For years, companies have been routinely shredding physical documents to ensure that confidential and sensitive information doesnt fall into the hands of competitors. This practice is partly due to the ease at which Dumpster diving can be carried out.
Indeed, companies believed they were doing their due diligence when they created policies that stated, for example, “any paper containing personal information such as, but not limited to, name, Social Security number, address, phone number, and/or other personal medical or financial information, prior to disposal, must be shredded to protect the privacy of the persons involved.”
They had a policy. They had a shredder. Problem solved. But not for long. New technologies are making it increasingly easy to reconstruct virtually any document, and if you are worried about the security of sensitive material, you should know a little bit about document shredding and document reconstruction.
Shredders themselves come in two basic varieties, strip-cut and crosscut. A strip-cut shredder cuts the paper into strips ranging from a quarter-inch to a half-inch wide. Strip-cut machines are more popular because they are usually less expensive, tend to be quite durable and generally shred faster than crosscut models.
Rather than cutting paper into strips, crosscut shredders reduce it to smaller particles—resembling rectangular confetti and measuring approximately one-quarter inch by 1.5 inches—and provide much more security than strip-cut machines. Putting the document back together would essentially be the same as reassembling a giant jigsaw puzzle whose pieces have little color.
In addition, because of the smaller cuts, bags of crosscut shredded material occupy less space than those containing strip-cut remnants. With crosscut shredders, documents are cut in two directions, producing very small particles. Because the particles are so small, they are self-compacting, reducing overall bulk.
Most people outside the military and intelligence communities have probably given little thought to the idea that shredded documents can somehow be put back together. The reality is that, with enough time and resources, nearly any paper document can be reconstructed, assuming it was not shredded properly.
Cody Ford, president and CEO of Houston-based ChurchStreet Technology Inc., had observed the Enron Corp. financial meltdown when he was working at Enron as an IT consultant. Ford noted the importance of reconstructing shredded documents during the investigation of Enron. In early 2002, he started ChurchStreet.
ChurchStreets proprietary Strip-Shred Reconstruction and Cross-Shred Reconstruction suites enable companies to have their shredded documents reconstructed. With the exception of work done for government intelligence agencies, all client document reconstruction is done on ChurchStreet premises with ChurchStreets equipment.
“The primary reasons for a reconstruction by our clients is to reveal information that was discovered during litigation,” Ford said. “Once one party realizes there are shredded documents involved, they usually want those reconstructed, since they assume the other party is hiding something.”
The process basically works this way: Once ChurchStreet technicians receive document shreds from a client, they determine whether the original document can be salvaged. Then they feed the strips into a scanner. The scanner reads each strip, which is given a unique identification number so that it can be matched to a page. At that point, the ChurchStreet software takes over and performs reconstruction.
The proprietary software does the bulk of the reconstruction work. From a matching perspective, many documents have unique headers and footers, which help the software match related pieces. Other types of documents, such as e-mail, fax cover sheets and memos, have similar formats. In addition, as a general rule, approximately 30 percent of strips are not processed, or matched, as they are blank.
Ford said that success in document reconstruction ultimately depends on three primary factors: the type of documents that were shredded (for example, forms, spreadsheets, graphics or basic documents); the condition of the shreds; and an undisturbed remnants bag, which keeps shreds from the same document together. With a crosscut reconstruction, it is much more important that the collection bag be as undisturbed as possible, given the amount of shredded data.
The innocuous shredding practices of the past are no longer acceptable. When it comes to shredding, the technology developed by ChurchStreet demonstrates that security policy must change and adapt to new threats. Companies that blindly shredded documents in the past must now take a much more formal—and thoughtful—approach to what they want to shred and how they want to shred it. In 2005, nothing is simple in security, especially shredding a piece of paper.
Ben Rothke, CISSP, is a security consultant with ThruPoint Inc., based in New York, and the author of “Computer Security: 20 Things Every Employee Should Know.” He can be reached at [email protected].