Cybersecurity and cybersafety threats abound. As a CTO, have you taken the right steps and obtained the knowledge needed to protect the integrity of your district network? In this session, you will have achieve essential understandings for safeguarding your school, your network, staff, and students.
1- Clarifying Vocabulary
There is a beguiling amount of jargon and vocabulary relevant to cybersecurity (systems and things) and cybersafety (people).
Let's explore this vocabulary in more detail.
- Cybersafety: The safe and responsible use of technology (Source), of which digital citizenship plays a key role
- Cyberbullying: Cyberbullying is bullying that takes place over digital devices like cell phones, computers, and tablets. Cyberbullying can occur through SMS, Text, and apps, or online in social media, forums, or gaming where people can view, participate in, or share content. Cyberbullying includes sending, posting, or sharing negative, harmful, false, or mean content about someone else. It can include sharing personal or private information about someone else causing embarrassment or humiliation. Some cyberbullying crosses the line into unlawful or criminal behavior (Source).
- Digital Citizenship: The self-monitored habits that sustain and improve the digital communities you enjoy or depend on (Source)
- Cybersecurity: Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. In a computing context, security includes both cybersecurity and physical security (Source)
- Content Filters: On the Internet, content filtering (also known as information filtering) is the use of a program to screen and exclude from access or availability Web pages or e-mail that is deemed objectionable (Source)
- Data Breach: A data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property (Source).
- Denial of Service (DOS)/Distributed Denial of Service (DDOS) Attack: A denial-of-service (DoS) is any type of attack where the attackers (hackers) attempt to prevent legitimate users from accessing the service. In a DoS attack, the attacker usually sends excessive messages asking the network or server to authenticate requests that have invalid return addresses (Source). In a DDoS attack, the incoming traffic flooding the victim originates from many different sources – potentially hundreds of thousands or more (Source).
- Firewall: Software/hardware that blocks external attacks from malicious attackers
- Malware: A catch-all term for malicious software targeting computers and mobile devices. 170M malware events in 2014 (Source).
- Personally Identifiable Information (PII): Personally identifiable information (PII), or sensitive personal information (SPI), as used in information security and privacy laws, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context (Source).
- Phishing: An attack that impersonate user(s) to obtain data access via email. Nearly 50% of users fall for this.
- Point of Sale (POS) Intrusion: An attack that targets a device transacting a sale. Account for 30% of data breaches.
- Ransomware: A form of malware in which rogue software code effectively holds a user's computer hostage until a "ransom" fee is paid. Ransomware often infiltrates a PC as a computer worm or Trojan horse that takes advantage of open security vulnerabilities (Source).
- Safe Harbor: The concept of “Safe Harbor” refers to specific actions, example; encryption of private data, that an individual or an organization can take to show a good-faith effort in complying with the law. This good-faith effort provides a person or organization “Safe Harbor” against prosecution under the law (Grama, 2015, pg.253). The State of Texas Statute 521.002 states that when a an individual’s first name or first initial and last name are combined with other private information, example, Social Security Number, that the information must be encrypted. (Source)
- Web App Attack: A web-based attack that relies on http/https protocol to target a website. Ten to twelve percent of data breaches occur as a result of this form of attack (2014) (Source).
Did You Know?
Free cybersecurity webinars available via the Texas Education Agency's Frosty Walker
The Texas Education Agency features CyberSecurity webinars. The webinars are presented by Frosty Walker, Chief Information Security Officer at the Texas Education Agency. Here are two of the multiple webinars offered online.
2 - Action Steps You Can Take
Step 1 - Table Top Game - When Disaster Strikes
“It’s the processes and procedures, working with all the other customers. We have to get them to understand the importance of planning. One way is to do tabletop exercises to practice to see what we would do in the event of an event,” said Mark Gabehart (Round Rock ISD). As Mark’s voice filled the respectful silence as he spoke, his turn of phrase caught my ear. Whatever did he mean by “tabletop exercises?”
In this blog entry, we’ll discuss the value of tabletop exercises for cybersecurity, disaster recovery, and business continuity. You will also find a complete game that you as a technology leader can use right away.
Step 2 - Take Ten
Step 3 - Raise Awareness for End Users
Is There a Problem?
Are Your Personal Records CyberSecure?
Government agencies, businesses, hospitals and universities are the frequent targets of staggering data breaches that can affect millions of people. Two examples:
Individuals' personal information is scattered to unknown reaches of the globe.
Are IT Directors/CTOs/CIOs Keeping Student/Staff Cybersafe?
Experts say K-12 schools are also at risk — from outside threats and students who want to stir up trouble — as they rely more on technology for day-to-day operations and incorporate more software, apps, online programs and Web-based testing into classes.
“I don’t think there’s a school district in America that doesn’t have important digital assets sitting on a computer somewhere that needs to be protected,” said Michael Kaiser, executive director of the National Cybersecurity Alliance. “We know schools sometimes don’t like to report incidents. Responding right away and bringing in law enforcement should be encouraged.”
Adapted from Source: Cybersecurity in K-12 Education
Consequences for Schools
There can be various consequences to not securing data, such as the following:
- Direct costs are incurred by school districts for having to notify individuals whose confidential data has been compromised, as well as notify credit agencies.
- The cost of paying for credit protection for individuals affected.
- The school district may suffer damage to reputation.
- Staff may be disciplined or terminated depending on the severity of the data breach.
- Ongoing bad press as identity theft cases mount.
Step 4 - Collaborate with Admin to Set School Policy
Failed cybersecurity efforts represent a problem at large for society. The consequences are also felt in schools given improperly trained staff, students, and a lack of policies and procedures.
Cybersafety has a direct impact on the cybersecurity of an organization. The less cybersafe staff and students are, the greater the threat to personally identifiable information (PII).
Need more training and technical info?
Step 4 - Prepare for Anything
Cybersafety attacks (e.g. ransomware, hackers) may damage data so badly that you may need to implement a portion of your disaster recovery and business continuity plan.
When Disaster Strikes, the theme of the October 11, 2017 Technology Leadership Summit , garnered a variety of insights from participants. In this blog entry, we’ll explore the first two of five insights. These insights flow from the experience of Texas technology leaders and can help you prevent natural and man-made disasters from crushing your district’s operations.
Insight #1 – Cross-Departmental Collaboration
“Process. The process has to involve HR, Business Office, and M&O,” said David Jacobson (Lamar Consolidated ISD). The Executive Director of Technology for Round Rock ISD agreed. “It’s the processes and procedures, working with all the other customers. We have to get them to understand the importance of planning. One way is to do tabletop exercises to practice to see what we would do in the event of an event,” said Mark Gabehart (Round Rock ISD). In these situations, it is important to 1) recognize the need; 2) clarify the depth of the hole the organization is in; and 3) present a plan to never be in that hole again. Make sure your district has an equipment replacement plan. And that is then followed by a disaster recovery and business continuity plan.
Insight #2 – Disaster Recovery Planning Resources
“There are genuine resources out there to put plans together. It’s been frustrating to find resources, but now I know about various resources. We have a disaster recovery plan, but I didn’t realize how huge the business continuity plan was. How do we continue doing business?” It’s unsettling to realize that if you have no equipment to load all your backup data into and make it work, your district can’t overcome the disaster. What’s worse, the cost of recreating a network operations center (NOC) would be exorbitant, not to mention duplicating network/internet connections to district locations.
To help you think through these issues, here are a few documents shared at the Technology Leadership Summit:
- Michael Knight (CEO/CTO of Encore Technologies, TLS17 Event Sponsor) shared his slide deck on the topic, providing several snapshots documenting the evolution of disaster recovery from multiple NOCs to the hybrid cloud.
- Frosty Walker (Chief Information Security Officer of Texas Education Agency) shared his slide deck and other resources available at the Texas Gateway, including the DIR Incident Response Team redbook.
- Sample disaster recovery plan
- David Carpenter (Huffman ISD) on I’ve Been Hacked…Now What?
- Edward Doan (Google) provided his slide deck on Google Cloud Storage, as well as was able to record a short voxercast discussing the topic.
Insight #3 – Systems Approach and Assessment
Conducting a needs assessment remains a critical first step. Moving forward from that benchmark assessment can involve developing a design of how data flows in the district and how it can best be maintained, backed up, and set up for disaster recovery/business continuity.
Step 5 - Be Prepared for When, Not If
Encryption Safe Harbor
Did you know that if data is encrypted and a data breach occurs, you are not obligated to report it? This is the power of data encryption and can potentially spare the District from unnecessary litigation and expense. This is known as an encryption safe harbor. Texas defines a data breach in terms of sensitive personal information only if the data items are not encrypted (Source: Data Breach Charts, Baker-Hostetler).
What steps should you take when your school or district organization has been hacked?
- Create strong cybersecurity foundations: Invest in the basics, such as security intelligence, while innovating to stay ahead of the hackers.
- Undertake extreme pressure testing: Don’t rely on compliance alone; identify vulnerabilities to be able to outwit and outpace attackers.
- Invest in breakthrough innovation: Balance spend on new technologies, such as analytics and artificial intelligence, to scale value.
The Results of Poor Cybersecurity and Cybersafety
External USB Drive Containing PII Left in Car, Later Stolen
An April 19 car burglary resulted in the exposure of student information. An external hard drive containing letters associated with students who applied to the [name of campus removed] was stolen from a teacher's car. The letters contained applicant names, Social Security numbers, dates of birth, home addresses, phone numbers, and previous school district information.
Employee Posts Confidential Data on a Wiki
The District discovered that a number of employees had their names, Social Security numbers, disability plan information, and salary information available on a publicly accessible website. Employees who were enrolled for disability insurance had their information posted in April 2011 on the Employee Benefits/Risk Management website.
Students Hack District's Network Server
Instance #1: Two students may face criminal charges for hacking into the School District's network server and accessing a file with 14,500 student names and Social Security numbers. The students are a high school junior and a senior. Students who attended during the 2008-2009 school year may have been affected.
Instance #2: Hackers accessed a District server and were able to collect the personal information of students, teachers and other employees. There were names, Social Security numbers, and addresses from approximately 63,000 students and 9,000 teachers on the district's internal network (myepisd.org). The District was not aware of the breach until a computer security company noticed hackers bragging about breaking into the District's system. Names, ethnicity codes, and student ID numbers for 26 students were posted by hackers.
3 - Learn From Other's Experiences
Some cyber incidents at U.S. K–12 schools that Levin has tracked include
- phishing attacks that procure personal data;
- ransomware attacks;
- denial-of-service attacks;
- “other unauthorized disclosures, breaches or hacks” that disclose personal information; and
- other cyber incidents that have caused school disruptions or closures. (Source: THE Journal)
Reflect - What's YOUR Cybersafety & CyberSecurity Response Plan?
Below, please find a variety of scenarios that detail actual events that took place in K-12 schools or districts.
Share YOUR response to a scenario. Your 3-5 minute response may take the form of a short video presentation (short! 3 minutes max).
Note: Instead of speaking into the camera, you can also make your own screencast and upload it. Supported video formats include MP4, MOV and WEBM video formats. Maximum file size is 250MB.
A sample presentation addressing a scenario. Feel free to add your own twist.
Scenarios for Assignment
Scenario #1: Teacher Password
A teacher has written down his login information to the new student information system on a sticky note and put it on his desk. While he is gone, a couple of students discover the note. They then use the teacher’s login to access the system after hours and change students’ grades. Additionally, since the teacher used the same password on other internal systems, the students were also able to access other systems with sensitive employee data, including Social Security numbers and other private information.
Scenario #2 - External Drive
“John,” began Liz, the PEIMS Data Clerk at the high school. Tears started to stream down her face. “I saved some work out of iTCCS to take home and analyze last night onto my USB drive. This morning, when I went to pick up my coffee from Starbucks, I think it fell out of my purse while I was paying. I can’t find it and I’ve looked everywhere.”
Liz paused then said, “I had the entire freshman class’ data on in an encrypted file. What do I do?”
Scenario #3 - Emailed File
When Melodie, an elementary school principal, opened her email on her phone, she saw that Jake had sent her the Excel spreadsheet with student names, IDs, addresses and much more for her campus. She quickly opened the file in her phone’s Excel viewer. She ignored that a copy of the file was saved somewhere on her phone. Satisfied she had received the correct information, she forwarded the email with attachment to her secretary to begin processing for the mail merge to send custom flyers to parents.
Scenario #4 - Open workstation
Mark, a Middle School counselor, has been working all morning on several spreadsheets, combining assessment data and student personally information to facilitate some informational and intervention reports. He is called to the principal’s office for a discipline concern.
To ensure that everything stays just the way it is on his computer, he walks away without logging out or locking his screen. A few minutes later, the school secretary encourages two students to wait in Mark’s office for his return. The two students notice the open screen and begin to smile.
Did You Know?
Want to lock your computer? On Windows, press the WindowsFlag key (left side of your keyboard) AND the "L" key on your keyboard. On Mac, press simultaneously press the following keys: Control + Shift + Eject. Learn more here.
Scenario #5 - Paper
“I just need a quick print-out so I have something I can reference in my hand,” Jill exclaimed. As Darlene printed out the report from iTCCS, she promised to put the document in Dropbox so Jill could get to it more easily. Jill dropped the sheaf of papers into her briefcase and ran out the door.
“Maybe,” she thought to herself, “I’ll have time to stop at HEB on the way home tonight, get a good night’s sleep so I’ll be fresh for this data presentation tomorrow morning.” She looked at her briefcase, carefully locking it in the trunk and casually throwing a blanket on top of it, just in case.