Perimeter

2/25/2013
10:29 AM
John H. Sawyer
Commentary
OPSEC Lessons From The Courtroom Sidebar

Jury duty leads to interesting observations on courtroom technology and operational security practices

Last week, I experienced the jury selection process for the first time. Having watched plenty of TV shows and movies that involve courtroom scenes, I have to say it was a pretty exciting experience. As a geek, though, it was hard not to also be interested in all of the different electronic and computer technologies being used in the courtroom.

The state attorneys were on their laptops, the judge and court clerk were on their desktops, and microphones recorded everything said in the courtroom. Whenever things were "on the record," a plexiglass sign lit up to indicate the microphones were recording. All pretty basic stuff so far, until it was time for someone to approach the bench -- which happened numerous times due to the personal nature of many of the questions asked.

As a potential juror and attorneys from both sides approached the judge's bench to discuss a private matter, the judge hit a button that immediately began broadcasting white noise through speakers above the potential jurors sitting in the selection box and those sitting out in the general seating area. The effectiveness of the white noise was unnerving. While I'm sure they were speaking in soft voices at the bench, I was nevertheless in awe of the inability to hear what was going on. It was like a sudden denial-of-service attack against my auditory senses.

My childish sense of wonderment eventually faded, and I started looking around at other technology in the courtroom. I was surprised that the state attorneys do not use any type of privacy filter for their laptop screens. From my view on the selection panel, and most likely the first row in the general seating area, it was not hard to make out which applications were in use and read some of the text. I would think that sensitivity of the data viewed on those laptops would warrant protections to prevent shoulder surfing, but maybe they've never thought about it.

To me, this is basic operational security. The attorneys should be aware of individuals nearby who could potentially see their screen and take precautions to ensure it doesn't happen. Now, it could be that based on the setting (i.e., the courtroom), there was no perceived threat of shoulder surfing. Maybe the attorneys would be much more aware in an environment like a coffee shop or sitting on a bench in the courthouse hallway. It's hard to say without questioning them directly.

As a penetration tester, I repeatedly see operational security issues across all types of industries and environments. From coffee shops to cubicles, the only exception seems to be doctors' offices and individuals who deal specifically with medical records within their company; however, equally sensitive financial and personal information is not typically given the same level of discretion.

Maybe a risk assessment was performed and someone decided that privacy filters weren't necessary. More likely, no one has thought about it. What if there had been security training and awareness for users that taught them basic operational security with their laptops and tips on protecting sensitive data? There is a better chance that users would be more aware of their surroundings and take more care to shield their laptop screens from wandering eyes.

There are many out there who will say user awareness efforts are a waste of time, but that's typically because those people are doing it wrong. They do not engage users, empower them, or teach them something that they can take with them and use in their everyday lives.

Having designed an awareness program and taught it for nearly four years, I found that it was the last point that had the most impact on users. Just by including little tips and tricks the users could use at home to protect themselves and their kids, they immediately became more engaged and interested in the content.

Obviously, getting users to care more about security is tough, but the author of the InformationWeek Report "Endpoint Security: Get Users to Care About Security" lays out a five-step program that can help organizations tailor their efforts to be more effective.

  1. Visit: Face-to-face meetings, brown bag lunches, and walkaround courtesy calls from security personnel help emphasize the importance and put a "face" on security.
  2. Appeal to Self-Interest: Show how the security training at work can apply directly to users' home lives, where malware and phishing can impact their personal and family environments.
  3. Stay Credible: Focus on customer service and being the strategic business technology provider.
  4. Post Propaganda: Partner with corporate communications or marketing to raise awareness as to why security matters; successful propaganda relies on fewer words, stronger images.
  5. Enlist Top Brass: Awareness programs fare better when there is buy-in from the top and leadership speaks about security beyond the usual "do's and don'ts" from IT security personnel.

Humans are by far one of the hardest resources to secure, yet they can be more effective than any technological control we put in place. Is security awareness hard? Yes. Is it useless? Only if you're doing it wrong.

John Sawyer is a Senior Security Analyst with InGuardians, Inc. The views and opinions expressed in this blog are his own and do not represent those of his employer. He can be reached at [email protected] and found on Twitter @johnhsawyer.
