How to securely erase data under Windows

Social Networks | October 2, 2019

BitLocker and self-encrypting hard drives can make it easier to erase data so that it cannot be recovered. This is how the "crypto-erase" method works.

I'm Susan Bradley for CSO Online.

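The other day was "e-waste day" at my office, and frankly, I used an old-fashioned hammer to destroy the hard drives. But obviously that doesn't work everywhere. More than ten years ago, Microsoft listed the 10 laws of security, and law number 3: if a bad guy has unrestricted access to your computer, it's not your computer anymore. These days, the same is true if they have unrestricted access to those hard drives.

So when you dispose of electronics, make sure that for electronic devices such as computers, scanners, printers and phones, you think about all the digital information you have stored on them and how to destroy that information before you recycle or dispose of them. The National Institute of Standards and Technology has guidance in Special Publication 800-88 that tells you what you need to do. You have several options. There are some third-party tools you can use to wipe and sanitize drives. In this example, I'm just wiping the recycle bin. And there's some sensitive information there that I don't want out. We can choose what kind of level of drive we can do.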

We can do US Army. I think it even shreds previous versions.

In the era of BitLocker and self-encrypting hard drives, knowing when data was added to the hard drive, whether before or after encryption, means you can make a change that renders the entire hard drive unreadable. In the case of a self-encrypting hard drive, you can change the existing password, that is, the data encryption key, and the data is no longer readable. This process is called crypto erase, and it has been recognized by ISO and NIST as an acceptable data sanitization method. To use it, make sure you test the process to ensure the data cannot be recovered.

Now note that there have recently been some changes to BitLocker and the way it handles encryption. Back in November of last year, there was some information that researchers had done some research on self-encrypting hard drives. Researchers at Radboud University in Nijmegen found that some solid-state drives allow an attacker to bypass the disk encryption feature and access local data without knowing the user-chosen disk encryption password. In the consumer space, there are some models that offer self-encryption. They found that these drives could actually be compromised. Back in November when this issue came out, Microsoft actually recommended that you could set up a Group Policy to force software encryption, and then unencrypt and re-encrypt the drive to make it secure.

So now they've done one better in the recent September updates. In late September, in what's called the D week updates for Windows 10, specifically for Windows 10 1803, 1709, 1703 and 1607, they've actually changed how BitLocker is handled. As noted right down here, it changes the default setting for BitLocker when encrypting a self-encrypting hard drive. Now they default to use software encryption for newly encrypted drives. If you have an existing drive that's using the self-encrypting hard drive method, it won't change it. But notice this is going forward: if you have any brand new self-encrypting hard drive from the manufacturer, BitLocker will instead use software.

So how do you know what kind of encryption you have, whether hardware or software? Well, if you put in the command from a command prompt, `manage-bde.exe -status`, you can see right here where it says encryption method. If that has AES or some other listing there, that means it's software based. If the word hardware is there, it specifically then is tied to the hardware. So again, look for encryption method. And if it just is AES, then you know it's software method, not hardware.

The specific Group Policy you're looking for is under Computer Configuration, Policies, Administrative Templates, Windows Components, BitLocker Drive Encryption. Under the setting of "Configure use of hardware-based encryption for fixed data drives", you want to choose the setting to disable. When it's set to disable, BitLocker cannot use hardware-based encryption and instead uses software-based encryption by default.
Unfortunately, the only way to move data from a potentially hackable hardware drive encryption method to the more protected software base is to unencrypt, change the methodology that you used, and re-encrypt again. Obviously you want to plan on the proper encryption settings going forward, or test your SSD drives to make sure that they're doing the proper encryption.

But what happens when you move to the cloud and you no longer have control of that physical location? You then have to rely on statements, agreements and contracts. For example, in the Microsoft privacy statement, they note in their privacy section that if you terminate a cloud subscription, Microsoft will store the customer data in a limited function account for 90 days to give you time to extract the data or renew your subscription. During this period you'll get several warnings from Microsoft indicating that your data is about to be removed. After the retention period, Microsoft will disable that account and delete the customer data, including any backup copies. Microsoft in their own data centers follows the NIST guidelines for data destruction.

What about Azure? What if we do in a virtual machine in Azure? Remember, there's lots more things to virtual machines than just the subscription itself. So you want to make sure that you go up to the Azure portal. Not only remove the virtual machine, but also think about the other things that you've left behind. For example, network interfaces, public IP addresses, storage blobs, operating system disks, data disks. So you want to make sure you go through all of the places where you've stored data up in the cloud and make sure those are deleted as well. Always take the time to review where your data is located. Remember where it's stored. And make sure you delete all those locations.

As always, don't forget to sign up for the TechTalk channel from IDG. Look for us on the YouTube channel. Until next time, this is Susan Bradley for CSO Online.
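
The `manage-bde.exe -status` check described in the transcript can be applied to saved output from many machines. The following is an added example, not part of the video or of any Microsoft tooling: it parses the status text per volume and applies the transcript's rule to the "Encryption Method" field. The sample output is constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed sample of `manage-bde.exe -status` output, not taken from a real host.
SAMPLE = """\
Volume C: [OSDisk]
[OS Volume]

    Conversion Status:    Fully Encrypted
    Encryption Method:    XTS-AES 128

Volume D: [Data]
[Data Volume]

    Conversion Status:    Fully Encrypted
    Encryption Method:    Hardware Encryption

Volume E: [Scratch]
[Data Volume]

    Conversion Status:    Fully Decrypted
    Encryption Method:    None
"""

VOLUME = re.compile(r"^Volume\s+(\S+):", re.M)
FIELD = re.compile(r"^[ \t]+([A-Za-z ]+?):[ \t]+(.*\S)[ \t]*$", re.M)

def classify(method):
    """Apply the transcript's rule to one Encryption Method value."""
    m = method.lower()
    if "hardware" in m:
        return "hardware"       # encryption is done by the drive itself
    if m in ("", "none"):
        return "unencrypted"    # volume is not encrypted at all
    return "software"           # AES or another cipher listing

def audit(status_text):
    """Return {volume: (encryption method, classification)}."""
    parts = VOLUME.split(status_text)[1:]    # [name, body, name, body, ...]
    report = {}
    for name, body in zip(parts[0::2], parts[1::2]):
        method = dict(FIELD.findall(body)).get("Encryption Method", "")
        report[name] = (method, classify(method))
    return report

def hardware_volumes(status_text):
    """Volumes that still rely on the drive's own encryption."""
    return sorted(v for v, (_, kind) in audit(status_text).items() if kind == "hardware")
```

Volumes returned by `hardware_volumes` are the ones the transcript says must be unencrypted and re-encrypted after the Group Policy setting is disabled.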