You would not believe what has been recovered from dumpsters from professional security teams who, while performing a test of a company’s security, dug through the trash.
Trash from banks and health care facilities in particular provide a plethora of sensitive information that hackers look for. Names, addresses, phone numbers, social security numbers, and financial information are the most obvious targets, but what are some of the less obvious? Old software disks from system updates tell the hacker what software you are using. A bill from your utilities or even your computer support company can give away vital information to a hacker who is willing to disguise himself to gain physical access to your building. Though most hackers will not want to risk physical entry to your system, trash recovered from security tests have provided everything from administrator level passwords to layouts of your internal network.
Also, physical machines discarded often offer a wealth of information. The most obvious is hard drives left intact inside the machines. But, also, the outside of the system can provide information too. You have corporate asset tags that tell exactly what company owned the machine. Corporate Network ID tags sometimes have the network name and internal IP Address listed, this information could also be used. Some people even tape passwords to machines and monitors.
Just a side note, many large companies use network ID tags. Great idea, but could you make them smaller, or place them on the back or bottom of the machines? Or, just limit the information on them. They stick out like a sore thumb to any visitor walking through the building.
Also, on the same note, let’s talk about network diagrams. Can we not post full size diagrams of the complete network on the outside of our cubicles in the computer department? Several large companies that I have been in proudly displayed their full network maps for all to see. One company made it like the center piece of their operations area. Never mind the fact that it was in full view of anyone meandering around the building…
Informational value from computers is the most obvious, but what about the copy machine that you are going to throw out? Did you know that most copiers have hard drives inside and could contain copies of images that were photocopied on the machine?
We have covered several different avenues of gaining pertinent information from trash. What do we do to defend against it? Shred your documents and CD/DVD’s that are being discarded. Post company policy that all sensitive materials MUST be shredded when discarding. Provide special garbage cans when employees move to a different office to make sure that “useless” desk clutter and “old” documents are shredded. Some companies even go to the extent to burn the shredded documents. Most cities frown upon this now, but as long as you have a good quality shredder this should not be a problem.
Hard drives should be securely wiped before being removed from computers, high end printers and copier machines. Formatting or deleting the files is not enough, they can still be recovered. The drives must be securely wiped. Several secure drive erase programs exist. Jetico provides commercial industrial strength data wipe software that is used by military contractors and the DOD, they also offer a small office, home user version.
For companies with no money to spare, several free opensource utilities exist. Using something is better than nothing at all. After wiping, it is always a good idea to pull drives immedietly from machines being scrapped, so they don’t accidently get left in the PC. Manufacturers can help with making sure photocopy drives are erased.
One last note to this long post, it is always better to have employees wipe drives than to trust that your disposal company will do it. On more than one occasion I have seen used computers sold that still had company data on the hard drives.