
Cybersecurity for School Districts

Presented to NJASBO

June 5, 2019


School Districts in the News


Cyber Fraud is Big Business

Malware is specifically written to target bank accounts, credit card information, personal information, etc.

Hackers for hire

Turn Key Solutions
• Fraud As A Service (FAAS)
• Attacks As A Service (AAAS)
• Malware As A Service (MAAS)
• Ransomware As A Service (RAAS)

Products and Services come with warranties, feature requests, training programs and customer support.


Web Layers


Dark Web Markets


Cyber Threat Landscape


Social Engineering

Social Engineering – The act of tricking you to perform an action or disclose information to a cyber criminal through social interaction.
• Also, the primary method students use to obtain teacher credentials.

Actions are things such as:
• Clicking on Links
• Downloading and Executing a File
• Opening a Microsoft Office type document or PDF
• Submitting information into a form
• Providing information over the phone


Ransomware

Ransomware = Cyber extortion
• It is evolving and becoming more targeted.
• Ransoms are becoming more tailored.

Ransomware may be designed to:
• Encrypt all data or systems on the network it can reach.
• Take down systems by way of denial of service attacks.
• Threaten to expose sensitive information, e.g., Social Security Numbers, Credit Card Numbers, etc.


Cloud and Mobility

Many school districts are moving to cloud-based solutions for their key applications.
• Manage and store student records.
• Support classroom education and assignments.
  − “Smart Classrooms”
• Allows for interaction and communication with parents.
• Students are provided tablets, laptops, and/or Chromebooks.
• Faculty and Administrators connect their personal mobile devices.


Cloud and Mobility

Data is being stored in places (e.g., employee personal devices) where it cannot be effectively controlled and protected.

Shadow IT has increased dramatically.
• Faculty and administrators find their own solutions to interact with students and parents and to store student data.
• Security and privacy of these systems are not assessed.


Known Weaknesses and Misconfigurations

The following are used by internal and external threat actors.
• Known Vulnerabilities (Unpatched Systems)
• Insufficient Endpoint Monitoring
• Default Credentials
• Vulnerable Web Applications
• Weak Network Configurations and Design
• Third Party Connections


Third Party Due Diligence


Third Party Risk Management

School districts have specific obligations to protect student data:
• FERPA – Family Educational Rights and Privacy Act.
• COPPA – Children's Online Privacy Protection Act.
• State Breach Notification Laws.

These obligations do not end when using Third Parties.


Third Party Risk Management

Any connection to your environment is an exposure point. Allowing a third party to create, maintain, use, transfer or destroy information on your behalf creates risk.

Vendor management and monitoring is critical. Vendors are a means to delegate a task. Responsibility will always remain with the organization and cannot be delegated.
• Issue security based questionnaires.
• Obtain and review a vendor’s Service Organization Control (SOC) 1 or 2 report.


Cybersecurity Playbook

Senior Management/Board oversight and support is key.
• The Board and Management must understand their role.
  − Educate the Board
• Make cybersecurity an agenda item.

Establish a role or department with the appropriate skill set and sufficient authority to oversee, manage and communicate cyber risk.


Cybersecurity Playbook

Do not assume that information security is only an IT issue.
• Cybersecurity is a District issue that requires the assistance of a technical solution.
  − Everyone has a role!

Establish or verify you have a well-defined IT security governance and risk assessment/management program.
• Cyber risks must factor in People, Process and Technology.
• View Cybersecurity as a key component in providing a safe and effective educational environment.


Cybersecurity Playbook

Embrace a “Zero Trust” model.
• Everything should be considered hostile.
• The network needs to be architected to shield all systems and data repositories from internal and external threats.

Embrace that an education environment can be both Open and Secure at the same time.


Cybersecurity Playbook

Ensure the District has identified and documented all the processes that result in the creation, transfer or storage of sensitive information (credit card numbers, social security numbers, etc.).

Ensure Faculty and Administrators only use approved District applications and store data in approved repositories.

Ensure you have strong procedures around the electronic transfer or movement of money.

Ensure your e-mail security appliances are effectively configured to detect malicious e-mails.


Cybersecurity Playbook

Provide routine security awareness training.
• Your employees are your biggest security investment and vulnerability.
• Phishing training is essential.

Perform due diligence on all third parties.

Have strong password controls for all staff and students. Use two-factor authentication when possible.
• If not possible, strong passwords are key.
• Train employees to use passphrases, e.g., “Cybersecurity Starts with Me!”


Cybersecurity Playbook

Ensure that a sound and well-tested backup and recovery methodology exists.

Publish a business continuity, disaster recovery and incident response strategy that is aligned to the District’s needs.

Publish a mobile device strategy.

Ensure media is sanitized appropriately before selling or gifting.


Cybersecurity Playbook

Obtain cyber liability insurance and know the role it will play in incident response situations.

Have routine independent IT cyber/security assessments.


Procurement – IT/Cyber Security

Overview of Public Schools Contracts Law:

• Professional Service

• Extraordinary Unspecifiable Service

• Competitive Contracting

• State Contract/Cooperative Purchasing Agreement


Procurement – IT/Cyber Security

Professional Service:
• Professional services are services rendered or performed by a person authorized by law to practice a recognized profession, whose practice is regulated by law, and the performance of which services requires knowledge of an advanced type in a field of learning acquired by a prolonged formal course of specialized instruction and study as distinguished from general academic instruction or apprenticeship and training.


Procurement – IT/Cyber Security

Professional Service (continued)

• Whether a contract could be awarded under this option is dependent upon the company proposing to perform the engagement.

− Key question to ask - Are they regulated by law?


Procurement – IT/Cyber Security

Extraordinary Unspecifiable Service:
• Extraordinary unspecifiable services are services which are specialized and qualitative in nature requiring expertise, extensive training and proven reputation in the field of endeavor.


Procurement – IT/Cyber Security

Extraordinary Unspecifiable Service (continued):

• Keys to awarding a contract under this provision:
  − The need for expertise, extensive training and proven reputation in the field of endeavor must be critical and essential to the project, and not merely a desire to have a reliable job performed.
  − The services must be of such a qualitative nature that the performance of the services cannot be reasonably described by written specifications.


Procurement – IT/Cyber Security

Competitive Contracting:
• Competitive contracting means the method described in sections 1 through 5 of P.L.1999, c.440 (C.18A:18A-4.1 thru 18A:18A-4.5) of contracting for specialized goods and services in which formal proposals are solicited from vendors; formal proposals are evaluated by the purchasing agent or counsel or administrator; and the governing body awards a contract to a vendor or vendors from among the formal proposals received.


Procurement – IT/Cyber Security

Competitive Contracting (continued):
• May be used under the following provisions:
  − At the option of the governing body of the contracting unit, any good or service that is exempt from bidding pursuant to section 5 of P.L.1971, c.198 (C.18A:18A-5).
  − The operation, management or administration of other services, with the approval of the Director of the Division of Local Government Services.


Procurement – IT/Cyber Security

Cooperative Purchasing Agreements:
• New Jersey has a state contract for auditing services, including IT related audits.
• Some cooperatives with educational services commissions have cooperative contracts for auditing or IT security services.


Contact Information

www.pkfod.com

Thomas DeMayo, Principal, Cyber Risk Management
[email protected]

David Gannon, Partner, Public Sector Services
[email protected]

Offices:
• 665 Fifth Avenue, New York, NY 10022, T: 212.286.2600
• 500 Mamaroneck Avenue, Harrison, NY 10528, T: 914.381.8900
• 20 Commerce Drive, Suite 301, Cranford, NJ 07016, T: 908.272.6200
• 300 Tice Boulevard, Suite 315, Woodcliff Lake, NJ 07677, T: 201.712.9800
• 293 Eisenhower Pkwy, Suite 270, Livingston, NJ 07039, T: 973.535.2880
• 3001 Summer Street, 5th Floor East, Stamford, CT 06905, T: 203.323.2400
• 32 Fostertown Rd, Newburgh, NY 12550, T: 845.565.5400
• 100 Great Meadow Road, Wethersfield, CT 06109, T: 860.257.1870
• 2 Bethesda Metro Center, Suite 420, Bethesda, MD 20814, T: 301.652.3464
• 40 Westminster Street, Suite 600, Providence, RI 02903, T: 401.621.6200