CYBERSECURITY AND ONLINE SAFETY IN K12 EDUCATION

Sally Savona, Stanislaus County Office of Education
Carl Fong, Orange County Department of Education
Spring CUE 2018 Conference

Key Takeaways for Today
• Cybercrime threats are real, growing, and a moving target
• Cybercrime is an organizational and personal risk (not just IT)
• Building a culture of “security awareness” is critical
• Resources are scarce (technical, monetary)
• Ongoing safety resources to mitigate cybersecurity threats will be necessary
• The tools used for hacking are free and readily available

Cybercrime is … a malicious breach of a school’s security to expose sensitive and confidential personal information

Cybercrime looks like …
● …students hacking into databases to change grades
● …hackers instigating a distributed denial of service (DDoS) attack which stops electronic testing and Internet access
● …thieves stealing personal identification information (PII) from the financial system and posting it on the Internet
● …staff losing a laptop or tablet with access to highly sensitive information
● …ransomware & phishing being used to hold a LEA hostage and costing thousands of $$$

Top 10 Reasons Cyber Crime Happens
● The Human Factor (aka: weakest link; 68% of education employees are labeled as “risk” profiles)
● Resources & Talent Constraints
● Confusing Compliance with cybersecurity
● BYOD
● Failure to cover Cybersecurity Basics
● Information Security Training including NEO
● Not understanding What Generates Risk
● Lack of a Recovery Plan
● Lack of Cybersecurity Policies and Procedures
● Constantly Evolving Risks

Common types of targeted data (PII)

PII Examples: Social Security Number, Name, Gender, Birthday, Email Address, Mailing Address, Password, Bank Account, Health Records, SSID

Protected PII
“Protected PII that should be protected can be used to access or steal either PII or influence thought and behavior”
Best Practices: restricted sharing, expiration dates via retention rules

Confidential, Protected PII
“PII that should be protected and confidential can be used to access or steal assets or benefits”
Best Practices: encryption, secure FTP, verifiable/enforceable confidentiality agreements between sharing parties, restricted sharing, expiration dates via retention rules, access logs, system audits

So What...
● An attack on a school’s IT system can compromise the ability to teach & assess students
● If personal information is exposed, districts may be subject to penalties under SOPIPA, HIPAA, FERPA or PCI including the loss of potential federal funding
● Civil lawsuits could cost millions
● Districts may find they aren’t covered for damages under traditional business interruption insurance policies
● COE and District business offices may not be able to function for a period of time and fulfill timely requirements such as payroll

One thing is clear…
• Many cybercrime events are preventable, but cannot be 100% mitigated
• K-12 institutions need to have a strategy for minimizing the likelihood (risk) of a breach as well as a plan to deal with the fallout after one takes place.

Cybercrime has … touched organizations of every size and shape in every industry – including K-12 school districts

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

K-12 Cyber Incident Map (with examples)
Map last update: March 8, 2018
https://www.edtechstrategies.com/k12-cyber-incident-map

Poway Unified School District
Palo Alto Union School District

2016 (unauthorized disclosure/breach): Personal information of more than 36,000 Poway Unified students exposed in data breach
2017 (unauthorized disclosure/breach): Names, addresses, birth dates and test scores of 14,000 current and former students were accessed by a well-known computer security researcher targeting a former vendor
2017 (unauthorized disclosure/breach): “A website that enables Palo Alto High School students to view their grade point averages and class rank is circling around the student community and suggests a breach of the Infinite Campus system”

What is common in all of these examples?
● All of these breaches in security could have been mitigated and addressed
● Staff are not aware of the policies, nor their responsibilities under Compliance regulations
● Many schools do not have the appropriate resources to develop a Cyber Security Awareness program
● Policies are outdated
● Many IT departments do not have the time, resources or the skills to develop awareness programs
● Security becomes important when a breach occurs!

Other Costs Associated with Data Breach
● Organization’s reputation
● Lack of credibility
● Data breaches in Education can cost an average of $245 per record
● Network countermeasures
● Loss of productivity
● Legal fees/fines
● Insurance (Coverage may vary)
● Equipment replacement
● Purchase of credit monitoring services (SSN) for employees (or employee families) or students

Ransomware
● Education is currently the biggest target for ransomware attacks – WannaCry / NotPetya
● 2017 seems to be the year of the Ransomware
● Effective and easy to deploy
● The average ransom demand has risen to $1,077 in 2017
● BitCoin - Cyber currency that is anonymous in nature and cannot be tracked
● FBI estimates one strain created losses of $18M between 2014-15

Opportunities
● Step 1: CCSESA is positioned to provide assistance to other county offices of education and school districts by defining, developing and standardizing a Cyber Security Framework
● This framework has been developed to meet the needs of all COEs and school districts in California to provide a common approach to security awareness and controls
● Step 2: Develop supplemental materials that support the framework, i.e. PD, policies, rubrics, etc.

Developing a Common Framework includes…

Information Security

Culture: The ideas, customs and social behavior of a particular society that allows them to be free from danger or threats.

Process: Establishing a model for security involving risk management, security design, security implementation and verification.

Policies: Defining how an organization addresses constraints on behavior to protect the physical and information technology assets.

Cybersecurity Education Program
● District Security Awareness & Training Program
● Online Course Modules
● Presentations for School Leaders
● Phishing tools for assessing your staff
● Network of “Sentinels” to support deployments
● Best Practices Toolkit
● Resource: www.k12tapd.org

Additional Resources
• CCSESA
• Cybersecurity Framework
• K12HSN - TAPD
• Cybersecurity Education Program
• Cybersecurity Bootcamps
• Network Security Online Course
• CETPA
• Student Data Privacy Guide

California Student Privacy Alliance

• California Student Privacy Alliance
• Fagen Friedman & Fulfrost
• Ventura County Office of Education
• Access 4 Learning
• CETPA
• Standardized Privacy Agreements
• Compliance with 1584
• Approved Applications and Digital Resources
• Google Compliance Review
• Student Data Privacy Guide

Student Data Privacy Resources Searchable Database

Vendor Compliance and K-12 Curriculum Reviewing EdTech Products

Common Sense Media & Digital Citizenship -- What is COPPA? for Education: Privacy & Security -- Other applications (AB 1584)

Curated educational content

Licensed Content

Open “Free” Content

Single Sign-on, Single Search

Examples of what some LEAs are doing …
● Regular (annual or bi-annual) IT security audits
  ○ Network penetration tests
  ○ Social Engineering
  ○ Policy and procedure reviews
  ○ Anti-virus/Anti-malware
● Business Continuity Efforts
  ○ Backup Data Center
  ○ Off-site data replication
● Cyber Security User awareness programs
● Physical Access Control
● Other non-technical solutions
  ○ Locking file cabinets
  ○ Shredding sensitive documents
  ○ Screensavers
  ○ Password policies

E-mail Phishing

When your Email Account is Hacked

Tools of the Trade
• Wireless Tools Available
• Credit Card Skimmers
• Password Capturing Tools
• Tools for Hiding Files

Q/A

Questions?

http://bit.ly/CybersecurityCUE

Contact Information

Sally Savona, CCSESA Past TTSC Chair
Division Director, Technology & Learning Resources
Stanislaus County Office of Education
E-mail: [email protected]

Carl Fong, D.B.A, CGEIT, CISM, CCTO
Chief Technology Officer
Orange County Department of Education
Email: [email protected]

Cybersecurity - CUE.pdf
