The Low Hanging Fruit of Cybersecurity

The threats relating to cybersecurity are real and on the rise amid the COVID crisis. Phishing-related attacks are up over 600%, and users are 3x more likely to click on a COVID-related link and enter their user credentials.

Institutions small and large have to be vigilant when dealing with this threat, and for many there is often a lack of both topical and technical knowledge of how to deal with the problem effectively. This is exacerbated in schools, where there is such a wide range of users: students, staff, faculty, and administration.

The solutions are often presented in ways full of technical jargon, or carry high price tags that make them difficult to implement given the limited budgets with which schools often have to work.

Cybersecurity need not be confusing or expensive if you focus on the “low hanging fruit.” These are the things anyone can easily pick off to better protect your institution. They often come with little to no expense, require a minimum of technical expertise, and can be achieved relatively quickly.

I have broken these pieces of “fruit” into what I refer to as the 5P’s of cybersecurity – people, policies, passwords, phishing, and protection.

PEOPLE
The people we serve are our biggest problem and through no fault of their own. With the constant flow of email and the sophistication of many of these threats, it’s not surprising people click the wrong things, follow the wrong links or directions, and provide their user credentials without thinking twice.

Focusing on in-person or online training is key, but you MUST get out in front of the issue by finding time in meetings, during workshops, or in professional development sessions.

Build a basic curriculum around the topics covered within this post, in a way that focuses not just on the organization’s needs but on how this applies to people in their personal lives. When you can make it about them and how it will help them in their personal lives, you are more likely to make it stick.

Without first starting with training, many of your efforts will fall flat, be met with skepticism, or be ignored. People want to do the right thing to protect themselves and the organization; giving them the training to do so will go a long way.

POLICY
Your institution needs policies to guide people and technology relating to cybersecurity. These policies can impact both people and technology, but they need to be clear and achievable.

For different organizations, there are often standards or guidelines they must follow. For independent schools, the National Association of Independent Schools (NAIS) and the Association of Technology Leaders in Independent Schools (ATLIS) have published various briefs and advisories to help guide their members. The NAIS Legal Advisory – Cybersecurity in Independent Schools: Data Breach Threats and Prevention Techniques (12/2018) and the ATLIS Cybersecurity Recommendations – Revised October 2020 are great resources for schools of any kind.

Your policies should include things such as how and where you store your data (including data mapping), methods for data backup and recovery, minimum password requirements, cybersecurity insurance, training schedules, device theft or loss, and access, retention, and control for personally identifiable information (PII), to name only a few. These policies should also clarify how the organization will respond to identified cyber events, malware, or phishing attacks, and how it will do so quickly within the organization.

Conducting tabletop exercises can be a helpful practice to prepare your organization for a cyber-related event: bring together key personnel to talk through the steps that will need to be taken in the event of a breach, ransomware attack, lost or stolen device, or otherwise compromised system. This will also help identify those instances where an attorney or law enforcement may need to become involved.

One common policy has concerned the frequency with which organizations should require a password change for their users. Recent research has shown this practice may be counterproductive, and it should be carefully considered so long as other protective measures are in use.

PASSWORDS
User credentials are one of the things cybercriminals are after, as they are the gateway to more systems and data.

Having a basic password policy is key for your institution and should be enforced from the start. Common passwords should be avoided, and a minimum requirement for password length and character types should be implemented.

Password fatigue is real, and asking people to change their passwords frequently can often lead to less secure passwords. Using a password management tool can help mitigate this. There are many services and tools, such as OnePass and LastPass, that will store your passwords, as well as password storage within your browser(s) or built into your operating system (Keychain Access on Apple OS).

Companies like Apple, Google, Facebook, Twitter, and others let you use the same credentials for their platforms to log in to other services. This can reduce password fatigue but can also make these passwords vulnerable in the event they are compromised. Using these services along with multi-factor authentication can strengthen your password posture.

Regardless of how you choose to store or manage your passwords, it should first start with your device.

Whether using a desktop, laptop, tablet, or phone, you should ALWAYS have a password set to unlock the device at startup or when waking from sleep. You should set your device to enter sleep when unattended for a specific period of time to prevent someone from accessing it when you step away, leave your device, or if it is lost or stolen.

Some services, such as Google’s, can be configured to require a device to have a password/passcode set, or else not allow the service to run on the device.

PHISHING
The most common starting point of a cybersecurity incident is an email.

Phishing emails are designed to look like they are coming from a legitimate source and generally include a link or links the user is meant to click on, in order to get them to provide personally identifiable information (PII – usernames, passwords, social security numbers, etc.).

These emails can vary in sophistication, from including the actual branding associated with a well-known company to being as simple as what appears to be an email from a colleague or supervisor.

There are often signs within the email itself that can point to a phishing attempt, such as misspelled words or poor grammar, misleading sending or reply-to email addresses, bad links, or even missing footers normally associated with a trusted sender.
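Two of those signs, a Reply-To address on a different domain from the sender and a link whose visible text names one site while it points at another, can be checked mechanically. The script below is an added example, not part of the original post; it uses only Python’s standard library, and the message, the domains ending in `.invalid`, and the `trusted_domain` parameter are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real message) showing the warning signs the post lists:
# a sender outside the organization, a Reply-To on a different domain from the
# sender, and a link whose visible text names one site while pointing at another.
SAMPLE_EMAIL = """From: "Payroll Office" <payroll@example-mail.invalid>
Reply-To: helpdesk@lookalike.invalid
To: staff@school.invalid
Subject: Urgent: verify your account
Content-Type: text/html; charset="utf-8"

<p>Please <a href="http://lookalike.invalid/login">log in at https://school.invalid</a> today.</p>
"""

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r'https?://([^/\s"<>]+)', re.I)

def domain_of(address):
    """Return the lower-cased domain part of an email address, or '' if none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def phishing_indicators(raw_message, trusted_domain):
    """Return a list of human-readable warning signs found in one raw email."""
    msg = message_from_string(raw_message)
    trusted = trusted_domain.lower()
    findings = []

    _name, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)
    if sender_domain and sender_domain != trusted:
        findings.append(f"sender {sender} is outside {trusted}")

    _name, reply_to = parseaddr(msg.get("Reply-To", ""))
    reply_domain = domain_of(reply_to)
    if reply_domain and reply_domain != sender_domain:
        findings.append(f"Reply-To {reply_to} uses a different domain than the sender")

    # Compare each link's real destination host with any host shown in its text.
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    for href, text in LINK_RE.findall(body):
        target = HOST_RE.match(href)
        shown = HOST_RE.search(text)
        if target and shown and target.group(1).lower() != shown.group(1).lower():
            findings.append(f"link text mentions {shown.group(1)} but points to {target.group(1)}")
    return findings

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL, "school.invalid"):
        print("-", finding)
```

Such checks catch only the crude cases the post describes; they complement user training rather than replace it.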

Building fluency around common phishing tactics can be one of the best things an organization can do to protect its user base and itself. A phishing exercise – a coordinated effort to send a suspicious email to an organization’s users to determine susceptibility and vulnerability – is a great way to develop a baseline from which user training and support can be developed. Administered regularly, these can help build a person’s and an organization’s defense against attacks.

A basic phishing exercise can be put together from within the organization itself. There are also services, such as KnowBe4 and others, that offer a full variety of phishing exercises and training modules.

PROTECTION
There are some straightforward and manageable ways to protect your users, their devices, and the organization as a whole.

The most basic of these protections start at the machine level with software updates to the operating system, browsers, and applications used. Each vendor provides updates either on a schedule or when vulnerabilities are discovered. If you are managing your devices, you can “push” these updates out to your machines. Encourage users to install updates as they are released to keep their devices as secure as possible. If you have a policy of vetting updates before deploying them to your fleet to ensure compatibility with other software, develop a schedule to do so in a timely fashion.

When protecting user credentials, it is highly recommended to implement multi-factor authentication. This is when a second step is required, in addition to a username and password, to authenticate a user to the system. This second factor could be a code or text message sent to a device, a set of codes provided to the user, a randomly generated code, or a physical device required to be within the proximity of or connected to the primary device. Many software companies offer some form of multi-factor authentication, and people should be encouraged, on a personal level, to implement these same steps with their banking and other institutions that offer such services.

Multi-factor authentication can require that a person use their personal device to complete the process. This may also require them to install an application or receive a text message on their phone. For some, this blurring of the line between personal and work may cause issues and should be considered when choosing a method.

[See – “Three helpful hints for deploying 2 Factor Authentication” – for implementation suggestions.]

A person’s device contains not only information about themselves but also about others. Depending on the person, the amount of organization data held on that device can be extensive. Your policies should be clear on how this information will be safeguarded if a device is lost or stolen.

Two options for doing so would be to require disk encryption on all organizationally owned devices and the ability to remotely lock and/or wipe the device’s hard drive.

Disk encryption secures your entire hard drive, making it unreadable without the correct password. It requires a user to enter the password at startup or after waking from sleep before allowing access. Most modern operating systems offer this as part of the OS. When using a mobile device management (MDM) platform, policies can be put in place to require this and to securely store the recovery key for a person’s device.

The ability to remotely lock or wipe a device’s hard drive has become easier for both organizationally managed and personal devices. Most MDM platforms allow the organization’s administrator to lock the device and wipe the hard drive. Before doing so, a message can be displayed on the device in the event it is recovered. This can also be done with services like Apple’s “Find My [device]” for personal devices. Each of these assures the organization or person that the information on the device cannot be accessed.

Anti-virus/malware software has been around for many years and is just as important now as it was in the past. When running and up-to-date on a device, the software can protect against both viruses and potentially unwanted programs (PUPs). Viruses and PUPs can infect a machine with malware and ransomware, which can truly cripple an organization or person.

Ransomware is a type of malware where the data on a device is encrypted, and a user cannot access it. The cybercriminal can hold the data ransom for a set price or threaten to release the data publicly or onto the dark web. These cybercriminals are often difficult to catch, and depending on the type of data or the ability to restore the data from backups, the ransoms are often paid.

Anti-virus/malware software, in addition to training people on things like phishing, can help mitigate this risk, but it only magnifies the need for proper disaster recovery planning and data backup.

Services like OneDrive, Backblaze, CrashPlan, and Carbonite (to name a few) offer reliable cloud-based backup of key files in the event of a cyber-attack or natural disaster.

Google’s Backup and Sync allows users to specify folders on their laptops and desktops to be synced with their Google Drive accounts with a simple one-time install and configuration.

Additionally, services like Apple’s Time Machine and Carbon Copy Cloner provide a local, whole-disk backup for machine-level recovery.

IN CONCLUSION
Cyber threats are real and only growing in their frequency and sophistication. There are careers and companies built around this threat, and not every organization has the knowledge, personnel, or budget to deal with these threats as they might like.

Often the number of threats and the things you need to think about can be overwhelming. By focusing on the “low hanging fruit,” organizations can pick those that are most easily digested and implemented.

While there are many more technical things to consider, where either an introductory audit (Educational Collaborators) or a full cybersecurity audit (Ankara) from a credible security firm would be beneficial and even recommended, these pieces of fruit can most easily get you started.

Please share your thoughts and ideas on the post in the comments.


About William Stites

Currently the Director of Technology for Montclair Kimberley Academy, occasional consultant, serial volunteer for ATIS, husband, and father to two crazy kids who make me smile every day.