Social Engineering Awareness Part 1: Dumpster Diving
Dumpster diving remains a prevalent security risk for almost every organization. It is a form of social engineering that takes very little technical knowledge. A potential hacker's goal while dumpster diving is to look for any information hidden within the trash that could help penetrate a network. A quick list of potential targets containing worthwhile information looks something like this:
| Hard Drives | CD Drives | Flash Drives | SD Cards | Floppy Disks |
| Instruction Manuals | Receipts | Invoices | Old Software | Old Magazines from vendors like Cisco |
| Company Directory page or book | Old Business Cards | Diagrams of building or |
| Anything with signatures | Usernames and passwords |
| Anything with names | Fire Escape Plans | Old Resumes | Spam Mail | Sticky notes |
What can a hacker do with these tools?
Any of these items can become a massive tool for hackers trying to penetrate your network. Old passwords on sticky notes can lead to guessing new ones, or even let hackers reset your password via recovery questions. A company directory can give hackers a huge list of phone numbers to call and pry for more information. Hackers can do a huge amount of damage with very few pieces of information.
What can happen if I don’t dispose of information correctly?
Additionally, businesses that fail to dispose of information correctly can face fines. CVS was hit with a $2.5 million fine when they failed to protect customers' sensitive data by disposing of it properly. They were also forced to set up a “comprehensive information security program” to dispose of information properly. A company in Houston was found to have improperly discarded hundreds of documents containing personal information from a local tax preparer. Fines for companies like this can be $500 per document or more.
Companies like Cyber Protection Group check your security practices right down to the basics. We take into consideration your document and information destruction policies. If you do not value a good document destruction policy, you are basically leaving your information in the open for anyone to find. Vulnerability assessments and penetration testing can be a great way to avoid potential security leaks and fines later.