What is dumpster diving?

17 January 2024 · 5 minutes · Author: Cyber Witcher

Dumpster diving in the context of cybersecurity is about finding discarded sensitive information. This can include both paper documents and digital devices. Those who do this can use the data they find to steal personal information, commit fraud or gain unauthorized access to networks. This highlights the importance of proper disposal and destruction of sensitive information. We look at how dumpster diving can lead to data leaks and discuss methods to prevent such incidents. It is important to understand the need for secure data deletion to protect sensitive information.

Trash or treasure? Dumpster diving risks in information security

Dumpster diving is looking for treasure in someone else’s trash. In the information technology (IT) world, dumpster diving is a technique used to obtain information that can be used to launch an attack or gain access to a computer network from discarded items.

Dumpster diving isn’t limited to searching the dumpster for obvious treasures like passcodes or passwords written on sticky notes. Seemingly innocent information, such as a phone list, calendar, or organizational chart, can be used to help an attacker gain access to a network using social engineering techniques.

To prevent dumpster divers from learning something valuable from trash, experts recommend that businesses establish a disposal policy under which all paper, including printouts, is put through a cross-cut shredder before recycling, all media is securely erased, and all staff are trained about the danger of unsecured garbage.

Recycled computer equipment can become a gold mine for criminals. Information can be recovered from media, including drives that have been improperly formatted or erased. This includes stored passwords and trusted certificates. Even without a data carrier, equipment can contain Trusted Platform Module (TPM) data or other hardware identifiers that are trusted by the organization. An attacker can also use the discarded hardware to learn which manufacturers and models the organization uses and look for exploits that apply to them.

Medical and HR records can have legal implications if they are not properly disposed of. Documents that contain personally identifiable information (PII) must be destroyed or the organization could be subject to violations and potential fines. For example, in 2010 a medical billing office in Massachusetts was fined $140,000, and in 2014 a health care provider in Kansas City, Missouri was fined $400,000.

Dumpster diving and social engineering attacks

Social engineering uses relationships to trick others into giving an attacker access or performing a certain action. The main goal of social engineering is to establish trust between the attacker and the victim. Dumpster diving is a method of obtaining the information attackers use to establish that trust. An attacker may also take any computer equipment they find, but the main goal of a dumpster diving attack is usually to obtain information about the organization. Even seemingly harmless documents are useful to criminals.

Attackers can use name lists, such as directories and telephone directories, in a number of ways. Employee names can be used to guess computer user names, attack personal web accounts, or steal personal information. A list of names can also be used as part of an overall phishing campaign against an organization or as a phishing attack against an executive.

Phone numbers can be used in conjunction with caller ID spoofing to trick employees into disclosing information during voice phishing (vishing). An attacker might call an employee: “Hi, this is John from accounting. Bill, our finance manager, needs the numbers by tonight. I asked Debbie and she told me to talk to you. Can you help?”

Social engineering attacks build on information gathered during dumpster diving. If an attacker finds a vending machine restocking receipt, they can gain access to a location that isn’t open to the public by impersonating the service worker, badge and all, on the same day and at the same time as the scheduled delivery. Attackers can use this access to shoulder surf or to install a keylogger and gain access to the network.

How to prevent dumpster diving

While taking proper care of your trash can seem like a lot of work, there are processes you can put in place to help prevent a dumpster diving attack. These should be documented and clearly explained to employees.

  • Have a documented decommissioning process. Ensure that all identifying information is removed from computer equipment before disposal or sale. This includes securely erasing data from hard drives and clearing TPM data. Revoke any trust the organization’s systems still place in the device, such as domain trust relationships, media access control (MAC) address authentication, or certificates that have not yet expired.

  • Use an appropriate secure media disposal process. This can include securely erasing disks, shredding compact discs (CDs) and degaussing magnetic drives.

  • Have a data retention policy and use certificates of destruction for sensitive data. A data retention policy should define how long documents and data should be kept and how they should be disposed of. A certificate of destruction must be created and submitted for legal tracking.

  • Make shredding convenient. Provide easy access to shredders next to trash cans or use secure shredder bins next to each trash can. For employees who work from home, provide home paper shredders.

  • Train employees. Provide information on proper disposal and typical social engineering practices. Do not allow employees to take home printouts or give employees old computer equipment.

  • Secure the trash. Use locked trash cans and recycling bins, or keep trash in a safe place until it’s picked up. Use reputable equipment recyclers.
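One way to close the loop on the decommissioning and certificate-of-destruction steps above, as an added example that is not part of the original article: before a drive leaves the building, scan its contents for any non-zero residue left by a wipe and produce an evidence record for the destruction paperwork. The drive is stood in for by a constructed temporary image, and the record field names are assumptions, not any standard format.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so large images do not need to fit in memory

def first_residual_offset(path):
    """Scan a wiped disk image; return the offset of the first non-zero byte, or None if clean."""
    offset = 0
    with open(path, "rb") as f:
        while True:
            buf = f.read(CHUNK)
            if not buf:
                return None
            stripped = buf.lstrip(b"\x00")
            if stripped:  # something survived the wipe in this chunk
                return offset + (len(buf) - len(stripped))
            offset += len(buf)

def destruction_record(asset_tag, method, path):
    """Build the evidence record backing a certificate of destruction (field names are assumed)."""
    residue = first_residual_offset(path)
    sha = hashlib.sha256()
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(CHUNK), b""):
            sha.update(buf)
    return {
        "asset_tag": asset_tag,
        "method": method,
        "verified": residue is None,
        "first_residual_offset": residue,
        "image_sha256": sha.hexdigest(),
        "checked_at": datetime.now(timezone.utc).isoformat(),
    }

def make_sample_image(leftover=None, size=8 * 4096):
    """Constructed stand-in for a drive: all zeros, optionally with leftover bytes at offset 4096."""
    data = bytearray(size)
    if leftover:
        data[4096:4096 + len(leftover)] = leftover
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path

if __name__ == "__main__":
    clean = make_sample_image()
    dirty = make_sample_image(b"password=hunter2")  # constructed residue, not real data
    print(json.dumps(destruction_record("LAPTOP-0001", "ATA Secure Erase", clean), indent=2))
    print(json.dumps(destruction_record("LAPTOP-0002", "quick format only", dirty), indent=2))
```

A drive whose record shows `verified: false` goes back for a proper erase or physical destruction rather than to the recycler.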
