Rock-paper-scissors

(Please note this post was originally published in the Spanish version of Security Art Work last 20th Nov 2012)

A couple of weeks ago I saw ARGO, a film directed by and starring Ben Affleck. I have to admit that I didn’t put much hope in it (Daredevil did much evil to Ben Affleck… well, that one and many others), but it turned out to be more than good (it gets a 7.4 in filmaffinity).

Without getting into spoilers, ARGO it is based on a true story that takes place in Iran in 1979 in the middle of social riots. In order to say as little as possible, there is an attack on the United States Embassy, which decides to destroy all the existing information (indeed they first talk about burning the documentation but they finally use shredders). The Embassy is assaulted but a group of people from the Embassy flees and takes refuge “somewhere” in Iran. Since they haven’t burnt all the documentation, the attackers retrieve the documents shredded trying to recover information that allows them to identify the fugitives. And that’s all I can say.

What I mean is that sometimes we don’t give the paper documentation the necessary importance; we could say it is indeed often undervalued; not everything are passwords and encryption. In the same way, when we shred documentation, we often think that any shredder is good for this task.

But it is the same to use WEP than WPA2 to encrypt a Wi-Fi? It’s format c: command the same than using use a specialized iterative wiping tool? I guess we agree the answer is no. And regarding documentation is exactly the same. If we do not use proper destruction methods our documentation can be retrieved (ask the forensics devoted to this type of offense). While it is clear that burning documentation ensures that nobody will have access to it, to make a bonfire at the office is not probably the best option.

I would like to introduce the standard DIN 32757-1 concerning destruction of documentation. This standard is derived from the German Institute for standardization and goes back to… 1985 (as you can see it is not exactly recent). This standard establishes five levels for the destruction of documentation, depending on the final size of the strips or crushed particles:

  • Security level 1 for general documentation, let’s say public, cut into strips (10.5 mm) or fragments (10.5 x 40 – 80 mm) and smaller than 2,000 mm square size.
  • Security level 2 for internal public documentation cut into strips (3.9 – 5.8 mm) or fragments (28 × 28 mm) and smaller than 800 mm square size.
  • Security level 3 for confidential documentation cut into strips (1.9 mm) or fragments (0.9 x 30-50 mm) and smaller than 320 mm square size.
  • Security level 4 for restricted confidential documentation cut in fragments (1. 9 × 15 mm) and smaller than 30 mm square size.
  • Security level 5 for documentation unrated cut into fragments (0.78 x 11 mm) and smaller than 10 mm square size.

There is a sixth level, not considered by the standard which establishes the size of fragment smaller than 5 mm.

I wanted to explain these levels to highlight than this classification was already back in the nineties 90, but as it often happens there is a newest norm, the standard DIN 66399 2011. This new norm introduces the concept category of information, what we can equate with information classification in ISO 27001 standard. In this sense it defines three categories (1, 2 and 3). The first one applies to internal information that is public within the Organization, the second is for confidential information limited to certain profiles and the third category for restricted confidential high-level information.

In addition it sets 7 levels of security; the previous level 4 is changed to a new one whose maximum particle size is 160 mm square, level 4 is now level 5, level 5 becomes level 6 and unofficial level 6 becomes level 7. The recommendations on the minimum safety levels for implementation in the destruction of documentation depending on the category are:

  • For the first category, internal information of a public nature, any level of security.
  • For the second category, confidential information with limited access, from the third level of security.
  • For the third category, high level restricted confidential information, from the fourth level.

So, from now on, when buying a paper shredder machine, consider not only how many sheets can it destroy at the same time, but also the level of security provided by it. And if they you have suppliers of document destruction, in addition to requesting the prior confidentiality agreement remember to require an adequate level of safety in the destruction, without forgetting the certificate of destruction.

In summary, having a paper shredder does not warrant that the shredded documentation is unrecoverable in most cases (of course, it will always depend on the time and resources of the attacker). Maybe that paper strips you put on the trash everyday are being recovered by someone, somewhere.