Curious teenagers all around the country have been known to try to
improperly access student information systems and other online
applications. This is not a new phenomenon and at least ten states
experienced it this past school year. Most of these “hacks” were not
sophisticated and the students simply found the teacher’s credentials
on a piece of paper, perhaps under the keyboard.
The desire to access student or employee information doesn’t stop with
teenagers. Organized and professional criminals with a lot of resources at
their disposal are also after such information. Student information is very
valuable and it is our job to do all that we can do to protect the
information we have been trusted with.
Our biggest challenge in cybersecurity is not the technology; it is our people. Bad actors use the weakest
link to get into our network, and our untrained users are our weakest link. Train your teachers and office
workers at every opportunity and provide them with the knowledge and tools they need to be safe.
Talk to your users about cyberbullying, fake news, and cyberstalking, and educate them to identify phishing
requests and to browse securely.
If you’ve ever watched the British comedy show The IT Crowd, you know
that their I.T. team answers the phone, “Hello, I.T., have you tried turning
it off and on again?” And if you’ve called your ISP because you’re having
problems connecting to your home internet, the first thing they ask you
is if you have reset the router. I worked for Cox Communications and that
was the first thing we learned during our training. Have you ever
wondered why that is?
A piece of malware dubbed VPNFilter infected more than 700,000
routers used in homes and small businesses in over 50 countries. While
most of the infections were in Ukraine, it did find its way onto routers
in the United States. Since it originated in Russia, the FBI recommended rebooting and resetting our
routers. Rebooting the router will clear anything in the active memory that shouldn’t be there and will
bring the router back up to its default state. So if the issue is in the memory, a reboot should resolve the
However, this is a tricky piece of malware, and doing a garden-variety reboot will only disrupt the
malware. In order to ensure that the malware is completely eradicated, a reset back to factory settings
is recommended. The procedure for this varies from vendor to vendor, but this will essentially take the
router back to the same state it was in when it came out of the box. One thing to remember,
though: if you reset the modem to factory defaults, you will need to reapply any updates to it. Updates are
released on an ongoing basis to patch security issues.
As SDCOE's Cybersecurity team encounters both educators and students in the classroom via our awareness presentations, we're often asked about career options. Thankfully, the Department of Homeland Security has created an amazing website with a plethora of information that can be useful in steering interested students into the vast career pathway known as Cybersecurity.
National Initiative for Cybersecurity Careers and Studies provides a single location for visitors from government and industry, career seekers, and those seeking to hire them. With resources, training, and tools to help all of these audiences, it is a no-brainer to check it out.
Highlights from the website:
Cybersecurity Workforce Framework: The Department of Homeland Security has been working hard to create a common language that we can all leverage when it comes to the hiring and retention of skilled cybersecurity workers. Leveraging a matrix approach, interested parties can delve into how to participate in this workforce based upon specialty areas, work roles, tasks, skills, knowledge, and abilities. Given that cybersecurity is an ever-evolving landscape, this is an excellent resource for those who are still trying to figure out where to go and how to get there.
Training: The Education and Training Catalog currently reveals over 3,000 cybersecurity-related courses that participants can locate via a user-friendly map. Additionally, state and federal government employees and military veterans have free access to industry-recognized training.
Events and Resource Links: Also included is an extensive database of cybersecurity-related events and links to interesting resources that are within easy reach for site visitors.
Coming Soon - Career Profiles: The Department of Homeland Security is in the process of developing amazing visuals that easily break down various roles within the cybersecurity field. For those with a new interest in the field or who find themselves swept along in the current of information, it is going to be an amazing resource that explains the capabilities and characteristics required for each role.
Coming Soon - Career Pathways: For those interested in preparing for their next steps, this new tool will enable users to input their current knowledge, skills, ability and capabilities which will then be plotted into a visual map showing similar work roles that are available as well as a map for how to get there.
Visit the National Initiative for Cybersecurity Careers and Studies website for more information.
Defense in depth is an approach to safeguarding an organization's network with a series of defensive components, such that if one layer fails, another is already in place to prevent an attack. Since there are so many potential attackers with an array of attack methods, there is no single method that assures an organization's network is completely secure. What the defense in depth approach accomplishes is to reduce the risk of an attacker completing their attack. These defensive components include a strong perimeter defense, the use of strong passwords, and the implementation of security policies and procedures.
A strong perimeter defense can include a firewall to manage both incoming and outgoing traffic, and the deployment of a network intrusion detection system (IDS) to identify scans or traffic patterns that signal an attack. Using strong passwords and changing them frequently makes it more difficult for attackers to guess or crack them. Policies and procedures raise users' awareness so they know whether their actions are allowed. No single security measure will fully protect an organization's network, but a defense in depth approach will hopefully block or discourage all kinds of attackers.
Phishing is part of our cybersecurity presentation that we hit the hardest. We demonstrate what can happen if a link or attachment is clicked and a webcam is compromised. It always gets the audience's attention. We also give tips and tricks to spot phishing and encourage users to send suspicious emails to us. During a typical week at SDCOE, we might get two or three malicious emails sent to a handful of people. But the last week of February proved to be anything other than a typical week.
A little after 8 a.m., one of our users sent us a phishing email. We ran a message trace, inputting the sender's email address to find out who got the email. It was only two people. We asked them to let us know if they clicked the link. Then we blocked further emails from that sender and prevented anyone from accessing the link.
Unfortunately, the other user who received the email clicked on the link before we blocked it. When this happens, the best practice is to wipe the computer, because we are not sure of the damage. I have tried manually removing malware that would recreate itself under a randomly generated filename immediately after I deleted it. The only way to be sure something malicious isn't hiding is to start over. We requested that the machine be reimaged and asked the user to shut it down to prevent spreading or pivoting.
However, the person who sent the phishing email quickly took advantage of the vulnerability. One of the first things they must have done is download a local copy of the user's mailbox information. This gave them a list of everyone the user had emailed or received email from. The attacker took that information and started sending emails on a scale we have never seen before at SDCOE -- 3,575 over the next four days. It's possible the attacker was trying to keep the Cybersecurity team busy while they tried to take advantage of another vulnerability.
The following day, the user who clicked the link received an email that looked like a reply to an email chain from someone at a local school district. The email directed the user to send money to a different financial account, claiming that the correct account had been compromised. The email address looked very similar to the actual email address but was one letter off. Email addresses that have different domains are as different as Paris, France, is from Paris, Texas. Thanks to training and expertise, no money was transferred.
Within 24 hours, the phishing had compromised the machine, grabbed the contact list, looked through emails to find one that could be altered with fake bank information, created a bogus domain that looked legitimate, and bombarded us with phishing to keep us occupied. It could have been much worse. We took the opportunity to refine our processes and learned quite a bit from the experience. This is just one example of what can happen with something as simple as a click. We are working hard to make our processes more efficient and to reduce as much of the danger from phishing as we can.
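One defensive check the "one letter off" trick above invites, shown here as an added example and not SDCOE's own tooling: compare each sender's domain with a list of trusted partner domains using edit distance and flag near misses for review before anyone acts on a payment request. The trusted domains, the sample From: headers and the distance threshold are constructed assumptions for illustration.

```python
import re

# Constructed placeholder list; a real deployment would load the districts
# and vendors that actually exchange payment instructions with the office.
TRUSTED_DOMAINS = {"sdcoe.example", "partner-district.example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Pull the domain out of a From: header such as 'Name <user@host>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower() if m else ""


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_dist=2) -> str:
    """Return 'trusted', 'lookalike' (within max_dist edits) or 'external'."""
    domain = sender_domain(from_header)
    if domain in trusted:
        return "trusted"
    if any(edit_distance(domain, t) <= max_dist for t in trusted):
        return "lookalike"
    return "external"


# Constructed sample headers: the second swaps 'i' for 'l' in the domain.
SAMPLE_HEADERS = [
    "Accounts Payable <ap@partner-district.example>",
    "Accounts Payable <ap@partner-distrlct.example>",
    "Vendor Support <help@vendor-store.example>",
]


def triage(headers=SAMPLE_HEADERS):
    """Classify every header; lookalikes are the ones worth a phone call."""
    return [(sender_domain(h), classify_sender(h)) for h in headers]


if __name__ == "__main__":
    for domain, verdict in triage():
        print(f"{verdict:9s} {domain}")
```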
When thinking about internet-of-things (IoT) devices, one often imagines the stuff of sci-fi such as driverless cars, camera-mounted drones, and talking teddy bears. However, many connected K-12 schools are finding themselves already in the future by leveraging smart thermometers to regulate the HVAC system, buses that act as mobile hotspots, and wireless probeware suitable for any STEM classroom environment. With these conveniences, it is even more imperative to be mindful of the baseline cybersecurity measures that should be in place to protect organizational data.
A quick win whenever adopting IoT devices is to immediately change all appropriate default passwords for the routers to which these devices may connect. Someone can quickly and easily locate this information online with sites such as RouterPasswords.com.
Another important action is ensuring that all software (either on the device or used to interact with the device) is kept current. Most updates contain some level of protection against recently discovered vulnerabilities.
Being dependent on the manufacturers of IoT devices to ensure they are impenetrable against the latest cyberthreat is not the safest approach to take given their objective is often profit over safety. As such, ensuring that the K-12 infrastructure is providing a protective barrier is critical to any organization leveraging IoT technologies. This includes, but is not limited to, use of firewalls and intrusion detection/prevention systems, implementation of segregated network segments (such as secure and guest), and finally ensuring that physical security is accounted for as well.
Living in the future is exactly what K-12 organizations should be providing to their students. To not do that safely is simply not an option.
Severe design flaws in modern CPUs, including Intel, Qualcomm, AMD, and ARM processors, were recently disclosed, triggering a wave of urgent security advisories and patches.
The problem lies in the way these processors have been designed to rely on a technique called speculative execution to optimize performance. Optimization is done by predicting the instructions they are going to be executing next.
Exploiting these vulnerabilities, Meltdown and Spectre, is very challenging, and some attacks require physical access. This means that a hacker would have to spend a lot of time and effort to access an average user's machine, when it would be much easier to get that access via phishing. On the other hand, for high-value targets like financial and educational institutions, the Meltdown and Spectre vulnerabilities are a cause for concern.
Companies are working to apply available patches while dealing with the performance hit that results from the Meltdown and Spectre patches. The average user should not see a major performance change as a result. Processor-intensive tasks like video editing and some gaming programs will notice the slowdown.
The shopping season is upon us and with the growth in the popularity of online shopping, the SDCOE Cybersecurity team recognizes the need to talk about e-commerce and what we should be aware of while shopping online. If you are going to get the best out of your online shopping activities without falling prey to criminals, you will need to take a few precautions.
The common security features of an e-commerce site are an SSL certificate, indicated by a closed lock in your browser near the address bar and a URL that starts with HTTPS, and compliance with the Payment Card Industry Data Security Standard (PCI DSS).
Criminals often create sites that are exact duplicates of your favorite e-commerce sites and use SEO tricks and techniques to lure you to their site, where you will type in your username and password to purchase items. Even though search engines are very useful when you are looking for products, there is always the risk of clicking on a malicious site. Instead of just clicking a link to your selected retailer's website, it is much safer to type the URL into the address bar of your browser. Many credit card companies will issue a temporary credit card number for their customers. These cards can be useful for a one-time purchase. Finally, it is best to use a dedicated computer for online banking and shopping when possible.
Karen Connaghan, Assistant Superintendent and CTO of San Diego County Office of Education, started talking about cybersecurity almost three years ago. I began researching and familiarizing myself with cybersecurity, especially related to coding practices.
In October 2016, Karen was given the approval to create a Cybersecurity team, and we used National Cybersecurity Awareness Month to kick off the formation of the team. Since then, we have created many services for all districts to use.
A short list of the services we provide is as follows:
Awareness: At the heart of our awareness outreach are the presentations and demos that we provide on topics such as cybersecurity, data privacy, and even social media safety. To keep the message going, we create monthly flyers and articles which are available to the districts for their own awareness campaigns.
Procedures: Through our own implementation process at SDCOE, we've been able to craft procedures that are readable and informative to those who are asked to follow them. By offering these procedures to other educational organizations in the county, we are hopeful that they will be able to customize and implement their own versions in a shorter duration.
Training: By providing informative "How-To" resource documentation, we're working to empower those that we support to further share the CyberAware message. At this point, we are also working towards more training opportunities such as a Train-the-Trainer Program for our End-User Awareness Presentations as well as a catalog of technical training events.
Vulnerability Assessment: The Cybersecurity Analysts on our team, Ed Kipp and Vong Sopha, support SDCOE through our Vulnerability Management Program. They've taken their technical knowledge and practical experience, and we are now offering their assessment services to districts within San Diego County.
We are very excited about the services already in place as well as those that are coming in the year ahead. Stay connected through the Cyber Guru eNewsletter to hear how our program continues to grow.