This chapter covers two physical attacks that target sensitive information: shoulder surfing and dumpster diving. Both are part of the SY0-701 exam domain 'Threats, Vulnerabilities, and Mitigations' under Objective 2.2, which requires you to explain various types of attacks and their mitigations. Shoulder surfing involves observing a user's screen or keyboard to steal credentials or data, while dumpster diving involves retrieving discarded documents or media to uncover confidential information. Understanding these attacks is critical because they bypass technical controls and exploit human and physical weaknesses. This chapter will detail how each attack works, how to defend against them, and what the exam expects you to know.
Imagine you work in an open-plan office where everyone has their computer screen angled toward the aisle. A coworker named Bob walks by and, instead of looking straight ahead, he deliberately glances at your screen while you type your password. That's shoulder surfing. Now imagine that after hours, a janitor named Alice empties your trash bin into a larger bag, but before she disposes of it, she pulls out a crumpled sticky note with your Wi-Fi password written on it. That's dumpster diving. Both Bob and Alice are after the same prize: your credentials. Bob uses his eyes to capture information in real time, exploiting the fact that your screen is visible to passersby. Alice uses her hands to sift through discarded materials, exploiting the fact that you threw away sensitive information instead of shredding it. The mechanism of shoulder surfing relies on direct line-of-sight and lack of privacy; the mechanism of dumpster diving relies on the assumption that trash is safe. In the digital world, shoulder surfing is countered by privacy filters and screen positioning, while dumpster diving is countered by shredding policies and secure disposal. Just as you would pull down a window shade to block Bob's view, you would feed documents into a cross-cut shredder to make Alice's job impossible. Both attacks are low-tech but highly effective because they target the weakest link: human behavior.
What Are Shoulder Surfing and Dumpster Diving?
Shoulder surfing is a social engineering attack where an attacker looks over a victim's shoulder to obtain sensitive information, such as passwords, PINs, or confidential data displayed on a screen. It exploits the lack of visual privacy in public or shared spaces. Dumpster diving is the act of searching through trash (physical or digital) to find discarded sensitive information, such as documents, hard drives, or old media. Both are classified as physical attacks because they require physical presence or access to physical objects.
How Shoulder Surfing Works Mechanically
The attack follows a simple process:
1. Observation: The attacker positions themselves to have a clear line of sight to the victim's screen or keyboard. This could be standing behind, beside, or even using a reflective surface like a window or mirror.
2. Capture: The attacker visually records the information as it is entered or displayed. For example, watching keystrokes to capture a password or reading an email on screen.
3. Exploitation: The attacker uses the captured information, often immediately, to access systems or accounts.
Modern variants include using binoculars, cameras, or smartphones to record from a distance. Shoulder surfing can also target PIN pads at ATMs or point-of-sale terminals.
Key Components and Variants
Direct Shoulder Surfing: The attacker is in close proximity, typically within a few feet.
Remote Shoulder Surfing: The attacker uses optical devices like telescopes or high-zoom cameras to observe from a distance.
Shoulder Surfing via Reflections: The attacker observes reflections in windows, glasses, or shiny surfaces.
Shoulder Surfing in Crowded Spaces: Common in airports, coffee shops, and public transportation.
How Dumpster Diving Works Mechanically
Target Identification: The attacker identifies an organization or individual's trash disposal area, such as dumpsters, recycling bins, or trash rooms.
Retrieval: The attacker physically accesses the trash, often at night or during off-hours to avoid detection.
Sifting: The attacker searches through the trash for items like printed documents, sticky notes, old hard drives, CDs, or even hardware.
Information Extraction: The attacker extracts sensitive data, such as usernames, passwords, network diagrams, or financial records.
Exploitation: The attacker uses the information to launch further attacks, such as social engineering or direct system access.
Key Components and Variants
Physical Dumpster Diving: Searching through physical trash bins or dumpsters.
Digital Dumpster Diving: Searching through digital trash, such as recycle bins, deleted files, or unsecured cloud storage.
Trash Trawling: A more organized form where attackers follow trash collection schedules to intercept bags.
Data Remnants: Information left on discarded hard drives, USB drives, or mobile devices that were not properly wiped.
Exploitation and Defenses
Shoulder Surfing Defenses:
Use privacy screens or filters that limit viewing angles.
Position screens away from public view.
Use strong passwords and enable multi-factor authentication (MFA) to reduce the impact of password theft.
Be aware of surroundings and shield the keyboard when entering PINs or passwords.
Use biometric authentication where possible.
Dumpster Diving Defenses:
Implement a clean desk policy that mandates shredding of sensitive documents.
Use cross-cut shredders (not strip-cut) for paper disposal.
For electronic media, use degaussers or physical destruction (e.g., shredding hard drives).
Conduct regular audits of trash disposal procedures.
Implement secure disposal contracts with certified vendors.
Real Command/Tool Examples
While shoulder surfing and dumpster diving are primarily physical attacks, the exam may test related concepts like data remanence. For example, the shred command on Linux can overwrite files to prevent recovery:
shred -vfz -n 3 sensitive_document.pdf
This overwrites the file three times with random data, then zeros it out. For hard drives, tools like dd can be used to wipe entire drives:
dd if=/dev/urandom of=/dev/sda bs=4096 status=progress
However, these are not direct defenses against shoulder surfing or dumpster diving but relate to data destruction.
Identify Target and Location
The attacker first identifies a target individual or organization. For shoulder surfing, this might be someone entering a password at a public kiosk or an employee working on a laptop in a café. For dumpster diving, the attacker identifies the trash disposal area, often after hours. The attacker may conduct reconnaissance to determine when the target is likely to be vulnerable (e.g., during lunch breaks) or when trash is collected. Tools like Google Maps or simple observation help locate dumpsters. Logs or security cameras may show the attacker loitering, but if no surveillance is present, this step goes undetected.
Gain Proximity or Access
For shoulder surfing, the attacker positions themselves within visual range. This could be standing behind the victim, sitting at an adjacent table, or using a reflective surface. The attacker may use a smartphone to record from a distance. For dumpster diving, the attacker physically approaches the trash bin. They may need to climb fences or bypass locks. Security cameras might capture this approach, but attackers often wear hoods or masks. In a SOC, an analyst might notice unusual activity near trash areas on CCTV, but without correlation, it may be dismissed.
Capture Information
The attacker visually captures the information. For shoulder surfing, this means reading the password as it is typed or viewing sensitive data on screen. The attacker may write it down or memorize it. For dumpster diving, the attacker sifts through trash and collects documents, sticky notes, or media. They may take photos of documents rather than removing them to avoid detection. In a digital context, the attacker might recover files from a discarded hard drive using forensic tools like `dd` or `foremost`. Logs of file access on a recovered drive would show the attacker's activity if the drive was later connected to a system.
Exploit Captured Data
The attacker uses the captured information to gain unauthorized access. For example, a password obtained via shoulder surfing is used to log into the victim's email or corporate VPN. Data from dumpster diving, such as a network diagram, helps the attacker plan a targeted attack. The attacker may combine this with other social engineering techniques. In a SOC, this step might trigger alerts if the attacker tries to log in from an unusual location or device. For example, a successful login from an IP address that doesn't match the victim's typical pattern could indicate compromised credentials.
Cover Tracks
To avoid detection, the attacker may erase any evidence of their physical presence. For shoulder surfing, this is usually not needed as the attack leaves no digital trace. For dumpster diving, the attacker may rearrange trash to conceal their activity. They might also avoid taking original documents, instead photographing them. In a SOC, there may be no logs to analyze unless the attacker uses the stolen data in a way that generates alerts. The lack of direct evidence makes these attacks difficult to detect after the fact.
Scenario 1: Shoulder Surfing at a Coffee Shop
A penetration tester is hired to assess a company's security awareness. The tester visits a coffee shop near the company's headquarters and observes an employee working on a laptop. The employee's screen is visible from the side, and the tester can see them logging into the corporate VPN. The tester notes the password and later uses it to access the company's internal network. The company's SOC might have VPN logs showing a successful login from an unusual IP (the coffee shop's Wi-Fi), but without correlation to the physical observation, it appears legitimate. The correct response would be to implement multi-factor authentication (MFA) and provide security awareness training on visual privacy. A common mistake is to rely solely on strong passwords without MFA, which does not prevent shoulder surfing if the password is observed.
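The "Exploit Captured Data" step and Scenario 1 both note that the only digital trace of a shoulder-surfed password is a login from a network the user has never used. The following added example (not the guide's code) shows the simplest form of that correlation: learn each user's known /24 source networks from past successful VPN logins, then flag a success from an unseen network. The log format, user names and addresses are constructed; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges standing in for the office egress and the café Wi-Fi.

```python
"""Flag VPN logins from networks a user has never been seen on.
Added example for the SY0-701 guide; log lines and addresses are constructed."""
import ipaddress
import re

LINE = re.compile(r"(?P<ts>\S+) user=(?P<user>\w+) src=(?P<src>[\d.]+) result=(?P<res>\w+)")


def parse(line):
    m = LINE.match(line)
    return m.groupdict() if m else None


def source_net(src, prefix):
    return ipaddress.ip_network(f"{src}/{prefix}", strict=False)


def build_baseline(lines, prefix=24):
    """Known source networks per user, learned from successful logins only."""
    baseline = {}
    for rec in map(parse, lines):
        if rec and rec["res"] == "success":
            baseline.setdefault(rec["user"], set()).add(source_net(rec["src"], prefix))
    return baseline


def detect(baseline, lines, prefix=24):
    """Return (user, src) for every successful login outside the user's baseline.
    A hit is a lead, not proof: the analyst still has to correlate it with badge
    records, CCTV or the user before treating the credential as stolen."""
    alerts = []
    for rec in map(parse, lines):
        if not rec or rec["res"] != "success":
            continue
        if source_net(rec["src"], prefix) not in baseline.get(rec["user"], set()):
            alerts.append((rec["user"], rec["src"]))
    return alerts


# Constructed history: both users only ever connect from the office egress range.
HISTORY = [
    "2024-05-01T08:02:11Z user=bob src=198.51.100.20 result=success",
    "2024-05-02T08:05:43Z user=bob src=198.51.100.21 result=success",
    "2024-05-02T09:10:00Z user=alice src=198.51.100.30 result=success",
]

# Constructed new day: bob's password is replayed from the café's public Wi-Fi.
TODAY = [
    "2024-05-03T08:01:02Z user=bob src=198.51.100.22 result=success",
    "2024-05-03T12:41:55Z user=bob src=203.0.113.45 result=success",
    "2024-05-03T12:43:10Z user=alice src=203.0.113.46 result=failure",
]


def demo():
    return detect(build_baseline(HISTORY), TODAY)
```

As the scenario says, MFA is what stops the replayed password from working at all; this check only shortens the time an undetected login goes unnoticed.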
Scenario 2: Dumpster Diving at a Hospital
A malicious actor gains physical access to a hospital's dumpster area behind the building. They find unshredded patient records containing names, Social Security numbers, and medical histories. The attacker uses this information to commit identity theft. The hospital's SOC might have no direct visibility into the dumpster area, but an audit of trash disposal procedures would reveal the lack of shredding. The correct response is to implement a secure disposal policy with cross-cut shredders and contract with a certified disposal vendor. A common mistake is to assume that strip-cut shredding is sufficient, but strips can be reassembled. The hospital should also consider data encryption and access controls to mitigate the impact of physical breaches.
Scenario 3: Digital Dumpster Diving from Old Hard Drives
A company decommissions old computers and sells them to a recycler without wiping the hard drives. A buyer discovers the drives contain unencrypted financial data and customer information. The attacker uses this data to launch phishing campaigns. The SOC might detect the phishing attempts but may not trace them back to the discarded drives. The correct response is to implement a data destruction policy that includes degaussing or physical destruction of drives. A common mistake is to rely on simple file deletion or formatting, which does not prevent data recovery using tools like Recuva or PhotoRec. The company should use tools like shred or DBAN for secure erasure.
Exactly What SY0-701 Tests
Objective 2.2 asks you to 'explain various types of attacks and their mitigations.' Shoulder surfing and dumpster diving are listed under 'Physical attacks.' The exam expects you to:
Differentiate between shoulder surfing, dumpster diving, and other physical attacks like tailgating or piggybacking.
Identify appropriate mitigations: privacy filters, clean desk policies, shredding, and secure disposal.
Recognize that these attacks are low-tech and exploit human behavior, not technical vulnerabilities.
Common Wrong Answers and Why
1. 'Use encryption to prevent shoulder surfing' – Encryption protects data at rest or in transit, but does not prevent visual observation of a screen or keyboard. Candidates choose this because they think encryption solves everything.
2. 'Implement a firewall to prevent dumpster diving' – Firewalls are network security devices; they have no effect on physical trash. Candidates confuse network and physical security.
3. 'Shoulder surfing can be prevented by using complex passwords' – Complex passwords are harder to guess but still visible when typed. The attack captures the password directly, regardless of complexity.
4. 'Dumpster diving is not a threat because trash is private property' – Attackers often trespass, but the threat is real. Candidates assume legal protections prevent attacks.
Specific Terms and Values
- 'Privacy filter' or 'screen filter' – the primary mitigation for shoulder surfing.
- 'Cross-cut shredder' vs. 'strip-cut shredder' – cross-cut is more secure.
- 'Clean desk policy' – a policy requiring employees to clear desks of sensitive documents.
- 'Degausser' – a device that uses magnetic fields to erase data from magnetic media.
- 'Data remanence' – the residual representation of data that remains after attempted erasure.
Trick Questions
- A question might describe an attacker looking over a shoulder at a monitor. The answer is shoulder surfing, not 'visual hacking' (a non-standard term) or 'phishing' (which is electronic).
- A scenario about finding documents in a trash bin is dumpster diving, not 'social engineering' (though it can be part of social engineering).
- A question about using a privacy filter is a mitigation, not a detection method.
Decision Rule
If the scenario involves direct observation of a screen or keyboard, the attack is shoulder surfing. If it involves searching through trash or discarded media, it is dumpster diving. Mitigations should focus on preventing visual access or destroying physical data. If the answer choice involves technical controls like encryption or firewalls, eliminate it unless it specifically addresses data at rest on discarded media.
Shoulder surfing is a physical attack that relies on direct visual observation of sensitive information.
Dumpster diving involves searching through trash for discarded sensitive data.
Privacy filters (also called screen filters) limit the viewing angle to prevent shoulder surfing.
Cross-cut shredders are more secure than strip-cut shredders for destroying paper documents.
A clean desk policy requires employees to clear desks of sensitive documents when not in use.
Degaussing or physical destruction is required for secure disposal of magnetic media like hard drives.
Both attacks exploit human behavior and physical access, not technical vulnerabilities.
Multi-factor authentication (MFA) reduces the impact of stolen passwords from shoulder surfing.
Data remanence is the leftover data after deletion; proper wiping (e.g., using shred or DBAN) is needed.
SY0-701 tests these as part of Objective 2.2 under physical attacks.
These come up on the exam all the time. Here's how to tell them apart.
Shoulder Surfing
Involves visual observation of screens or keyboards
Occurs in real-time; attacker captures data as it is entered/displayed
Mitigated by privacy filters, screen positioning, and awareness
Leaves no physical evidence; hard to detect after the fact
Targets active data entry or display
Dumpster Diving
Involves physical retrieval of discarded materials
Occurs after data has been disposed; attacker accesses historical data
Mitigated by shredding, secure disposal, and clean desk policies
May leave physical evidence of tampering (e.g., disturbed trash)
Targets residual data on discarded media
Mistake
Shoulder surfing only happens in crowded public places.
Correct
Shoulder surfing can occur anywhere an attacker has line-of-sight, including private offices with glass walls, waiting rooms, or even through windows from outside. The key is visual access, not crowd density.
Mistake
Dumpster diving is illegal, so it's not a real threat.
Correct
While dumpster diving may be illegal in some jurisdictions (especially if trespassing is involved), attackers frequently ignore legal boundaries. The threat is real, and organizations must protect data regardless of legal protections.
Mistake
Using a privacy filter completely prevents shoulder surfing.
Correct
Privacy filters reduce the viewing angle but are not foolproof. An attacker positioned directly behind the user can still see the screen. They also do not protect against keyboard observation or reflections.
Mistake
Shredding documents into strips is enough to prevent dumpster diving.
Correct
Strip-cut shredders produce long strips that can be reassembled with effort. Cross-cut shredders produce confetti-like pieces that are much harder to reconstruct. For highly sensitive data, cross-cut or micro-cut shredders are recommended.
Mistake
Dumpster diving only applies to physical trash.
Correct
Dumpster diving can also refer to digital trash, such as deleted files, recycle bins, or unsecured cloud storage. Attackers may search through digital trash for sensitive information that was not properly deleted.
Shoulder surfing is a physical attack where an attacker observes a user's screen or keyboard to capture sensitive information like passwords or PINs. It occurs in public or shared spaces. The primary mitigation is using privacy filters and being aware of surroundings. On the exam, remember that it is a low-tech attack that does not require technical skills.
Use a privacy filter on your monitor, position your screen away from public view, and shield your keyboard when typing passwords. Enable multi-factor authentication so that even if a password is stolen, the attacker cannot access your account. On the exam, privacy filters are the most direct mitigation.
Dumpster diving is the act of searching through trash to find discarded sensitive information, such as documents, hard drives, or sticky notes with passwords. It is a physical attack that can lead to data breaches. Mitigations include shredding documents, using secure disposal services, and implementing a clean desk policy.
Dumpster diving may be illegal if it involves trespassing or if the trash is on private property. However, in some public areas, it may be legal. Regardless of legality, organizations must protect their data by properly destroying sensitive materials before disposal. On the exam, assume it is a threat that requires mitigation.
Shoulder surfing involves real-time observation of data entry or display, while dumpster diving involves retrieving discarded data after the fact. Shoulder surfing is mitigated by visual privacy controls; dumpster diving is mitigated by proper data destruction. Both are physical attacks under Objective 2.2.
A privacy filter is a physical screen overlay that narrows the viewing angle, making the screen appear dark to anyone not directly in front of it. It is the primary defense against shoulder surfing. On the exam, know that it is a prevention control, not a detection control.
A clean desk policy requires employees to clear their desks of sensitive documents and lock them away when not in use. This reduces the risk of shoulder surfing and dumpster diving. On the exam, it is a procedural control that supports physical security.