Data Spill – An Everyday Threat to National Security

28 Jun 2017 | Michael Waksman

Data has a frequent, troublesome habit of residing somewhere it shouldn't. In national security spaces, classified data can end up on unclassified systems or on systems with a lower classification level. This is known as a data spill. Other terms to describe this type of event include classified spill, contamination, and classified message incident. But they all mean the same thing: classified data existing in a location where it is not authorized.

How Do Data Spills Happen?

Several scenarios can lead to a data spill. A file moved to the wrong location is an obvious, common example. In that situation, either a person with clearance or an automated process with clearance moves a file from a classified system to a system with lower classification or no classification.

Accidental email distribution is another typical fault that leads to a data spill. Perhaps the wrong file was mistakenly attached to an email. Or someone accidentally clicked ‘Reply all’ rather than ‘Reply’ in a thread. In addition, mismarked files on servers, improperly marked hard copies or media, and Department of Defense (DoD) classification changes can all lead to data spills.

What Kind of Data Spills Happen?

There are three main categories of data spills:

  • Inadvertent
    If someone had no reason to believe their actions would lead to a data spill, it can be called inadvertent. Relying on improperly marked data for decision making is a typical cause for an inadvertent spill.
  • Willful
    When an individual purposefully disregards procedures or policies and causes a data spill, this is considered willful. Intentionally bypassing security controls is an example of this.
  • Negligent
    Somewhere between the previous categories is the negligent data spill that occurs when a person acts unreasonably and causes an unauthorized disclosure. This can happen through careless attention to detail or a reckless disregard for procedures.

Whichever the category, the outcome is the same – protected data has become vulnerable by sitting somewhere it should not.

Responding to a Data Spill

If an organization has respect for information technology and resources dedicated to IT security, there will most likely be a reaction plan in place should a data spill occur. Most frequently, a Facility Security Officer (FSO), Information Assurance Manager and IT security personnel are all dedicated to the protection of data. It is their responsibility to mitigate and investigate data spills.

An appropriate response to a data spill most often takes three phases:

  • Detection and reporting
    If you discover a data spill, you must report it immediately and take no action yourself on the data, including deletion or forwarding. DoD contractors can report to the Original Classification Authority (OCA), Information owner/originator, Information System Security Manager (ISSM), Activity Security Manager, or Responsible Computer Incident Response Center. For other industry reporting, contact the Facility Security Officer (FSO), the Information Systems Security Manager (ISSM), or the Information Systems Security Officer (ISSO).
  • Risk assessment and containment
    Repair can begin now that the spill has been noticed and the appropriate authorities have been contacted. The authorities will tally the risks associated with the breach and will seek guidance from the data owner. Deletion or further spreading of the classified data is still prohibited during this phase, and the systems involved in the spill are usually isolated for that purpose.
  • Clean up
    Specific clean up procedures vary between the DoD and cleared defense contractors, but most include software overwriting of affected data sectors.

Correcting the data spill can be a minor task or a massive undertaking depending on the sensitivity of the data, the level of clearance of the systems and the personnel involved, and the kind of contaminated storage media.

Wiping Files or Entire Hard Drives Involved in a Data Spill

In the event of a data spill, all involved endpoints should be wiped. The wiping process can target selected files or entire disks. Either way, the software used during the clean up phase should meet the following requirements:

  • A minimum of three-cycle overwriting sanitization is required to be a complete wipe (different specifications can be required by different organizations). The first cycle writes a pattern, the second follows with the complement pattern, and the third and final cycle is a different, unclassified pattern.
  • Random data reading for overwrite verification should be included in the software, although a separate utility can be used for verification.
  • Printed results of the wipe, including disk integrity reporting, need to be included in the wipe software. Bad sectors or blocks on a disk require that the disk be destroyed or degaussed.
  • Whole disk wipes must be complete, including partition tables, user data, operating systems, and any boot records. They must also wipe Device Configuration Overlay (DCO) sectors if the disks are ATA-6. A whole disk wipe must also be able to clear a Host Protected Area (HPA).
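
The three-cycle overwrite, random-read verification and result reporting listed above can be sketched for the selected-file case as follows. This is an added example, not code from BCWipe or from the original article; the byte values, function names and report fields are assumptions chosen for illustration. It also assumes the filesystem and device overwrite data in place, and it does not address whole-disk areas such as partition tables, DCO or HPA.

```python
import os
import random
import tempfile

CHUNK = 64 * 1024
PATTERN = 0x55               # cycle 1 pattern (assumed value)
COMPLEMENT = PATTERN ^ 0xFF  # cycle 2: bitwise complement of cycle 1 (0xAA)
FINAL = 0x3C                 # cycle 3: a different pattern (assumed value)

def overwrite_pass(fd, size, byte):
    """Overwrite the first `size` bytes of fd with `byte`, then flush to the device."""
    os.lseek(fd, 0, os.SEEK_SET)
    block = bytes([byte]) * CHUNK
    remaining = size
    while remaining > 0:
        remaining -= os.write(fd, block[:min(CHUNK, remaining)])
    os.fsync(fd)

def verify_sample(fd, size, byte, samples, rng):
    """Read `samples` random offsets and count bytes that differ from `byte`."""
    mismatches = 0
    for _ in range(samples):
        os.lseek(fd, rng.randrange(size), os.SEEK_SET)
        mismatches += os.read(fd, 1) != bytes([byte])
    return mismatches

def wipe_file(path, samples=256, seed=None):
    """Three-cycle in-place overwrite with sampled verification; returns a report."""
    size = os.path.getsize(path)
    fd = os.open(path, os.O_RDWR | getattr(os, "O_BINARY", 0))
    try:
        for byte in (PATTERN, COMPLEMENT, FINAL):
            overwrite_pass(fd, size, byte)
        bad = verify_sample(fd, size, FINAL, samples, random.Random(seed)) if size else 0
    finally:
        os.close(fd)
    return {"path": path, "bytes": size, "cycles": 3,
            "samples": samples, "mismatches": bad, "verified": bad == 0}

if __name__ == "__main__":
    # Constructed sample file standing in for a spilled document.
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"constructed sample data\n" * 4096)
    print(wipe_file(f.name, seed=1))
    os.unlink(f.name)
```

A non-zero mismatch count in the report means the overwrite did not take effect at every sampled offset, which should be treated like the bad-sector case above.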
     

Clean Up a Data Spill with BCWipe

Trusted for over 10 years by the U.S. Defense Community, Jetico's BCWipe is the de-facto standard for classified data spill clean up, wiping selected files beyond forensic recovery.

For whole disk wiping requirements, Jetico’s BCWipe Total WipeOut can overwrite partition tables, user data, operating systems, boot records, DCO hidden sectors on ATA-6 disks and HPA.

Both solutions:

  • Feature DoD and DoE wiping schemes, as well as creation of proprietary wiping schemes
  • Include reporting functions
  • Work on Windows, Mac and Linux (BCWipe Total WipeOut is OS independent)
  • Don’t require an internet connection

Contact us to request a free trial or learn more about our solutions for data spills.


Michael Waksman
Michael Waksman has been serving as CEO of Jetico since 2008, nearly doubling the size of the company during his tenure. He brings more than 15 years of communications, technology and leadership experience.

Before joining Jetico, Waksman was instrumental in creating the corporate identity of Valimo Wireless, raising global brand awareness, building a more commercially-driven team and initiating enterprise customer relations. That was the basis for replicating it for Jetico's wide user base throughout the U.S. Defense community, the compliance market and vast personal privacy market.

Waksman is vice-chairman of the Cyber Group for the Association of Finnish Defense and Aerospace Industries. Recognized as a security and privacy advocate, he is a frequent speaker at international events, occasionally on behalf of the Finnish cyber security industry. In 2012, Waksman was honored with The Security Network's Chairman's Award for fostering collaboration between the United States and Finland. As a native New Yorker he has been living in southern Finland for over 10 years.