Dumpster Diving: Low-Tech Hacking at Its Finest


Social Engineering Awareness Part 1: Dumpster Diving

Dumpster diving remains a prevalent security risk for almost every organization. It is a form of social engineering that takes very little technical knowledge. A potential hacker’s goal while dumpster diving is to look for any information hidden within the trash that could help penetrate a network. A quick list of potential targets containing worthwhile information would look something like this:


- Hard Drives
- CD Drives
- Flash Drives
- SD Cards
- Floppy Disks
- Instruction Manuals
- Receipts
- Invoices
- Old Software
- Old Magazines from vendors like Cisco
- Company Directory page or book
- Old Business Cards
- Diagrams of building or Network
- Anything with signatures
- Usernames and passwords
- Anything with names
- Fire Escape Plans
- Old Resumes
- Spam Mail
- Sticky notes

What can a hacker do with these tools?

Finding any of these things can give hackers a powerful tool for penetrating your network. Old passwords on sticky notes can lead to guessing new ones, or can even let hackers reset your password via recovery questions. A company directory can give hackers a huge list of phone numbers to call and pry for more information. Hackers can do a huge amount of damage with very few pieces of information.

What can happen if I don’t dispose of information correctly?

Additionally, businesses that fail to dispose of information correctly can face fines. CVS was hit with a $2.5 million fine when it failed to protect customers’ sensitive data by disposing of it properly. It was also forced to set up a “comprehensive information security program” to dispose of information properly. A company in Houston was found to have improperly discarded hundreds of documents containing personal information from a local tax preparer. Fines for companies like this can be $500 per document or more.

Companies like Cyber Protection Group check your security practices right down to the basics. We take into consideration your document and information destruction policies. If you do not value a good document destruction policy, you are basically leaving your information in the open for anyone to find. Vulnerability assessments and penetration testing can be a great way to avoid potential security leaks and fines later.