Cybersecurity for School Districts
Presented to NJASBO
June 5, 2019
School Districts in the News
Cyber Fraud is Big Business
Malware is specifically written to target bank accounts, credit card information, personal information, etc.
Hackers for hire
Turn Key Solutions
• Fraud As A Service (FAAS)
• Attacks As A Service (AAAS)
• Malware As A Service (MAAS)
• Ransomware As A Service (RAAS)
Products and Services come with warranties, feature requests, training programs and customer support.
Web Layers
Dark Web Markets
Cyber Threat Landscape
Social Engineering
Social Engineering – The act of tricking you to perform an action or disclose information to a cyber criminal through social interaction.
• Also, the primary method students use to obtain teacher credentials
Actions are things such as:
• Clicking on Links
• Downloading and Executing a File
• Opening a Microsoft Office type document or pdf
• Submitting information into a form
• Providing information over the phone
Ransomware
Ransomware = Cyber extortion
• It is evolving and becoming more targeted.
• Ransoms are becoming more tailored.
Ransomware may be designed to:
• Encrypt all data or systems on the network it can reach.
• Take down systems by way of denial of service attacks.
• Threaten to expose sensitive information, e.g., Social Security Numbers, Credit Card Numbers, etc.
Cloud and Mobility
Many school districts are moving to cloud-based solutions for their key applications.
• Manage and store student records.
• Support classroom education and assignments.
− “Smart Classrooms”
• Allows for interaction and communication with parents.
• Students are provided tablets, laptops, and/or Chromebooks.
• Faculty and Administrators connect their personal mobile devices.
Cloud and Mobility
Data is being stored in places (e.g., employee personal devices) where it cannot be effectively controlled and protected. Shadow IT has increased dramatically.
• Faculty and administrators find their own solutions to interact with students and parents and to store student data.
• The security and privacy of these systems are not assessed.
Known Weaknesses and Misconfigurations
The following are used by internal and external threat actors.
• Known Vulnerabilities (Unpatched Systems)
• Insufficient Endpoint Monitoring
• Default Credentials
• Vulnerable Web Applications
• Weak Network Configurations and Design
• Third Party Connections
Third Party Due Diligence
Third Party Risk Management
School districts have specific obligations to protect student data:
• FERPA – Family Educational Rights and Privacy Act.
• COPPA – Children's Online Privacy Protection Act.
• State Breach Notification Laws.
These obligations do not end when using Third Parties.
Third Party Risk Management
Any connection to your environment is an exposure point. Allowing a third party to create, maintain, use, transfer or destroy information on your behalf creates risk. Vendor management and monitoring is critical. Vendors are a means to delegate a task. Responsibility will always remain with the organization and cannot be delegated.
• Issue security based questionnaires.
• Obtain and review a vendor’s Service Organization Control (SOC) 1 or SOC 2 report.
Cybersecurity Playbook
Senior Management/Board oversight and support is key.
• The Board and Management must understand their role.
− Educate the Board.
• Make cybersecurity an agenda item.
Establish a role or department with the appropriate skill set and sufficient authority to oversee, manage and communicate cyber risk.
Cybersecurity Playbook
Do not assume that information security is only an IT issue.
• Cybersecurity is a District issue that requires the assistance of a technical solution.
− Everyone has a role!
Establish or verify you have a well-defined IT security governance and risk assessment/management program.
• Cyber risks must factor in People, Process and Technology.
• View Cybersecurity as a key component in providing a safe and effective educational environment.
Cybersecurity Playbook
Embrace a “Zero Trust” model.
• Everything should be considered hostile.
• The network needs to be architected to shield all systems and data repositories from internal and external threats.
Embrace that an education environment can be both Open and Secure at the same time.
Cybersecurity Playbook
Ensure the District has identified and documented all the processes that result in the creation, transfer or storage of sensitive information (credit card numbers, social security numbers, etc.).
Ensure Faculty and Administrators only use approved District applications and store data in approved repositories.
Ensure you have strong procedures around the electronic transfer or movement of money.
Ensure your e-mail security appliances are effectively configured to detect malicious e-mails.
Cybersecurity Playbook
Provide routine security awareness training.
• Your employees are your biggest security investment and vulnerability.
• Phishing training is essential.
Perform due diligence on all third parties.
Have strong password controls for all staff and students.
Use two-factor authentication when possible.
• If not possible, strong passwords are key.
• Train employees to use passphrases, e.g., “Cybersecurity Starts with Me!”
Cybersecurity Playbook
Ensure that a sound and well-tested backup and recovery methodology exists.
Publish a business continuity, disaster recovery and incident response strategy that is aligned to the District’s needs.
Publish a mobile device strategy.
Ensure media is sanitized appropriately before selling or gifting.
Cybersecurity Playbook
Obtain cyber liability insurance and know the role it will play in incident response situations.
Have routine independent IT cyber/security assessments.
Procurement – IT/Cyber Security
Overview of Public Schools Contracts Law:
• Professional Service
• Extraordinary Unspecifiable Service
• Competitive Contracting
• State Contract/Cooperative Purchasing Agreement
Procurement – IT/Cyber Security
Professional Service:
• Professional services are services rendered or performed by a person authorized by law to practice a recognized profession, whose practice is regulated by law, and the performance of which services requires knowledge of an advanced type in a field of learning acquired by a prolonged formal course of specialized instruction and study as distinguished from general academic instruction or apprenticeship and training.
Procurement – IT/Cyber Security
Professional Service (continued)
• Whether a contract could be awarded under this option is dependent upon the company proposing to perform the engagement.
− Key question to ask: Are they regulated by law?
Procurement – IT/Cyber Security
Extraordinary Unspecifiable Service:
• Extraordinary unspecifiable services are services which are specialized and qualitative in nature requiring expertise, extensive training and proven reputation in the field of endeavor.
Procurement – IT/Cyber Security
Extraordinary Unspecifiable Service (continued):
• Keys to awarding a contract under this provision:
− The need for expertise, extensive training and proven reputation in the field of endeavor must be critical and essential to the project, and not merely a desire to have a reliable job performed.
− The services must be of such a qualitative nature that the performance of the services cannot be reasonably described by written specifications.
Procurement – IT/Cyber Security
Competitive Contracting:
• Competitive contracting means the method described in sections 1 through 5 of P.L.1999, c.440 (C.18A:18A-4.1 thru 18A:18A-4.5) of contracting for specialized goods and services in which formal proposals are solicited from vendors; formal proposals are evaluated by the purchasing agent or counsel or administrator; and the governing body awards a contract to a vendor or vendors from among the formal proposals received.
Procurement – IT/Cyber Security
Competitive Contracting (continued):
• May be used under the following provisions:
− At the option of the governing body of the contracting unit, any good or service that is exempt from bidding pursuant to section 5 of P.L.1971, c.198 (C.18A:18A-5).
− The operation, management or administration of other services, with the approval of the Director of the Division of Local Government Services.
Procurement – IT/Cyber Security
Cooperative Purchasing Agreements:
• New Jersey has a state contract for auditing services, including IT related audits;
• Some cooperatives with educational services commissions have cooperative contracts for auditing or IT security services.
www.pkfod.com
Thomas DeMayo, Principal, Cyber Risk Management
Contact Information
665 Fifth Avenue, New York, NY 10022, T: 212.286.2600
500 Mamaroneck Avenue, Harrison, NY 10528, T: 914.381.8900
20 Commerce Drive, Suite 301, Cranford, NJ 07016, T: 908.272.6200
300 Tice Boulevard, Suite 315, Woodcliff Lake, NJ 07677, T: 201.712.9800
293 Eisenhower Pkwy, Suite 270, Livingston, NJ 07039, T: 973.535.2880
3001 Summer Street, 5th Floor East, Stamford, CT 06905, T: 203.323.2400
32 Fostertown Rd, Newburgh, NY 12550, T: 845.565.5400
100 Great Meadow Road, Wethersfield, CT 06109, T: 860.257.1870
2 Bethesda Metro Center, Suite 420, Bethesda, MD 20814, T: 301.652.3464
David Gannon, Partner, Public Sector Services
[email protected]
40 Westminster Street, Suite 600, Providence, RI 02903, T: 401.621.6200