18

Has anyone ever had to deal with an unauthorized laptop accidentally getting Top Secret level data on it?

How did you quarantine the system? Were you required to turn in the entire laptop or were you able to destroy/format the HDD?

NISPOM says that incineration or physical destruction of the HDD is required, but I just wanted to get people's experiences with this type of situation.

Clarification: the data was released to us as unclass (marked as such) and then was later found to have the class data on it, at which point they called us to lock everything down.

Conclusion:

Laptops seized, and we are told that the free space will be wiped after a forensic expert takes a look at it. If everything works out we should have our laptops and data back in a few days.

Crash893

  • Holy $^*@! If you haven’t already called your FSO, do it immediately. That laptop is now TS and needs to be treated and protected as such. I would expect that every physical component of the item formerly known as a laptop will be crushed, smashed, melted, dissolved, extruded, shredded, and used as a target on an artillery range. – this.josh Aug 11 '11 at 07:28
  • Do we already have a law saying: "If people ask legal questions (especially with lots of abbreviations) on an international English language site and don't mention their country, they are from the USA"? – Hendrik Brummermann Aug 11 '11 at 07:54
  • @this.josh Yes, we contacted the agency involved and the FSO immediately; they however won't be able to get to our location till Monday, so we have the laptop in a secure safe. My question is more of what should I expect when they get here. (And yes, holy @#$# was the first thing out of my mouth.) – Crash893 Aug 11 '11 at 16:37
  • @Hendrik Brummermann Sorry, location = USA. – Crash893 Aug 11 '11 at 16:37
  • @this.josh In that order? Seems impractical. – Iszi Jan 08 '13 at 19:50
  • As a follow-up to this: we stored the laptops, one work, one personal (MacBook Air, ouch), in the TS safe. A few days later the NSA called a meeting at the prime's office building and we had our TS courier carry the two triple-boxed laptops there, where they were confiscated. Several months later they randomly arrived via FedEx with a receipt slip and had not been fully formatted (i.e. the OS was still mostly intact and you could boot and log in). We ended up formatting them and reinstalling anyway, just in case. – Crash893 Jan 08 '13 at 22:44
  • @Iszi - Josh wasn't being serious with that list. – Ramhound Jan 09 '13 at 15:25
  • @Ramhound Neither was I. – Iszi Jan 09 '13 at 15:29

6 Answers

12

This is an incident you need to handle, and I am guessing that a standard response has not been detailed in your documentation.

Realize that your system is malfunctioning. It is not operating the way it was intended to.

  1. Isolate your system [meaning your network(s) and physical facility if possible] to prevent the data from leaving your system. Take care to cause as little change to individual assets as possible. You want the state of the assets to stay constant until you can assess them.
  2. Identify the source or sources of the data leak.
  3. Isolate the leak source or sources to prevent further contamination in your system. Again, try to preserve their current state as much as possible. This will help you identify assets contaminated by the source.
  4. Identify all assets that may have been contaminated by the source or sources.
  5. Isolate the potentially contaminated assets. I know it is getting repetitive, but preserve the state of each asset as much as possible. These assets will help you assess the extent of the contamination.
  6. Treat all potentially contaminated assets at the level of the contamination. In this case TS.
  7. Verify that the remaining assets are not contaminated.
  8. Breathe, have something to eat or drink, take a short break, because the rest of your day/week/month is going to be painful.
  9. Discuss and plan remediation of contaminated assets. Planning well here will allow you to understand the scope of the problem, who is impacted, and how long you expect it to take.
  10. Execute the remediation plan and periodically report on progress.
  11. Pain
  12. Vacation

Has anyone ever had to deal with an unauthorized laptop accidentally getting Top Secret level data on it?

I have not. I have been involved in containment and remediation of sensitive data.

How did you quarantine the system?

I have not been involved with the primary contaminated system, only secondary systems.

For systems suspected of contamination:

  • Posted restricted area notice sign on the door.
  • Locked the door.
  • Removed network communications.
  • Shutdown the system to preserve as much of the current state as possible.
  • Analyzed the system to check for presence of data in question.
  • If detected, moved the system to a secure area for sanitization.

Were you required to turn in the entire laptop or were you able to destroy/format the HDD?

The agency involved will determine the action to be taken, and the policies and practices may vary from agency to agency.

I do not have personal experience, but given that TS is described as 'Such material would cause "exceptionally grave damage" to national security if made publicly available.' I would expect that every physical component of the item formerly known as a laptop will be crushed, smashed, melted, dissolved, extruded, shredded, and used as a target on an artillery range.

The consequence of the release of the information compared to the value of the laptop, the other software and data on the laptop, and any other adjacent items of value, makes it clear that preventing the release of the data is worth the cost of total destruction of the laptop.

alexwlchan
this.josh

  • This is all correct, but your answer says nothing about the OP's questions about what to do after isolating the system - what to do with the hardware once the isolation and forensics have been done, and that looks to me like the OP's primary concern. – tkit Aug 12 '11 at 08:30
  • @pootzko You are right. I will add my original comment under the question to my answer. – this.josh Aug 12 '11 at 17:35
  • +1 for detailing the actual issue - leakage from the TS system, and not just dealing with the fallout (the laptop / hardware). – AviD Aug 14 '11 at 08:38
11

I used to work IT at an Air Force Base for a while and we actually had a couple of incidents like this happen.

First and foremost, make sure you notify the appropriate authorities of the incident. They will be able to instruct you further based on their current security policies.

  1. You need to isolate access to the laptop. Shut it down completely, boot into the BIOS and disable the network devices. If there are any wireless switches, make sure those are set to off.

  2. Make sure you properly identify the classified material and the scope of where it might reside on your system. And take the proper steps to remove it.

  3. Then defragment the hard drive and find a utility to push all of the existing files on the hard drive to the front of the drive. Then you can safely run a utility to securely wipe the remaining disk space.

That is a common technique used to cleanse a system, but don't attempt this without first reporting the incident and verifying that you have permission to perform these actions. Different types of incidents call for different responses and it's imperative to identify the issue correctly so that the correct actions can be taken. The steps above are not a solution for every incident. They're just a good generic starting point.

Trev

  • We were told that the media needed to be sanitized. Do you think they mean just the HDD or the entire laptop? – Crash893 Aug 11 '11 at 16:39
  • No, don't change the state of the system yourself unless you are specifically instructed and qualified to analyze and remediate! – this.josh Aug 11 '11 at 16:54
  • The 'media' they are referring to is the storage device containing the information. If it is on the hard drive I would sanitize that. There is no need to destroy the laptop or anything. You'll have to check the specs of your laptop, but typically, the hard drive is the only persistent storage used. RAM will flush itself after it's lost power and there aren't generally other easily flashable NVRAM modules on laptops. What Josh said applies: make sure you have authorization before doing anything. – Trev Aug 11 '11 at 16:55
  • @Trev He hasn't disclosed the make, model, or configuration of the laptop. How do you know what persistent storage is or is not part of the laptop? – this.josh Aug 11 '11 at 17:46
  • @this.josh Which is why I told him to check the specs. Crash: again, don't do anything you aren't authorized and properly trained to do. Just wait until they get there. And make sure the laptop stays disconnected, offline, and in a secure location. – Trev Aug 11 '11 at 17:58
  • We immediately powered the laptops at work down and tossed them into our secure safe. The problem is that one of the laptops was a worker's home MacBook, which Apple in their infinite douche-bag wisdom has made it almost impossible for a normal human to remove the laptop and not screw the entire thing up. – Crash893 Aug 12 '11 at 15:38
  • Marked as answer since it was the closest to what happened. – Crash893 Aug 15 '11 at 19:47
  • Note: Though RAM does technically clear itself some time after power loss, I believe NISPOM (and/or other relevant specifications) has detailed procedures for sanitizing that as well. Make sure those are followed. – Iszi Jan 08 '13 at 19:53
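The identification step that both this.josh's answer (identify the contaminated assets and verify the rest, while preserving their state) and Trev's step 2 (identify the classified material and the scope of where it resides) call for, written out as an added example. This is not code from either answer, from NISPOM or from any agency tool. It assumes a directory tree it can walk read-only; the marking patterns are chosen for the example and are not an authoritative list of US classification markings, and the files it scans are constructed inline to mirror the thread's situation (a delivery marked UNCLASSIFIED that turns out to carry TS portion marks). The report records path, SHA-256, size and the byte offset of each hit but never the matched text, so the report itself does not become one more copy of the data.

```python
"""Spillage triage scanner (constructed example, not from the thread or NISPOM).

Walk a suspect tree read-only, record a SHA-256 manifest so the state of each
asset at the time of isolation is fixed in the incident record, and flag files
whose bytes carry classification markings.  Findings hold only path, hash,
size and hit offsets, never the matching text.
"""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass, field

# Patterns are assumptions for this example, not an authoritative marking list.
MARKING_PATTERNS = {
    # Banner line such as "TOP SECRET//NOFORN" at the start of a line.
    "banner": re.compile(rb"^TOP\s+SECRET(?://[A-Z0-9/,\- ]+)?",
                         re.MULTILINE | re.IGNORECASE),
    # Portion mark such as "(TS)" or "(TS//SI)" at the start of a paragraph.
    "portion": re.compile(rb"\((?:TS|TOP SECRET)(?://[A-Z0-9/-]+)?\)"),
}
SCAN_LIMIT = 64 * 1024 * 1024  # larger files are hashed but not pattern-scanned


@dataclass
class Finding:
    path: str
    sha256: str
    size: int
    scanned: bool
    hits: list = field(default_factory=list)  # (pattern name, byte offset)

    @property
    def flagged(self) -> bool:
        return bool(self.hits)


def scan_file(path: str) -> Finding:
    """Hash one file and search its bytes for marking patterns, read-only."""
    digest = hashlib.sha256()
    data = bytearray()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
            size += len(chunk)
            if size <= SCAN_LIMIT:
                data.extend(chunk)
    scanned = size <= SCAN_LIMIT
    finding = Finding(path, digest.hexdigest(), size, scanned)
    if scanned:
        for name, pattern in MARKING_PATTERNS.items():
            for match in pattern.finditer(data):
                finding.hits.append((name, match.start()))
    return finding


def scan_tree(root: str) -> list:
    """Return one Finding per regular file under root (symlinks skipped)."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                findings.append(scan_file(path))
    return findings


def manifest_lines(findings) -> list:
    """Render the manifest: hash, size, hit count and path, one line per file."""
    return [f"{f.sha256}  {f.size:>10}  {len(f.hits):>3} hit(s)  {f.path}"
            for f in findings]


def build_sample_tree(root: str) -> None:
    """Write constructed sample files: an UNCLASSIFIED delivery whose contents
    were later found to carry TS marks, plus a binary file as a control."""
    samples = {
        "readme.txt": b"UNCLASSIFIED\nDelivery 2011-08, quarterly budget notes.\n",
        "analysis.txt": b"UNCLASSIFIED\n(U) Summary of site visit.\n(TS//SI) detail withheld here\n",
        "briefing.txt": b"TOP SECRET//NOFORN\n(TS) slide notes\n",
        "image.bin": bytes(range(256)),
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)


def demo() -> dict:
    """Build the sample tree in a temporary directory and return {basename: Finding}."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {os.path.basename(f.path): f for f in scan_tree(root)}


if __name__ == "__main__":
    results = demo()
    for line in manifest_lines(results.values()):
        print(line)
    print("handle at the contamination level:",
          [name for name, f in results.items() if f.flagged])
```

Run as a script it prints the manifest and names the two files that need TS handling. The manifest is what lets the forensic examiner confirm nothing changed between isolation and hand-over; a flagged file is handled at the contamination level, not opened or copied. Because it reads raw bytes, it will miss markings inside compressed or encrypted containers (zip, PDF streams, Office files), which is one reason the responding agency runs its own tooling rather than trusting a local scan.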
6

If the information is of that high level, after the isolation and forensics parts are done it never ever leaves the organisation functional and in one piece. You could securely wipe and reuse it for the purpose of usage under the same high classification if needed, but again - it stays within the organisation. When the laptop is ready for retirement it gets securely wiped and physically destroyed.

And if your organisation is really dealing with Top Secret information, then information is what is valued the most and it is of top priority. In that case, the cost of a laptop is not traded for the cost of information.

tkit
4

The two core issues in any jurisdiction should be:

  • notify the relevant body
  • protect the asset (in this case it is the data - not the laptop)

The notified body will tell you exactly what to do with the device so you shouldn't need to work out what you need to do from that point onwards, but depending on your environment you will need to decide on a course of action prior to receiving guidance.

If you are an organisation which generally handles TS information you should have a procedures document - follow it!

Rory Alsop

  • The problem is that we do deal with TS information, but usually onsite, not at our headquarters where most of the staff is NOT cleared. – Crash893 Aug 12 '11 at 15:41
  • If there is anyone cleared there, it should be handed to one of them straightaway :-) – Rory Alsop Aug 12 '11 at 17:16
  • Holy $#!+! How did the data get to HQ? There appear to be missing or ineffective controls at some point. A (hopefully cleared) individual's personal MacBook entered a TS system (bad), an unauthorized data transfer took place (worse), the transfer was not noticed (critical problem), the MacBook was not checked on removal (fail!), the MacBook was potentially accessible by uncleared employees (ouch). – this.josh Aug 12 '11 at 17:25
  • Sorry if I wasn't clear before: the information was released as unclass and then later found to contain TS information. – Crash893 Aug 15 '11 at 19:42
4

I had a similar issue when I was consulting for the NSA. They had some classified data that needed to be analyzed on our specialized hardware. They insisted on physical destruction of the hard drive and RAM.

I'm still kind of baffled why the RAM had to be physically destroyed. They said the rule was anything that can store data. But the CPU can store data -- it has caches and registers that store data too. And the RAM is as volatile as the CPU.

But that was the rule, so that's what we did.

David Schwartz
  • I agree that it's a little paranoid, but it's true that data stored in RAM decays gradually. Depending on the chip make and environmental conditions data can be present for at least 10 minutes. http://www.securitytube.net/video/111 – RJFalconer Sep 29 '11 at 12:34
1

Realize that the relevant question is not "how do we sanitize the data" (a quick boot to DBAN would do that) but "how do we remediate this failure in a way that restores trust to the system". That's why the procedures appear so damn stupid sometimes: especially depending on the data involved, trust in the system may be more valuable than the data itself.

Notify your security officer and isolate the system. Do not attempt remediation yourself. Let them wipe the drive, but more importantly, let them wave their magic wand over the system and return everything to status quo. Most likely, the ceremony is even more important than the data.

Reid Rankin