As a Security Architect, I spend most of my time thinking about cyber security. In fact most of the people I know in the I.T. industry must think about cyber security on some level every single day. They for the most part have at least a passing understanding of why cyber security is important — the basics of password security, how to avoid suspicious emails, you know, the nuts and bolts of user-level cyber security.
Recently, however, it has been brought glaringly to my attention that the average citizen just does not think about cyber security in those terms.
A few months ago I had a routine doctor’s appointment for my regular physical. After meeting with me for a few minutes, asking me questions and typing my answers into the networked PC in the exam room, the doctor left to go gather some information for me – leaving me alone in the exam room with the aforementioned PC.
The back of the screen had been facing me, so I could not see the screen he was typing on, but after he left something compelled me to take a peek. Just as I feared, he had left the screen wide open, failing to perform the standard <CTRL>–<ALT>–<DEL> sequence to lock the terminal. There were my private health records on the screen, and there in the upper right-hand corner was a search box prompting me to “Enter Patients Name”.
I of course took no nefarious actions, but went back to my seat and sat down. The doctor had left me alone with an open terminal, and the ability to type in any patient's name and see their private health records, too. And mind you, this particular doctor's office is part of a much larger Health and Wellness conglomerate that owns several of the largest hospitals in the area, and most of the smaller clinics and doctors' offices. As a result, 90% of the patients within a hundred miles of there were in that database.
Needless to say, when the doctor returned, I explained the oversight, and the requirements of HIPAA, etc. He did not seem impressed. “Are you kidding me?” he replied. “I would have to type in a password every time I sat down!”
Yes doctor. Yes, you would.
More recently, my wife and I traveled outside the country for some rest and relaxation. While stopping by the Concierge desk at our resort one morning, I noticed that the computer on the desk faced the public, was wide open to me, and had an unprotected Ethernet jack on the back of the monitor right there that I could easily get to.
I joked with my wife that all I needed was my laptop, and I would be on their internal network. She doubted me, so I dug a bit further while we waited. A quick scan of the lobby around us revealed security cameras pointed at the front door, at the elevators, and of course at the front desk across the room. They did not bother to point any cameras at the Concierge desk. Tourists going on excursions were apparently not a threat.
I decided that if somebody were to wander casually by this desk at, say, midnight or one in the morning, when the lobby was empty, and they appeared to be pausing to use the desk to access their laptop for a moment (a perfectly ordinary occurrence), they could then unplug the Ethernet cable from the back of that monitor and plug it into their laptop. They would be on the internal corporate network, behind the firewall, and not on the “public wireless”. They could do some network scanning for assets, plant a worm or other malware, and then be off. They could totally get away with it.
“Absolutely” I answered my wife. “I could get on and off their internal network, and they wouldn’t even know I had been there.” Again, I of course did no such thing in reality. But I could have.
These two incidents have gotten me thinking about cyber security for the general public, for those folks who don’t live and breathe cyber security like I do. We need to do a better job of educating the public, not just about their own passwords or the security of their home PCs (which is as far as most public cyber security information goes), but on the other ways that hackers can compromise an environment.
Simple things like locking a terminal when you step away – every time you step away. Or securing publicly accessible Ethernet jacks with tamper-proof housings. There are lots of things that small businesses and private citizens could do to improve their security.
- Ensure that all physical ingress points to your network (wall jacks, patch panels, devices in public areas) are properly secured.
- Implement Network Access Control whenever possible to prevent unknown devices from connecting to your network.
- Enforce a policy that encrypts all removable media (thumb drives, external SSDs, etc.).
- Educate your workforce with cyber security training, and repeat that training at regular intervals. There are numerous free online resources to do this.
- Enforce a policy that requires all sensitive data sent via email be encrypted.
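The first item on the list, the unlocked exam-room PC, is the one an administrator can fix without relying on anyone remembering Ctrl-Alt-Del. Windows has a machine-wide security policy, “Interactive logon: Machine inactivity limit”, that locks the session after a set number of idle seconds; it is backed by the `InactivityTimeoutSecs` DWORD under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`. The script below is an added example, not part of the original post: it reports whether a workstation has that limit set, and with `-Apply` enforces it. The 900-second target and the function names are assumptions chosen for this example.

```powershell
# Added example (not from the original post): audit and optionally enforce the
# Windows "Interactive logon: Machine inactivity limit" policy so a workstation
# locks itself after N idle seconds, whatever the user does with the screen saver.
# InactivityTimeoutSecs under the Policies\System key is the documented backing
# value for that policy. The 900 s (15 min) target is an assumption for this
# example; use the value your own policy requires.
[CmdletBinding()]
param(
    [int]$MaxIdleSeconds = 900,   # assumed target; not from the original post
    [switch]$Apply                # without -Apply the script only reports
)

$keyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$valueName = 'InactivityTimeoutSecs'

function Get-IdleLockSetting {
    # Returns the configured timeout in seconds, or $null if the policy is absent.
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$valueName
}

function Test-IdleLockCompliant {
    param($Seconds, [int]$Max)
    # An absent value or 0 means "never lock", so both count as non-compliant.
    if ($null -eq $Seconds -or $Seconds -le 0) { return $false }
    return ($Seconds -le $Max)
}

$current = Get-IdleLockSetting
if (Test-IdleLockCompliant -Seconds $current -Max $MaxIdleSeconds) {
    Write-Output "OK: machine locks after $current s idle (limit $MaxIdleSeconds s)."
    exit 0
}

$shown = if ($null -eq $current) { 'not configured' } else { "$current s" }
Write-Warning "Non-compliant: machine inactivity limit is $shown; expected 1-$MaxIdleSeconds s."

if ($Apply) {
    # Writing under HKLM requires an elevated (administrator) PowerShell session.
    if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    New-ItemProperty -Path $keyPath -Name $valueName -Value $MaxIdleSeconds `
        -PropertyType DWord -Force | Out-Null
    Write-Output "Set $valueName to $MaxIdleSeconds s; applies at next logon or policy refresh."
} else {
    exit 1
}
```

Run it as `.\Check-IdleLock.ps1` (assumed file name) to audit, or `.\Check-IdleLock.ps1 -Apply` from an elevated prompt to enforce. On a domain the same setting belongs in Group Policy under Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options, where it cannot be undone from the exam-room keyboard; the script is useful for spot-checking standalone machines or confirming the policy actually landed.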
I have put together a list of some good cyber security awareness training that is free, and available online. You can see the list here. Sometimes, remembering the little things can make the biggest difference.
Remember that cyber security is everyone’s responsibility!