OPSEC Lessons From The Courtroom Sidebar

Jury duty leads to interesting observations on courtroom technology and operational security practices
Last week, I experienced the jury selection process for the first time. Having watched plenty of TV shows and movies that involve courtroom scenes, I have to say it was a pretty exciting experience. As a geek, though, it was hard not to also be interested in all of the different electronic and computer technologies being used in the courtroom.

The state attorneys were on their laptops, the judge and court clerk were on their desktops, and microphones recorded everything said in the courtroom. Whenever things were "on the record," a plexiglass sign lit up to indicate the microphones were recording. All pretty basic stuff so far, until it was time for someone to approach the bench -- which happened numerous times due to the personal nature of many of the questions asked.

As a potential juror and attorneys from both sides approached the judge's bench to discuss a private matter, the judge hit a button that immediately began broadcasting white noise through speakers above the potential jurors sitting in the selection box and those sitting out in the general seating area. The effectiveness of the white noise was unnerving. While I'm sure they were speaking in soft voices at the bench, I was nevertheless in awe of the inability to hear what was going on. It was like a sudden denial-of-service attack against my auditory senses.

My childish sense of wonderment eventually faded, and I started looking around at other technology in the courtroom. I was surprised that the state attorneys do not use any type of privacy filter for their laptop screens. From my view on the selection panel, and most likely the first row in the general seating area, it was not hard to make out which applications were in use and read some of the text. I would think that the sensitivity of the data viewed on those laptops would warrant protections to prevent shoulder surfing, but maybe they've never thought about it.

To me, this is basic operational security. The attorneys should be aware of individuals nearby who could potentially see their screen and take precautions to ensure it doesn't happen. Now, it could be that based on the setting (i.e., the courtroom), there was no perceived threat of shoulder surfing. Maybe the attorneys would be much more aware in an environment like a coffee shop or sitting on a bench in the courthouse hallway. It's hard to say without questioning them directly.

As a penetration tester, I repeatedly see operational security issues in all different types of industries and environments. From coffee shops to cubicles, the only exception seems to be doctors' offices and individuals who deal specifically with medical records within their company; however, equally sensitive financial and personal information is not typically given the same level of discretion.

Maybe there was a risk assessment performed and someone decided that privacy filters weren't necessary. Or, more than likely, no one has thought about it. What if there had been security training and awareness for users that taught them about basic operational security with their laptops and tips on protecting sensitive data? Users would then be more likely to be aware of their surroundings and to take more care to shield their laptop screens from wandering eyes.

There are many out there who will say user awareness efforts are a waste of time, but that's typically because those people are doing it wrong. They do not engage users, empower them, or teach them something that they can take with them and use in their everyday lives.

Having designed an awareness program and taught it for nearly four years, I found that it was the last point that had the most impact on users. Just by including little tips and tricks the users could use at home to protect themselves and their kids, I saw them immediately become more engaged and interested in the content.

Obviously, getting users to care more about security is tough, but the author of the InformationWeek Report "Endpoint Security: Get Users to Care About Security" lays out a five-step program that can help organizations tailor their efforts to be more effective.

  1. Visit: Face-to-face meetings, brown bag lunches, and walkaround courtesy calls from security personnel help emphasize the importance and put a "face" on security.
  2. Appeal to Self-Interest: Show how the security training at work can apply directly to users' home lives, where malware and phishing can impact their personal and family environments.
  3. Stay Credible: Focus on customer service and being the strategic business technology provider.
  4. Post Propaganda: Partner with corporate communications or marketing to raise awareness as to why security matters; successful propaganda relies on fewer words, stronger images.
  5. Enlist Top Brass: Awareness programs fare better when there is buy-in from the top and leadership speaking about security beyond the usual "do and do not's" from IT security personnel.

Humans are by far one of the hardest resources to secure, yet they can be more effective than any technological control we put in place. Is security awareness hard? Yes. Is it useless? Only if you're doing it wrong.

John Sawyer is a Senior Security Analyst with InGuardians, Inc. The views and opinions expressed in this blog are his own and do not represent those of his employer. He can be reached at [email protected] and found on Twitter @johnhsawyer.
