Dan Kaufman, head of the Software Innovation Division for DARPA (Defense Advanced Research Projects Agency) was asked a question by Lesley Stahl of 60 Minutes (view 60 Minutes segment) “Can the Internet be fixed? Or do we just have to throw this one out and build a whole new Internet from scratch, with security built in?” His response was “I don’t think the Internet is broken. I think the things we put on the Internet are broken. What we’re doing is we’re putting a lotta devices on it that are unsecure.”
This is very true of the controls industry. However, the human element can and will undermine any security measure that is put in place. Even if every device on the internet were replaced with a highly secure, hardened one, we would still find a way to leave ourselves vulnerable.
So what is human patching…?
For the most part we all have varying degrees of understanding about what it means to patch a device, operating system, platform, etc. The basic definition is “…a piece of software designed to update a computer program or its supporting data, to fix or improve it. This includes fixing security vulnerabilities and other bugs, and improving the usability or performance.“
Human patching is a lot like the definition for devices, operating systems, platforms, etc. It is an updating of our thought processes, our habits, and how we view the security of our systems, replacing bad security habits with good ones. The problem is that all it takes is one “un-patched” human to defeat an entire company’s security measures. Patching “things” is much easier than patching humans, as you can imagine. You can’t just “patch” one person in your organization; you have to “patch” your company’s culture. This takes time.
What needs to be “patched”?
There is a lot of information on the web about changing human behavior as it relates to cyber security. You could spend days researching how to do this and it could leave you feeling overwhelmed. Like the saying goes, “you can’t eat the entire elephant in one bite”: you can’t patch your human workforce in one day. Okay… I hate to use a cliché, but here goes another one… Go after the low-hanging fruit first. Here are some of the “low-hanging fruit” you probably have in your organization.
- Realize that any data you possess needs to be protected.
- It is amazing how much information you would never think of as useful to an attacker can be used to gain access. So whether the information belongs to a customer, to your organization, or to yourself, lock it down.
- When you are not at your computer, lock it. At the very least, set a short screen-lock timeout that requires your password to unlock.
- Do not use passwords related to you, such as birthdays or the names of your spouse or children. Social engineers love it when you do.
- Enable the lock screen on your smart devices, preferably with a complex passcode.
- Do not share your usernames and passwords with anyone, and do not write them down.
- We all have tons of usernames and passwords we must remember in order to do our jobs. Research and adopt a password manager that keeps its vault strongly encrypted. Good password managers require a very strong, complex master password.
- If you are not 100% sure of the origin of an email, delete it.
- Do not open attachments unless you are 100% sure they are safe.
- Turn off “automatically download attachments.”
- Keep your operating system, browser, anti-virus and other critical software up to date with the latest patches and definitions.
- Do not give out personal information over the phone or in an email unless you are 100% sure of who is asking.
- Be suspicious. Social engineers use our trusting nature to get what they need.
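The password items in the list above (nothing related to you, nothing shared or written down, a strong master password for your password manager) are easy to state and hard to enforce by hand. The following Python script is an example added to this article, not code from the author or any product it mentions: it screens a candidate password the way a password policy or a password manager’s strength meter should, rejecting anything that contains the user’s name or birth date (including leetspeak spellings and the usual digit layouts of a date) or a blocklisted word. The name, date, blocklist and messages are constructed for illustration; a real deployment would check against a breached-password list rather than the five-word stand-in here.

```python
"""Screen a candidate password against personal information and a blocklist.

Example code added for this article. The names, dates, blocklist entries and
messages are constructed for illustration, not taken from any real system.
"""
import re
from datetime import date

# Common leetspeak substitutions, undone before matching so that
# "K4r3n" is still recognised as "karen".
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})
_SEPARATORS = re.compile(r"[\s._\-]")

# Tiny constructed blocklist; a real deployment would use a breached-password list.
BLOCKLIST = {"password", "welcome", "qwerty", "letmein", "admin"}


def normalize(pw: str):
    """Return (lowercase without separators, the same with leetspeak undone)."""
    raw = _SEPARATORS.sub("", pw.lower())
    return raw, raw.translate(_LEET)


def date_tokens(d: date) -> set:
    """Digit strings people build passwords from: year, MMDD/DDMM, and the
    six- and eight-digit layouts. Only four or more digits are used so a
    lone two-digit year does not trigger spurious matches."""
    yyyy, yy = f"{d.year:04d}", f"{d.year % 100:02d}"
    mm, dd = f"{d.month:02d}", f"{d.day:02d}"
    return {yyyy, mm + dd, dd + mm, mm + dd + yy, dd + mm + yy,
            mm + dd + yyyy, dd + mm + yyyy, yyyy + mm + dd}


def personal_tokens(names, dates) -> set:
    """Lowercase name parts (3+ characters) plus date layouts."""
    tokens = set()
    for name in names:
        for part in name.split():
            if len(part) >= 3:          # skip initials and short particles
                tokens.add(part.lower())
    for d in dates:
        tokens |= date_tokens(d)
    return tokens


def check_password(pw: str, names=(), dates=(), min_len: int = 12) -> list:
    """Return a list of problems; an empty list means the password passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    raw, deleet = normalize(pw)
    # Match against both forms: de-leeting recovers names ("K4r3n" -> "karen")
    # but destroys digit runs, so dates are only visible in the raw form.
    for tok in sorted(personal_tokens(names, dates)):
        if tok in raw or tok in deleet:
            problems.append(f"contains personal token {tok!r}")
    for word in sorted(BLOCKLIST):
        if word in raw or word in deleet:
            problems.append(f"contains blocklisted word {word!r}")
    return problems


if __name__ == "__main__":
    # Constructed user profile for the demonstration.
    me = dict(names=["Karen Smith"], dates=[date(1985, 7, 14)])
    for candidate in ["K4r3n_0714", "P@ssw0rd123!", "correct-horse-battery-staple"]:
        print(candidate, "->", check_password(candidate, **me) or "ok")
```

Run it as-is to see the three constructed candidates scored: the first is rejected for length, for the de-leeted name and for the birth date in MMDD form; the second passes the length rule but is caught by the blocklist once its substitutions are undone; the passphrase passes. The same function can sit behind an account-creation form or a password-manager master-password prompt, with the blocklist swapped for a full breached-password corpus.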
The controls industry has become safety aware through company culture. This didn’t happen overnight, and cyber awareness won’t either. Help create a culture of cyber awareness inside your organization. One cyber-aware person in the organization is not enough. It takes every person realizing they are as much a part of the solution as anyone else.