Lessons Learned While Performing 'Hands On' Teaching in a Live Environment

In West Virginia (WV) the county sheriff’s office is a central point of interaction between the local government and the people who are served by these elected officials. While law enforcement extends well beyond, this central point of contact, typically the county sheriff website, is not only a great starting point for the citizens to interact with local law enforcement, but also an entry point for potential illegal activities. The county sheriff’s offices websites in WV are also the central point for online payment of local taxes, thus making these sites a potential target for electronic misdeeds that would range from defacement to theft and potentially beyond. This study team examined the websites for the 55 counties of WV, in part as a classroom exercise, for potential vulnerabilities ranging from standard server scans to potential exposure through social media (SM) sites where information can be inferred. The majority of SM usage showed professional pages on LinkedIn and Facebook and newer SM sites were not used. The study findings suggest that an overwhelming majority have outsourced services to third party cloud service providers. Overall WV sheriff offices practice good cyber hygiene however, two areas of potential problems are in the duplicate IP addresses found in the cloud service providers shared servers, running multiple services with multiple tenants on the same physical server and the existence of legacy information. The study was neither comprehensive, nor intrusive in nature, but did serve to verify the security posture of the various counties sheriff offices allowing for a fingerprinting of a group of sites in the same industry allowing for a general overall view of security by sector in the public service space. The study also suggested the need for periodic re-checking suggesting a less intense degree, a practice that should be performed regularly in any secure architecture and acts as a public record for interested citizens. A final lesson from the class experience re-iterates the importance of proper scoping.