[BreachExchange] 5 cyber cards for K-12 schools to play against potential hackers

Audrey McNeil audrey at riskbasedsecurity.com
Tue Aug 15 19:56:00 EDT 2017


https://www.bizjournals.com/buffalo/news/2017/08/15/5-cyber-cards-for-k-12-schools-to-play-against.html

Cybersecurity is not about making your network 100 percent impenetrable.
You would never be certain beyond any doubt when you arrived at 100 percent
protected; moreover, you would spend money needlessly.

Not every attack vector out there is a vulnerability for you and your
environment. Frankly, no internet-connected system is completely secure.
Ask Target or Yahoo!, or Sachem School District in Long Island, or
Maryland’s Prince George’s County School – all victims of cyberattacks in
the last four years.

The Federal Trade Commission chases cyberattackers who violate the privacy
of private citizens, but they pursue the private sector only. They do not
provide guidance to schools on what to do. So, who chases the hacker who
breaches the personal information of students, parents, faculty, and
administrative staff in the K-12 space?

The answer is largely no one, at least not proactively. There is little, if
any, offensive security seen in the K-12 market nationwide. This means not
much by way of penetration testing, perhaps the occasional vulnerability
assessment (VA), but this is just one component of a vital vulnerability
management program, often lacking in the elementary through high school
arena.

Hacking is an attack of opportunity, and given inherent value, online
criminals will take advantage. The goal for any organization, K-12
included, is to place sufficient obstacles to deter the cyberattacker, so
they look elsewhere for an easier mark.

When I lecture, I often compare cyber to avoiding termites in your home.
Termites are pernicious and challenging to exterminate. Chemicals used,
like permethrin and arsenic, are harmful to humans as well. I apologize to
your neighbors, but salt, sunlight, and hot to cold temperature changes can
chase termites away to find any residence to attack. Cyber is similar. Put
up enough walls, make them diverse, give the attacker more effort than they
are willing to expend, and the attacker will seek cozier environs.

What can be done by school districts and Boards of Cooperative Educational
Services (BOCES) throughout New York State to protect student, parent,
faculty, and administrative privacy, safeguarding against identity and
economic attack?

Keeping with our card playing theme, let’s call these five steps “table
stakes.”

1. Don’t fail at password security. Implement multi-factor authentication
(MFA). It actually costs more not to implement it, with password resets (I
will “betcha”) accounting for more than 25 percent of all trouble tickets.
There are a variety of tools for every size organization out there. Pick
one or get assistance picking one and run a proof of concept. You will be
glad you did.

2. Make data more mysterious. Use encryption everywhere you have data that
describes a person or group of people. Not long ago, encryption was
considered too hard to do and a drain on performance. Not any longer. With
the advent of crypto-accelerators, performance can be as good as, and
sometimes faster than, passing data in clear text (without encryption).

Use RSA, TLS 1.2 and PGP for asymmetric encryption. Advanced encryption
standard (AES) should be used for symmetric encryption. Use bcrypt or
SHA-512 with a salt for password storage. I know these terms may be new and
unknown. Ask your security expert and they will happily explain each one.

3. Not patching systems is like having a hole in the front door to your
home. Now if the hole was small, maybe nothing bad would happen for a time,
but you would likely be making a trek to Home Depot soon. Have an approach
to patching. It’s okay to say, “I patch every 45 days,” but just do it.
Don’t promise system patching and then, three years later, find out you
only issued three of every 10 patches.

4. Implement a vulnerability management toolset. Great solutions abound
that prioritize and can even send your patching software info on what to
patch immediately. Ask for help choosing and testing. You will be shocked
at what gets found.

5. Pen test at least once a year. It’s easy to arrange; someone else does
all the work to conduct the test.

It takes many factors to keep a network secure. I gave you just a few, but
done holistically, you can make your network unappetizing to attackers.
Stay safe.
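
Item 2 above recommends bcrypt or SHA-512 with a salt for password storage.
The sketch below is an added example, not part of the original article: it
uses PBKDF2-HMAC-SHA512 from Python's standard library (salted SHA-512
repeated many times), and the record format, function names and iteration
count are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets

SCHEME = "pbkdf2_sha512"  # record label, a name chosen for this example
ITERATIONS = 210_000      # work factor assumed here; tune to your hardware
SALT_BYTES = 16


def _derive(password, salt, iterations):
    # Salted, iterated SHA-512: every guess costs an attacker `iterations` rounds.
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing record: scheme$iterations$salt$digest."""
    salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt per password
    digest = _derive(password, salt, iterations)
    fields = [SCHEME, str(iterations), base64.b64encode(salt).decode(), base64.b64encode(digest).decode()]
    return "$".join(fields)


def verify_password(password, record):
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, iters, salt_b64, digest_b64 = record.split("$")
        if scheme != SCHEME:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        candidate = _derive(password, salt, int(iters))
    except (ValueError, OverflowError):
        return False  # malformed record: fail closed
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record):
    """True when a record is malformed or weaker than the current policy."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != SCHEME or not parts[1].isdigit():
        return True
    return int(parts[1]) < ITERATIONS


if __name__ == "__main__":
    old = hash_password("Spring2017!", iterations=1000)  # constructed sample
    print(verify_password("Spring2017!", old), needs_rehash(old))
    print(hash_password("Spring2017!") != hash_password("Spring2017!"))
```

Because the salt is random per record, two accounts with the same password
store different values, and needs_rehash lets a login handler upgrade old
records the next time the user signs in successfully.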