The Superintendent’s Worst Fear ESC Region 1 Finance Advisory Council November 10
Superintendents Imagine having to notify parents or employees that their personal privacy has been violated!!!!!!
Martin Yarborough BS, MEd, PhD (Tarleton and NIU) • 35 yrs in Education • Teacher (Granbury, Glen Rose), • Principal (Glen Rose), • CIO (Glen Rose, Granbury, Stephenville, Abilene, Fort Worth ISD) • 10 yrs managing Dell Ed Services • Owner – Martin Yarborough and Associates since 2008 • Author – CCSESA Cybersecurity Framework for K-12 Schools in California • Recognized expert – Assessments, Security and Disaster/Recovery •
Objective of this Discussion I want to provide you a recipe for, maybe not preventing but certainly mitigating, cyber attacks on your district
Cybercrime is … …a malicious breach of a school’s security to expose sensitive and confidential data.
Cybercrime has … …touched organizations of every size and shape in every industry – including K-12 school districts.
Cybercrime looks like … …students hacking into databases to change grades. …hackers instigating a DDOS (denial of service) attack which stops electronic testing. …thieves stealing personal identification information (PII) and posting it on the internet. …staff losing a laptop or tablet with access to highly sensitive information. … ransomware being used to hold a district hostage and costing thousands of $$$.
Equifax • Exposed personal data of over 143 MM Americans. • Cyber attack exploited a software program containing: • Names • SSN • DOB • Other personal data • Many executives sold their stock (loss of $4.4 BB) • CIO retired ??? • CSO retired ??? • CEO got FIRED !!!!!!
So What … An attack on a school’s IT system can compromise the ability to teach. If personal information is exposed, districts may be subject to penalties under FERPA including the loss of potential federal funding. Civil Lawsuits could cost millions. Districts may find they aren’t covered for damages under traditional business interruption insurance policies. District business offices may not be able to function for a period of time and fulfil timely requirements such as payroll.
One thing is clear… • Many cybercrime events are preventable. • K-12 institutions need to have a strategy for minimizing the likelihood of a breach as well as a plan to deal with the fallout after one takes place.
Is this for real?
2016 Netwrix survey
2016 Netwrix survey
2016 Netwrix survey
49% of educational institutions have faced security incidents caused by human errors, and 37% have had security incidents due to malware. 2016 Netwrix survey
2016 Netwrix survey
Educational institutions named lack of budget (74%), lack of time (54%) and insufficient participation of senior management (44%) as the main obstacles to taking a more efficient approach towards cyber risk management. 2016 Netwrix survey
2016 Netwrix survey
Oh My! This is for real
May 22, 2017 Texas Association of School Boards Inadvertently posted the names and social security numbers of Texas school employees publically on the Internet. Corpus Christi ISD Halletsville ISD Laredo ISD Shriner ISD Edcouch-Elisa ISD Killeen ISD La Hoya ISD Ector County ISD Laredo ISD Leander ISD Los Fresnos CISD Round Rock ISD Mission CISD Alief ISD Monte Alto ISD San Benito CISD Progreso ISD Fort Worth ISD Rio Grande City CISD Beaumount ISD Lyford CISD Bridge City ISD McAllen ISD Port Arthur ISD San Perlita ISD Kountze ISD South Texas ISD West Orange-Cover CISD United ISD Midway ISD Weslaco ISD Temple ISD Victoria ISD Robinson ISD Calhoun County ISD Glen Rose ISD Goliad ISD Pflugerville ISD
2017 Argyle ISD Victim of an email phishing scheme. Employees were victimized by a W-2 scam affecting most employees as reported by EdTech Strategies.
2016 Region XI Service Center A cyber attack that paralyzed the websites of at least 2 area school districts for several days and sidelined the websites of many more in the region. Affected commerce, testing and student records.
May 12, 2017 Mesquite ISD Food & Nutrition Services was hit by a cyber attack that crippled the POS systems and affected student nutrition accounts.
May 14, 2017 DeWitt-Lavaca SPED Cop Encountered a ransomware attack which compromised all student SPED records. The files were encrypted rendering them inaccessible and non-functioning. Data was lost and had to be re-created.
2017 Calallen ISD Encountered a ransomware attack which compromised all computers in the district. The attack infected most servers in the district.
2016 Santa Rosa ISD Encountered a malware attack causing the district to go without computers and telephones while repairs were made.
Why? Since 2005, • approximately 14,750,000 educational data records have been compromised. • 755 educational institutions (K-12 and HiEd) cyber security breaches have been reported and made public.
Cyber Crime costs projected to reach $2 TRILLION by 2019 … Forbes
Cyber crime may not be prevented… 70% of the issues are human-caused 30% are caused by technology.
But … • Many schools do not have the appropriate resources to develop a Cyber security Awareness program. • Policies are outdated. • Staff are not aware of the policies. • Many IT departments do not have the time, resources or the ability to develop awareness programs. • Security becomes important when a breach occurs!
Establishing a model for How… security involving risk management, security design, security implementation and verification. The ideas, customs and social behavior of a particular society that allows them to be free from danger or threats. Defining how an organization addresses constraints on behavior to protect the physical and information technology assets.
Texas Schools need a common approach
The madness has to stop!!!
Here it is ….
Lets see how it can work implementing in 7 phases ….
Prioritize and Scope Entire district? • Subset of entire district? • Critical departments? • Understanding district governance. • Understanding how the district • calculates risk. Identify stakeholders. • Generate the Project Plan • 2-3 meetings •
Prioritize and Scope Orient Getting ready to ask “Where are we • now”. Understand NIST framework tiers and • how they work. Partial Risk Informed Increasing Maturity Repeatable Adaptive 3 workshops •
Prioritize and Scope Orient Create a Current Profile Using the NIST Framework Tiers, review • the framework enablers and assign each a Framework Tier level. Several short meetings • Surveys • Survey validations •
Prioritize and Scope Orient Create a Current Profile Conduct a Risk Assessment Commission a Security Risk • Assessment. Review results of risk assessment • and compare to perception of Current Profile. Security Assessment • ISO 27001 Review Electronic vulnerability scans Penetration testing (internal/external)
Prioritize and Scope Orient Create a Current Profile Conduct a Risk Assessment Work with stakeholders to • Generate a generate a Target Profile. Target Profile Consider Budget, Personnel, Time • Mitigate findings of the Risk • Assessment Facilitated meetings • 2 weeks •
Prioritize and Scope Orient Create a Current Profile Conduct a Risk Assessment Compare the Current (AS-IS) to • Generate a the Target (TO-BE) and identify Target Profile the gaps. Document the gaps into a series • Analyze, of projects to be performed. Prioritize and Determine Working with a Project Mgr • Gaps 2-3 weeks •
Prioritize and Scope Orient Create a Current Profile Conduct a Risk Assessment Convert the identified gaps into a • Generate a series of project proposals. Target Profile Assign each project proposal to a • competent project manager. Develop project plans, risk plans, Analyze, • Prioritize and communication plans and quality Determine plans for each identified gap. Gaps Develop a budget for remediation. • Begin “fixing” your security issues. • Develop and Implement Action Plans
You may need some help to do this …. • Martin Yarborough & Associates • Netsync Network Solutions • http://www.martinyarborough.com • http://netsyncnetwork.com • (817)408-5725 • (866)974-5959 • info@martinyarborough.com • info@netsyncnetwork.com
Recommend
More recommend
