What you will learn from this tip: Your trash could be an attacker's key to successfully gathering private information about your company. Find out what's in your dumpster that could fall into the wrong hands, and measures for secure trash disposal.
Information security practitioners need to be on intimate terms with their organizations' garbage. While the thought of rooting through the trash may not top your list of desirable activities,
Trash cans yield all sorts of interesting information. During assessments I have conducted, I have found all of the following goodies in corporate trash:
- Bank account numbers and balances
- Credit card numbers
- Travel plans of key employees, which could reveal business plans
- Product design documents
- Marketing studies
- Vendor information
- Customer names
Think about the handwritten notes from meetings, the reports discarded because the printer jams in the middle of the job, the network diagrams that are slightly out of date and other potentially useful (to an intruder) and harmful (to you) information that gets thrown out daily.
Paper is bad enough, but discarded computer media can multiply the attacker's haul by orders of magnitude. Discarded CD-ROMs, DVDs and hard drives can provide gigabytes of potentially useful information to the bad guys – and they have the advantage of being electronically searchable, making the miscreants' jobs less tedious.
Fortunately, there are a number of simple steps you can take to make your trash a less inviting target for adversaries:
Destroy CD-ROMs, DVDs and floppy disks before disposing of them. Shredders specifically designed for these media are available at office supply stores and online.
When disposing of hard disk drives, thoroughly erase all information from them by overwriting the entire drive multiple times. An open source solution called Darik's Boot and Nuke (DBAN, available from dban.sourceforge.net) provides a bootable floppy or CD that does the job quite nicely. Better yet, secure your data and work out your aggressions by opening the drive and pounding the heck out of the platters with a hammer.
- Shred all discarded paper waste. By shredding everything, you relieve employees of the responsibility of deciding what information is confidential and what is not. Besides, seemingly innocuous scraps of paper can be very useful to an attacker -- especially when combined with other seemingly innocuous scraps of paper.
You have a number of choices regarding shredding. You can purchase shredders and make them available to employees. If you choose to do this, be sure to purchase "cross cut" units, which produce confetti rather than those that produce strips. This will make it more difficult for the determined attacker to reassemble documents. Also, make it easy for employees to shred documents by placing shredders in convenient locations.
If your office generates a lot of paper or if the noise of shredders would be distracting, there are services that provide outsourced shredding. Typically, these providers place locked trash containers around your office that they periodically empty. Employees can place paper and computer media in these containers for disposal. When the document destruction company collects the contents of the bins, they either take them back to a central location for destruction (less expensive) or will shred it on site in their truck (more expensive). In either case, you are provided with a document certifying the destruction of your information. Firms charge for their services by the container or box load, or by the amount of time required to shred the documents.
Using a document destruction contractor requires some homework. Especially in the case of an offsite document destruction firm, you need to be sure that the company is reputable and that it performs background checks on its employees. Look for companies that are well established, can provide references from organizations you trust and who are willing to let you visit their facilities. The document destruction industry has a trade organization, the National Association for Information Destruction. NAID's Web site (www.naidonline.org) contains a directory of member and certified firms in the US and abroad.
Becoming a garbologist is not the most exciting or glamorous part of info security assessment, but it can be an effective and low cost way to plug information leaks in your organization. So, sit down with your management and talk trash!
About the author
Al Berg, CISSP, CISM is the Director of Information Security for Liquidnet (http://www.liquidnet.com), the #1 electronic marketplace for block trading and the fifth fastest growing private company in America according to Inc. Magazine's 23rd annual Inc. 500 list of the fastest growing privately held companies in America.
This was first published in January 2008