Shopping has never been my forte, much less when amongst the throng of shoppers angling for the latest toys at the lowest prices. No, I am naturally inclined to the comfort of a recliner and a mobile device in order to buy everything from special gifts for my loved ones to the cat food that I forgot to pick up earlier in the day. This has made the balance of security versus convenience a necessity in my life.
Below are some of my hard-won tips for shopping safely online.
Use reputable businesses and do the research: It is always amazing to run across a new online boutique that specializes in a niche market – Did you know Maisonette sells the cutest STEM Toys? – but do your homework if you have never heard of them. Does their website address begin with https? What does the Better Business Bureau say about them? Do they receive authentic and positive feedback on Yelp and other crowdsourced review sites?
Compare prices to see if it is a bargain or a mirage: OK, I will admit that I was suckered into a too-good-to-be-true opportunity. I gave up my home address so I could be a beta tester for new Bluetooth headphones. I did not get the headphones, but I did get a bunch of junk mail. Saving some money on an item is great, but huge savings should be a red flag.
Use a VPN if you are going to use public Wi-Fi: Online shopping does not always have to happen in a pair of pajamas. Sometimes it happens when we are on the go or taking a caffeine break at a favorite local coffee shop. So, if you’re trying to save on your cellphone data usage so that you can buy your Aunt Margaret a new set of oven mitts, don’t lose your shirt by using that public Wi-Fi signal unless you have installed a reliable VPN service and are using it. For tips about choosing a reliable VPN service, see the first bullet point.
Think before you click on any links: This applies to links on websites, links in emails and links in a text message. We are bombarded by advertisements, and it is easy to be tripped up by clicking on a link to save 70 percent on some new gadget. Scammers have become true artists in mimicking your favorite retailers. Rather than risk getting a virus on your system, go directly to the vendor’s website. If they advertise it in an email, they will advertise it on their (secure) website.
This October marks the 15th annual National Cybersecurity Awareness Month, which was cofounded by United States Department of Homeland Security and the National Cyber Security Alliance. The Cybersecurity team at SDCOE takes advantage of this month to remind users about the importance of cybersecurity and how it is our shared responsibility. We have to work together to improve our awareness inside and outside the work environment. I encourage my colleagues to think twice before clicking on links or downloading software, documents, or attachments. Also, keep in mind that unencrypted email is not a safe environment for sharing personally identifiable information. SDCOE's Cybersecurity team is here to help, so please contact us at firstname.lastname@example.org if you are not sure about the legitimacy of an email.
Curious teenagers all around the country have been known to try to
improperly access student information systems and other online
applications. This is not a new phenomenon and at least ten states
experienced it this past school year. Most of these “hacks” were not
sophisticated and the students simply found the teacher’s credentials
on a piece of paper, perhaps under the keyboard.
The desire to access student or employee information doesn’t stop with
teenagers. Organized and professional criminals with a lot of resources at
their disposal are also after such information. Student information is very
valuable and it is our job to do all that we can do to protect the
information we have been trusted with.
Our biggest challenge in cybersecurity is not the technology; it is our people. Bad actors use the weakest
link to get into our network and our untrained users are our weakest link. Train your teachers and office
workers at any opportunity and provide them the knowledge and the tools that they need to be safe
Talk to your users about cyberbullying, fake news, cyberstalking, and educate them to identify phishing
requests as well as secure surfing.
If you’ve ever watched the British comedy show The IT Crowd, you know
that their I.T. team answers the phone, “Hello, I.T., have you tried turning
it off and on again?” And if you’ve called your ISP because you’re having
problems connecting to your home internet, the first thing they ask you
is if you have reset the router. I worked for Cox Communications and that
was the first thing we learned during our training. Have you ever
wondered why that is?
A piece of malware dubbed VPNFilter infected more than 700,000
routers used in homes and small businesses in over 50 countries. While
most of the infections were in the Ukraine, it did find its way onto routers
in the United States. Since it originated in Russia, the FBI recommended rebooting and resetting our
routers. Rebooting the router will clear anything in the active memory that shouldn’t be there and will
bring the router back up to its default state. So if the issue is in the memory, a reboot should resolve the
However, this is a tricky piece of malware, and doing a garden-variety reboot will only disrupt the
malware. In order to ensure that the malware is completely eradicated, a reset back to factory settings
is recommended. The procedure for this varies from vendor to vendor, but this will essentially take the
router back to the same state as it was when it was removed from the box. One thing to remember
though, if you reset the modem to factory defaults, you will need to apply any updates to it. Updates are
released on an ongoing basis to patch security issues.
As SDCOE's Cybersecurity team encounters both educators and students in the classroom via our awareness presentations, we're often asked about career options. Thankfully, the Department of Homeland Security has created an amazing website with a plethora of information that can be useful in steering interested students into the vast career pathway known as Cybersecurity.
National Initiative for Cybersecurity Careers and Studies provides a single location for visitors from government and industry, career seekers, and those seeking to hire them. With resources, training, and tools to help all of these audiences, it is a no-brainer to check it out.
Highlights from the website:
Cybersecurity Workforce Framework: The Department of Homeland Security has been working hard to create a language that we can all leverage when it comes to the hiring and retention of skilled cybersecurity workers. Using a matrix approach, interested parties can delve into how to go about participating in this workforce based upon specialty areas, work roles, tasks, skills, knowledge, and abilities. Given that cybersecurity is an ever-evolving landscape, this is an excellent resource for those who are still trying to figure out where to go and how to get there.
Training: The Education and Training Catalog currently reveals over 3,000 cybersecurity-related courses that participants can locate via a user-friendly map. Additionally, state and federal government employees and military veterans have free access to industry-recognized training.
Events and Resource Links: Also included is an extensive database of cybersecurity-related events and links to interesting resources that are within easy reach for site visitors.
Coming Soon - Career Profiles: The Department of Homeland Security is in the process of developing amazing visuals that easily break down various roles within the cybersecurity field. For those with a new interest in the field or who find themselves swept along in the current of information, it is going to be an amazing resource that explains the capabilities and characteristics required for each role.
Coming Soon - Career Pathways: For those interested in preparing for their next steps, this new tool will enable users to input their current knowledge, skills, ability and capabilities which will then be plotted into a visual map showing similar work roles that are available as well as a map for how to get there.
Visit the National Initiative for Cybersecurity Careers and Studies website for more information.
Defense in depth is an approach to safeguarding an organization's network with a series of defensive components, such that if one layer fails, another will already be in place to prevent an attack. Since there are so many potential attackers with an array of attack methods, there is no single method to assure that an organization's network is completely secure. What the defense in depth approach will accomplish is to reduce the chance that an attacker completes their attack. These defensive components include a strong perimeter defense, strong passwords, and security policies and procedures.
A strong perimeter defense can include a firewall to manage both incoming and outgoing traffic, and deployment of a network intrusion detection system (IDS) to identify scans or traffic patterns that signal an attack. Using strong passwords and frequently changing them can make it more difficult for attackers to guess or crack the passwords. Policies and procedures raise awareness of users so they will know if their actions are allowed. There is no single security measure that will fully protect an organization's network, but an approach of defense in depth will hopefully block or discourage all kinds of attackers.
Phishing is the part of our cybersecurity presentation that we hit the hardest. We demonstrate what can happen if a link or attachment is clicked and a webcam is compromised. It always gets the audience's attention. We also give tips and tricks to spot phishing and encourage users to send suspicious emails to us. During a typical week at SDCOE, we might get two or three malicious emails sent to a handful of people. But the last week of February proved to be anything other than a typical week.
A little after 8 a.m., one of our users sent us a phishing email. We ran a message trace, inputting the sender's email address to find out who got the email. It was only two people. We asked them to let us know if they clicked the link. Then we blocked further emails from that sender and prevented anyone from accessing the link.
Unfortunately, the other user who received the email clicked on the link before we blocked it. When this happens, the best practice is to wipe the computer, because we are not sure of the damage. I have tried manually removing malware that would recreate itself as a randomly generated filename immediately after I deleted it. The only way to be sure something malicious isn't hiding is to start over. We requested that the machine be reimaged and asked the user to shut down to prevent spreading or pivoting.
However, the person who sent the phishing email quickly took advantage of the vulnerability. One of the first things they must have done is download a local copy of the user's mailbox information. This gave them a list of everyone the user had emailed or received email from. The attacker took that information and started sending emails on a scale we have never seen before at SDCOE -- 3,575 over the next four days. It's possible the attacker was trying to keep the Cybersecurity team busy while they tried to take advantage of another vulnerability.
The following day, the user who clicked the link received an email that looked like a reply to an email chain from someone at a local school district. The email directed the user to send money to a different financial account, claiming that the correct account had been compromised. The email address looked very similar to the actual email address but was one letter off. Email addresses that have different domains are as different as Paris, France, is from Paris, Texas. Thanks to training and expertise, no money was transferred.
Within 24 hours, the phishing had compromised the machine, grabbed the contact list, looked through emails to find one that could be altered with fake bank information, created a bogus domain that looked legitimate, and bombarded us with phishing to keep us occupied. It could have been much worse. We took the opportunity to refine our processes and learned quite a bit from the experience. This is just one example of what can happen with something as simple as a click. We are working hard to make our processes more efficient and to reduce as much of the danger from phishing as we can.
When thinking about internet-of-things (IoT) devices, one often imagines the stuff of sci-fi such as driverless cars, camera-mounted drones, and talking teddy bears. However, many connected K-12 schools are finding themselves already in the future by leveraging smart thermometers to regulate the HVAC system, buses that act as mobile hotspots, and wireless probeware suitable for any STEM classroom environment. With these conveniences, it is even more imperative to be mindful of the baseline cybersecurity measures that should be in place to protect organizational data.
A quick win whenever adopting IoT devices is to immediately change all appropriate default passwords for the routers to which these devices may connect. Someone can quickly and easily locate this information online with sites such as RouterPasswords.com.
Another important action is ensuring that all software (either on the device or used to interact with the device) is kept current. Most updates contain some level of protection against recently discovered vulnerabilities.
Being dependent on the manufacturers of IoT devices to ensure they are impenetrable against the latest cyberthreat is not the safest approach to take given their objective is often profit over safety. As such, ensuring that the K-12 infrastructure is providing a protective barrier is critical to any organization leveraging IoT technologies. This includes, but is not limited to, use of firewalls and intrusion detection/prevention systems, implementation of segregated network segments (such as secure and guest), and finally ensuring that physical security is accounted for as well.
Living in the future is exactly what K-12 organizations should be providing to their students. To not do that safely is simply not an option.