The social engineering threat to your business

A little bit of charm goes a long way

How do you rob a bank? Guns and masks are so old-fashioned. These days, your budding bank robber uses a combination of technology and charm.

Earlier this year police foiled an attempt to steal GBP 220m from Sumitomo Mitsui Bank in the City of London. The criminals behind the attempt allegedly infiltrated the firm posing as cleaners and installed key loggers on certain computers. These devices recorded every key press on the targeted machines: passwords, account numbers and the rest.

But it's not just banks that are at risk from this kind of attack. In fact, "it's easier to target an SME. They're less aware and they have less IT resource in-house and fewer people banging the drum about passwords and security," reckons Ken Munro, Managing Director of SecureTest.

He should know. His company carries out penetration tests for companies who want to see how secure their businesses are. His 'mission impossible' team try to break into computer rooms, get past reception desks, tap into wireless networks and the rest.

"We never fail," he says. "In one case, our challenge was to get into a large well-locked-down, dark server room where only three people had PIN numbers and we got in by social engineering the three of them."

He has a nice collection of camera phone pictures of companies' server rooms, which he uses to prove how easy it was for his staff to blag their way in. Another frighteningly effective trick is to send a director (their names and addresses are publicly available at Companies House) a CD or memory stick with a custom-written trojan on it, which installs a software key logger.

His advice:

Don't trust any files you're sent, whether by email, CD or memory stick

Stop CDs auto-running

Educate staff about the risks of social engineering. Consider hiring professional trainers

Establish clear, effective telephone protocols. Never disclose names, email addresses or private information such as passwords, home addresses etc

Anonymise everything you can. Use generic email addresses on your website, for example, and anonymise domain name and IP address registrations

Make sure you have a security policy and that it covers physical security

Vet cleaners and other 'invisible' and subcontracted staff as well as IT support people and general employees.

Make sure network sockets that aren't in use are immediately disconnected at the source so they can't be used by intruders, especially ones in semi-public areas like meeting rooms

Review visitor procedures. Is anyone allowed onsite without an escort or badge? When people turn up unannounced does anyone check the credentials?

Encourage staff to challenge strangers inside the building. Munro even suggests offering a reward
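One item on that list, stopping CDs and removable drives from auto-running, is a Windows configuration change rather than a policy decision, and it is easy to verify. The script below is an added example, not code from the article or from Microsoft: it reads the real NoDriveTypeAutoRun policy value in both the machine-wide and current-user Policies\Explorer keys, reports whether AutoRun is disabled for every drive type (0xFF), and writes that value only when run with -Apply. It assumes a Windows PC with PowerShell and, for the HKLM change, an elevated session.

```powershell
# Added example: audit, and optionally enforce, the Windows policy that stops
# CDs, DVDs and removable drives from auto-running. NoDriveTypeAutoRun is the
# real policy DWORD; 0xFF disables AutoRun for every drive type. Changing the
# HKLM key needs an elevated (Run as administrator) PowerShell session.
param([switch]$Apply)

$PolicyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',  # machine-wide
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'   # current user
)
$ValueName = 'NoDriveTypeAutoRun'
$AllDrives = 0xFF

function Get-AutoRunPolicy {
    # Returns one object per policy location describing the current setting.
    foreach ($path in $PolicyPaths) {
        $current = $null
        if (Test-Path $path) {
            $current = (Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
        }
        [pscustomobject]@{
            Path     = $path
            Value    = $current
            # Disabled only if the value exists and every drive-type bit is set
            Disabled = ($null -ne $current) -and (($current -band $AllDrives) -eq $AllDrives)
        }
    }
}

function Set-AutoRunDisabled {
    # Writes 0xFF to both locations, creating the policy key where it is missing.
    foreach ($path in $PolicyPaths) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name $ValueName -PropertyType DWord -Value $AllDrives -Force | Out-Null
    }
}

# Always report first; change the registry only when -Apply was given and
# at least one location is not yet fully disabled.
$report = Get-AutoRunPolicy
$report | Format-Table -AutoSize

if ($Apply -and ($report | Where-Object { -not $_.Disabled })) {
    Set-AutoRunDisabled
    Write-Host 'AutoRun policy updated; re-checking:'
    Get-AutoRunPolicy | Format-Table -AutoSize
}
```

Save it as, say, Check-AutoRun.ps1 and run it with no arguments to see the current state, or with -Apply to enforce the setting. On a domain, the "Turn off Autoplay" Group Policy setting writes this same value to every PC and is the better way to roll it out; the script is then useful as a spot check that the policy has actually arrived on a given machine.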

Once you think you've got good systems in place, then it's time to test - and this is where companies like SecureTest come in.

"You can't stop everyone," warns Munro. "You've seen Ocean's 11. There are people as good as that in the real world. However, they tend to go after big fish. Lower down the food chain, if you can make life difficult for would-be Danny Oceans they might just move on and go after an easier target."

What next?

Read Matthew's previous columns in our Security Bulletin archive.