Fighting the enemy within
By Roberto Medrano, CEO PoliVec
Special to ZDNet
February 20, 2003
Kevin Mitnick was placed in solitary confinement in 1995 out of fear of a revolutionary corporate security risk that Mitnick had learned to exploit. The reserved and non-violent Mitnick had for years been breaking into some of the nation’s most secure networks with a combination of solid computer hacking ability and an uncanny way of coaxing information out of people, such as their computer passwords. Mitnick had already served time for stealing phone network information after convincing a security guard to let him into the phone company headquarters. Mitnick’s abilities spooked the judge assigned to his case. The judge’s move to physically separate him from any person he could “influence” is a tremendous validation of the threat of social engineering, the ability to prey on people’s trust in others. Mitnick had used social engineering to hack into computer systems as valuable as those housed at the U.S. National Security Council.
Simply put, social engineering encompasses the varied methods a hacker uses to pass as an authorized user of the network. It can take place online, over the telephone, or in person, by physically impersonating an employee in the office.
Social engineering is still with us. Any employee can leak valuable information about the company’s computer networks to outsiders. Since no company can operate without employees, the fact that individual people are security risks is unavoidable. Beyond social engineering, users can leave systems vulnerable by accidentally (or deliberately) changing the security settings on their machines. Both in employees’ dealings with other people and in their use of their own computers, the risk of security vulnerabilities is significant.
Fortunately, there is an answer to the risk of social engineering and to the threats posed by employee use of company machines. Security policy automation, an emerging security software concept, reduces many of these risks by implementing a security policy across enterprise systems and consistently auditing and monitoring those systems for compliance.
In many ways, security policy automation is the missing link within an organization’s plan for security.
Establishing policies
For many companies, the concept of a security policy is not new. Written security policies are a set of documented security rules and configurations that are intended to guard a company from threats to its equipment, employees and computer information. As an exercise, these policies are helpful in raising the visibility of security concerns and creating a heightened understanding of security risks. Companies correctly establish company-wide committees representing multiple departments to handle the task of creating written standards for an organization to follow. Often, written security policies include guidelines for the physical security of company offices, the protection of written or produced intellectual property, and the electronic security of information stored on or transferred by computers.
The motivations for the new wave of security policy creation are numerous. Most companies are motivated by the heightened attention to homeland security and have created security committees or task forces to make recommendations on security procedures. Written security policies are often the result of these efforts.
Companies are also under pressure to develop policies to comply with federal regulations. The Health Insurance Portability and Accountability Act, or HIPAA, requires covered healthcare organizations to have in place a system for ensuring the privacy of patient records and health information by April 2003. It is not that healthcare organizations are insecure today; rather, the federal government now wants these organizations to prove their security is sound. Writing security policies is one way to help satisfy this requirement.
Similarly, the Gramm-Leach-Bliley Act (GLBA) requires financial institutions to implement certain technical and physical safeguards. Often, a full network audit has to be conducted as part of the compliance process in order to find out where network vulnerabilities lie.
Using the right tools
No matter what the motivation, security policies are a solid foundation for a secure enterprise. Tools exist to help with the creation of written security policies. Software applications are available that lead company security officers through a series of templates defining security policy standards.
Templates within these software applications exist for crafting security policies that meet a variety of guidelines. Policy templates include ISO 17799 for enterprises, a GLBA template for financial institutions, and a HIPAA template for healthcare organizations.
The templates are critical, since writing an effective security policy is not easy. Templates help ensure that the security policy created is practical enough to be implemented consistently across an enterprise. Simply put, creating a policy without thinking about how it will be implemented is a recipe for failure. As InfoWorld’s Mandy Andress wrote in November 2001, “There's a fine line between creating an enforceable policy and discussing the technologies used to enforce that policy.”
Many security consulting companies understand the importance of security policies, but they also know that the vast majority of security policies are never implemented and instead sit on shelves collecting dust. Where they are implemented, compliance is verified only periodically, which is not often enough. Ongoing enforcement of security policies is vital, not only to reduce the threat of security breaches, but also to ensure compliance with federal regulations.
Quite often, internal threats to a network's security are caused by users performing legitimate actions that unintentionally have significant security consequences. For example, when a user installs a new software package on a networked desktop system, the installer can change the configuration of the user’s machine. New settings, such as altered password rules, leave the user’s machine and ultimately the entire network open to security violations, intrusions and infiltration. The vulnerability can go unnoticed for days or weeks if the written security policy is not constantly and consistently enforced.
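As an added illustration of the continuous compliance check the editorial calls security policy automation (this is example code written for this page, not PoliVec’s product or anything from the original article), the script below compares each desktop’s current settings with a written policy baseline and reports every setting that has drifted. The policy values, the setting names and the two host snapshots are constructed sample data; the host "ws-17" models the scenario above, where a software installation reset the password rules to "unlimited" and "never expires".

```python
"""Hypothetical policy-drift audit: compare host configuration snapshots
against a written security policy baseline and report non-compliance.
All setting names, policy values and host data are constructed examples."""

from dataclasses import dataclass

# Policy baseline: setting -> (rule, required value).
# "min": host value must be >= required; "max": host value must be <= required;
# "eq": host value must equal required. Values are illustrative.
POLICY = {
    "password_min_length": ("min", 8),
    "password_max_age_days": ("max", 90),
    "lockout_threshold": ("max", 5),      # failed logons allowed before lockout
    "screensaver_lock": ("eq", True),
    "guest_account_enabled": ("eq", False),
}


@dataclass
class Finding:
    host: str
    setting: str
    actual: object
    required: object
    rule: str


def check_setting(rule, required, actual):
    """Return True if the observed value satisfies the policy rule."""
    if actual is None:            # setting missing from the snapshot: treat as non-compliant
        return False
    if rule == "min":
        return actual >= required
    if rule == "max":
        # For limits such as password age or lockout threshold, 0 conventionally
        # means "never" or "disabled", which is weaker than any finite limit.
        if required > 0 and actual == 0:
            return False
        return actual <= required
    if rule == "eq":
        return actual == required
    raise ValueError(f"unknown rule {rule!r}")


def audit_host(hostname, settings, policy=POLICY):
    """Return a list of Findings for every policy setting the host violates."""
    findings = []
    for setting, (rule, required) in policy.items():
        actual = settings.get(setting)
        if not check_setting(rule, required, actual):
            findings.append(Finding(hostname, setting, actual, required, rule))
    return findings


def audit_fleet(snapshots, policy=POLICY):
    """Audit a mapping of hostname -> settings; return hostname -> findings."""
    return {host: audit_host(host, settings, policy) for host, settings in snapshots.items()}


# Constructed snapshots. "ws-04" is in policy; "ws-17" had its password
# rules reset by a software installer and is out of policy.
SNAPSHOTS = {
    "ws-04": {"password_min_length": 10, "password_max_age_days": 60,
              "lockout_threshold": 5, "screensaver_lock": True,
              "guest_account_enabled": False},
    "ws-17": {"password_min_length": 0, "password_max_age_days": 0,
              "lockout_threshold": 0, "screensaver_lock": True,
              "guest_account_enabled": False},
}


def report(results):
    """Render audit results as one line per finding (or 'compliant')."""
    lines = []
    for host, findings in sorted(results.items()):
        if not findings:
            lines.append(f"{host}: compliant")
        for f in findings:
            lines.append(f"{host}: {f.setting} is {f.actual!r}, "
                         f"policy requires {f.rule} {f.required!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit_fleet(SNAPSHOTS)))
```

Run on a schedule rather than once, a check like this is what turns a policy document into enforcement: the drift on "ws-17" is reported the same day the installer changes the settings, rather than at the next annual audit.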
Source and more: ZDNET