
The Cybertraps Podcast


Nov 29, 2021

Show Notes

The Problem

The K–12 Cybersecurity Resource Center tracked 408 publicly disclosed cybersecurity incidents at K–12 institutions in 2020, an 18 percent increase over 2019 and an average of two attacks per school day aimed at the nation's education system. The most widespread incidents were ransomware attacks, in which an intruder gets into a network, locks up systems or data and demands payment to release them, along with breaches of student and staff personal data that ranged from bullying reports to Social Security numbers. Class invasions were also a significant trend: a malicious actor gains access to an online video conferencing session and disrupts it, often with inappropriate images or words. This was seen particularly at the start of the pandemic and happened on Zoom in so many cases that the term "Zoombombing" was coined.

News Items

Passage of the $1 billion Department of Homeland Security cybersecurity grant program. The grants will technically be administered by the Federal Emergency Management Agency, long DHS's main grant-making unit, but the Infrastructure Investment and Jobs Act calls on CISA to serve in an advisory capacity, work that CISA executive director Brandon Wales said has already started. The law requires each state to develop a comprehensive cybersecurity plan to qualify for the grants, and about 80% of the total funds will eventually make their way to local jurisdictions. Wales told Rep. Yvette Clarke that this leaves CISA with several questions to answer before the money begins flowing, which is expected in 2022. The goal is a "common baseline", likely to include steps commonly described as fundamental: multi-factor authentication, limiting the number of privileged accounts on a government network, patching vulnerabilities as soon as they are identified, and running regular risk assessments.
But those steps are sometimes unaffordable for the small local governments that stand to benefit most from the new grant program.

Signing of the K–12 Cybersecurity Act. The law, signed in October 2021, requires the Cybersecurity and Infrastructure Security Agency (CISA) to study the cybersecurity risks facing K–12 institutions and then produce recommendations and tools that schools can use to defend themselves against attackers.

What Should Schools Be Doing Now?

Educate themselves about the grant process and the information they will need to apply.
Educate teachers, students, and parents about the importance of cybersecurity.
Cultivate a culture of cybersecurity.

For K–12 IT Departments

Check the CISA web site regularly.
Review lists of potential threats [from Ikon Business Group]:

Advanced Persistent Threat [APT]: a network attack in which an unauthorized party gains access to a network and remains there undetected for a long period.
Brute-force cracking: recovering a password or an encryption key (the source gives Data Encryption Standard, DES, keys as its example) by trying every candidate in turn until one works, relying on exhaustive effort rather than on any weakness in the algorithm. Long, random passwords and lockout or rate limiting on login attempts are what make it impractical.
Credential reuse: once attackers hold a collection of usernames and passwords from a breached web site or service (easily bought on any number of black-market sites), they try those same credentials on other sites, knowing that many people reuse passwords and that some of the logins will succeed.
Distributed Denial of Service [DDoS]: an attempt to make an online service unavailable by overwhelming it with traffic from many sources at once.
Drive-by download: a program that is downloaded to your computer automatically, without your consent or even your knowledge, typically just by visiting a compromised or malicious web page.
Malware: harmful software of various forms, such as viruses and ransomware.
Once malware is on your computer it can wreak all sorts of havoc, from taking control of the machine, to monitoring your actions and keystrokes, to silently sending confidential data from your computer or network back to the attacker.
Network probe: an attempt to gain access to a computer and its files through a known or probable weak point in the system, usually preceded by scanning for open services to find that weak point.
Phishing: internet fraudsters impersonate a business to trick you into giving out personal information. Phishing is the primary delivery vector for malware and usually arrives as an e-mail carrying a malicious attachment or an embedded malicious link.
Ransomware: malicious software designed to block access to a computer system or its data until a sum of money is paid.
Session hijacking and man-in-the-middle attacks: the session between your browser and a remote web server is identified by a unique session ID that should stay private between the two parties. An attacker who captures that ID (for example by intercepting an unencrypted connection) can present it as their own and be treated by the server as the already logged-in user, gaining access to whatever that account is allowed to see.
SQL injection: attacker-supplied input is placed directly into a database query so that it changes what the query does, getting the server to divulge (or modify) information it normally would not. This is especially damaging when the database holds private information such as credit card numbers, usernames and passwords, or other personally identifiable information, all lucrative targets for an attacker. Building queries with placeholders (parameterized queries) instead of string concatenation is the standard defense.

7 Steps for Better Cybersecurity [from Ikon Business Group]

Get buy-in from top administration. A good cybersecurity plan requires line items in the budget for people, hardware, and software, which means getting the principal, CIO, operations manager, and any other top-level decision makers on board.
Perform live simulations and training exercises with students and staff. The best training today puts users through a simulated attack specific to their job or role. Follow up any training by testing how well the lesson was learned: send out occasional phony phishing e-mails to check how many employees still fail to recognize the threat.
Conduct evaluations. Don't be afraid to evaluate both employees and systems to find out how vulnerable your organization is to attack. Present users with a realistic cyber-attack and hold a follow-up meeting for end users and IT personnel to discuss the results of the campaign and how to avoid such scams in the future.
Communicate. Don't opt for scare tactics; the goal is to build a culture of cyber awareness. Start small with a few videos or infographics to kick things off, and don't waste time on long memos that will only get ignored. Keep it fun, keep it short.
Create a formal plan. IT teams should develop a formal, documented plan for cybersecurity training that is reviewed and updated often with the latest information on attack vectors and other risks.
Stress the importance of security at school and at home. Tech leaders should help employees understand the importance of cyber hygiene not just in the workplace but also at home, Pollard said. "Teach users about privacy, security, and how the lessons learned at work can apply at home and in their personal lives to give them a 'what's in it for me' they can apply all the time, not just at work," he added.
Reward users. Reward users who spot malicious e-mails, and share stories about how users helped thwart security issues. IT leaders should also empathize with people who make mistakes. Use posters, contests, and other reminders to drive home an easy-to-understand message: security is everyone's personal responsibility.
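The SQL injection entry in the threat list above says that attacker-supplied input can change what a query does. The Python example below, added here and not code from the podcast or from Ikon Business Group, makes that concrete: a login check built by string concatenation sits beside the parameterized version, both run against an in-memory SQLite table. The staff table, its rows and the attack string are all constructed for the demo (passwords are kept in clear only to keep it short; a real system stores salted hashes).

```python
"""SQL injection: concatenated login query versus a parameterized one.

Added example for the threat-list entry above; not the podcast's own code.
The staff table, its rows and the attack payload are constructed for the demo.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database holding a constructed staff table (sample rows only)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE staff (username TEXT, password TEXT, ssn TEXT)")
    con.executemany(
        "INSERT INTO staff VALUES (?, ?, ?)",
        [
            ("principal", "Winter2021!", "000-00-0001"),  # constructed sample
            ("teacher1", "apples", "000-00-0002"),        # constructed sample
        ],
    )
    return con


def login_vulnerable(con: sqlite3.Connection, username: str, password: str) -> list:
    """The weak pattern: user input is pasted straight into the SQL text, so
    whatever the user types becomes part of the query's grammar."""
    sql = (
        "SELECT username, ssn FROM staff WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return con.execute(sql).fetchall()


def login_hardened(con: sqlite3.Connection, username: str, password: str) -> list:
    """The fix: placeholders. The driver sends the values separately from the
    query text, so a quote character in the input stays data and can never
    close the string literal or add new clauses."""
    sql = "SELECT username, ssn FROM staff WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchall()


# Classic tautology payload: the leading quote closes the username literal,
# OR '1'='1' makes the WHERE clause always true, and -- comments out the rest
# of the line, including the password check.
ATTACK_USER = "' OR '1'='1' -- "


def demo() -> dict:
    """Run both login functions with a legitimate user and with the payload."""
    con = make_db()
    return {
        "legit_vulnerable": login_vulnerable(con, "teacher1", "apples"),
        "legit_hardened": login_hardened(con, "teacher1", "apples"),
        "attack_vulnerable": login_vulnerable(con, ATTACK_USER, "anything"),
        "attack_hardened": login_hardened(con, ATTACK_USER, "anything"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:18s} -> {rows}")
```

With the payload the concatenated query returns every row in the table, SSNs included, without a valid password; the parameterized query treats the same string as a literal username, finds no match and returns nothing. Any database driver's placeholder syntax gives the same protection; what matters is that query text and data travel separately.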
Resources

Cybersecurity and Infrastructure Security Agency: https://www.cisa.gov/
A Guide to Cybersecurity for K–12 Schools: https://www.ikonbusinessgroup.com/a-guide-to-cybersecurity-for-k–12-schools/
2021-11-22 Schumer: LI school districts should get ready to apply for funding to fight off cyberattacks: https://www.newsday.com/long-island/education/cyberattacks-school-districts-infrastructure-bill–1.50430756
2021-11-17 Cyber grants are a 'game changer,' CISA leader tells Congress: https://statescoop.com/cyber-grants-game-changer-cisa-leader-tells-congress/
2021-11-16 K–12 School Districts Failing at Cloud Security: https://www.infosecurity-magazine.com/news/k12-school-districts-failing-at/
2021-10-31 FBI: K–12 schools a leading target for ransomware attacks. Are local districts secure?: https://www.desertsun.com/story/news/education/2021/10/31/ransomware-attacks-concern-school-districts/8543466002/
2021-10-22 The K–12 Cybersecurity Act Becomes Law: https://edtechmagazine.com/k12/article/2021/10/k–12-cybersecurity-act-becomes-law
2021-10-08 Biden signs bill to strengthen K–12 school cybersecurity: https://thehill.com/policy/cybersecurity/575957-biden-signs-bill-into-law-to-strengthen-k–12-school-cybersecurity?rl=1
2021-09-09 K–12 Cybersecurity Standards Released, Along with Free District Self-Assessment Tool: https://thejournal.com/articles/2021/09/09/k12-cybersecurity-standards-released-along-with-free-district-self-assessment-tool.aspx
2021-03-10 New research finds 'record-breaking' number of K–12 cyber incidents in 2020: https://thehill.com/policy/cybersecurity/542518-new-research-finds-record-breaking-number-of-k–12-cyber-incidents-in
2021 The State of K–12 Cybersecurity: 2020 Year in Review: https://k12cybersecure.com/wp-content/uploads/2021/03/StateofK12Cybersecurity–2020.pdf