
A few examples: A programmer at a travel company sets up a shell travel agency and, using a report of uncommissioned reservations, credits the commissions to the fake agency; he collected a large sum in commissions before he was caught. A phone company's customer service agent deactivates an account, applies credits to it, then reactivates it and sells the phone time. A contract programmer "triple dips" (no, it's not a takeoff on a Seinfeld episode): the contractor bills for work that wasn't done while working on another customer's project during the same hours--that's two dips. The contractor then pleads ignorance of why the work wasn't done, creates a hitch in the project and bills the time again to fix it.
The hacker ethic of demanding access to all information for free--and the willingness to break the law to prove it--is not really the attack for which you want to plan. Rather, you need to envision your opponent just a few rungs down on the ethics ladder--it's not mischief, it's malice. And while you may recognize this individual, you may not fully understand the scam being run on you and your company.
The methodology for security specialists is basically to monitor, detect and respond. The average middle manager's time and attention is consumed by projects. Any extra time is dedicated to keeping up with the pace of technology change. Except for the nominal things managers have to do about protecting directories or securing passwords, they're not concerned about security. If front-line managers have no security awareness, it's difficult to expect their reports to have any either. The majority of staff has no significant understanding of the organization's security needs, and as a result, the most effective security attack is simply to ask someone for the information you need. The workplace fosters a de facto trust in everyone who walks through the door--and that trust is misplaced.
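The monitor, detect and respond loop is easiest to see against the phone-company scam described earlier. What follows is an added example, not part of Walsh's column: a small Python detector run over a constructed billing-system audit log (the log format, agent IDs, account numbers, timestamps and amounts are all invented here), flagging a deactivate, credit, reactivate sequence performed by a single agent on a single account within a short window.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log. The format (timestamp, key=value pairs),
# the agent IDs, account numbers and amounts are all invented for this example.
SAMPLE_LOG = """\
2001-03-05T09:12:04 agent=csr042 account=503-555-0111 action=DEACTIVATE
2001-03-05T09:12:40 agent=csr042 account=503-555-0111 action=CREDIT amount=250.00
2001-03-05T09:13:15 agent=csr042 account=503-555-0111 action=REACTIVATE
2001-03-05T10:30:00 agent=csr019 account=503-555-0122 action=CREDIT amount=15.00
2001-03-06T14:02:11 agent=csr007 account=503-555-0133 action=DEACTIVATE
2001-03-06T14:03:05 agent=csr007 account=503-555-0133 action=CREDIT amount=40.00
2001-03-08T08:00:00 agent=csr007 account=503-555-0133 action=REACTIVATE
2001-03-07T11:00:00 agent=csr042 account=503-555-0144 action=DEACTIVATE
2001-03-07T11:00:30 agent=csr055 account=503-555-0144 action=CREDIT amount=300.00
2001-03-07T11:01:00 agent=csr042 account=503-555-0144 action=REACTIVATE
"""


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts, *pairs = line.split()
    record = {"ts": datetime.fromisoformat(ts)}
    for pair in pairs:
        key, value = pair.split("=", 1)
        record[key] = value
    return record


def parse_log(text):
    """Parse every non-blank line of the log text."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_credit_cycles(records, max_seconds=3600, min_credit=0.0):
    """Flag DEACTIVATE -> CREDIT -> REACTIVATE on one account by one agent
    within max_seconds of the deactivation.

    Events on the account by any other agent are ignored, so a cycle split
    between two people is deliberately not reported by this rule (that needs
    a separate, collusion-oriented check). Returns one alert dict per cycle.
    """
    by_account = defaultdict(list)
    for record in records:
        by_account[record["account"]].append(record)

    alerts = []
    for account, events in by_account.items():
        events.sort(key=lambda r: r["ts"])
        for i, start in enumerate(events):
            if start["action"] != "DEACTIVATE":
                continue
            agent = start["agent"]
            credited = 0.0
            for event in events[i + 1:]:
                if (event["ts"] - start["ts"]).total_seconds() > max_seconds:
                    break  # reactivation too late to count as one quick cycle
                if event["agent"] != agent:
                    continue  # a second person touched the account; not this rule
                if event["action"] == "CREDIT":
                    credited += float(event.get("amount", "0"))
                elif event["action"] == "REACTIVATE":
                    if credited > min_credit:
                        alerts.append({
                            "account": account,
                            "agent": agent,
                            "credited": credited,
                            "deactivated": start["ts"],
                            "reactivated": event["ts"],
                        })
                    break  # cycle closed, whether or not it was worth flagging
    return alerts


if __name__ == "__main__":
    for alert in find_credit_cycles(parse_log(SAMPLE_LOG)):
        print(f"{alert['agent']} cycled {alert['account']} for "
              f"{alert['credited']:.2f} between {alert['deactivated']} "
              f"and {alert['reactivated']}")
```

On the sample log only the first account trips the default one-hour rule; the second account's reactivation comes two days later and the third account's credit was applied by a different agent. Both gaps are tuning decisions: widening the window or relaxing the same-agent requirement catches more, at the cost of more legitimate service events to review, which is exactly the kind of trade-off a monitoring program has to make explicitly rather than leave to whoever wrote the first rule.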
Getting the Details
Do you have a personnel policy that reflects your security requirements? Is that policy disseminated and enforced? There is a conflict of purpose between hiring managers and recruitment professionals: hiring managers want the right person for the position, recruiters want to work off their queue of requests. Couple that with a tight labor market and overwhelming project loads, and it becomes very easy for people to hide past experiences and misrepresent themselves. Even when references and backgrounds are checked, former managers are reluctant to tell the full story of an ex-employee's exploits for fear of lawsuits. So letting the wolf in the door has become increasingly common.
The answer is to develop a degree of experience and awareness within the corps of first-line supervisors and managers; the best security bastion is awareness and training. Once an offender is detected, a comprehensive, legally defensible plan needs to be enacted to document the transgression, isolate and cripple the offender's ability to cause further damage, and remove that person from the organization through the nearest exit.
Your organization may have the best network security possible, and if you take my rants about misplaced trust to heart, you may now be sensitized to inside jobs. But the next question is: Can someone just walk off with your servers? Checking the protocols your servers use and your staff's references is not enough; you're still open to attack. Site selection and planning come into play. Do you own the building in which you operate, or do you rent? Do you have a lock on the computer room, or a guard with an Uzi at the front door? Is admission to your site controlled or limited, and are all uncleared persons escorted?
The consequences of a security breach are grim--loss of revenue, damage to reputation, downtime, stolen intellectual property, lawsuits and so on. Any real-world assessment means examining every link of that chain of trust. You need to understand and question how each link is joined; miss one and that's where you're vulnerable.
Are you feeling like you should look over your shoulder every time you walk down the hall to the water cooler? Well, I'm sorry, but I don't have a silver bullet; I just wanted to get you thinking about a problem that we're facing as an industry. Vendors have found it easier to talk about security than to implement it. When they do talk about it, it's about security products they can sell you. What a surprise! In reality, personnel and physical security play a more important role than vendors or analysts care to admit. In the future, the problem will get worse. The economy will continue to expand, and the quality and quantity of talent will continue to shrink. This will expose more flaws in the hiring of staff and, thereby, present more opportunity for attack.
No matter the size of your organization or your budget, there are a few tenets of security that you can follow. On the physical security front, it's obvious: limit access to critical server infrastructure areas. Less obvious is the need for a clearly defined perimeter protected by a locking system that provides an audit trail. Areas within your facility should be categorized as open, controlled, limited or excluded access. Entry to and exit from controlled, limited and excluded access areas should be monitored by appropriately trained personnel with security clearance.
As for personnel practices, patience is a virtue: Hire the right person for the job rather than the first person who comes along. Practice due diligence when it comes to checking references and credentials, and foster a sense of partnership between HR and hiring managers. You also should create a security policy and "best practices" list targeted at first-line supervisors and HR. And finally, don't hide your dirty laundry. If security is breached, publicize it appropriately within your organization. Conduct an event analysis on what happened, find out what failed and figure out what you can do in the future to prevent it from ever happening again.
Brian Walsh is the founder of bwalsh.com, Portland, Ore., a networking and communications consulting firm specializing in Internet and client/server product strategies, development and testing. He can be reached at www.bwalsh.com.