
Security: Fighting the enemy within

Roberto Medrano for ZDNet.com ZDNet US

Published: 21 Feb 2003 16:47 GMT


Kevin Mitnick was placed in solitary confinement in 1995 out of fear of a revolutionary corporate security risk that Mitnick had learned to exploit. The reserved and non-violent Mitnick had for years been breaking into some of the nation's most secure networks by combining solid computer hacking ability with an uncanny way of coaxing information out of people -- information about computer passwords, for example. Mitnick had already served time for stealing computer phone network information after convincing a security guard to let him into the phone company headquarters.

Mitnick's abilities spooked the judge assigned to his case. The judge's move to physically separate him from any person he could "influence" is a tremendous validation of the threat of social engineering, or the ability to prey on people's trust of others. Mitnick had used social engineering to hack into computer systems as valuable as those housed at the US National Security Council. Simply put, social engineering encompasses the varied methods a hacker uses to pretend to be an authorised user of the network. Social engineering can occur through many channels, including online, by telephone and even by physically impersonating an individual in the office.

Social engineering exists today. Any employee can leak valuable security information about computer networks to outsiders. As no company can exist without employees, the fact that individual people are security risks is an inevitable reality. Beyond social engineering, users can leave computer systems vulnerable by accidentally (or purposely) changing the security settings on their machines. Both through employees' interactions with other individuals and through employees' use of their own computer equipment, the risk of security vulnerabilities is significant.

Fortunately, there is an answer to the risk of social engineering and the threats posed by employee use of company machines. Security policy automation, an emerging security software concept, removes many security risks by implementing a security policy across enterprise systems and consistently auditing and monitoring systems for compliance.

In many ways, security policy automation is the missing link within an organisation's plan for security.
