What is Dumpster Diving in Cybersecurity?
Organizations that want adequate security should go beyond internal controls, management strategies, and privilege policies. The proper destruction of business data and documents is essential.. Even with the high-end innovation tools available at hackers’ disposal, dumpster diving remains one of the popular methods used to gather information.
Never dump documents or other sensitive information in your trash. Identity thieves can use it with other illegal means to plan cyberattacks against your business. Statistics show that Americans receive more than 4 million spam emails every year, and more than 88% of the information was obtained via dumpster diving.
For that reason, organizations should have a comprehensive understanding of dumpster diving in cybersecurity, and how to prevent it. This article discusses everything you need to know.
Let’s dive in! Firstly, what is dumpster diving?
What is Dumpster Diving?
Getting familiar with the dumpster diving definition is the first step to fight this attack. Here, cyberattackers take the idiom “One man’s trash is another man’s treasure” to a whole new realm.
Dumpster diving in cybersecurity is the process of investigating an individual or organization’s trash to retrieve information that could be used to compromise network resources or plan a cyberattack.
A person going through your trash can gather enough data to create a complex profile and commit identity theft. Aside from physical trash, cyberactors can also access recycle or electronic waste bins for sensitive information that can severely compromise your company. Cybercriminals often use malware to achieve this.
What Data Can Dumpster Divers Obtain?
When a dumpster diver goes through your trash, they’re looking for any information to execute a cyberattack. Some of the data such criminals can obtain from your trash include:
- Domicile or email addresses
- Private passwords, PINs, or any other sensitive data
- Bank account statements
- Digital signatures
- Duplicate copies of driver’s license, pan cards, or other identity cards
- Policy manuals, employees’ phone numbers, and strategic printouts
- Medical reports, former employees’ biometric info
- Cell phone numbers
- Financial statement information, such as ledger accounts, balance sheets, and audit reports
What Attacks Start with Dumpster Diving?
Dumpster diving is the first step in many kinds of cyberattacks. One of them is social engineering, which is the use of human interaction to lure victims into divulging sensitive information.
The main aim of a social engineering attack is to build trust with the target before getting them to reveal confidential data or act on fraudulent instructions Dumpster diving is one of the numerous ways social engineer attackers can gather information to establish trust.
For example, if they retrieve a receipt for restocking a product, they can disguise themselves as an employee with the same name and time as the expected delivery to gain access to sensitive resources. They can use this access to install a keylogger or other malware to gain access to system resources.
Another attack that utilizes dumpster diving is identity theft. These thieves search trash cans for information, such as bills or other paperwork with sensitive information. They can use such data to open new credit card accounts, impersonating you and possibly accessing funds from your account.
How to Prevent Dumpster Diving in Cybersecurity?
To prevent dumpster divers from learning any valuable information about you or your organization, establish a disposal policy Ensure all unwanted information, documents, notes, and hardware is properly destroyed. Below are a few practices to prevent dumpster diving in cybersecurity.
Implement a Trash Management Plan
Implement a plan to effectively manage your trash and recycle bins as part of your Data Loss Prevention strategy. Trash can be in two forms: Digital and physical. Determine how to discard unwanted documents, notes, books, and hardware. The plan should also detail what information to keep and discard.
For instance, if a customer or employee is no longer with your organization, it’s important to properly delete their data. In the case of physical trash, you can shred or burn paperwork.
Practice Storage Media Deletion
Practice strict and consistent storage media deletion. Get rid of DVDs and CDs or any other drives containing personal identifiable information such as photos, videos, or any other sensitive information. If you have computers, laptops, or other hardware to discard, dispose of them properly and wipe all files and programs to prevent future damages.
Enforce a Data Retention Policy
Enforce a data retention policy that governs and monitors how long information must be kept and disposed of when it’s no longer relevant. Additionally, ensure the policy encompasses the purpose of processing information.
Employees should always know how to handle, store, and discard company data in all its forms. . Moreover, a certificate of destruction for sensitive data is also crucial.
Use a Shredder
Place secure shredder bins next to every trash can within your work environment. Don’t just tear and dump your paperwork in bins as attackers can easily join them together and retrieve information to plan a cyberattack. The shredder completely destroys documents with sensitive information.
Conduct regular educational programs to train employees on proper information disposal and other attack prevention strategies. Explain what your data retention policy entails and how they must abide by it. Employees should never take printouts, photocopies, old computers, or any other company information home for disposal.
Keep Trash in a Safe Location Before Disposal
It may sound simple, but it’s extremely important to keep your trash in a safe location before disposal. You can use locked recycling bins or trash cans.
You can also build a fence around the dumpster to avoid any intrusion. While this can’t guarantee 100% security, it does create a barrier to prevent perpetrators from accessing and retrieving information.
Use Trusted Recycling Companies
If you want to employ a recycling company to help handle your waste disposal, ensure it’s a trusted company. Perpetrators can disguise themselves as recycling companies to gain access to your information. Conduct adequate research on the company before entrusting them with your waste.
Dumpster diving remains one of the many ways used by attackers to gather information about their targets. If you want to prevent dumpster diving criminals from getting any valuable company information, implement all the prevention tips discussed in this article.
Use a shredder to destroy all paperwork containing sensitive data and create adequate awareness by training your staff to prevent such an attack.