Despite increased digitization and other paper reduction efforts, global paper usage has nonetheless increased in the last 30-odd years. With the average officer worker in the US using 10,000 sheets of copy paper annually, the security risks related to the circulation of potentially sensitive documents pose a serious issue for information security officers, as well as anyone concerned with whose hands their documents might eventually end up in. The primary hardware solution for secure document destruction is typically a document or paper shredder, ranging from consumer and mid-range commercial shredders to more high-end solutions, such as super micro-cut shredders. The size – and hence the security, or resistance to reconstruction – of the shredded pieces are typically inversely proportional to the cost of the device. In other words, the smaller the resultant shredded pieces, and the harder the document is to reconstruct, the more expensive the shredder. While a strip-cut shredder may cost around $30, it will only shred a document into a few dozen strips, thus rendering the document relatively susceptible to reconstruction. A cross-cut shredder can go for around $50, and will cut a given document into around 300 pieces; micro-cut shredders can retail for upwards of $100, but can shred a document into thousands of pieces. Finally, commercial, high-security super micro-cut shredders can reduce a single document to more than 10,000 pieces – effectively powder form, but are typically priced in the lower five-figure range. Given that for most general use cases one will not have a $15,000 shredder budget, one may then have to consider a low-cost counter-forensic strategy, such as both document and source obfuscation so as to bolster the after-life security of documents shredded via sub-optimal equipment. That is to say, hardware limitations due to budgetary constraints may be counter-balanced by deploying low-cost, counter-forensic best practices. Thus given the relatively broad threat model of someone potentially being able to reconstruct a given shredded document and extract valuable, actionable intelligence from it that one may not wish unauthorized parties to have known, the operative question to address is then how can one foil shredder forensics and document reconstruction practices to protect documents even after they have been shredded? The first step in solving this problem is making sure to take proper care of one's shredder. Prolonged shredder usage leads to shredded paper build-up in the shredder chassis (or head) and amongst the blades. Build-up does not typically trigger any noticeable warnings from the shredder hardware, as for instance overheating would, nor does it overtly stop the shredder from operating outright. Instead, build-up poses a much more pernicious problem: the shredder may continue to function, and yet its operation will not be at full capacity, with clogged paper potentially resulting in documents not being shredded to full specifications, as the old paper may impede the full rotation of the shredder blades. One must, therefore, always be sure to perform routine cleaning and de-clogging of the underside of the shredder head, making certain beforehand that the shredder is fully discharged and disconnected from all power sources. These manual operations should be scheduled as a routine component of a document destruction workflow both at scheduled intervals and after the execution of bulk jobs. Many modern shredders advertise their multi-sheet shredder capability, boldly stating that they are, for example, '10-sheet' shredders on the packaging. These bulk sheet shredders, however, may pose a significant security risk due to the fact that multiple shredded page fragments could become stuck together, thus at a minimum potentially linking a multi-page document together, and hence decreasing the amount of separate pieces an adversary would need to reconstruct the shredded document. The takeaway here is to either always shred one sheet at a time or to bundle unrelated documents together to give the false perception of linkability where there is none. Similarly, the golden rule is to always increase entropy. If increasing entropy through decreasing the size of the shredded segment is too cost prohibitive, then a low-cost alternative to bolster entropy increase is to simply shred more documents. We can easily imagine the utility of excess shredding with a simple thought experiment: consider if you only have one document you genuinely don't wish anyone to be able to retrieve, and 99 documents which you don't care if anyone reads. If you then only shred the one document and throw out the other 99 unshredded, it would be much easier to isolate and reconstruct that single confidential document than it would be if you simply shredded all 100 documents. Aside from proper cleaning of the shredder and increasing document entropy, a third tier of shredder counter-forensics, which we may call source obfuscation, is predicated upon physical modification of the shredder hardware to foil forensic analysis that may link the shredded document to a given shredder. Shredder blades made by different manufacturers (and in turn, different models amongst the same manufacturers) may cut a given document into uniquely-sized pieces, with the blades further leaving unique markings along the edges of the shredded pieces, not unlike the chamber of a gun leaves unique imprints on a fired bullet, leading to ballistic fingerprinting. Shredder fingerprinting may be foiled via augmentation of the shredder blades via, for instance, the application of a metal file to the blades following a particularly sensitive shredding job. Similarly, the shredder head may be disassembled and the blades realigned to further distort the potential of linking the size of the shredded document pieces to a given shredder. A regular rotation of shredder brands may also be instituted at a policy level, leading to an acquisition of a new shredder on a, for instance, monthly basis, as would be concordant with a specifically-developed threat model. If you wish to learn more about document destruction best practices, we will be giving a presentation on shredder counter-forensics at BSides Tampa 2016 on Saturday, April 16th, at the Steston College of Law, where we'll also be glad to try and answer any questions anyone may have.
About the Authors: Nikita Mazurov is a postdoctoral researcher with the Living Archives project at Malmo University, focusing on issues revolving around archival privacy. Kenny Brown, CISSP, is a Senior Federal Consultant at VMWare working on automation and operations management.
Meet Fortra™ Your Cybersecurity Ally™
Fortra is creating a simpler, stronger, and more straightforward future for cybersecurity by offering a portfolio of integrated and scalable solutions. Learn more about how Fortra’s portfolio of solutions can benefit your business.
