620 Chapter 11 • Operational and Organizational Security: Incident Response
tion of employment). While this won't completely eliminate tailgating, it will limit the number of people who attempt or allow security breaches.
Dumpster Diving
Another threat that is easily overlooked in companies is dumpster diving. As with tailgating, it is about as low-tech a method of threatening security as anyone could think of. It literally involves getting into a dumpster and going through the trash, searching through garbage bags, looking in wastebaskets, and checking other places where people may have disposed of sensitive information.
This method of breaching security remains popular because it is so effective. In addition to the rotting refuse of people's lunches, one can find discarded printouts of data, papers with usernames and passwords, test printouts that contain Internet Protocol (IP) address information, and even old hard drives, CDs, DVDs, and other media containing the information you'd normally have to hack the network to obtain. Even the most innocuous waste may provide a wealth of information. For example, printouts of e-mail will contain a person's name, e-mail address, contact information, and other data that could be used for social engineering purposes (discussed in the next section).
There are many ways to address dumpster diving as a security issue. Dumpsters can be locked with a padlock to limit access, or they can be kept in locked garages or sheds until they're ready for pickup. Companies can also implement a shredding policy, so that any sensitive information is shredded and rendered unusable by anyone who finds it. This is especially important if the company has a recycling program in which paper products are kept separate. If documents aren't shredded, the recycling containers make it even easier to find information, as all of the printouts, memos, and other documentation are isolated in a single container. Because discarded data isn't always in paper form, companies also need to implement a strict hardware and storage media disposal policy, so that hard disks are completely wiped and old CDs and DVDs containing information are destroyed. By obliterating the data before the media is disposed of, and protecting the waste containers used afterwards, dumpster diving becomes difficult or impossible to perform.
Social Engineering
Hacking may be done through expert computer skills, programs that acquire information, or through an understanding of human behavior. This last method is called social engineering. When social engineering is used, hackers misrepresent themselves or trick a person into revealing information. Using this method, a hacker may ask a user for their password, or pressure the user into revealing other sensitive information.
www.syngress.com