Cybersafety & Security

Session Description

Cybersecurity and cybersafety threats abound. As a CTO, have you taken the right steps and obtained the knowledge needed to protect the integrity of your district network? In this session, you will achieve essential understandings for safeguarding your school, your network, staff, and students.

Goals

TechAdmin: Cybersafety & Security

1- Clarifying Vocabulary

There is a bewildering amount of jargon and vocabulary relevant to cybersecurity (systems and things) and cybersafety (people).

Let's explore this vocabulary in more detail.

Cybersafety

  1. Cybersafety: The safe and responsible use of technology (Source), in which digital citizenship plays a key role
    1. Cyberbullying: Cyberbullying is bullying that takes place over digital devices like cell phones, computers, and tablets. Cyberbullying can occur through SMS, Text, and apps, or online in social media, forums, or gaming where people can view, participate in, or share content. Cyberbullying includes sending, posting, or sharing negative, harmful, false, or mean content about someone else. It can include sharing personal or private information about someone else causing embarrassment or humiliation. Some cyberbullying crosses the line into unlawful or criminal behavior (Source).
    2. Digital Citizenship: The self-monitored habits that sustain and improve the digital communities you enjoy or depend on (Source)

Cybersecurity

  1. Cybersecurity: Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. In a computing context, security includes both cybersecurity and physical security (Source)
    1. Content Filters: On the Internet, content filtering (also known as information filtering) is the use of a program to screen and exclude from access or availability Web pages or e-mail that is deemed objectionable (Source)
    2. Data Breach: A data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property (Source).
    3. Denial of Service (DOS)/Distributed Denial of Service (DDOS) Attack: A denial-of-service (DoS) is any type of attack where the attackers (hackers) attempt to prevent legitimate users from accessing the service. In a DoS attack, the attacker usually sends excessive messages asking the network or server to authenticate requests that have invalid return addresses (Source). In a DDoS attack, the incoming traffic flooding the victim originates from many different sources – potentially hundreds of thousands or more (Source).
    4. Firewall: Software/hardware that blocks external attacks from malicious attackers
    5. Malware: A catch-all term for malicious software targeting computers and mobile devices. There were 170M malware events in 2014 (Source).
    6. Personally Identifiable Information (PII): Personally identifiable information (PII), or sensitive personal information (SPI), as used in information security and privacy laws, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context (Source).
    7. Phishing: An attack that impersonates user(s) to obtain data access via email. Nearly 50% of users fall for this.
    8. Point of Sale (POS) Intrusion: An attack that targets a device transacting a sale. These account for 30% of data breaches.
    9. Ransomware: A form of malware in which rogue software code effectively holds a user's computer hostage until a "ransom" fee is paid. Ransomware often infiltrates a PC as a computer worm or Trojan horse that takes advantage of open security vulnerabilities (Source).
    10. Safe Harbor: The concept of “Safe Harbor” refers to specific actions (for example, encryption of private data) that an individual or an organization can take to show a good-faith effort in complying with the law. This good-faith effort provides a person or organization “Safe Harbor” against prosecution under the law (Grama, 2015, pg. 253). The State of Texas Statute 521.002 states that when an individual’s first name or first initial and last name are combined with other private information (for example, a Social Security number), the information must be encrypted. (Source)
    11. Web App Attack: A web-based attack that relies on the HTTP/HTTPS protocol to target a website. Ten to twelve percent of data breaches occur as a result of this form of attack (2014) (Source).

Did You Know?

Free cybersecurity webinars available via the Texas Education Agency's Frosty Walker

The Texas Education Agency features CyberSecurity webinars. The webinars are presented by Frosty Walker, Chief Information Security Officer at the Texas Education Agency. Here are two of the multiple webinars offered online.

2 - Action Steps You Can Take

Step 1 - Table Top Game - When Disaster Strikes

Disaster Recovery Project Cards

The Game

“It’s the processes and procedures, working with all the other customers. We have to get them to understand the importance of planning. One way is to do tabletop exercises to practice to see what we would do in the event of an event,” said Mark Gabehart (Round Rock ISD). As Mark’s voice filled the respectful silence, his turn of phrase caught my ear. Whatever did he mean by “tabletop exercises?”

In this blog entry, we’ll discuss the value of tabletop exercises for cybersecurity, disaster recovery, and business continuity. You will also find a complete game that you as a technology leader can use right away.

Step 2 - Take Ten

Step 3 - Raise Awareness for End Users

Is There a Problem?

Are Your Personal Records CyberSecure?

Government agencies, businesses, hospitals and universities are the frequent targets of staggering data breaches that can affect millions of people. Two examples:

Individuals' personal information is scattered to unknown reaches of the globe.

Are IT Directors/CTOs/CIOs Keeping Student/Staff Cybersafe?

Experts say K-12 schools are also at risk — from outside threats and students who want to stir up trouble — as they rely more on technology for day-to-day operations and incorporate more software, apps, online programs and Web-based testing into classes.

“I don’t think there’s a school district in America that doesn’t have important digital assets sitting on a computer somewhere that needs to be protected,” said Michael Kaiser, executive director of the National Cybersecurity Alliance. “We know schools sometimes don’t like to report incidents. Responding right away and bringing in law enforcement should be encouraged.”

Adapted from Source: Cybersecurity in K-12 Education

Consequences for Schools

There can be various consequences to not securing data, such as the following:

  • Direct costs are incurred by school districts for having to notify individuals whose confidential data has been compromised, as well as notify credit agencies.
  • The cost of paying for credit protection for individuals affected.
  • The school district may suffer damage to reputation.
  • Staff may be disciplined or terminated depending on the severity of the data breach.
  • Ongoing bad press as identity theft cases mount.

Step 4 - Collaborate with Admin to Set School Policy

Failed cybersecurity efforts represent a problem for society at large. The consequences are also felt in schools, given improperly trained staff and students and a lack of policies and procedures.

Cybersafety has a direct impact on the cybersecurity of an organization. The less cybersafe staff and students are, the greater the threat to personally identifiable information (PII).

Need more training and technical info?

Step 4 - Prepare for Anything

Cybersafety attacks (e.g. ransomware, hackers) may damage data so badly that you may need to implement a portion of your disaster recovery and business continuity plan.

When Disaster Strikes, the theme of the October 11, 2017 Technology Leadership Summit, garnered a variety of insights from participants. In this blog entry, we’ll explore the first two of five insights. These insights flow from the experience of Texas technology leaders and can help you prevent natural and man-made disasters from crushing your district’s operations.

Insight #1 – Cross-Departmental Collaboration

“Process. The process has to involve HR, Business Office, and M&O,” said David Jacobson (Lamar Consolidated ISD). The Executive Director of Technology for Round Rock ISD agreed. “It’s the processes and procedures, working with all the other customers. We have to get them to understand the importance of planning. One way is to do tabletop exercises to practice to see what we would do in the event of an event,” said Mark Gabehart (Round Rock ISD). In these situations, it is important to 1) recognize the need; 2) clarify the depth of the hole the organization is in; and 3) present a plan to never be in that hole again. Make sure your district has an equipment replacement plan. And that is then followed by a disaster recovery and business continuity plan.

TCEA_Disaster Recovery and Business Continuance - Not an Either Or.pdf

Insight #2 – Disaster Recovery Planning Resources

“There are genuine resources out there to put plans together. It’s been frustrating to find resources, but now I know about various resources. We have a disaster recovery plan, but I didn’t realize how huge the business continuity plan was. How do we continue doing business?” It’s unsettling to realize that if you have no equipment to load all your backup data into and make it work, your district can’t overcome the disaster. What’s worse, the cost of recreating a network operations center (NOC) would be exorbitant, not to mention duplicating network/internet connections to district locations.

To help you think through these issues, here are a few documents shared at the Technology Leadership Summit:

Insight #3 – Systems Approach and Assessment

Conducting a needs assessment remains a critical first step. Moving forward from that benchmark assessment can involve developing a design of how data flows in the district and how it can best be maintained, backed up, and set up for disaster recovery/business continuity.

More detailed suggestions, as well as additional insights, appear in the two-part blog entry, "When Disaster Strikes." Read Part 1 and Part 2. You are strongly encouraged to review them in more detail since they capture CTOs' wisdom.

Step 5 - Be Prepared for When, Not If

Hacked_Now_What.pdf

Encryption Safe Harbor

Did you know that if data is encrypted and a data breach occurs, you are not obligated to report it? This is the power of data encryption and can potentially spare the District from unnecessary litigation and expense. This is known as an encryption safe harbor. Texas defines a data breach in terms of sensitive personal information only if the data items are not encrypted (Source: Data Breach Charts, Baker-Hostetler).

What steps should you take when your school or district organization has been hacked?

  • Contain
  • Assess
  • Recover
  • Disclose

Recommendations

  1. Create strong cybersecurity foundations: Invest in the basics, such as security intelligence, while innovating to stay ahead of the hackers.
  2. Undertake extreme pressure testing: Don’t rely on compliance alone; identify vulnerabilities to be able to outwit and outpace attackers.
  3. Invest in breakthrough innovation: Balance spend on new technologies, such as analytics and artificial intelligence, to scale value.

Source: Accenture, 2017 Cost of Cyber-Crime Report

The Results of Poor Cybersecurity and Cybersafety

The following represent case studies for Texas school districts that suffered a data breach during the 2011-2013 calendar years. See more up-to-date data breach reports online at Privacy Rights.

External USB Drive Containing PII Left in Car, Later Stolen

An April 19 car burglary resulted in the exposure of student information. An external hard drive containing letters associated with students who applied to the [name of campus removed] was stolen from a teacher's car. The letters contained applicant names, Social Security numbers, dates of birth, home addresses, phone numbers, and previous school district information.

Employee Posts Confidential Data on a Wiki

The District discovered that a number of employees had their names, Social Security numbers, disability plan information, and salary information available on a publicly accessible website. Employees who were enrolled for disability insurance had their information posted in April 2011 on the Employee Benefits/Risk Management website.

Students Hack District's Network Server

Instance #1: Two students may face criminal charges for hacking into the School District's network server and accessing a file with 14,500 student names and Social Security numbers. The students are a high school junior and a senior. Students who attended during the 2008-2009 school year may have been affected.

Instance #2: Hackers accessed a District server and were able to collect the personal information of students, teachers and other employees. There were names, Social Security numbers, and addresses from approximately 63,000 students and 9,000 teachers on the district's internal network (myepisd.org). The District was not aware of the breach until a computer security company noticed hackers bragging about breaking into the District's system. Names, ethnicity codes, and student ID numbers for 26 students were posted by hackers.

If your school hasn't thought about cybersecurity as a growing concern, it's time to learn what the threats are and what you should be doing to keep your school, and its data, protected.

3 - Learn From Others' Experiences

Directions

  1. Pick ONE video to watch.
  2. Watch the video.
  3. In the chat, share the link to the video you watched. Then, share your thoughts about the situation. How would YOU have handled it differently?

Doug Levin has been tracking the publicly disclosed K–12 incidents on a color-coded map on his website, edtechstrategies.com. His sources include media reports, DataBreaches.net and the Privacy Rights Clearinghouse.

Some cyber incidents at U.S. K–12 schools that Levin has tracked include

  • phishing attacks that procure personal data;
  • ransomware attacks;
  • denial-of-service attacks;
  • “other unauthorized disclosures, breaches or hacks” that disclose personal information; and
  • other cyber incidents that have caused school disruptions or closures. (Source: THE Journal)

Reflect - What's YOUR Cybersafety & CyberSecurity Response Plan?

Below, please find a variety of scenarios that detail actual events that took place in K-12 schools or districts.

Share YOUR response to a scenario. Your 3-5 minute response may take the form of a short video presentation (short! 3 minutes max).

Note: Instead of speaking into the camera, you can also make your own screencast and upload it. Supported video formats include MP4, MOV and WEBM. Maximum file size is 250MB.

Safeguarding Sensitive Data

A sample presentation addressing a scenario. Feel free to add your own twist.

Scenarios for Assignment

Respond to one of the scenarios below via Flipgrid or view a news story appropriate for K-12 education.

Scenario #1: Teacher Password

A teacher has written down his login information to the new student information system on a sticky note and put it on his desk. While he is gone, a couple of students discover the note. They then use the teacher’s login to access the system after hours and change students’ grades. Additionally, since the teacher used the same password on other internal systems, the students were also able to access other systems with sensitive employee data, including Social Security numbers and other private information.

Did You Know?

Passwords are growing increasingly complex and difficult to make secure. Encourage users to develop secure passwords they can remember. Also, use a password keeper (e.g. KeePass, LastPass, Dashlane). Learn more here.

Scenario #2 - External Drive

“John,” began Liz, the PEIMS Data Clerk at the high school. Tears started to stream down her face. “I saved some work out of iTCCS to take home and analyze last night onto my USB drive. This morning, when I went to pick up my coffee from Starbucks, I think it fell out of my purse while I was paying. I can’t find it and I’ve looked everywhere.”

Liz paused, then said, “I had the entire freshman class’ data on it in an encrypted file. What do I do?”

Did You Know?

USB drives are an interesting attack vector. Better to encrypt any data before you place it on a USB drive. Also, be aware of picking up "stranger" USB drives. Learn more here.

Scenario #3 - Emailed File

When Melodie, an elementary school principal, opened her email on her phone, she saw that Jake had sent her the Excel spreadsheet with student names, IDs, addresses and much more for her campus. She quickly opened the file in her phone’s Excel viewer. She ignored that a copy of the file was saved somewhere on her phone. Satisfied she had received the correct information, she forwarded the email with attachment to her secretary to begin processing for the mail merge to send custom flyers to parents.


Did You Know?

A company, KnowBe4, provides phishing protection for schools. Other companies provide G Suite and Microsoft Office 365 protection. Learn more here.

Scenario #4 - Open workstation

Mark, a Middle School counselor, has been working all morning on several spreadsheets, combining assessment data and student personal information to facilitate some informational and intervention reports. He is called to the principal’s office for a discipline concern.

To ensure that everything stays just the way it is on his computer, he walks away without logging out or locking his screen. A few minutes later, the school secretary encourages two students to wait in Mark’s office for his return. The two students notice the open screen and begin to smile.

Did You Know?

Want to lock your computer? On Windows, press the Windows flag key (left side of your keyboard) AND the "L" key on your keyboard. On Mac, simultaneously press the following keys: Control + Shift + Eject. Learn more here.

Scenario #5 - Paper

“I just need a quick print-out so I have something I can reference in my hand,” Jill exclaimed. As Darlene printed out the report from iTCCS, she promised to put the document in Dropbox so Jill could get to it more easily. Jill dropped the sheaf of papers into her briefcase and ran out the door.

“Maybe,” she thought to herself, “I’ll have time to stop at HEB on the way home tonight, get a good night’s sleep so I’ll be fresh for this data presentation tomorrow morning.” She looked at her briefcase, carefully locking it in the trunk and casually throwing a blanket on top of it, just in case.

Did You Know?

Are you wondering about an easy way to encrypt data in cloud storage locations like Dropbox, OneDrive, and Google Drive? There are a variety of solutions. Also, some prefer to store all confidential data in an encrypted cloud space (OneHub). Learn more here.