Phishing is part of our cybersecurity presentation that we hit the hardest. We demonstrate what can happen if a link or attachment is clicked and a webcam is compromised. It always gets the audience's attention. We also give tips and tricks to spot phishing and encourage users to send suspicious emails to us. During a typical week at SDCOE, we might get two or three malicious emails sent to a handful of people. But the last week of February proved to be anything other than a typical week.
A little after 8 a.m., one of our users sent us a phishing email. We ran a message trace, inputting the sender's email address to find out who got the email. It was only two people. We asked them to let us know if they clicked the link. Then we blocked further emails from that sender and prevented anyone from accessing the link.
Unfortunately, the other user who received the email clicked on the link before we blocked it. When this happens, the best practice is to wipe the computer, because we are not sure of the damage. I have tried manually removing malware that would recreate itself under a randomly generated filename immediately after I deleted it. The only way to be sure something malicious isn't hiding is to start over. We requested that the machine be reimaged and asked the user to shut it down to prevent spreading or pivoting.
However, the person who sent the phishing email quickly took advantage of the vulnerability. One of the first things they must have done is download a local copy of the user's mailbox information. This gave them a list of everyone the user had emailed or received email from. The attacker took that information and started sending emails on a scale we have never seen before at SDCOE -- 3,575 over the next four days. It's possible the attacker was trying to keep the Cybersecurity team busy while they tried to take advantage of another vulnerability.
The following day, the user who clicked the link received an email that looked like a reply to an email chain from someone at a local school district. The email directed the user to send money to a different financial account, claiming that the correct account had been compromised. The email address looked very similar to the actual email address but was one letter off. Email addresses that have different domains are as different as Paris, France, is from Paris, Texas. Thanks to training and expertise, no money was transferred.
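As an added example (not code from the SDCOE article), the following Python check flags a sender domain that is "one letter off" from a domain the organization normally corresponds with, the kind of lookalike used in the altered-reply email above. The trusted domains and addresses are constructed placeholders; the confusable-character list and distance threshold are assumptions to tune per organization.

```python
# Lookalike sender-domain check: flags domains that are a small edit away from,
# or visually confusable with, a trusted partner domain. Added example, not SDCOE code.

# Constructed placeholder list; a real deployment would load this from a partner directory.
TRUSTED_DOMAINS = {"exampleschools.org", "sdcoe-partner.edu"}

# Assumed confusable pairs: characters attackers swap that look alike in many fonts.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain: str) -> str:
    """Collapse confusable characters so 'exarnple' and 'examp1e' compare equal to 'example'."""
    for src, dst in CONFUSABLES:
        domain = domain.replace(src, dst)
    return domain


def sender_domain(address: str) -> str:
    """Extract the lower-cased domain from 'Name <user@host>' or a bare 'user@host'."""
    addr = address.strip()
    if addr.endswith(">") and "<" in addr:
        addr = addr[addr.rfind("<") + 1:-1]
    return addr.rsplit("@", 1)[-1].lower().strip()


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted' (exact match), 'lookalike' (close but not equal) or 'unknown'.

    Note: the distance is taken over the whole domain, so a TLD swap such as
    .org -> .com (3 edits) is only caught if max_distance is raised.
    """
    domain = sender_domain(address)
    if domain in trusted:
        return "trusted"
    norm = normalise(domain)
    for t in trusted:
        nt = normalise(t)
        if norm == nt or edit_distance(norm, nt) <= max_distance:
            return "lookalike"
    return "unknown"
```

A mail gateway rule or SIEM query can apply the same logic to the From and Reply-To headers of inbound "reply" emails that mention payment or account changes.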
Within 24 hours, the phishing had compromised the machine, grabbed the contact list, looked through emails to find one that could be altered with fake bank information, created a bogus domain that looked legitimate, and bombarded us with phishing to keep us occupied. It could have been much worse. We took the opportunity to refine our processes and learned quite a bit from the experience. This is just one example of what can happen with something as simple as a click. We are working hard to make our processes more efficient and to reduce as much of the danger from phishing as we can.
When thinking about internet-of-things (IoT) devices, one often imagines the stuff of sci-fi such as driverless cars, camera-mounted drones, and talking teddy bears. However, many connected K-12 schools are finding themselves already in the future by leveraging smart thermometers to regulate the HVAC system, buses that act as mobile hotspots, and wireless probeware suitable for any STEM classroom environment. With these conveniences, it is even more imperative to be mindful of the baseline cybersecurity measures that should be in place to protect organizational data.
A quick win whenever adopting IoT devices is to immediately change all appropriate default passwords for the routers to which these devices may connect. Someone can quickly and easily locate this information online with sites such as RouterPasswords.com.
Another important action is ensuring that all software (either on the device or used to interact with the device) is kept current. Most updates contain some level of protection against recently discovered vulnerabilities.
Being dependent on the manufacturers of IoT devices to ensure they are impenetrable against the latest cyberthreat is not the safest approach to take given their objective is often profit over safety. As such, ensuring that the K-12 infrastructure is providing a protective barrier is critical to any organization leveraging IoT technologies. This includes, but is not limited to, use of firewalls and intrusion detection/prevention systems, implementation of segregated network segments (such as secure and guest), and finally ensuring that physical security is accounted for as well.
Living in the future is exactly what K-12 organizations should be providing to their students. To not do that safely is simply not an option.
Severe design flaws in modern CPUs, including Intel, Qualcomm, AMD, and ARM processors, were recently disclosed, triggering a wave of urgent security advisories and patches.
The problem lies in the way these processors have been designed to rely on a technique called speculative execution to optimize performance. Optimization is done by predicting the instructions they are going to be executing next.
Exploiting these vulnerabilities, Meltdown and Spectre, is very challenging, and some attacks require physical access. This means that a hacker would have to spend a lot of time and effort to access an average user's machine, when it would be much easier to get access via phishing. On the other hand, for high-value targets like financial and educational institutions, the Meltdown and Spectre vulnerabilities are a cause for concern.
Companies are working to apply available patches while dealing with the performance hit that results from the Meltdown and Spectre patches. The average user should not see a major performance change from the patches. Processor-intensive tasks like video editing and some gaming programs will notice the slowdown.
The shopping season is upon us and with the growth in the popularity of online shopping, the SDCOE Cybersecurity team recognizes the need to talk about e-commerce and what we should be aware of while shopping online. If you are going to get the best out of your online shopping activities without falling prey to criminals, you will need to take a few precautions.
The common security features of an e-commerce site are an SSL certificate, indicated by a closed lock in your browser near the address bar and a URL that starts with HTTPS. In addition, the website should comply with the Payment Card Industry Data Security Standard (PCI DSS).
Criminals often create sites that are exact duplicates of your favorite e-commerce sites and use SEO tricks and techniques to get you to their site, where you will type your username and password to purchase items. Even though search engines are very useful when you are looking for products, there is always the risk of clicking on a malicious site. Instead of just clicking a link to your selected retailer's website, it is much safer to type the URL into the address bar of your browser. Many credit card companies will issue a temporary credit card number for their customers. These cards can be useful for a one-time purchase. Finally, it is best to use a dedicated computer system for online banking and shopping when possible.
Karen Connaghan, Assistant Superintendent and CTO of San Diego County Office of Education, started talking about cybersecurity almost three years ago. I began researching and familiarizing myself with cybersecurity, especially related to coding practices.
In October 2016, Karen was given the approval to create a Cybersecurity team, and we used National Cybersecurity Awareness Month to kick off the formation of the team. Since then, we have created many services for all districts to use.
A short list of the services that we provide is as follows:
Awareness: At the heart of our awareness outreach are the presentations and demos that we provide on topics such as cybersecurity, data privacy, and even social media safety. To keep the message going, we create monthly flyers and articles which are available to the districts for their own awareness campaigns.
Procedures: Through our own implementation process at SDCOE, we've been able to craft procedures that are readable and informative to those who are asked to follow them. By offering these procedures to other educational organizations in the county, we are hopeful that they will be able to customize and implement their own versions in a shorter duration.
Training: By providing informative "How-To" resource documentation, we're working to empower those that we support to further share the CyberAware message. At this point, we are also working towards more training opportunities such as a Train-the-Trainer Program for our End-User Awareness Presentations as well as a catalog of technical training events.
Vulnerability Assessment: The Cybersecurity Analysts on our team, Ed Kipp and Vong Sopha, support SDCOE through our Vulnerability Management Program. They've taken their technical knowledge and practical experience, and we are now offering their assessment services to districts within San Diego County.
We are very excited about the services already in place as well as those that are coming in the year ahead. Stay connected through the Cyber Guru eNewsletter to hear how our program continues to grow.