Cybersecurity and cybersafety threats abound. As a CTO, it's important to know what the right steps to take are to protect sensitive data and protect network integrity.
This page outlines some of the essential understandings Miguel Guhlin brings to the table when safeguarding the district, its schools, network, staff, and students.
HB2689 is considering language like this (04/01/2019):
- "The district ’s cybersecurity coordinator shall report to the agency any cyber attack, attempted cyber attack, or other cybersecurity incident against the district cyber infrastructure as soon as practicable after the discovery of the attack or incident."
1- Clarifying Vocabulary
There is a beguiling amount of jargon and vocabulary relevant to cybersecurity (systems and things) and cybersafety (people).
Let's explore this vocabulary in more detail.
- Cybersafety: The safe and responsible use of technology (Source), of which digital citizenship plays a key role
- Cyberbullying: Cyberbullying is bullying that takes place over digital devices like cell phones, computers, and tablets. Cyberbullying can occur through SMS, Text, and apps, or online in social media, forums, or gaming where people can view, participate in, or share content. Cyberbullying includes sending, posting, or sharing negative, harmful, false, or mean content about someone else. It can include sharing personal or private information about someone else causing embarrassment or humiliation. Some cyberbullying crosses the line into unlawful or criminal behavior (Source).
- Digital Citizenship: The self-monitored habits that sustain and improve the digital communities you enjoy or depend on (Source)
- Cybersecurity: Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. In a computing context, security includes both cybersecurity and physical security (Source)
- Content Filters: On the Internet, content filtering (also known as information filtering) is the use of a program to screen and exclude from access or availability Web pages or e-mail that is deemed objectionable (Source)
- Data Breach: A data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property (Source).
- Denial of Service (DOS)/Distributed Denial of Service (DDOS) Attack: A denial-of-service (DoS) is any type of attack where the attackers (hackers) attempt to prevent legitimate users from accessing the service. In a DoS attack, the attacker usually sends excessive messages asking the network or server to authenticate requests that have invalid return addresses (Source). In a DDoS attack, the incoming traffic flooding the victim originates from many different sources – potentially hundreds of thousands or more (Source).
- Firewall: Software/hardware that blocks external attacks from malicious attackers
- Malware: A catch-all term for malicious software targeting computers and mobile devices. 170M malware events in 2014 (Source).
- Personally Identifiable Information (PII): Personally identifiable information (PII), or sensitive personal information (SPI), as used in information security and privacy laws, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context (Source).
- Phishing: An attack that impersonate user(s) to obtain data access via email. Nearly 50% of users fall for this.
- Point of Sale (POS) Intrusion: An attack that targets a device transacting a sale. Account for 30% of data breaches.
- Ransomware: A form of malware in which rogue software code effectively holds a user's computer hostage until a "ransom" fee is paid. Ransomware often infiltrates a PC as a computer worm or Trojan horse that takes advantage of open security vulnerabilities (Source).
- Safe Harbor: The concept of “Safe Harbor” refers to specific actions, example; encryption of private data, that an individual or an organization can take to show a good-faith effort in complying with the law. This good-faith effort provides a person or organization “Safe Harbor” against prosecution under the law (Grama, 2015, pg.253). The State of Texas Statute 521.002 states that when a an individual’s first name or first initial and last name are combined with other private information, example, Social Security Number, that the information must be encrypted. (Source)
- Web App Attack: A web-based attack that relies on http/https protocol to target a website. Ten to twelve percent of data breaches occur as a result of this form of attack (2014) (Source).
2 - Action Steps You Can Take
Step 1 - Table Top Game - When Disaster Strikes
“It’s the processes and procedures, working with all the other customers. We have to get them to understand the importance of planning. One way is to do tabletop exercises to practice to see what we would do in the event of an event,” said Mark Gabehart (Round Rock ISD). As Mark’s voice filled the respectful silence as he spoke, his turn of phrase caught my ear. Whatever did he mean by “tabletop exercises?”
In this blog entry, we’ll discuss the value of tabletop exercises for cybersecurity, disaster recovery, and business continuity. You will also find a complete game that you as a technology leader can use right away.
Step 2 - Take Ten
Step 3 - Raise Awareness for End Users
Is There a Problem?
Are Your Personal Records CyberSecure?
Government agencies, businesses, hospitals and universities are the frequent targets of staggering data breaches that can affect millions of people. Two examples:
Individuals' personal information is scattered to unknown reaches of the globe.
Are IT Directors/CTOs/CIOs Keeping Student/Staff Cybersafe?
Experts say K-12 schools are also at risk — from outside threats and students who want to stir up trouble — as they rely more on technology for day-to-day operations and incorporate more software, apps, online programs and Web-based testing into classes.
“I don’t think there’s a school district in America that doesn’t have important digital assets sitting on a computer somewhere that needs to be protected,” said Michael Kaiser, executive director of the National Cybersecurity Alliance. “We know schools sometimes don’t like to report incidents. Responding right away and bringing in law enforcement should be encouraged.”
Adapted from Source: Cybersecurity in K-12 Education
Consequences for Schools
There can be various consequences to not securing data, such as the following:
- Direct costs are incurred by school districts for having to notify individuals whose confidential data has been compromised, as well as notify credit agencies.
- The cost of paying for credit protection for individuals affected.
- The school district may suffer damage to reputation.
- Staff may be disciplined or terminated depending on the severity of the data breach.
- Ongoing bad press as identity theft cases mount.
Step 4 - Collaborate with Admin to Set School Policy
Failed cybersecurity efforts represent a problem at large for society. The consequences are also felt in schools given improperly trained staff, students, and a lack of policies and procedures.
Cybersafety has a direct impact on the cybersecurity of an organization. The less cybersafe staff and students are, the greater the threat to personally identifiable information (PII).
Need more training and technical info?
Step 4 - Prepare for Anything
Cybersafety attacks (e.g. ransomware, hackers) may damage data so badly that you may need to implement a portion of your disaster recovery and business continuity plan.
When Disaster Strikes, the theme of the October 11, 2017 Technology Leadership Summit , garnered a variety of insights from participants. In this blog entry, we’ll explore the first two of five insights. These insights flow from the experience of Texas technology leaders and can help you prevent natural and man-made disasters from crushing your district’s operations.
Insight #1 – Cross-Departmental Collaboration
“Process. The process has to involve HR, Business Office, and M&O,” said David Jacobson (Lamar Consolidated ISD). The Executive Director of Technology for Round Rock ISD agreed. “It’s the processes and procedures, working with all the other customers. We have to get them to understand the importance of planning. One way is to do tabletop exercises to practice to see what we would do in the event of an event,” said Mark Gabehart (Round Rock ISD). In these situations, it is important to 1) recognize the need; 2) clarify the depth of the hole the organization is in; and 3) present a plan to never be in that hole again. Make sure your district has an equipment replacement plan. And that is then followed by a disaster recovery and business continuity plan.
Insight #2 – Disaster Recovery Planning Resources
“There are genuine resources out there to put plans together. It’s been frustrating to find resources, but now I know about various resources. We have a disaster recovery plan, but I didn’t realize how huge the business continuity plan was. How do we continue doing business?” It’s unsettling to realize that if you have no equipment to load all your backup data into and make it work, your district can’t overcome the disaster. What’s worse, the cost of recreating a network operations center (NOC) would be exorbitant, not to mention duplicating network/internet connections to district locations.
To help you think through these issues, here are a few documents shared at the Technology Leadership Summit:
- Michael Knight (CEO/CTO of Encore Technologies, TLS17 Event Sponsor) shared his slide deck on the topic, providing several snapshots documenting the evolution of disaster recovery from multiple NOCs to the hybrid cloud.
- Frosty Walker (Chief Information Security Officer of Texas Education Agency) shared his slide deck and other resources available at the Texas Gateway, including the DIR Incident Response Team redbook.
- Sample disaster recovery plan
- David Carpenter (Huffman ISD) on I’ve Been Hacked…Now What?
- Edward Doan (Google) provided his slide deck on Google Cloud Storage, as well as was able to record a short voxercast discussing the topic.
Insight #3 – Systems Approach and Assessment
Conducting a needs assessment remains a critical first step. Moving forward from that benchmark assessment can involve developing a design of how data flows in the district and how it can best be maintained, backed up, and set up for disaster recovery/business continuity.
Step 5 - Be Prepared for When, Not If
Encryption Safe Harbor
Did you know that if data is encrypted and a data breach occurs, you are not obligated to report it? This is the power of data encryption and can potentially spare the District from unnecessary litigation and expense. This is known as an encryption safe harbor. Texas defines a data breach in terms of sensitive personal information only if the data items are not encrypted (Source: Data Breach Charts, Baker-Hostetler).
What steps should you take when your school or district organization has been hacked?
- Create strong cybersecurity foundations: Invest in the basics, such as security intelligence, while innovating to stay ahead of the hackers.
- Undertake extreme pressure testing: Don’t rely on compliance alone; identify vulnerabilities to be able to outwit and outpace attackers.
- Invest in breakthrough innovation: Balance spend on new technologies, such as analytics and artificial intelligence, to scale value.
The Results of Poor Cybersecurity and Cybersafety
External USB Drive Containing PII Left in Car, Later Stolen
An April 19 car burglary resulted in the exposure of student information. An external hard drive containing letters associated with students who applied to the [name of campus removed] was stolen from a teacher's car. The letters contained applicant names, Social Security numbers, dates of birth, home addresses, phone numbers, and previous school district information.
Employee Posts Confidential Data on a Wiki
The District discovered that a number of employees had their names, Social Security numbers, disability plan information, and salary information available on a publicly accessible website. Employees who were enrolled for disability insurance had their information posted in April 2011 on the Employee Benefits/Risk Management website.
Students Hack District's Network Server
Instance #1: Two students may face criminal charges for hacking into the School District's network server and accessing a file with 14,500 student names and Social Security numbers. The students are a high school junior and a senior. Students who attended during the 2008-2009 school year may have been affected.
Instance #2: Hackers accessed a District server and were able to collect the personal information of students, teachers and other employees. There were names, Social Security numbers, and addresses from approximately 63,000 students and 9,000 teachers on the district's internal network (myepisd.org). The District was not aware of the breach until a computer security company noticed hackers bragging about breaking into the District's system. Names, ethnicity codes, and student ID numbers for 26 students were posted by hackers.
3 - Learn From Other's Experiences
Some cyber incidents at U.S. K–12 schools that Levin has tracked include
- phishing attacks that procure personal data;
- ransomware attacks;
- denial-of-service attacks;
- “other unauthorized disclosures, breaches or hacks” that disclose personal information; and
- other cyber incidents that have caused school disruptions or closures. (Source: THE Journal)
Protecting Your School Data
Securing Confidential Files for Transfer
If you are an IT Director, you may be called upon to transfer files in a secure manner. In school districts, there are several ways to accomplish that. Each way is briefly explored below and solutions offered.
1- Secure FTP Solutions (Automated)
This approach entails creating an encrypted conduit through which unencrypted files will be transferred from a server or your computer on a nightly basis. You will need to be able to automate this process and rely on a secure File Transfer Protocol (sFTP) solution or FTPs (read how sFTP is different from FTPs). This may entail you purchasing and implementing a secure FTP solution on a district server outside the firewall.
Server Side sFTP Solutions
Client Side sFTP Solutions
- WinSCP (other clients)
Some of the features most need include:
- Automating the transfer of files from one server to another
- Securing the files with encryption (e.g. GPG/PGP)
- Verification that files were sent and received
- Encrypted transfer of files
2-PGP/GPG File Encryption (Automated / Manual as needed)
Using a Pretty Good Privacy (PGP) or open source equivalent (GPG), such as OpenPGP Encryption Tool (GoAnywhere MFT for automated encryption). You can write scripts that automate this using PowerShell if on Windows or other solutions if on GNU/Linux or Mac. Exploring the use of scripting solutions for data encryption is beyond the scope of this webinar.
3-Virtual Private Network (VPN)
"A virtual private network extends a private network across a public network, and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network" (Wikipedia).
When we talk about using a VPN in a school setting, we're not discussing consumer-level VPN tools like those used for individual protection.
Some solutions in use in Texas schools:
Technology as Student Management Tool
Like many, if not all of you, I found myself spending way too much time on filtering issues. Block this, unblock that, getting teachers by-pass rights, etc. I finally just got fed up with all the time it was requiring. When I started looking at trends I realized we were using the filter as a student management tool and not for its intended purpose. Let me be very clear, we are still filtering and complying with CIPA and other mandates.
What we are NOT doing any longer, is blocking all the multitudes of other sites that might have inappropriate material. There are many sites, YouTube comes to mind, that have a lot of great educational material but also have content that is inappropriate at school.
If I block YouTube, then many of the school safe sites, like the browser Kidzui, Gaggle.net, and many others that use videos from YouTube, will not work. So, I did something drastic. I deleted the entire custom “blocked” sites in the filter. These are the sites that we add over time to the blocked library. There were literally thousands. The custom block library had become unmanageable. It was a total senseless mess....
The bottom line is that we are no longer using the filter as a student management device. We still block clearly inappropriate sites that have absolutely no educational value. The rest is up to proper monitoring and when that fails, treating the issue as a discipline issue, which it is. We have put the responsibility back on the teacher in the lab to monitor students effectively. Source: Texas Technology Director
This voluntary Framework consists of standards, guidelines, and best practices to manage cybersecurity-related risk. The Cybersecurity Framework’s prioritized, flexible, and cost-effective approach helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security. Watch a long video overview | Watch short video
MITRE ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. MITRE started this project in 2013 to document common tactics, techniques, and procedures (TTPs) that advanced persistent threats use against Windows enterprise networks.
The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. Watch video shown right to learn more.
Listen and Learn about MITRE's ATT&CK "CyberThreat Encyclopedia"
How Secure Is Your Email? Data?
- Have I Been Pwnd? OR Firefox Monitor
- How Secure is Your Password?
- Secure Password Generator
- Password managers: Keepass or Lastpass
- Turn On Two-Factor Authentication Tutorials
Protecting Confidential, Personally Identifiable Information (PII)
Personal Tip: Try Firefox Quantum with the Multi-Account Container, which allows you to group your browser cookies. This prevents one site from spying on you while you are looking at another (Facebook does this, as do many other sites). Try privacy add-ons, too.
Encryption+SecureFTP in Schools
Need to encrypt using public/private key encryption tools that are compatible with PGP/GPG? Consider GoAnywhere's Open PGP Studio for Windows, Mac, or GNU/Linux computers. GoAnywhere also offers a Secure File Transfer Protocol (FTP) solution.
Protect Yourself on the Go
Virtual Private Network (VPN)
"Virtual Private Networks provide an important element of privacy protection for users," Electronic Frontiers Association says. . .VPNs [are] one of the most effective tools for protecting privacy when using the Internet, due to the degree of anonymity they provide when accessing online services.
- Encrypted Files/Folders...
- Encrypted End to End Messaging via Your Computer: Signal
- Encrypted Email: ProtonMail.ch* via web or Thunderbird
- Virtual Private Network (VPN): Private Internet Access
- Browsers and Tools:
- Password Management: Keepass2
- File/Folder Shredding: Use File Shredder or Eraser
*Cost associated, usually approx. <=$50 annual
Mobile Phone (Android/iOS)
- Encrypted End to End Messaging: Signal
- Encrypted Files: Secure Space Encryptor app
- Encrypted Email: ProtonMail.ch*
- Virtual Private Network: Private Internet Access*
- Search Engine/Secure browser: Duck Duck Go
- Block RoboCallers/Spammers: Hiya
- Password Management: KeepassDroid
- Check vulnerabilities on your phone: NYC Secure
*Cost associated, usually approx. <=$50 annual
When Will I Use This in the Real World?
This is a question you will get. Make sure you keep your response simple and make it a requirement of dealing with sensitive data.
- Avoid embarrassment and high-cost of identity theft protection for students and staff. Texas Safe Harbor law protects organization that encrypt data should that data be lost or stolen.
- Avoid sending decrypted confidential information via email or as email attachments. Phishing attacks can compromise users' accounts and spread to all quickly via email groups (a.k.a. distribution lists). Decrypted data on compromised accounts can be a treasure trove and lead to costly issues. Encrypted email attachments are no big deal on a stolen smartphone, tablet or laptop. Decrypted email attachments or files on stolen devices puts the district at risk for liability and lawsuits.
- Avoid saving decrypted files to portable devices (e.g. laptops, tablets) and/or storage media (e.g. USB flash drives, pendrives, sticks, hard drives).
- Always encrypt sensitive data before sending it to a third party solution provider. Negotiate up front, over the phone how you will encrypt data and come up with a solid password to use. If data is transferred from a server, encrypt it FIRST before placing it on the server, then use Secure FTP to transfer it. An alternate approach is to grant the 3rd party solution provider Virtual Private Network (VPN) access to a specific device. This may be easier since you can setup a network share, a mapped drive, to make it simpler to create and share files quickly. Again, it is better to encrypt than to have decrypted files at rest on an intranet server.
- NEVER place decrypted sensitive files online on an internet server and/or in cloud storage.