CYBERSECURITY AND ONLINE SAFETY IN K12 EDUCATION
Sally Savona, Stanislaus County Office of Education
Carl Fong, Orange County Department of Education
Spring CUE 2018 Conference

Key Takeaways for Today
• Cybercrime threats are real, growing, and a moving target
• Cybercrime is an organizational and personal risk (not just IT)
• Building a culture of "security awareness" is critical
• Resources are scarce (technical, monetary)
• Ongoing safety resources to mitigate cybersecurity threats will be necessary
• The tools used for hacking are free and readily available
Cybercrime is...
...a malicious breach of a school's security to expose, steal, alter or hold hostage sensitive and confidential personal information.

Cybercrime looks like...
● ...students hacking into databases to change grades
● ...hackers instigating a distributed denial of service (DDoS) attack which stops electronic testing and Internet access
● ...thieves stealing personally identifiable information (PII) from the financial system and posting it on the Internet
● ...staff losing a laptop or tablet with access to highly sensitive information
● ...ransomware and phishing being used to hold an LEA hostage and costing thousands of dollars
Top 10 Reasons Cyber Crime Happens
● The human factor (aka the weakest link: 68% of education employees are labeled as "risk" profiles)
● Resources and talent constraints
● Confusing compliance with cybersecurity
● BYOD (bring your own device)
● Failure to cover cybersecurity basics
● Lack of information security training, including NEO (new employee orientation)
● Not understanding what generates risk
● Lack of a recovery plan
● Lack of cybersecurity policies and procedures
● Constantly evolving risks
Common types of targeted data (PII)
PII examples: Social Security number, name, gender, birthday, e-mail address, mailing address, password, bank account, health records, SSID (Statewide Student Identifier)

Protected PII
"PII that should be protected: it can be used to access or steal other PII, or to influence thought and behavior."
Best practices: restricted sharing, expiration dates via retention rules

Confidential, Protected PII
"PII that should be protected and kept confidential: it can be used to access or steal assets or benefits."
Best practices: encryption, secure file transfer (SFTP), verifiable and enforceable confidentiality agreements between sharing parties, restricted sharing, expiration dates via retention rules, access logs, system audits
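The "restricted sharing" and "system audits" practices above are only enforceable if staff can tell whether a file actually contains protected PII before it leaves the LEA. The following is an added example, not from the original presentation or from CCSESA: a small scanner that reads a CSV export and flags cells matching the PII types the slide lists (Social Security numbers, e-mail addresses, birth dates), masking each hit so the report itself does not leak data. The export text, column names and regular expressions are constructed assumptions; the patterns catch common formats rather than every variant.

```python
"""Pre-sharing PII scan of a CSV export (added example, constructed data).

Flags cells that look like Social Security numbers, e-mail addresses or
birth dates so a file can be checked before it is sent to a vendor or
another agency. Every hit is masked to its last four characters.
"""
import csv
import io
import re
from typing import Dict, List

# Patterns are assumptions covering the common formats, not exhaustive.
PII_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    # 9 digits, with or without hyphens; areas 000/666/9xx and zero groups
    # are never issued, so they are excluded to cut down false positives.
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-?(?!00)\d{2}-?(?!0000)\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # YYYY-MM-DD or M/D/YYYY
    "birthdate": re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{4})\b"),
}

# Constructed sample export: the SSID column holds 10-digit state student
# identifiers and the phone column holds 10-digit numbers, neither of which
# should be reported as an SSN; the notes column hides two real-looking SSNs.
SAMPLE_EXPORT = """student_id,name,ssid,dob,email,parent_phone,notes
1001,Alex Rivera,1234567890,2009-04-12,arivera@example.org,209-555-0101,Taxpayer ID 123-45-6789 on file
1002,Jordan Lee,2345678901,03/07/2008,jlee@example.org,209-555-0102,
1003,Sam Patel,3456789012,,spatel@example.org,209-555-0103,SSN 456789012 provided by parent
"""


def mask(value: str) -> str:
    """Keep only the last four characters so the report is safe to share."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def scan_export(text: str) -> List[dict]:
    """Return one finding per PII match: line, column, kind, masked value."""
    findings: List[dict] = []
    reader = csv.DictReader(io.StringIO(text))
    for line_no, row in enumerate(reader, start=2):  # header is line 1
        for column, value in row.items():
            if not value:
                continue
            for kind, pattern in PII_PATTERNS.items():
                for match in pattern.finditer(value):
                    findings.append({
                        "line": line_no,
                        "column": column,
                        "kind": kind,
                        "value": mask(match.group(0)),
                    })
    return findings


def summarize(findings: List[dict]) -> Dict[str, int]:
    """Count findings by PII kind, e.g. {'ssn': 2, 'email': 3, ...}."""
    counts: Dict[str, int] = {}
    for finding in findings:
        counts[finding["kind"]] = counts.get(finding["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_export(SAMPLE_EXPORT)
    for hit in hits:
        print(f"line {hit['line']:>3}  {hit['column']:<13} {hit['kind']:<9} {hit['value']}")
    print("summary:", summarize(hits))
```

Run against a real export, the summary is what a business office would attach to the sharing request (and what an access log or system audit can later confirm was reviewed). Columns known to carry identifiers, such as the SSID, can be added as an explicit allow-list or deny-list once a district has standardized its export formats.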
So What...
● An attack on a school's IT system can compromise the ability to teach and assess students
● If personal information is exposed, districts may be subject to penalties under SOPIPA, HIPAA or FERPA, or contractual penalties under PCI DSS, including the loss of potential federal funding
● Civil lawsuits could cost millions
● Districts may find they aren't covered for damages under traditional business interruption insurance policies
● COE and district business offices may not be able to function for a period of time and fulfill timely requirements such as payroll

One thing is clear...
• Many cybercrime events are preventable, but the risk cannot be 100% mitigated
• K-12 institutions need to have a strategy for minimizing the likelihood (risk) of a breach as well as a plan to deal with the fallout after one takes place.

Cybercrime has...
...touched organizations of every size and shape in every industry, including K-12 school districts.
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

K-12 Cyber Incident Map (with examples)
Map last update: March 8, 2018
https://www.edtechstrategies.com/k12-cyber-incident-map
• Poway Unified School District
  2016 (unauthorized disclosure/breach): Personal information of more than 36,000 Poway Unified students exposed in data breach
  2017 (unauthorized disclosure/breach): Names, addresses, birth dates and test scores of 14,000 current and former students were accessed by a well-known computer security researcher targeting a former vendor
• Palo Alto Unified School District
  2017 (unauthorized disclosure/breach): "A website that enables Palo Alto High School students to view their grade point averages and class rank is circling around the student community and suggests a breach of the Infinite Campus system"
What is common in all of these examples?
● All of these breaches in security could have been mitigated and addressed
● Staff are not aware of the policies, nor of their responsibilities under compliance regulations
● Many schools do not have the appropriate resources to develop a cybersecurity awareness program
● Policies are outdated
● Many IT departments do not have the time, resources or skills to develop awareness programs
● Security becomes important when a breach occurs!

Other Costs Associated with a Data Breach
● Organization's reputation
● Lack of credibility
● Data breaches in education can cost an average of $245 per record
● Network countermeasures
● Loss of productivity
● Legal fees/fines
● Insurance (coverage may vary)
● Equipment replacement
● Purchase of credit monitoring services (SSN) for employees (or employee families) or students
Ransomware
● Education is currently one of the biggest targets for ransomware attacks; WannaCry and NotPetya were the headline outbreaks of 2017
● 2017 seems to be the year of ransomware
● Effective and easy to deploy
● The average ransom demand has risen to $1,077 in 2017
● Bitcoin: the usual payment method. It is pseudonymous rather than anonymous; every transaction is recorded on a public ledger, but tying a wallet address to a real person is difficult in practice, which is why attackers favor it
● FBI estimates one strain created losses of $18M between 2014 and 2015
Opportunities
● Step 1: CCSESA is positioned to provide assistance to other county offices of education and school districts by defining, developing and standardizing a Cyber Security Framework
● This framework has been developed to meet the needs of all COEs and school districts in California to provide a common approach to security awareness and controls
● Step 2: Develop supplemental materials that support the framework, i.e. PD, policies, rubrics, etc.

Developing a Common Framework includes...
Information Security, built on three elements:
● Culture: the ideas, customs and social behavior of a particular society that allow them to be free from danger or threats.
● Process: establishing a model for security involving risk management, security design, security implementation and verification.
● Policies: defining how an organization addresses constraints on behavior to protect the physical and information technology assets.
Cybersecurity Education Program
● District Security Awareness & Training Program
● Online course modules
● Presentations for school leaders
● Phishing tools for assessing your staff
● Network of "Sentinels" to support deployments
● Best Practices Toolkit
● Resource: www.k12tapd.org

Additional Resources
• CCSESA
• Cybersecurity Framework
• K12HSN - TAPD
• Cybersecurity Education Program
• Cybersecurity Bootcamps
• Network Security Online Course
• CETPA
• Student Data Privacy Guide

California Student Privacy Alliance
• California Student Privacy Alliance
• Fagen Friedman & Fulfrost
• Ventura County Office of Education
• Access 4 Learning
• CETPA
• Standardized Privacy Agreements
• Compliance with AB 1584
• Approved Applications and Digital Resources
• Google Compliance Review
• Student Data Privacy Guide
Student Data Privacy Resources Searchable Database
Vendor Compliance and K-12 Curriculum: Reviewing EdTech Products
• Common Sense Media & Digital Citizenship
• What is COPPA? (Common Sense Education: Privacy & Security)
• Other applications (AB 1584)
• Curated educational content
• Licensed content
• Open "free" content
• Single sign-on, single search
Examples of what some LEAs are doing...
● Regular (annual or bi-annual) IT security audits
  ○ Network penetration tests
  ○ Social engineering
  ○ Policy and procedure reviews
  ○ Anti-virus/anti-malware
● Business continuity efforts
  ○ Backup data center
  ○ Off-site data replication
● Cybersecurity user awareness programs
● Physical access control
● Other non-technical solutions
  ○ Locking file cabinets
  ○ Shredding sensitive documents
  ○ Screensavers
  ○ Password policies
E-mail Phishing
When your Email Account is Hacked
Tools of the Trade
• Wireless tools available
• Credit card skimmers
• Password capturing tools
• Tools for hiding files
Questions?
http://bit.ly/CybersecurityCUE
Contact Information
Sally Savona, CCSESA Past TTSC Chair, Division Director, Technology & Learning Resources, Stanislaus County Office of Education
E-mail: [email protected]
Carl Fong, D.B.A, CGEIT, CISM, CCTO, Chief Technology Officer, Orange County Department of Education
E-mail: [email protected]