Think your company takes data protection seriously? You may need to give it the dumpster diving test. This big bank was pretty surprised what I came up with.
Listed below are links to weblogs that reference Scoring big in corporate dumpster diving:
Hi Steve,
Very fascinating. What would you recommend to stop this problem? It seems to be a hard problem to solve with technology alone as it's hard to automatically detect such violations. It would seem you need stronger policies in place with people managing it on-site. What do you think?
Posted by: John Honovich | February 19, 2009 at 11:20 AM
Steve,
I'm sure you've read Kevin Mitnick's book, The Art of Deception, which details at length the various "unconventional" attacks that can take place against corporate data. These are not unlike your dumpster diving experiment. Effective and scary indeed.
Comprehensive security frameworks designed to secure data both on-line as well as physically do exist. PCI-DSS, for example, devotes an entire section (requirement 9) to security and handling of physical media. It's certainly possible that this bank doesn't have adequate policy, is misclassifying data, or is simply out of compliance.
You make a great point--that we shouldn't develop tunnel vision attempting to secure our on-line systems and neglect other data leakage. A colleague recently pointed out an interesting talk by Bruce Schneier discussing how we as humans perceive and respond to risk. Which I believe plays into your point. We often have the feeling of being secure when we're not--and the other way around. Schneier's talk is available on MP3 at http://usenix.org/publications/multimedia/#sec08 in the talk titled, "Reconceptualizing Security." It's worth a listen.
Posted by: Steve Mitchell | February 19, 2009 at 02:39 PM
Finally got a chance to watch it. Great report Steve! Very depressing but not at all surprising.
About 2 years ago the local paper here wrapped their stacks for delivery in "recycled sheets of paper". Unfortunately, those recycled sheets had customer data - name/address/ssn/etc.
As an individual, I can go about protecting myself as much as possible only to have a bank or doctor's office or (name your entity here), simply dump my info in the trash for any criminal to retrieve. It's something the customer has no real control over except maybe to pressure businesses to take better care. In some instances it's not even feasible to move to another business for that service.
Posted by: Teresa | February 20, 2009 at 09:30 AM
Nice post Steve. I agree completely with your assessment. When it comes to risk versus reward often the low tech attack comes out on top.
In my opinion, the best approach to this vulnerability is two-pronged. Educate your employees and make it easy for them to use secure disposal systems.
With cost cutting in the lime light we should diligently defend these common sense approaches to basic information security.
Posted by: Mica | February 20, 2009 at 11:17 AM
The truth of the matter is that digital security of files has to be of the highest importance if a name is going to survive. We just won't take less than that.
That goes with discarded data. DESTROY IT. That's the ethical thing to do.
I'd be interested in reading an article about different methods that are used to secure and destroy data. Found some good stuff on http://www.justaskgemalto.com but curious about what your take on it would be.
Posted by: Thomas Whitney | February 20, 2009 at 03:15 PM
Steve,
You’re crazy, man. Great video! I’m impressed. I learned a long time ago from a very smart LP regional manager, before POS systems. He said “People will only do what you expect, if they know that you are going to inspect.” If any company expects their policies and procedures to be followed with regards to the destruction of sensitive materials, they must monitor the behavioral procedures necessary to fulfill the policies. VIDEO is BEST, but someone has to view it on occasion. If an employee perceives that they will be caught if they don’t do their job, they will do their job. We put cameras over cash drawers, why not shredders? Why shouldn’t we expect to see the employees who handle sensitive data in front of those shredders every day? And you’re still crazy! All the best,
Posted by: Jamie McDonald - PHYSECTECH | February 20, 2009 at 05:48 PM
Thanks for all the comments!
Posted by: Steve Hunt | February 28, 2009 at 08:54 PM
Properly conducted and regular security audits are intended and supposed to identify these kinds of problems. HOWEVER, from personal experience, internal auditors can/will tend to ignore this particular security risk/vulnerability!
Posted by: Pat | May 11, 2009 at 11:29 PM
Hi Steve,
I'm hoping to reference this link/video in a Dumpster Diving corporate publication to raise awareness.
Could you please let me know if you're ok with this?
Thank you
Posted by: Lindsay | November 02, 2009 at 01:18 PM
Well Steve this was very informative to say the least.
Big business just doesn't realize just how much information they are throwing in the garbage without proper privacy management in place.
For instance... We were involved in a computers for disadvantaged kids program a while back, and were getting pallets full of discarded computers. Many we found came from smaller hospitals and companies, and many with the HDs full of contact and patient information. Once this was found, we contacted the business/hospital involved and returned their computers intact.
God only knows what would have happened to that information if it got into the wrong hands.
Posted by: Bob | December 17, 2009 at 10:39 AM