
General Security Concepts: Attacks • Chapter 2  75


                 NOTE

                      For more information on wardialing and wardriving, refer to Chapters 4
                      and 6, respectively.






                 Dumpster Diving

                 Dumpster diving is the process of physically digging through a victim’s trash in an
                 attempt to gain information. Often it is easy to find client or product information,
                 internal memos, and even password information that have been placed in
                 wastebaskets. In one famous example, a major clothing company had simply discarded
                 photos and information about their upcoming clothing lineup. It didn’t take long
                 for the carelessly discarded information to wind up in the hands of competitors,
                 doing great damage to the victim company’s plans for a unique product launch. It
                 is important to make sure that your organization has a method of securely
                 disposing of the hard copies of confidential information. Even a $15 paper shredder
                 can be enough to help protect your assets. Dumpster diving is closely related to the
                 next topic, social engineering.
                    Another issue related to dumpster diving is the disposal of a company’s
                 removable and fixed media. Before a computer is discarded, reassigned, or returned when
                 a lease expires, it’s very important to completely wipe the data from the computer
                 and then physically destroy the drives and media. Security researchers and vendors
                 have been able to purchase used computers and hard disks from auction sites, and
                 then use tools to recover the contents the owners thought they had erased. Media like
                 CDs, DVDs and floppy disks should be destroyed or shredded, and storage like hard
                 disks should be erased with a wiper utility, or even degaussed with a machine, which
                 magnetically erases the data and leaves the drive unusable.


                 Social Engineering

                 Social engineering is often overlooked in security plans and scenarios, which is
                 unfortunate, because it is one of the most dangerous and easily used methods to
                 infiltrate a victim’s network. The concept is nothing more than creative lying; a con
                 game by a con artist. The lies are often backed up by materials found in dumpster
                 diving, which involves digging through the victim’s trash, looking for important
                 documents, phone lists, and so forth. A much easier way to get information on a




                                                                              www.syngress.com