Ryan Cloutier, Principal Security Consultant, SecurityStudio, Author at eSchool News

5 ways to nurture a cybersecurity interest in a healthy way

Ryan Cloutier, Principal Security Consultant, SecurityStudio — Fri, 12 Feb 2021 10:00:55 +0000

It’s something no teacher or administrator wants to think about, but what if one of your students is showing an interest in computer hacking? Teachers–sometimes more than parents–can tap into kids’ interests and skill sets. And with technology now a large part of how students are learning, it is just a matter of time until any educator runs into a student with an unexpected knowledge of how tech works or how to manipulate it.

How do you know if these students simply have a healthy curiosity or are interested in something darker? And how do you help an advanced student understand that they can use their skills for good by choosing a career as a cybersecurity professional rather than an underground hacker? Here’s how to handle such a nuanced situation.

1. Identify interest and skill

There are a few ways to pinpoint a student who has sufficient skills and interest to be a potential security threat.

First, look for kids with a high technical aptitude. They’ll be the whizzes in their computer class, often helping other kids (or teachers) who run into technical issues. Second, they seem to have all the devices and know how they work. Listen for them to talk about their phones, tablets, gaming systems, and more. Additionally, really pay attention to students who show a real curiosity about technology. These are the ones who talk frequently about new tech or ask a lot of questions; these kids are demonstrating a high level of interest in the topic. Combine technical aptitude, access to devices, and curiosity, and you have a student who could cross over into pushing the envelope a bit further than any of us want.

Second, keep an eye out for actions like changing a teacher’s password or accessing something on the network they’re not supposed to. Some kids might do this for attention. Others simply because they can. And others might consider it a harmless prank on a good-natured teacher. But if not recognized and addressed, changing a password could quickly turn into running bitcoin miners on school computers or hijacking a school quiz system in order to receive a particular incentive.

Are you protecting health data amid COVID-19 testing and tracking?

Ryan Cloutier, Principal Security Consultant, SecurityStudio — Tue, 08 Dec 2020 09:50:30 +0000

There’s no point mincing words: School districts and administrators have had a heck of a year. Not only have you been under immense pressure from parents and state officials to reopen schools safely, but your teachers are also understandably concerned about virus transmission. What’s more, your plans keep changing and you’re being forced to adapt. It’s an uphill battle, and there’s no doubt you’re doing your best. In all the chaos, you’re now responsible for taking temperatures and doing daily COVID-19 screenings, but you may not have had enough time to research screening devices and do sufficient due diligence before welcoming students back through your doors. Unfortunately, making a purchase like this can open you up to risk. Here’s why, and how to mitigate these risks moving forward. Untested tech, unproven vendors COVID-19 took the world by surprise, and people have taken a waterfall of reactionary measures ever since. Consumers have bought household goods out of panic, and schools have bought screening devices in much the same way - because they needed to. You need to reopen your doors, so you need to perform health checks, as well as COVID-19 testing and tracking. It’s understandable that you may have either purchased a device for your school or been given one to install from your district without first undergoing a complete risk assessment. But these screening devices are largely unproven. Many of them have emerged very recently from vendors that are neither widely known nor trusted. Furthermore, many of them use facial recognition so the technology can connect the dots between the temperatures they’ve taken and whose temperature it is. Do you know how, where, or if that data then gets stored? Whether you have a handheld screening device that looks like a modified cell phone or one that looks like a tablet, you need to understand the associated risks and configure the technology securely. You’re now handling health data You’ve always had to manage and protect student data, but as soon as you pull the trigger on a temperature scanner, you’re dealing with sensitive health information. Some people dismiss temperature data as “just a temperature,” but the reality is that this is health data - and it needs to be treated differently than general student records. When you’re handling health data, the complexity and sensitivity is increased significantly. A lot of COVID-19 testing and tracking devices have a server component to them, so the device sends data to a centralized server system where it’s captured and used for reporting. If someone scans hot, a notification may go out. That notification is then sharing health data. Additionally, many technologies are working to help record contact tracing. This, of course, is another layer of sensitive data, this time about the comings and goings of individuals. So, consider where the personal information captured by these devices goes. Is it being used by the vendor for purposes aside from COVID-19 testing and tracking? Odds are good that it is (or eventually will be). Also, is it part of your network? If so, there’s a possibility that a cybercriminal could access the network - and all the data. There has been an increase in attacks on COVID-19 testing centers, vaccine development facilities, etc. so it’s not a stretch to imagine this type of data being a target within your own walls. Assess risk & make plans If your data, school, or district does get compromised and your screening technology is taken offline, what’s your backup plan? Do you have one? If not, take the time to think through all possible outcomes and what your next moves will be. Whether it’s because of cybercriminals or simply because the technology fails (as all tech does eventually), having contingency processes in place will increase your speed of response and level of security.

5 cybersecurity life skills to teach all year

Ryan Cloutier, CISSP, Principal Security Consultant, SecurityStudio — Thu, 03 Dec 2020 10:00:09 +0000

If a student from your school had someone knock on their front door, ask for personal information and offer to give them a treat in exchange for that information, what would happen? It depends on the child, but what you know for certain is that your district or school has been teaching stranger danger since that child was in kindergarten, so the odds are good that the interaction would raise a red flag for the student. Why is it, then, that students are posting videos and photos on TikTok, Instagram, and Snapchat without any concern that their school name or home address is displayed prominently in the background? The reason is simple: we – parents and educators alike – aren’t adequately teaching our kids cyber life skills designed to protect them online. Life skills are relative – and ever-evolving Simply put, life skills have always been relative to the time of society. When sabre toothed tigers roamed the earth in 10,000 BC, humans were taught to watch them because their lives, literally, depended on it. When automobiles became more commonplace in the early 1900’s, we had to teach children to look both ways before crossing the street. Historically, when there have been major changes to the daily norm, we have adjusted our life skills to accommodate those changes – except over the past 20 years. Despite what is arguably the most significant change society has ever undergone – the advent of the internet – we’ve done very little to adjust to the massive technological changes over the past two decades or to properly prepare our children for how the innovation can and will impact their lives. Technology is wonderful in the ways that it’s wonderful. But, without education and guidance, it moves very quickly into truly dangerous territory. Cyberbullying education isn’t enough While schools are putting devices in the hands of students as early as kindergarten, and many families are doing so at an even earlier age, we generally are not giving kids the instruction or guidance on how to manage their health and wellbeing, time or security online. While there have been proactive pockets of parents and educators who were ahead of the curve and informed themselves about both the plusses and minuses of technology, no one could have anticipated the universal adoption of smart phones or the addictive power of social platforms targeted at kids. One area we have seen schools target heavily with regard to technology is cyberbullying. And while this vicious type of interaction between kids needs to stop, it really is something that schools are already familiar with and have programs in place to handle it. What’s even more important is to educate kids about how to protect themselves online, how to identify red flags and when to ask for help when the broader, global online community (yes, including their classmates) is held in the palm of their hands. Cybersecurity life skills to teach As consumers ourselves, we know that privacy is important. I contend, however, that privacy is an end game and that there are other cyber life skills we need to teach more urgently that will help get us to privacy. Let’s take a look at five areas that we can really dig into with students that will make a difference in terms of how they conduct – and protect – themselves online. Cybersecurity Life Skill #1: Digital is real: The physiological responses humans experience when they are in danger – increased heartbeat or breathing, etc. – don’t translate well to the online world. We have to teach kids how to identify risk without those cues and understand that the digital world is the real world. There is no separation between what they say and do on TikTok and what they say and do in their living room. Cybersecurity Life Skill #2: Healthy skepticism: It sounds dramatic, but it’s not: children today are subjected to military and nation-state grade psychological warfare. From the ads they are served to the click-bait headlines that flash across their Pinterest boards, students are being fed propaganda, and it’s our job to teach them now to stop, think critically, and question why they are seeing what they are seeing. One simple tactic that can be adjusted, depending on the age of the child, is to imagine how they would react if the situation they face online were happening in the physical world.

10 K-12 cybersecurity must-dos

Ryan Coultier — Mon, 22 Jun 2020 09:55:47 +0000

Cybersecurity has always been a high priority for K-12 administrators and staff, but with the rapid push to remote learning brought on by COVID-19, school leadership has had to consider how to educate through the lens of cybersecurity. While school years are closing up for the 2019 – 2020 year, it’s still unknown what our learning environments will look like for the 2020 – 2021 school year. Let’s look at 10 things that K-12 schools must focus on – whether the next school year takes place in person on via remote learning. Related content: To improve cybersecurity, start at the endpoints 1. Perform A Risk Assessment You’re already doing risk assessments for severe weather, fire, or other types of crises and emergencies. Do the same for your technology resources. This will give you the visibility you need to identify areas of concern. Don’t be surprised if your assessment finds that you have more systems than you realized. For instance, many administrators are surprised to learn that computers are controlling other systems such as door locks or cameras. 2. Create and Maintain an Accurate Technology Inventory The vast majority of districts don’t have an accurate inventory of their technology assets and contracts because they aren’t considering their hardware and software resources in addition to the third-party services with whom they’re contracted. Districts have to have a holistic view of all of these assets if they are to properly secure their schools and students. 3. Limit Unauthorized Access to Systems and Networks Just like only certain teachers have access to certain student data, we need to make sure only authorized people are taking authorized actions on your technology systems. Also, remember – curious students might try to access systems they aren’t authorized to access. We want to encourage curiosity, but prevent it from turning criminal. 4. Continuous Security Awareness Training Regular security awareness training – weekly updates, phishing testing, quarterly assessments - targeted toward students, teachers, staff, and administration is critical to keeping your systems and your people safe. By having an ongoing security awareness program, you create a “security-first” culture that reduces your risk of being attacked by a cybercriminal. Encourage your students, teachers, and administrators to apply what they learn both at home and at school. And remember that people are tired and stressed right now- they likely aren’t making mistakes maliciously so create a non-punitive program that teaches people where they have had a mis-step, rather than punishing them for it. 5. Maintain Secure Configurations for Systems and Networks Systems patching is the top technical activity you can do to limit your cyber risk. A full 60 percent of breaches in 2019 were linked to vulnerabilities where a patch was available, but not applied. Patching and maintenance of systems should happen at least every week. Different systems release fixes at different times, so your district needs to create a schedule to consistently patch everything from hardware to operating systems to software. 6. Focus on Data Classification Data classification, which has to do with data privacy and a clear definition of who has access to what, needs to be a focal point of your security program. By making sure you have a clear data classification process, you can limit who has access to what data and better protect your school and student data. This applies to third party vendor access, too – those systems your school uses such as PowerSchool, Kahoot!, Remind, and others. 7. Plan How to Respond to Cyber/ Information Security Events Cyber events are inevitable, so you need to have a plan in place for how to handle them before they happen. Save time and effort by taking your crisis plans for weather events or fires and modifying them to address information security issues. Keep in mind that most districts don’t have the on-staff expertise to do incident response or sophisticated cybersecurity. When you’re creating your plan, identify partners that you might need to work with to identify and respond to an issue. 8. Perform Cyber and Information Security Assessments Security assessments test your cyber and information security systems to ensure they are working. Just like you test new door locks, you have to test your information security programs. This is another area that having a third-party partner can be very helpful. Yes, your IT team can and should test your systems regularly. But having a partner run a stringent annual assessment is another layer of insurance that your systems are working. 9. Monitor Systems and Networks for Suspicious Activity