Someone else’s trash is another man’s treasure

Everyone in a company is responsible for the company’s data security. A company can spend billions of dollars on all kinds of security equipment, but it only takes one person for the company’s security to be compromised [1].

Among the various techniques and methods used during a Penetration Test, we sometimes also do “Dumpster Diving”: searching through the trash or garbage for anything useful, either to gain access to the network directly or to obtain data that helps in the next steps. Seemingly innocent information such as organizational charts, calendar entries, or phone records can be used in a social engineering attack.

During one of the Penetration Test projects we found documents like:

  • invoices,
  • contracts,
  • names,
  • addresses,
  • Identity Card information,
  • dates of birth,
  • other personal information.

This happens because companies and their people do not pay enough attention to what is thrown into the dumpsters outside their buildings. Afterwards, the security company performing the Penetration Test only has to put the pieces of the puzzle together to prepare attack scenarios, and infiltration of the company’s internal network becomes highly possible. To prevent Dumpster Diving, a company should establish a disposal policy for all print-outs, storage media, etc. Additionally, all employees should be educated about it, and trash should perhaps not be accessible without proper permission.


Reference

[1] http://www.sans.org/reading-room/whitepapers/engineering/social-engineering-manipulating-the-source-32914

Published by polona, on 5.6.2015