What is Dumpster Diving in Cybersecurity?

Organizations that want adequate security need to go beyond internal controls, management strategies, and privilege policies: the proper destruction of business data and documents is just as essential. Even with sophisticated tooling at attackers' disposal, dumpster diving remains one of the most popular methods used to gather information.

Never dump documents or other sensitive information in your trash. Identity thieves can combine what they find with other illegal means to plan cyberattacks against your business, and discarded paperwork remains a common starting point for spam, phishing, and identity fraud.

For that reason, organizations should have a comprehensive understanding of dumpster diving in cybersecurity, and how to prevent it. This article discusses everything you need to know. 

Let’s dive in! Firstly, what is dumpster diving?

What is Dumpster Diving?

Getting familiar with the definition of dumpster diving is the first step in fighting this attack. Here, attackers take the idiom "One man's trash is another man's treasure" to a whole new realm.

Dumpster diving in cybersecurity is the practice of searching an individual's or organization's trash to retrieve information that could be used to compromise network resources or plan a cyberattack.

A person going through your trash can gather enough data to build a detailed profile and commit identity theft. Beyond paper, attackers also target recycling and electronic-waste bins: discarded hard drives, phones, USB sticks, and backup media often still hold recoverable data that can severely compromise your company.

What Data Can Dumpster Divers Obtain?

When a dumpster diver goes through your trash, they’re looking for any information to execute a cyberattack. Some of the data such criminals can obtain from your trash include:

  • Home or email addresses
  • Private passwords, PINs, or any other sensitive data
  • Bank account statements
  • Digital signatures
  • Copies of driver's licenses, PAN cards, or other identity documents
  • Policy manuals, employees’ phone numbers, and strategic printouts
  • Medical reports, former employees’ biometric info
  • Cell phone numbers
  • Financial statement information, such as ledger accounts, balance sheets, and audit reports

What Attacks Start with Dumpster Diving?

Dumpster diving is the first step in many kinds of cyberattacks. One of them is social engineering, which is the use of human interaction to lure victims into divulging sensitive information. 

The main aim of a social engineering attack is to build trust with the target before getting them to reveal confidential data or act on fraudulent instructions. Dumpster diving is one of the numerous ways social engineers gather the information needed to establish that trust.

For example, if they retrieve a receipt for a product restocking service, they can pose as an employee of that service and turn up at the expected delivery time to gain access to areas that are not open to the public. They can use that access to install a keylogger or other malware and reach internal system resources.

Another attack that utilizes dumpster diving is identity theft. These thieves search trash cans for bills or other paperwork with sensitive information. They can use such data to open new credit card accounts in your name, impersonate you, and possibly drain funds from your account.

How to Prevent Dumpster Diving in Cybersecurity?

To prevent dumpster divers from learning any valuable information about you or your organization, establish a disposal policy. Ensure all unwanted information, documents, notes, and hardware are properly destroyed. Below are a few practices to prevent dumpster diving in cybersecurity.

Implement a Trash Management Plan

Implement a plan to effectively manage your trash and recycling bins as part of your Data Loss Prevention strategy. Trash comes in two forms: digital and physical. Determine how to discard unwanted documents, notes, books, and hardware. The plan should also detail what information to keep and what to discard.

For instance, if a customer or employee is no longer with your organization, delete their data properly in line with your retention policy. In the case of physical trash, shred or burn paperwork.

Practice Storage Media Deletion

Practice strict and consistent storage media destruction. Physically destroy DVDs, CDs, USB sticks, or any other drives containing personally identifiable information such as photos, videos, or other sensitive files. If you have computers, laptops, or other hardware to discard, securely erase the storage (not merely delete the files) before disposal so nothing can be recovered later.

Enforce a Data Retention Policy

Enforce a data retention policy that defines how long each type of information must be kept and how it is disposed of when it's no longer needed. Additionally, ensure the policy states the purpose for which the information is processed.

Employees should always know how to handle, store, and discard company data in all its forms. Moreover, a certificate of destruction for sensitive data is also crucial.

Use a Shredder

Place secure shredder bins next to every trash can within your work environment. Don't just tear up paperwork and dump it in the bin: attackers can easily piece the strips back together and retrieve the information. Use a cross-cut shredder, which reduces documents with sensitive information to fragments that cannot practically be reassembled.

Educate Employees

Conduct regular educational programs to train employees on proper information disposal and other attack prevention strategies. Explain what your data retention policy entails and how they must abide by it. Employees should never take printouts, photocopies, old computers, or any other company information home for disposal. 

Keep Trash in a Safe Location Before Disposal

It may sound simple, but it’s extremely important to keep your trash in a safe location before disposal. You can use locked recycling bins or trash cans. 

You can also build a fence around the dumpster to deter intruders. While this can't guarantee complete security, it does create a barrier that makes it harder for perpetrators to access and retrieve information.

Use Trusted Recycling Companies

If you employ a recycling company to handle your waste disposal, ensure it's a trusted one. Perpetrators can pose as recycling or e-waste collectors to gain access to your discarded material. Conduct adequate research on the company, and ask for certificates of destruction, before entrusting it with your waste.

Final Thoughts

Dumpster diving remains one of the many ways used by attackers to gather information about their targets. If you want to prevent dumpster diving criminals from getting any valuable company information, implement all the prevention tips discussed in this article. 

Use a shredder to destroy all paperwork containing sensitive data and create adequate awareness by training your staff to prevent such an attack.

The post What is Dumpster Diving in Cybersecurity? appeared first on EasyDMARC.

*** This is a Security Bloggers Network syndicated blog from EasyDMARC authored by EasyDmarc. Read the original post at: https://easydmarc.com/blog/what-is-dumpster-diving-in-cybersecurity/

Dumpster diving is looking for treasure in someone else's trash. In the world of information technology (IT), dumpster diving is a technique used to retrieve information that could be used to carry out an attack or gain access to a computer network from disposed items.

Dumpster diving isn't limited to searching through the trash for obvious treasures, such as access codes or passwords written down on sticky notes. Seemingly innocent information, such as a phone list, calendar or organizational chart, can be used to assist an attacker using social engineering techniques to gain access to the network.

To prevent dumpster divers from learning anything valuable from trash, experts recommend that businesses establish a disposal policy where all paper -- including printouts -- is shredded in a cross-cut shredder before being recycled, all storage media is erased and all staff are educated about the danger of untracked trash.

Discarded computer hardware can be a gold mine for attackers. Information can be recovered from storage media, including drives that have been improperly formatted or erased. This includes stored passwords and trusted certificates. Even without the storage media, the equipment may include Trusted Platform Module (TPM) data or other hardware IDs that are trusted by an organization. An attacker may also be able to use the hardware to identify the equipment manufacturer and model to craft potential exploits.

Medical and personnel records may have legal consequences if not properly disposed of. Documents that contain personally identifiable information (PII) must be destroyed, or the organization could be exposed to breaches and potential fines. For example, in 2010, a medical billing office in Massachusetts was fined $140,000, and in 2014, a medical provider in Kansas City, Mo., was fined $400,000.

Dumpster diving and social engineering attacks

Social engineering is using human interaction to trick another person into giving access or performing an action for the attacker. A primary goal of social engineering is to establish trust between the attacker and the target. Dumpster diving is a way for attackers to gain information that they use to establish trust. While attackers will also take any computer equipment they find, typically, the primary focus of a dumpster diving attack is to gain information about an organization. Even innocuous documents can be used by an attacker.

A list of names -- such as a directory or phone list -- can be used in many ways by an attacker. Employees' names can be used to guess their computer username, to attack their personal web accounts or for identity theft. A name list can also be used as part of a general phishing campaign against an organization or a spear phishing attack against an executive.
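The step from a discarded phone list to a target list is mechanical, which is exactly why a directory is worth stealing. The script below is an added example and is not code from the original article: it parses a constructed extension list (company, names, extensions and the `acme.example` mail domain are all fictitious), derives the username formats an attacker would try, and picks out the departments a social engineer would call first.

```python
"""Added example (not from the article): how a discarded phone list turns
into a target list for phishing, vishing and username guessing."""
import re

# Constructed sample of a printed extension list after transcription.
# Company, people, extensions and domain are all fictitious.
PHONE_LIST = """\
ACME Corp. - Internal Extensions (rev. 3)
Anderson, Maria ........ x4411  Accounting
O'Brien, Sean .......... x4420  Finance (Head)
de la Cruz, Ana ........ x4431  IT Helpdesk
Smith-Jones, Robert .... x4450  Facilities
Confidential - do not remove from building
"""

DOMAIN = "acme.example"  # assumed mail domain; in practice read off a letterhead

# "Last, First .... x1234  Department" is the only line shape we care about;
# headers and footers have no comma-separated name and are skipped.
LINE_RE = re.compile(
    r"^(?P<last>[^,]+),\s*(?P<first>\S+)\s+\.*\s*x(?P<ext>\d+)\s+(?P<dept>.+)$"
)

# Departments an attacker would call or phish first (assumption for the demo).
HIGH_VALUE_DEPTS = {"finance", "it", "helpdesk", "head", "executive"}


def normalize(name: str) -> str:
    """Lower-case and strip apostrophes, spaces and hyphens, the way most
    directory-driven username schemes do ("O'Brien" -> "obrien")."""
    return re.sub(r"[^a-z]", "", name.lower())


def parse_phone_list(text: str) -> list[dict]:
    """Return one record per person; header and footer lines are skipped."""
    people = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            people.append({"first": m["first"], "last": m["last"],
                           "ext": m["ext"], "dept": m["dept"].strip()})
    return people


def username_candidates(first: str, last: str) -> list[str]:
    """Common corporate username formats in the order an attacker tries
    them: first.last, flast, firstl, lastf, first_last."""
    f, l = normalize(first), normalize(last)
    return [f"{f}.{l}", f"{f[0]}{l}", f"{f}{l[0]}", f"{l}{f[0]}", f"{f}_{l}"]


def priority_targets(people: list[dict]) -> list[dict]:
    """People whose department suggests access to money or systems."""
    def tokens(dept: str) -> set[str]:
        return set(re.findall(r"[a-z]+", dept.lower()))
    return [p for p in people if tokens(p["dept"]) & HIGH_VALUE_DEPTS]


def build_target_list(text: str, domain: str = DOMAIN) -> dict[str, dict]:
    """Map every candidate e-mail address to the person it was derived from."""
    targets = {}
    for p in parse_phone_list(text):
        for u in username_candidates(p["first"], p["last"]):
            targets[f"{u}@{domain}"] = p
    return targets


if __name__ == "__main__":
    people = parse_phone_list(PHONE_LIST)
    for p in priority_targets(people):
        print(f"call x{p['ext']}: {p['first']} {p['last']} ({p['dept']})")
    for addr in build_target_list(PHONE_LIST):
        print(addr)
```

Four printed lines yield twenty plausible addresses plus two people worth a pretext call, without any reconnaissance that would show up in the target's logs. The defensive takeaway is the one the text makes: the phone list belongs in the shred bin, not the recycling.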

Telephone numbers can be used with caller ID spoofing to coerce an employee to reveal other information in a voice phishing (vishing) attack. An attacker could use this to call an employee with a story like, "Hi, this is John in accounting. The head of finance, Bill, needs some numbers by tonight. I asked Debbie, and she said to talk to you. Can you help me?"

Social engineering attacks use information gathered from dumpster diving. If attackers find a receipt for a vending machine restocking service, they may pretend to be employees of the service with a name badge on the same day and time as an expected delivery to gain access to areas that are not open to the public. Attackers could use this access to do a shoulder surfing attack or install a keylogger to gain access to the network.

How to prevent a dumpster diving attack

Although it may seem like a lot of work to properly care for trash, processes can be put in place to help prevent a dumpster diving attack. These should be documented and clearly explained to employees.

  • Have a documented equipment decommissioning process. Ensure all identifiable information is removed from computer equipment before it is disposed of or sold. This includes securely erasing data from hard drives and clearing TPM data. Remove any trust factors in organizational databases, such as domain trust relationships or media access control (MAC) address authentication, and expire or revoke any certificates issued to the device.
  • Use the appropriate secure storage media deletion process. This may include securely erasing disk drives, shredding compact discs (CDs) and degaussing magnetic storage.
  • Have a data retention policy, and use certificates of destruction for sensitive data. Data retention policies should state how long documents and data should be kept and how they should be discarded. A certificate of destruction should be created and filed for legal tracking.
  • Make shredding convenient. Provide easy access to shredders next to recycling bins, or use secure shred bins next to every trash can. For employees who work from home, provide home paper shredders.
  • Educate employees. Provide information on proper disposal and typical social engineering methods. Do not allow employees to take printouts home, and do not give old computer equipment to employees.
  • Secure trash. Use locked trash and recycling bins, or keep refuse in a secure area until it is ready to be picked up. Use trusted equipment recyclers.
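The "Practice Storage Media Deletion" advice above, the note that data can be recovered from improperly formatted drives, and the decommissioning and certificate-of-destruction items in this list all come down to the same check: read the media back after wiping and keep the evidence. The script below is an added example, not code from either source: a plain file stands in for a drive (the file-system layout, the asset tag `LT-0042` and the embedded credential are constructed for the demo), so it runs without touching real hardware.

```python
"""Added example (not from the article): why deleting or quick-formatting
leaves data recoverable, and how to verify a wipe before disposal.
A plain file stands in for the drive so this runs on any machine."""
import hashlib
import os
import re
import secrets
import tempfile
from datetime import date

SECTOR = 512
IMAGE_SECTORS = 64
# Constructed secret that a decommissioned laptop might still hold.
SECRET = b"[ldap]\nbind_password=Winter2024!\n"
CRED_RE = re.compile(rb"bind_password=[^\r\n\x00]+")


def make_image(path: str) -> None:
    """Toy drive: a 'file table' in sector 0, a config file with a credential
    in sector 20, and some random file contents further on."""
    img = bytearray(SECTOR * IMAGE_SECTORS)
    img[0:6] = b"FAKEFS"
    img[SECTOR * 20:SECTOR * 20 + len(SECRET)] = SECRET
    img[SECTOR * 30:SECTOR * 40] = secrets.token_bytes(SECTOR * 10)
    with open(path, "wb") as f:
        f.write(img)


def quick_format(path: str) -> None:
    """What a quick format or 'rm' does: only the metadata sector is cleared;
    every data sector keeps its old contents."""
    with open(path, "r+b") as f:
        f.write(bytes(SECTOR))


def carve_credentials(path: str) -> list[str]:
    """File-system-independent string carving, the first thing a recovery
    tool (or an attacker with a hex editor) does on a found drive."""
    with open(path, "rb") as f:
        raw = f.read()
    return [m.group(0).decode() for m in CRED_RE.finditer(raw)]


def overwrite(path: str, passes: int = 2) -> None:
    """Overwrite every sector: random data first, zeros on the final pass so
    the result can be verified cheaply."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for i in range(passes):
            f.seek(0)
            last = i == passes - 1
            for _ in range(size // SECTOR):
                f.write(bytes(SECTOR) if last else secrets.token_bytes(SECTOR))
            f.flush()
            os.fsync(f.fileno())


def verify_wiped(path: str) -> bool:
    """Read the whole image back and require every byte to be zero. The
    read-back is the step most decommissioning checklists skip."""
    with open(path, "rb") as f:
        while chunk := f.read(SECTOR * 8):
            if any(chunk):
                return False
    return True


def destruction_record(path: str, asset_tag: str) -> dict:
    """Evidence for the certificate of destruction: what was wiped, how,
    whether the read-back passed, and a digest of the final state."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while chunk := f.read(SECTOR * 8):
            h.update(chunk)
    return {"asset_tag": asset_tag, "method": "overwrite",
            "size_bytes": os.path.getsize(path), "verified": verify_wiped(path),
            "sha256": h.hexdigest(), "date": date.today().isoformat()}


def run_demo() -> dict:
    """Quick-format, show the credential is still carvable, then overwrite
    and verify. Returns the observations so they can be checked."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "laptop.img")
        make_image(img)
        quick_format(img)
        carved_after_format = carve_credentials(img)
        wiped_after_format = verify_wiped(img)
        overwrite(img)
        return {
            "carved_after_format": carved_after_format,
            "wiped_after_format": wiped_after_format,
            "carved_after_overwrite": carve_credentials(img),
            "record": destruction_record(img, asset_tag="LT-0042"),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

After the quick format the LDAP bind password is still sitting in sector 20 and a one-line regex finds it; only after the overwrite does the read-back pass and the record become worth attaching to a certificate of destruction. On real hardware the overwrite step is replaced by the drive's own sanitize command (ATA Secure Erase via hdparm for SATA disks, the NVMe format command with a secure-erase setting, blkdiscard for SSDs), because flash wear-levelling keeps copies that a host-side overwrite never reaches; the read-back and the record stay the same. Clearing the TPM (tpm2_clear) and revoking the device's certificates are separate steps this script does not model.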