Kevin Mitnick was placed in solitary confinement in 1995 out of fear of a revolutionary corporate security risk that Mitnick had learned to exploit. The reserved and non-violent Mitnick had for years been breaking into some of the nation's most secure networks with a combination of solid computer hacking ability mixed with an uncanny way of coaxing information out of people -- information about computer passwords, for example. Mitnick had already served time for stealing computer phone network information after convincing a security guard to let him into the phone company headquarters.
Mitnick's abilities spooked the judge assigned to his case. The judge's move to physically separate him from any person he could "influence" is a tremendous validation for the threat of social engineering, or the ability to prey on people's trust of others. Mitnick had used social engineering to hack into computer systems as valuable as those housed at the US National Security Council. Simply put, social engineering encompasses varied methods a hacker uses to pretend to be an authorised user of the network. Social engineering can occur through many methods, including online, telephone and even by physically impersonating an individual in the office.
Social engineering remains a live threat today. Any employee can leak valuable security information about computer networks to outsiders. As no company can exist without employees, the fact that people individually are security risks is an inevitable reality. Beyond social engineering, users can leave computer systems vulnerable by accidentally (or purposely) changing the security settings on their machines. Both through employees' interactions with other people and through their use of their own computer equipment, the risk of security vulnerabilities is significant.
Fortunately, there is an answer to the risk of social engineering and the threats posed by employee use of company machines. Security policy automation, an emerging security software concept, removes many security risks by implementing a security policy across enterprise systems and consistently auditing and monitoring systems for compliance.
In many ways, security policy automation is the missing link within an organisation's plan for security.
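The two halves of security policy automation described above, enforcing a written policy on every machine and then auditing each machine for compliance, can be made concrete in code. The following is an added example, not code from the article or from any product it describes: a small policy-as-data auditor that checks host configuration snapshots against a baseline, reports drift (including settings a user has weakened or that could not be read), and resets non-compliant settings. The policy rules, host names and configuration values are constructed for the example.

```python
"""Security policy automation, illustrated: audit host configurations
against a written baseline and reset the settings that drift from it.

All policy rules, host names and configuration values below are constructed
sample data for this example, not real systems.
"""
from __future__ import annotations

import operator
from dataclasses import dataclass
from typing import Any

# Operators a policy rule may use. Anything else is rejected at audit time.
OPERATORS = {">=": operator.ge, "<=": operator.le, "==": operator.eq}

# The written policy, expressed as machine-checkable rules (constructed).
POLICY = {
    "password_min_length": (">=", 12),
    "screen_lock_timeout_minutes": ("<=", 15),
    "guest_account_enabled": ("==", False),
    "firewall_enabled": ("==", True),
    "remote_desktop_enabled": ("==", False),
}

# Configuration snapshots collected from three workstations (constructed).
# ws-sales-02: a user weakened two settings. ws-eng-03: three settings drifted,
# and one setting could not be read at all.
HOST_CONFIGS = {
    "ws-finance-01": {"password_min_length": 14, "screen_lock_timeout_minutes": 10,
                      "guest_account_enabled": False, "firewall_enabled": True,
                      "remote_desktop_enabled": False},
    "ws-sales-02": {"password_min_length": 8, "screen_lock_timeout_minutes": 10,
                    "guest_account_enabled": False, "firewall_enabled": False,
                    "remote_desktop_enabled": False},
    "ws-eng-03": {"password_min_length": 12, "screen_lock_timeout_minutes": 60,
                  "guest_account_enabled": True, "firewall_enabled": True},
}


@dataclass(frozen=True)
class Finding:
    """One policy violation on one host."""
    host: str
    setting: str
    expected: str   # the rule, e.g. ">= 12"
    actual: Any     # None when the setting was absent from the snapshot


def check_rule(op: str, actual: Any, required: Any) -> bool:
    """True when `actual` satisfies the rule `op required`.

    A value of the wrong type (e.g. the string "12" where an integer is
    expected) cannot be shown to comply, so it is reported as non-compliant.
    """
    if op not in OPERATORS:
        raise ValueError(f"unsupported operator in policy: {op!r}")
    try:
        return bool(OPERATORS[op](actual, required))
    except TypeError:
        return False


def audit_host(host: str, config: dict, policy: dict) -> list[Finding]:
    """Compare one host's snapshot with the policy and list every deviation."""
    findings: list[Finding] = []
    for setting, (op, required) in policy.items():
        rule = f"{op} {required}"
        if setting not in config:
            # An unreadable setting is an unknown state, and unknown must not
            # pass as safe: record it as a finding rather than skipping it.
            findings.append(Finding(host, setting, rule, None))
        elif not check_rule(op, config[setting], required):
            findings.append(Finding(host, setting, rule, config[setting]))
    return findings


def audit_fleet(hosts: dict, policy: dict) -> dict[str, list[Finding]]:
    """Audit every host; the result is keyed by host name."""
    return {host: audit_host(host, cfg, policy) for host, cfg in hosts.items()}


def compliance_summary(results: dict[str, list[Finding]]) -> dict[str, int]:
    """Roll the fleet audit up into the numbers a monitoring dashboard shows."""
    compliant = sum(1 for findings in results.values() if not findings)
    return {"total_hosts": len(results), "compliant_hosts": compliant,
            "findings": sum(len(f) for f in results.values())}


def enforce(config: dict, policy: dict) -> dict:
    """Return a copy of `config` with each non-compliant or missing setting
    reset to the policy value: the enforcement half of policy automation."""
    fixed = dict(config)
    for setting, (op, required) in policy.items():
        if setting not in fixed or not check_rule(op, fixed[setting], required):
            fixed[setting] = required
    return fixed


if __name__ == "__main__":
    results = audit_fleet(HOST_CONFIGS, POLICY)
    for host, findings in results.items():
        print(f"{host}: {'compliant' if not findings else f'{len(findings)} finding(s)'}")
        for f in findings:
            print(f"  {f.setting}: expected {f.expected}, found {f.actual!r}")
    print(compliance_summary(results))
```

Running the block audits the three constructed hosts and prints one compliant host and five findings across the other two; calling `enforce` on a drifted snapshot and auditing the result again yields no findings, which is the check a policy-automation tool would run after remediation.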
Establishing policies
For many companies, the concept of a security policy is not new. Written security policies are a set of documented security rules and configurations that are intended to guard a company from threats to its equipment, employees and computer information. As an exercise, these policies are helpful in raising the visibility of security concerns and creating a heightened understanding of security risks. Companies correctly establish company-wide committees representing multiple departments to handle the task of creating written standards for an organisation to follow. Often, written security policies include guidelines for the physical security of company offices, the protection of written or produced intellectual property, and the electronic security of information stored on or transferred by computers.
The motivations for the new wave of security policy creation are numerous. Most companies are motivated by the heightened attention to national security and have created security committees or task forces to make recommendations on security procedures. Written security policies are often the result of these efforts.