When pen testers don Marigolds

Ken Munro, managing director, SecureTest

From the September 2007 issue of Infosecurity magazine

I remember a great line from the WarGames movie: Matthew Broderick is being investigated by the FBI and is asked for the phone number he used to dial in to the ‘WOPR’, the giant military computer which is able to kick off global thermonuclear war. He replies that he threw it away, to which the FBI agent responds: “I know, we found it in the trash.”

In this era of identity theft, it still amazes me how much information can be gleaned by picking through rubbish bags. It’s not exactly glamorous, but one of the most effective routes to mine information is to don a pair of Marigolds and start rooting through banana skins and sandwich wrappers. In recent weeks, we found documentation ranging from credit card statements, pension valuations, bank account details, a utility bill, a photocopy of a driving licence and even a Dictaphone tape. What more could you need to steal an identity?

When considering the home environment, the problem isn’t quite as bad as it was, as retailers now obfuscate credit card numbers on receipts. Individuals are probably a little more aware of the consequence of throwing away personal information, hence the surge in sales of personal shredders. However, people seem to forget some of the basics of data protection as soon as they walk into the office. Disposal of physical documents can be lax. So what should an organisation do about this?

Many businesses think they have avoided this issue by investing in confidential data bins: separate bins around the office into which papers are deposited for shredding. These are collected by a trusted waste management company and securely destroyed.

Great idea, but now you’ve got all of your sensitive data in a bin marked ‘confidential data’! How do you ensure this goldmine of information isn’t raided before the bin is collected? Is it kept locked? How big is the slot through which papers are deposited – could any of the contents be pulled out? Have you thought about theft of the bin itself? When social engineering, we think we’ve hit the jackpot when we find these bins. Several times we’ve walked out of an office building on test exercises carrying an unlocked box full of confidential information.

Then you have the problem of staff actually using these confidential data bins; they find it far easier to put papers in the regular bin under their desk. The ideal solution is to implement a system of protective marking, much like government has been doing for years to great effect. However, even then you need to accept that not everyone will follow it, so you need to mitigate the impact of documents ‘leaking’ out of the organisation in the rubbish.

So, go find your dumpsters: at the very least these bins should be covered by a CCTV camera, but that camera needs to be monitored. Even then your security procedures may not be watertight. All it takes is for a hacker to fool your security guard by posing as a binman or groundsman and it’s still possible to access these bins unchallenged.

All too often, security policies deal primarily with IT security. It’s tempting to look for the next sexy rackmount security appliance that will solve all of our security problems, but we’ve found that simple physical document handling is often the root of many evils.

Maybe rubber gloves are overkill, but take a wander around your building in the next couple of days, see how papers are disposed of, find your dumpsters, maybe even have a rummage around the cleaner ones to see what information is in there. You might find something to surprise senior management with; we do!

SecureTest is a UK penetration testing firm.
