The Cyber Blog is an initiative of Indiana's Educational Cybersecurity Task Force, a partnership between the Indiana CTO Council and the Indiana Department of Education.
Need to Know: Implementing Role-Based Access Controls
Posted by Tim Pritchett on 12/9/2019
Managing an ever-increasing volume of data in any organization can be challenging. Navigating privacy laws like FERPA, HIPAA, and COPPA while delivering the necessary services for students is a full-time undertaking. As organizations have grown, and their databases and the scope of their data have grown with them, managing access to that data has become a critical task. Large school corporations must establish policies or practices for determining the depth and duration of data access.
A Role-Based Access Control (RBAC) model is a tested solution to the issues presented with data access management. At a minimum, RBAC provides an architecture for a “need to know” data management policy. Additionally, this model provides a school corporation a justification for why people have access to the data they use at work and a defense if access is denied. The model involves thoughtful decisions about Users or User Groups, their Role, and the Rights to Assets that those users or groups need to effectively do their jobs.
Users and User Groups
In an organization of 2,000 employees or even 200, making individual decisions for every user for every piece of data or job function is far from a sustainable practice. Identifying organizational units, typically buildings or departments, is the first step to segregating your data and ultimately separating data access. Those organizational units within Microsoft Active Directory or Google Admin Console, for example, allow you to crosswalk those data lines to any other system like your SIS.
Once your users are grouped into a manageable number of organizational units, you can begin defining roles that span those units. Administrator, Teacher, Support Staff, Administrative Assistant, etc. are common roles in a school corporation. Based on their employee type, an individual user is assigned a role and one or more organizational units upon account creation or position change. You may find roles that span all entities in your school system for some users, or roles that are confined to a single building.
Rights and Assets
Now that you have answered the “Who?” you can move on to the “What?” Whether it is access to shared files in a Team Drive or Sharepoint site, the ability to modify a master schedule in the SIS, or membership in an email distribution list, your RBAC model defines what rights and what assets a user can access. As you modify and edit the rights for a role, keep in mind that you will no longer give individual employees access to specific information or assets, but make decisions based on the job function of that role. Changes impact all members of that role.
- Identify or review the number and scope of your user groups
- Assemble a team of key stakeholders including individuals outside of your technology department to review job functions and necessary access levels
- Schedule phased implementation
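The model described above (users assigned to organizational units, rights granted to roles rather than to individuals, assets owned by a unit) can be made concrete in a few dozen lines. The following is an added example, not code from the original post or from any directory or SIS product; the unit names, roles, and assets are constructed placeholders, and the `justify` helper is included because the post notes that RBAC should give you a defensible record of why access was granted or denied.

```python
"""Minimal role-based access control (RBAC) model for a school corporation.

This is an added illustration, not code from the original post. The roles,
organizational units and assets below are constructed examples; a real
deployment would source users and units from a directory such as Active
Directory or Google Admin Console and the assets from the SIS, Team Drive
or SharePoint.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set, Tuple

# A permission pairs a right with an asset, e.g. ("edit", "master_schedule").
Permission = Tuple[str, str]


@dataclass(frozen=True)
class Role:
    """Rights are granted to the role, never to an individual employee."""
    name: str
    permissions: FrozenSet[Permission]


@dataclass
class User:
    username: str
    role: Role
    # Organizational units (buildings or departments) assigned at account
    # creation or position change. "*" marks a district-wide assignment.
    units: Set[str] = field(default_factory=set)


# Each asset belongs to an organizational unit; "district" assets are visible
# to every unit, the others only to members of the owning unit.
ASSETS: Dict[str, str] = {
    "master_schedule": "district",
    "hs_team_drive": "high_school",
    "elem_team_drive": "elementary",
    "staff_distribution_list": "district",
}

TEACHER = Role("teacher", frozenset({
    ("read", "master_schedule"),
    ("read", "hs_team_drive"), ("write", "hs_team_drive"),
    ("read", "elem_team_drive"), ("write", "elem_team_drive"),
}))
ADMIN_ASSISTANT = Role("administrative_assistant", frozenset({
    ("read", "master_schedule"),
    ("manage", "staff_distribution_list"),
}))
ADMINISTRATOR = Role("administrator", frozenset({
    ("read", "master_schedule"), ("edit", "master_schedule"),
    ("read", "hs_team_drive"), ("read", "elem_team_drive"),
    ("manage", "staff_distribution_list"),
}))


def denial_reason(user: User, right: str, asset: str) -> Optional[str]:
    """Return why access is denied, or None when it is allowed.

    Access requires BOTH: the role grants the right on the asset, and the
    user's organizational units cover the unit that owns the asset.
    """
    if asset not in ASSETS:
        return f"unknown asset '{asset}' (deny by default)"
    if (right, asset) not in user.role.permissions:
        return f"role '{user.role.name}' does not grant '{right}' on '{asset}'"
    unit = ASSETS[asset]
    if unit != "district" and unit not in user.units and "*" not in user.units:
        return f"'{asset}' belongs to unit '{unit}', which {user.username} is not assigned to"
    return None


def is_allowed(user: User, right: str, asset: str) -> bool:
    return denial_reason(user, right, asset) is None


def justify(user: User, right: str, asset: str) -> str:
    """Human-readable record for audits: why access was granted or denied."""
    reason = denial_reason(user, right, asset)
    if reason is None:
        return (f"ALLOW {user.username}: role '{user.role.name}' grants "
                f"'{right}' on '{asset}'")
    return f"DENY {user.username}: {reason}"


if __name__ == "__main__":
    elem_teacher = User("jdoe", TEACHER, {"elementary"})
    principal = User("asmith", ADMINISTRATOR, {"*"})
    for u, r, a in [(elem_teacher, "write", "elem_team_drive"),
                    (elem_teacher, "write", "hs_team_drive"),
                    (elem_teacher, "edit", "master_schedule"),
                    (principal, "edit", "master_schedule")]:
        print(justify(u, r, a))
```

Note the two separate checks in `denial_reason`: an elementary teacher holds the same role as a high-school teacher, so the role grants write access to both Team Drives, but the unit assignment confines each teacher to their own building. Editing a role's permission set changes the outcome for every member of that role at once, which is exactly the behaviour the post describes.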
Tim Pritchett is the Director of Technology at Monroe County Community School Corporation in Bloomington, Indiana. Tim holds a technical degree in Cybersecurity and Information Assurance in addition to CompTIA Security+ certification.
Cyber Incident Containment and Best Practices for Prevention
Posted by IN Cybersecurity Task Force on 11/7/2019
Indiana's Educational CyberSecurity Task Force has worked with the IDOE and the Indiana Information Sharing and Analysis Center (IN ISAC) to develop the document linked below to make your school district aware of a known cyber threat that has affected K-12 districts in the state of Louisiana and in another state that has not yet been named. This event has significantly impacted instruction in those states, and it can be prevented. The Louisiana incident led to the governor issuing a state of emergency and to school districts losing data, experiencing downtime, and incurring significant expense. To prevent such an event for schools in the state of Indiana, these recommendations, along with other preventive measures, should be considered by your leadership and IT services teams.
Passwords: The Top Secret
Posted by Shawn Iverson, CETL on 11/4/2019
Although National Cybersecurity Awareness Month (NCSAM) in October has come to an end, cybersecurity awareness is no less of an issue in every other month of the year. In November, we shift our attention from Phishing: The Top Cyber Threat to Passwords: The Top Secret. Your passwords are among the most sought-after secrets that phishing scams target, and their loss can lead to further data theft and data loss for you and your organization.
Once hackers have obtained one or more of your passwords, they can continue their campaign toward their desired goals, such as data theft or data held for ransom (ransomware), usually for financial gain. The use of stolen credentials ranks immediately behind phishing as the top threat action in breaches.
Unfortunately, in addition to the threat of phishing, a majority of people reuse their passwords across multiple services and continue to use weak, guessable passwords. Many password compromises don't involve phishing at all: simply guessing a password, or using common techniques such as brute force, can be enough. Once a password is obtained, hackers have access to every network and service where the same password has been reused.
Managing security in any organization is difficult. In a public school district with limited funding and personnel, the scope of cybersecurity hardening can be overwhelming. One of the most common security holes in schools is the creation of default passwords. Schools may be implementing weak, predictable passwords en masse based on patterns, despite digital security being one of the essential nine elements of digital citizenship. The practice of predictable passwords not only exposes schools to compromise internally and externally, it also has the lasting and unintentional effect of silently teaching the wrong "3 P's" of Cybersecurity: Poor Password Practices. Schools are encouraged instead to develop a strong password policy, such as randomly generating passwords according to the current NIST guidelines for memorized secrets.
Steps you can take to be more secure today:
- Do not use passwords based on other information and patterns, including birthdays, phone numbers, initials, family names, locker combinations, pin numbers, life events, and other personally identifiable information.
- Never store passwords in plain text on a computer in a document or spreadsheet.
- If written down, store in a safe and secure location to which only you have access. (Safer)
- Use an encrypted password manager to secure passwords and generate strong and random unique passwords and passphrases for each service. (Safest)
- Longer passwords using combinations of different characters are better and take exponentially more effort to crack for each character added.
- Use passphrases (combinations of multiple words) instead of passwords. They are much longer and easier to remember. More words are better.
- Use Two-factor Authentication (2FA) whenever possible, especially for sensitive services such as online banking and administrative level accounts.
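The post recommends random generation under the NIST guidelines for memorized secrets and warns against passwords built from personal information or patterns. The following is an added example, not code from the original post or from NIST: it generates a passphrase from a word list using a cryptographic random source, reports the entropy of the result, and screens a candidate password the way NIST SP 800-63B section 5.1.1.2 describes (minimum length, a blocklist of common or compromised passwords, context-specific words such as the school name, and repetitive or sequential characters). The word list, the blocklist and the school name are constructed samples.

```python
"""Passphrase generation and memorized-secret screening.

Added example, not code from the original post; it follows NIST SP 800-63B
section 5.1.1.2 (minimum length, blocklist of common or compromised
passwords, context-specific words, repetitive or sequential characters).
The word list and blocklist below are small constructed samples; use a
full diceware-style list (7,776 words) and a real breached-password corpus
in practice.
"""
import math
import re
import secrets
from typing import Iterable, List, Optional, Sequence

# Constructed 32-word sample list (5 bits of entropy per word).
WORDS: List[str] = [
    "acorn", "basket", "cactus", "dolphin", "ember", "falcon", "garnet",
    "harbor", "island", "jigsaw", "kettle", "lantern", "meadow", "nutmeg",
    "orbit", "pebble", "quartz", "ribbon", "saddle", "timber", "umbrella",
    "velvet", "walnut", "xenon", "yonder", "zephyr", "anchor", "bridge",
    "canyon", "desert", "engine", "forest",
]

# Constructed blocklist sample; real lists hold millions of entries.
BLOCKLIST: Sequence[str] = ("password", "password123", "welcome1", "letmein", "qwerty123")


def entropy_bits(wordlist_size: int, word_count: int) -> float:
    """Entropy of a passphrase drawn uniformly at random from the list."""
    return word_count * math.log2(wordlist_size)


def generate_passphrase(word_count: int = 5, words: Sequence[str] = WORDS, sep: str = "-") -> str:
    """Pick words with the CSPRNG in `secrets`, never the `random` module."""
    return sep.join(secrets.choice(words) for _ in range(word_count))


def _has_sequential_run(s: str, length: int) -> bool:
    """True if `s` contains `length` consecutive ascending or descending characters (abcd, 4321)."""
    for i in range(len(s) - length + 1):
        chunk = s[i:i + length]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def screen_memorized_secret(candidate: str, blocklist: Iterable[str] = BLOCKLIST,
                            context_words: Iterable[str] = ()) -> Optional[str]:
    """Return a rejection reason, or None if the candidate is acceptable.

    `context_words` are things an attacker could guess about the account:
    the username, school or district name, mascot, and so on.
    """
    if len(candidate) < 8:
        return "shorter than 8 characters"
    lowered = candidate.lower()
    if lowered in {b.lower() for b in blocklist}:
        return "appears on the blocklist of common or compromised passwords"
    for word in context_words:
        w = word.lower().replace(" ", "")
        if w and w in lowered.replace(" ", ""):
            return f"contains context-specific word '{word}'"
    if re.search(r"(.)\1{3,}", candidate):
        return "contains a run of repeated characters"
    if _has_sequential_run(candidate, 4):
        return "contains a sequential character run"
    return None


if __name__ == "__main__":
    phrase = generate_passphrase(5)
    print(phrase, f"({entropy_bits(len(WORDS), 5):.1f} bits from this sample list)")
    print("6 words from a 7,776-word list:", f"{entropy_bits(7776, 6):.1f} bits")
    for c in ["Password123", "12345678", "RushCounty2019!", phrase]:
        print(c, "->", screen_memorized_secret(c, context_words=["Rush County"]) or "ok")
```

Each added word multiplies the number of possible passphrases by the list size, which is why the entropy grows linearly in bits (and exponentially in guesses) with length, the point the list above makes about longer passwords. The screening function returns the first reason it finds so that a self-service password page can tell the user what to change.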
Krebs on Security password dos and don'ts
Google's Create a strong password & a more secure account
Security Boulevard's Summary of NIST 800-63 Password Guidelines
Shawn Iverson is the Director of Technology at Rush County Schools. He serves on the Educational Cybersecurity Task Force and participates in raising cybersecurity awareness at conferences such as the Hoosier Educational Computer Coordinators (HECC) Conference held each November.
Phishing: The Top Cyber Threat
Posted by Jason Bailey, Ph.D, CETL on 10/15/2019
Each October, IT professionals turn their focus to a topic that has grown in intensity with each passing year. National Cybersecurity Awareness Month (NCSAM) is a collaborative effort between government and industry to “raise awareness about the importance of cybersecurity and to ensure that all Americans have the resources they need to be safer and more secure online.” In Indiana, we have responded to this growing need by gathering leaders of education technology, and creating a task force to scale up our efforts to safeguard school networks, protect student data, and educate our users about how to develop better online habits.
This last piece is one of the most critical in all of cybersecurity. While you may have a preconceived idea of hackers manipulating code to infiltrate your systems, it is far more likely that cyber criminals will manipulate people to gain the access they need. In fact, most breaches involve phishing and more than 75% of organizations and businesses were targeted by phishing scams in each of the past two years.
If you are less than familiar with the term, Phishing is a “fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication.” While designing a program to get someone’s password is fairly complicated, it turns out that designing an email that convinces them to just tell you... isn’t very complicated at all. In fact, Verizon reported that 30% of phishing messages get opened, and 12% of targeted users click on the malicious attachment or link.
Several studies indicate that phishing attacks are still on the increase. Phishing remains the preferred vector for cyber threat actors, and organizations cite phishing as the top cyber threat. Last year alone, the FBI’s Internet Crime Complaint Center registered more than $1.2 billion lost to email account compromise, and it is likely that these breaches are vastly underreported.
So, how can we begin to protect ourselves and our school districts against this cyber menace? Two of the most popular responses are education and assessment. Since our staff are the targets of these repeated attempts, we must increase their awareness of the threat and their ability to recognize it when they see it. Many districts have already undertaken an awareness campaign using district communication as well as online training modules to teach employees how to pick up on the warning signs of a phishy email. In conjunction with this training, districts have been conducting their own phishing campaigns to find out which employees are most likely to take the bait, and doing extra remediation with those most at risk. Schools that have sent a baseline phishing email ahead of awareness training have seen a substantial improvement in those click-rate numbers through the course of a campaign. If you are an IT leader in an Indiana public school, you can take advantage of an initiative we’ve just launched at the IDOE which can lend you this capacity at no cost to your district.
Steps you can take to be more secure today:
- Regularly update security software on your computer, and run updates on your cell phone
- Frequently back up your critical files to an external drive or cloud storage
- Educate yourself (and your staff) on scam tip-offs like generic greetings, bogus email accounts, and pressure tactics designed to make you click on the bait
- Scrutinize URLs to make sure they will lead to a legitimate top-level domain
- If in doubt, don’t click, and hover over links to reveal the real URL
- Report any suspicious emails to your district’s IT department
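Two of the steps above, scrutinizing the URL and hovering to reveal the real link target, can be automated for a mail filter or a training tool. The following is an added example, not code from the original post or from any product: it compares the link text a reader sees with the real `href`, and flags the tell-tales the list mentions (a host that is a bare IP address or sits outside the district's trusted domains, credentials smuggled before an `@`, and a visible URL whose host differs from the real one). The trusted domain set is a constructed placeholder, and the registrable-domain logic is deliberately simplified.

```python
"""Defensive link check: does a link really lead where it appears to?

Added example, not code from the original post. The trusted domain set is a
constructed placeholder; substitute the domains your district actually uses.
The registrable-domain logic is deliberately simple (last two labels) and
does not handle suffixes like co.uk; use the Public Suffix List for that.
"""
import ipaddress
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed placeholder: domains the district legitimately sends links to.
TRUSTED_DOMAINS = {"example-district.test", "example-sis.test"}


def hostname(url: str) -> Optional[str]:
    """Lower-cased host of a URL, or None if it has none."""
    if url.lower().startswith("www."):
        url = "http://" + url  # urlsplit needs a scheme to see the host
    host = urlsplit(url).hostname
    return host.lower() if host else None


def registrable_domain(host: str) -> str:
    """Simplified: the last two labels (portal.example.test -> example.test)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_link(display_text: str, href: str) -> List[str]:
    """Return warnings for an email link; an empty list means nothing suspicious was found.

    `display_text` is what the reader sees; hovering reveals `href`.
    """
    warnings: List[str] = []
    parts = urlsplit(href)
    host = hostname(href)
    if parts.scheme.lower() != "https":
        warnings.append("link does not use https")
    if parts.username is not None:
        warnings.append("URL embeds credentials before '@'")
    if host is None:
        warnings.append("link has no host")
        return warnings
    if is_ip_literal(host):
        warnings.append("host is a bare IP address")
    elif registrable_domain(host) not in TRUSTED_DOMAINS:
        warnings.append(f"domain '{registrable_domain(host)}' is not on the trusted list")
    # If the visible text itself looks like a URL, its host must match the real one.
    if re.match(r"^(https?://|www\.)", display_text.strip(), re.IGNORECASE):
        shown = hostname(display_text.strip())
        if shown and shown != host:
            warnings.append(f"display text shows '{shown}' but link goes to '{host}'")
    return warnings


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a suspicious email.
    samples = [
        ("https://portal.example-district.test/login", "http://203.0.113.5/login"),
        ("Staff portal", "https://portal.example-district.test/login"),
        ("Click here", "https://portal.example-district.test.evil.test/login"),
    ]
    for text, link in samples:
        print(text, "->", link, ":", classify_link(text, link) or "ok")
```

The third sample shows why the check looks at the registrable domain rather than the start of the hostname: `portal.example-district.test.evil.test` begins with a familiar name but is registered under `evil.test`. Reports from staff (the last step above) are the input that keeps a trusted-domain list like this one current.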
How to Recognize and Avoid Phishing Scams (Federal Trade Commission)
National Cybersecurity Awareness Month 2019 (NICCS)
Jason Bailey is the Senior Specialist of Workforce and Digital Learning for the Indiana Department of Education. He serves on the CTO council board, and is a liaison to the Educational Cybersecurity Task Force.