11.4. Securing Refuse

In Chapter 6, I discussed the dangers of 'dumpster diving'. To recap, this is where an intruder literally goes through your garbage looking for information that helps formulate or augment a plan of attack. While the defenses to this may seem obvious, they're clearly not or it wouldn't be a problem. There are things you need to take into consideration when mitigating the risk this poses:

  • What Ends Up in the Trash – If you can prevent (or at least reduce the quantity of) confidential, sensitive or privileged information finding its way into the trash, then the physical security of the dumpsters themselves becomes a moot point. This should be your approach before thinking about anything else. Any paper waste that contains client information, emails, phone lists, and so on should be shredded using a cross-cut shredder. How far you go beyond that is up to you. Some companies have policies that insist that all shredded information is burned or transported to the local dump by trusted parties. However, this is not practical in my opinion. Avoid throwing electronic media in the trash if possible, but all media you do discard should be cryptographically scrubbed prior to disposal (see Chapter 6).

  • Dumpster Security – Ideally, refuse containers should be secure, though this is not as easy as it sounds and is far from practical. Dumpsters need to be accessed by at least two parties: the cleaning crew and the collection crew. If the dumpsters are locked, these people need to be issued ...

Get Unauthorised Access: Physical Penetration Testing For IT Security Teams now with the O’Reilly learning platform.
