
> wiped out.
> 2) Use a drive wipe utility (there are many) and perform a wipe of the
> systems to dod standards (120Gigs would take Hours and the products do
> not seem to work in servers with Raid arrays-- At least that is what
> we are finding)
>
> 3) Encrypt the 3 servers using a harddrive encryption software.
> Not a bad option as AES128 encryption would  encrypt the data but
> encrypting 120Gigs at 10 gigs per hour is about 12 hours of work.

4) Wipe all drives in a single pass with random data. I have yet to see
anyone being able to recover data from modern harddisks after that
procedure.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq