When it comes to media, the NIST (National Institute of Standards and Technology) has two categories of types in common use: Electronic (or soft copy) and Hard Copy. The latter includes all of those reams of paper that continue to spew from office printers each and every day.
As much appeal as a paperless office holds, manufacturers just keep making and selling printers and the supplies for them — and one primary reason for this is our inherent desire to hold a tangible copy of the data in our hands. Sometimes this is done for convenience (meetings, leave-behinds, etc.) and other times it is done for legal or administrative purposes (which lead to data retention guidelines and policies).
Regardless of the reason for the paper copy’s existence, there often comes a time when it is no longer needed and must be destroyed so that it does not run the risk of being seen by an unauthorized party. While the act of getting rid of data no longer needed can go by a lot of different names, from a technical standpoint, “sanitation” covers them all. With security being a popular IT certification topic these days, knowing something about sanitation is becoming a necessity more and more to score well on exams.
This guide looks at some of the more common means of hard copy data sanitation and focuses on what you should know as an IT administrator to be able to make an informed decision in the workplace and to be able to choose the best answer on a security-related certification exam.
When it comes time to destroy paper, a paper shredder is usually the first thing that comes to mind. The biggest difference among shredders, from a security standpoint, is the cutting style. While there is a wide range of prices for shredders, usually only a small portion of that difference is related to the cutting style and the price for a particular model is most often tied to features such as capacity, continuous run time, cool down period, safety features, and the ability to handle items other than paper: staples, CDs, credit cards, and paperclips for example. Because of this, it is possible to spend a considerable amount of money for an office-grade or industrial-grade shredder and still not have the level of security that you need.
For purposes of illustration, imagine that there is a compromising document of your CEO from the most recent company party that needs to be destroyed — the consequences could be damaging if it fell into the wrong hands. You need to shred the document, and have a variety of shredder types to choose from. Figure One shows this sensitive document in its original form.
Figure One: A document that needs to be shredded before falling into the wrong hands.
A strip cut shredder is one of the most common found in small offices and home offices. These often include the ability to run a large load without overheating, take some other forms of media (CDs/DVDs) and run for a long time with little maintenance. These shredders work by cutting the paper into ribbons and they have the highest volume of waste of any type of shredder. Figure Two shows the document in the process of being shredded.
Figure Two: Note that the cutters on a strip cut shredder slice the document vertically into ribbons that are each the length of the original document.
The number of strips produced from one sheet of paper is based on the shredder manufacturer/model, but a common number that many produce is 40. As a general rule, the higher the number of pieces produced (the smaller the cut), the higher the security. To get above this number, the next best alternative is a cross-cut shredder.
As the name implies, a cross-cut shredder does not cut in only direction, but rather slices the paper both horizontally and vertically. This produces paper that is either rectangular or diamond shaped, has less waste and is harder to reconstruct. If, for example, the 40 vertical slices from a strip cutter were each cut horizontally ten times, then the output would be 400 pieces, similar to that shown in Figure Three for the same document used in the example.
Figure Three: With a cross-cut shredder, the paper is cut both horizontally and vertically – creating smaller pieces that are more difficult to put back together.
One step above a cross-cut shredder is a micro shredder, the third and final type to look at. These are just like cross cut, but they cut the paper into smaller pieces: square or circular shaped. Figure Four shows the cutting head of a micro cut shredder.
Figure Four: With a micro shredder, the teeth are able to reduce the paper to tiny slivers of paper.
While a strip shredder will produce tens of ribbons from a single piece of paper, and a cross-cut shredder will produce hundreds, a micro shredder will produce in the thousands. It produces the least amount of waste of any of the shredder types looked at and is the most secure. Figure Five shows the output of the example document from a micro shredder.
Figure Five: A micro shredder significantly reduces the likelihood of the document being reconstructed.
To make comparison simpler, all shredders are rated to a DIN (Deutsche Industrial Norm) level (standard 32757-1) to define the maximum size that shredded pieces can be: the higher the level, the smaller the pieces, and the higher the security. Strip shredders tend to be level 1 or 2, while cross cut shredders are level 3 and micro cut are typically level 4. You can find the level of the shredder before you purchase and know what size remnants you will be producing.
One of the primary reasons for destroying paper rather than simply tossing it is to minimize the likelihood of sensitive data’s being compromised by dumpster diving. As the name implies, dumpster diving involves an unauthorized party recovering data from a dumpster that can be either viewed whole (in the case of documents that are simply discarded) or reconstructed to obtain protected information.
To weigh the possibility of dumpster diving succeeding even with shredding, I took the output of the example document from the waste bin of a strip shredder and gave it to seven groups of students (three students each). They were told nothing about the document or its contents and told only to reconstruct it using tape if they could. All seven groups were able to successfully put the document together and the average time was just over ten minutes. Figure Six shows a sample of the reconstructed document.
Figure Six: The output from the strip shredder was able to be reconstructed by all the groups.
The experiment was recreated using the output from a cross cut shredder and the groups it was assigned to were not able to reconstruct it completely, but one did come quite close. No one was even willing to attempt it with the output from the micro shredder.
One oft-suggested security enhancement is to make sure to shred “non-sensitive” documents as well. The more paper that a potential dumpster diver has to sift through — and the more meaningless most of it may be — the more difficult the task before them. To remove any possibility of reconstruction, don’t overlook the possibility of also incinerating the paper (or even the shreddings).
Guidelines and Standards
The NIST was mentioned at the beginning of this article, and their Special Publication 800-88, “Guidelines for Media Sanitation,” is the primary document associated with this topic along with FIPS (Federal Information Processing Standards) 199 “Standards for Security Categorization of Federal Information and Information Systems.” One thing worth pointing out with 800-88, is that their definition of hard copy includes some things an administrator might not otherwise think of (emphasis added):
“Hard copy media is physical representations of information, most often associated with paper printouts. However, printer and facsimile ribbons, drums, and platens are all examples of hard copy media. The supplies associated with producing paper printouts are often the most uncontrolled. Hard copy materials containing sensitive data that leave an organization without effective sanitation expose a significant vulnerability to ‘dumpster divers’ and overcurious employees, risking accidental disclosures.”
The two things to note from this definition are that it is not only outsiders you have to protect the hard copy from (it could easily be the disgruntled employee in another department), and the tools used to produce the paper are at just as much risk of revealing information as the paper itself.
Lastly, the National Security Agency/Central Security Service (NSA/CSS) evaluates devices that meet the guidelines for media sanitation and you can find information at this NSA webpage. A link from that site will take you to the Evaluated Products List (EPL) for crosscut paper shredders. Those devices listed in this NSA document have been evaluated by the NSA/CSA to meet performance requirements outlined in their Specifications (02-01 and 04-02) for machines with dual media destruction capability.
Summing it Up
Paper shredders are available in three main cutting styles and the security level of each (expressed as a DIN level) differs based on that style. A number of other features factor into the price of the shredder, and for that reason it is erroneous to equate price and security. For any security certification exam requiring knowledge about paper destruction, know that strip shredders provide the least security, cross cut more, and micro cut even more.