
How ready is your school to defend against cyber attacks?

Phishing. Viruses. Malware. Ransomware. Schools face multiple, ongoing threats to their digital security and safety. In fact, education is regarded as vulnerable and a popular target for hackers – and attacks are escalating. What can you do to protect yourself? How can you minimise the risk? INTERFACE investigates.


Assessing and managing the digital security risks facing your school

Globally, the education sector is one of the most targeted sectors for cyber attacks – and New Zealand is no different. Schools and kura hold sensitive student, staff and financial information that attackers can steal, sell, or use as leverage for extortion.

In addition, there’s an emotive factor at play with schools. Compromising students’ ability to learn would cause discomfort for most parents, and if a school is locked out of its systems or devices for a lengthy period, student learning is quickly disrupted. This gives attackers an emotive bargaining chip that they will aim to exploit.

Technology like Microsoft Teams, Zoom meetings and cloud file sharing offers exciting learning opportunities for rangatahi that prepare them well for a digital world. These tools are now so ever-present that they form part of the expected education offering for students. Increasingly connected learning environments between school and home, alongside schools providing more access to laptops and cloud apps to support learning, mean there are ongoing challenges in providing these services securely.

To get the most out of efforts to shore up your school’s defences against cyber threats, it’s key to do the basics well. Knowing your level of risk within your school’s digital environment is a fundamental step to get right, so you can then start to mitigate that risk.

Audit your environment

Hardware: How many computers and devices does your school/kura own and where are they? Do you have your own server? How many TVs, tablets and smartphones do you have? Do you have VoIP desk phones that rely on your network?

Software: Internal software that you host or have installed on your devices (for example, some student management systems), and external software that’s hosted in the cloud (like Xero, Educa or Google Workspace).

Data: Identify the data you hold or have access to, including:
• Personal staff and student information;
• Medical information;
• Financial information; and
• Lesson plans and reports.

Ministry launches ‘Say No to Cyber Nasties’ campaign

The Ministry of Education’s new Cyber Security in School team recently launched its ‘Say No to Cyber Nasties’ campaign. Dedicated to helping schools improve their cyber security, the initiative will provide advice and encouragement to help you keep your school safe and online threats out. Cyber criminals don’t care if you’re busy or distracted or not quite up to speed on security – if they get into your school, they can wreak havoc.

Want to find out more? The Ministry’s new online cyber security hub has advice and guidance to help you get started, and we’ve included resources you can share with your staff and teachers to help them get to the right information, too. Make sure you say ‘no’ to nasties. You can find out more information about how to keep them out of your school at education.govt.nz/cyber-security


Identify potential risks and impacts

For the datasets you’ve identified, consider what implications there may be if this information was:

• Wiped, accidentally deleted or lost forever – do you have back-ups, and have you actually tested restoring from them? Would there be financial or operational implications?
• Stolen, leaked or accessed by someone who isn’t authorised to see it – could information about custody or protection orders be exposed? Bank account details? Private health information like mental health conditions, or a history of sexual assault or other trauma?

• Locked down and you couldn’t access it, either because of a cyber incident or an accident or natural disaster – could the school keep running? Who would be affected and how?

You may want to categorise the type of risk, for example:
• Operational risks – losing access would affect day-to-day operations;
• Financial risks – financial information could be lost or stolen, or this system or data would be costly to replace;


What are the most prevalent types of cyber threats that schools are facing?

There are many cyber security challenges in creating a safe and secure digital learning environment. Here are the most common threats against schools.

Phishing

This is when someone uses an email, text message or phone call to try to get access to sensitive information (like bank account numbers and passwords). Phishing scammers claim to be from a legitimate organisation and increasingly use email addresses or websites that look very real. They’ll often ask you to claim a prize, check your details, or tell you that your account is expiring or needs to be verified. Any message that creates urgency and asks you to sign in through a link deserves a second look: open the service from your own bookmark instead of the link.
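One check a practitioner can put behind the advice above, as an added example that is not part of the Ministry’s material: it parses the From: header and flags sender domains that imitate ones the school trusts, whether by a swapped character (educati0n for education), a trusted name buried inside another domain, or a trusted name used only as the display name. The trusted-domain list and the sample headers are constructed for the example.

```python
"""Flag From: addresses that imitate domains the school trusts."""
import unicodedata
from difflib import SequenceMatcher
from email.utils import parseaddr

# Domains the school legitimately receives mail from. Constructed for this
# example; a real list would come from your own tenancy and suppliers.
TRUSTED_DOMAINS = {"example-school.school.nz", "education.govt.nz", "xero.com"}

# Character swaps that make one domain look like another on screen.
_SWAPS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("-", "")]


def skeleton(domain: str) -> str:
    """Reduce a domain to how it *looks*, so visual twins compare equal."""
    d = unicodedata.normalize("NFKC", domain).strip().lower()
    for src, dst in _SWAPS:
        d = d.replace(src, dst)
    return d


def parse_from(header: str) -> tuple[str, str]:
    """Split 'Display Name <user@host>' into (display name, host)."""
    name, addr = parseaddr(header)
    domain = addr.rpartition("@")[2].lower().rstrip(".") if "@" in addr else ""
    return name, domain


def classify_sender(header: str, trusted=TRUSTED_DOMAINS) -> tuple[str, str]:
    """Return (verdict, domain) for a From: header.

    trusted    - exact trusted domain, or a subdomain of one
    lookalike  - trusted name embedded in, twinned with, or only displayed beside another domain
    suspicious - a close edit of a trusted domain (e.g. xero.co)
    unknown    - nothing in common with the trusted list
    """
    name, domain = parse_from(header)
    if not domain:
        return "unknown", domain
    if domain in trusted:
        return "trusted", domain
    best = 0.0
    for t in trusted:
        if domain.endswith("." + t):
            return "trusted", domain            # mail.<trusted>: genuine subdomain
        if ("." + t + ".") in ("." + domain + "."):
            return "lookalike", domain          # <trusted>.attacker.example
        if skeleton(domain) == skeleton(t):
            return "lookalike", domain          # rn/m, 0/o, dropped hyphen ...
        if t in name.lower():
            return "lookalike", domain          # trusted name shown only as display name
        best = max(best, SequenceMatcher(None, skeleton(domain), skeleton(t)).ratio())
    return ("suspicious" if best >= 0.85 else "unknown"), domain


if __name__ == "__main__":
    # Constructed sample headers, not real mail.
    for hdr in [
        "Ministry <alerts@education.govt.nz>",
        "Ministry <alerts@educati0n.govt.nz>",
        "Finance <accounts@exarnple-school.school.nz>",
        "Support <noreply@education.govt.nz.example-attacker.com>",
        '"education.govt.nz" <mailer@mailer-9.example>',
        "Xero <billing@xero.co>",
        "Parent <someone@gmail.com>",
    ]:
        print(classify_sender(hdr), "<-", hdr)
```

Checks like this complement, rather than replace, enforcing SPF, DKIM and DMARC on your own mail domain: without DMARC enforcement an attacker can put your exact domain in the From: header, and no lookalike check will catch that.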

Ransomware

This is a type of malicious software that attackers get into your system – often through a phishing email or a stolen password. The malware encrypts your data so no-one can access it and demands a fee or ‘ransom’ to unlock it; many groups also copy data out first and threaten to publish it, so a good back-up alone does not remove the pressure. The first sign of a ransomware attack is often a ransom note (a text file that opens by itself, or a changed desktop background), or that you are suddenly unable to access or open any files. Paying does not guarantee you will get your data back; tested, offline back-ups are the reliable way to recover. If you’re affected by ransomware, report it to CERT NZ at cert.govt.nz/report or 0800 CERT NZ.
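The two early signs described above can be looked for in a snapshot of a file share. This added example (not Ministry code) measures each file’s byte entropy and treats a high-entropy file that has lost its expected header, or carries an unfamiliar extension, as likely encrypted in place; it also looks for a small text file worded like a ransom note. The directory contents, thresholds and magic-byte table are constructed assumptions for the example.

```python
"""Spot files encrypted in place and a dropped ransom note in a file snapshot."""
import math
import os
import random
from collections import Counter

# Expected leading bytes for common document types. An encrypted file usually
# keeps its name but loses this header. Constructed table for the example.
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04", ".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff",
}
NOTE_WORDS = ("encrypted", "decrypt", "bitcoin", "ransom", "your files")
ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted or random data sits near 8.0
MIN_SIZE = 1024           # entropy is not meaningful for tiny files


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(name: str, data: bytes) -> bool:
    """High entropy AND (unknown extension OR expected header missing)."""
    if len(data) < MIN_SIZE or shannon_entropy(data) < ENTROPY_THRESHOLD:
        return False
    magic = MAGIC.get(os.path.splitext(name)[1].lower())
    if magic is not None:
        return not data.startswith(magic)   # compressed docs are high entropy but keep headers
    return True


def looks_like_ransom_note(name: str, data: bytes) -> bool:
    """Small text/HTML file whose wording matches a typical demand."""
    if os.path.splitext(name)[1].lower() not in (".txt", ".html", ".hta") or len(data) > 8192:
        return False
    text = data.decode("utf-8", "ignore").lower()
    return sum(w in text for w in NOTE_WORDS) >= 2


def scan(files: dict[str, bytes]) -> dict:
    """Summarise a directory snapshot given as {name: contents}."""
    encrypted = sorted(n for n, d in files.items() if looks_encrypted(n, d))
    notes = sorted(n for n, d in files.items() if looks_like_ransom_note(n, d))
    data_files = [n for n in files if n not in notes]
    share = len(encrypted) / len(data_files) if data_files else 0.0
    return {
        "encrypted": encrypted,
        "ransom_notes": notes,
        "share_encrypted": round(share, 2),
        "alert": bool(notes) or share >= 0.3,
    }


def sample_snapshot() -> dict[str, bytes]:
    """Constructed example directory; not real school data."""
    rng = random.Random(7)

    def blob(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    return {
        "minutes.txt": b"Board meeting minutes. Apologies received. " * 100,
        "report.docx": b"PK\x03\x04" + blob(4096),   # genuine Office file: header intact
        "grades.xlsx": blob(4096),                     # header gone: encrypted in place
        "report.docx.locked": blob(4096),              # renamed with an unfamiliar extension
        "README_RESTORE.txt": b"Your files have been encrypted. Pay 0.5 bitcoin to decrypt them.",
    }


if __name__ == "__main__":
    print(scan(sample_snapshot()))
```

Compressed formats (Office documents, PDFs, ZIPs, photos) are legitimately high entropy, which is why the check also requires the file’s header to be missing before it raises a flag, and very short files are skipped because their entropy says little. In practice you would run a check like this over a share that the backup job also covers, and alert when the share of affected files starts to climb.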

Software vulnerabilities

There can be unintended weaknesses in a computer system. These are often identified when someone finds that a piece of code in the software can do something more than was originally intended, such as giving users more access to the system than they should have. Once software companies are told about a weakness, they usually fix the code quickly and share the fix through a software update (sometimes known as a patch). From that point the risk sits with anyone who has not yet applied the update, which is why automatic updates matter.

Denial of Service (DoS)

Denial of Service attacks aim to restrict or impair access to a computer system or network. When a website is under a DoS attack, it will look like it’s ‘down’ or unavailable. The attack works by overwhelming the website’s servers with requests until the server becomes overloaded and stops responding. As websites and networks can only process a certain number of requests at once, this blocks genuine requests from getting through. DoS attacks are much more likely to happen to an organisation than an individual. In a distributed denial-of-service attack (DDoS), the incoming traffic flooding the victim originates from many different sources, which makes it much harder to block.

Vulnerable devices

These are devices that haven’t been secured in some way. They may not have had:
• Security policies applied;
• User access limited (for example, any user has full admin access to the device);
• Anti-virus software installed;
• Security settings added (such as a password to lock the computer); or
• Software updates applied, so the software is out of date.

Data leaks

A data leak is when sensitive information is accidentally or deliberately copied, viewed, sent or stolen. Whenever data is available online it’s at risk of a leak – that’s why it’s so important to control how a school’s data can be accessed and by whom (cloud folders shared with ‘anyone with the link’ are a common cause). If you think you’ve had a data leak, talk to the Office of the Privacy Commissioner about what to do next; under the Privacy Act 2020 a breach that is likely to cause serious harm must be notified to the Commissioner and to the people affected. Find out more at privacy.org.nz

Human error

Computer breaches or attacks can occur because of a staff or student mistake. This could be by emailing a spreadsheet to the wrong person, forgetting to make a folder private rather than public, or by being tricked by sophisticated phishing attempts. Source: Ministry of Education, education.govt.nz/school/digital-technology/

Risk categories (continued):
• Confidentiality risks – private or personal information could be lost or exposed; and
• Integrity risks – data could be at risk of being changed, like test results or reports.

Evaluate your school’s current level of risk

To determine your level of risk, look at who has access to your systems and data, and how they have that access. What policies and protections do you already have in place? Consider basing access in your school on two principles: the least privilege required, and the time of day. For example, some systems may only need to be accessed during certain hours, and most staff and students only need to read, not administer, the systems they use. For each role, ask what the least amount of privilege is that staff and students need to access the data and information they require, and remove anything above that.
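To make those two principles concrete, the following added example (not the Ministry’s, and assuming a simple key=value access-log format and role and system names invented for the purpose) reviews a handful of constructed access records against a policy that states, per role and system, the maximum privilege needed and the hours in which use is expected.

```python
"""Review access records against a least-privilege and hours-of-use policy."""
from datetime import datetime

# Policy: for each role, the privilege it needs on each system and the local
# hours (24h) during which use is expected. Constructed for this example.
POLICY = {
    "teacher": {"sms": ("read", (7, 18)), "drive": ("write", (6, 22))},
    "office": {"sms": ("write", (7, 18)), "finance": ("write", (7, 18))},
    "student": {"drive": ("write", (6, 22))},
    "it_admin": {"sms": ("admin", (0, 24)), "drive": ("admin", (0, 24)), "finance": ("read", (7, 18))},
}
RANK = {"none": 0, "read": 1, "write": 2, "admin": 3}

# Constructed log lines; the format (timestamp then key=value pairs) is an assumption.
SAMPLE_LOG = """\
2024-03-11T09:12:00 user=a.teacher role=teacher system=sms privilege=read action=view
2024-03-11T21:40:00 user=a.teacher role=teacher system=sms privilege=read action=view
2024-03-12T10:05:00 user=b.office role=office system=sms privilege=admin action=export
2024-03-12T02:14:00 user=c.student role=student system=finance privilege=read action=view
2024-03-12T11:30:00 user=d.admin role=it_admin system=drive privilege=admin action=share
2024-03-12T13:00:00 user=e.student role=student system=drive privilege=write action=upload
"""


def parse_line(line: str) -> dict:
    """Turn one log line into a dict with a parsed 'time' field."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["time"] = datetime.fromisoformat(ts)
    return rec


def findings_for(rec: dict) -> list[str]:
    """Return the policy violations for one access record (empty if compliant)."""
    out = []
    allowed = POLICY.get(rec["role"], {})
    if rec["system"] not in allowed:
        out.append("no business need for this system")
        return out
    max_priv, (start, end) = allowed[rec["system"]]
    if RANK[rec["privilege"]] > RANK[max_priv]:
        out.append(f"privilege {rec['privilege']} exceeds {max_priv} needed by role")
    if not start <= rec["time"].hour < end:
        out.append(f"access at {rec['time']:%H:%M} outside permitted hours {start:02d}:00-{end:02d}:00")
    return out


def review(log: str) -> list[tuple[str, str, str]]:
    """(user, system, finding) for every violation in the log, in log order."""
    results = []
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        for finding in findings_for(rec):
            results.append((rec["user"], rec["system"], finding))
    return results


if __name__ == "__main__":
    for user, system, finding in review(SAMPLE_LOG):
        print(f"{user:<10} {system:<8} {finding}")
```

The violations it reports are exactly the questions an access review asks: why does an office account hold admin rights on the student management system, why is a student account touching finance at all, and why is a teacher account in the SMS at 9.40 pm?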

Prioritise and make a plan

Unfortunately, cyber security risks can’t be eliminated as there are always new and emerging online security threats, along with the human element of users interacting with technology. Taking charge of digital security is like taking charge of health and safety. It’s not a ‘one and done’ scenario.

Overall, it pays to take a proactive approach with cyber security. Digital security is an ongoing effort to manage new risks as they emerge. Knowing your digital environment to then mitigate risks will form a key foundation of your digital security strategy. Look through all the information you’ve gathered and prioritise your areas of risk. It might seem like there’s a lot to do – or a few key areas to tackle might immediately jump out at you. Start with your top priority areas and remember you can build gradually on most of these recommendations over time.

Article supplied by the Ministry of Education’s Cyber Security in School team. For more information and to create a digital security strategy go to bit.ly/ministryriskassessment

Cyber security training and webinars

The Ministry is developing dedicated cyber security advice and recommendations. To help your school configure your technology and get the most out of the security products available to you, it has worked with Google and Microsoft to develop a series of webinars and online training for keeping up to date with the latest technology changes. The subjects of the webinars include ‘Identity and authentication’, ‘File security’, ‘Mail, calendar and contacts’, ‘Protect cloud apps’, ‘Detect risky users’ and more. These are available at bit.ly/ministrycyberwebinars

There are five easy ways to help educate students about online safety, says Norton

Educators across New Zealand are dedicated to helping Kiwi kids navigate the internet safely. No matter what model of instruction your school is following, we all have a part to play in ensuring children understand digital safety. Modern learning means students need to make new accounts in apps and programs regularly. However, this could provide hackers with an opportunity to steal personal information. Depending on a child’s age, they might be facing new challenges on social media as well, like cyberbullying and inappropriate messaging, behaviours that they might not even identify as dangerous or inappropriate. For educators, it’s important to help students understand the dangers of the internet, as well as feel safe and excited while using it. Digital safety doesn’t have to be complicated. Here security specialist Norton has five easy things you can do to safely empower them at school:

• Turn on automatic updates for all apps, programs and devices. If you’re looking for quick and simple ways to increase cyber safety, just turn on automatic updates on laptops, tablets and smartphones. Malware lets hackers infect devices, and this one simple step helps prevent that.
• Set up lock screens on phones and tablets. This is especially true for older students who might have devices in public places. Phones contain a lot of personal information and, without a lock screen, give criminals easy access to this data.
• Teach them not to share personal information online. If someone, particularly a stranger, asks for things like a name, address and age, students need to know not to give this information out, both for privacy and to avoid identity theft. They also need to be careful with the personal information they post on social media and even gaming platforms.
• Help them make strong passwords (and not reuse them!). Kids should practise good password hygiene by creating long passwords with upper- and lower-case letters, numbers and special characters. Remind them not to reuse passwords, too. If they’re having trouble remembering passwords, a password manager, as part of a comprehensive security plan, could do all the hard work for them.
• Use reputable cyber security software and talk to students about digital safety. Initiate conversations about digital safety, help them understand good online behaviours and let them know they can come to you with questions.

For more on Norton’s solutions, as well as tips to help keep your devices and data safer, go to nz.norton.com

Learning about ciphers, passwords, breaking into websites, lock picking, and much more

Last month, the second Cybersecurity 101 event for students in Years 11-13 took place at Victoria University of Wellington. Several local schools sent students; about 30 attended, and more than half were female. While a few seemed to be doing some form of cybersecurity, or learning about crypto and encryption, in their CS course at school, most came with no specific background but were keen to know more and considered it an option at university after doing the course. The day began with a keynote by Kate Pearce, Head of Security at Trade Me. She covered the complexity and scaling of systems when dealing with security, and reminded students that humans will inevitably make mistakes in programming or delivery; it’s how you resolve or respond to them that matters. Graduate Justina Koh from ZX Security talked about her journey as an ex-student of the Cybersecurity Engineering degree here. She only found out about the field in her second year of software engineering and decided to switch over. Without prior knowledge, she was unsure at the start, but now works as a penetration tester, someone who is paid to break into websites or apps to find vulnerabilities.

Picking a lock

Finding alternate ways to break into systems by bypassing valid user credentials is common, so we ran a lock picking exercise to depict similar scenarios. The ethics of the activity were described before they got into it. In industry, this activity is usually guided by two rules: only pick a lock that you have permission to pick, and do not pick a lock that is in use. Students used a variety of tools provided in the kit, such as torsion wrenches and different sized picks. There were smiles on faces when locks were successfully picked, bringing them to another valuable lesson: no security is perfect.

Students heard about the history of ciphers, which date back to at least 400 BCE, when military commanders shared private messages with their troops. The Second World War’s Enigma machine was up next for discussion, covering how physical systems made a difference to the complexity of the cipher and the way Alan Turing and his team at Bletchley Park solved the challenge. Finally, we covered current-day ciphers and the impact of Diffie and Hellman’s work on encryption.

SHARING MESSAGES WITH A CAESAR CIPHER.

Science of passwords

Our Assistant Professor of Cybersecurity, Ian Welch, discussed the differences between course choices in Cybersecurity Engineering versus online and diploma courses. Students do not need a degree in the field to get into cybersecurity. However, it does help, as the courses teach a range of important topics, including malware, offensive/defensive security, cryptography and digital forensics, along with providing 800 hours of industry experience. After lunch, students explored the science of passwords, and the final activity was picoCTF, set up by one of our PhD students in Cybersecurity, Abdullah Al Mamun. The platform was built as a safe space to learn cybersecurity skills. Teachers can monitor and visualise learning and progress through an interactive platform that is easy to set up and free to use. Students worked in teams to solve several hidden messages. We hope to run this one-day event every year around the same time (towards the end of Term 2). Please get in touch if you’re interested in sending students or have any questions on how to organise a CTF in your classroom.

By Pravin Vaz, Outreach Coordinator, School of Engineering and Computer Science, Victoria University of Wellington, pravin.vaz@vuw.ac.nz

STUDENTS ATTENDING LAST MONTH’S CYBERSECURITY 101.

About picoCTF

This is a free, fun computer security education programme built on a capture-the-flag framework created at Carnegie Mellon University. Learn more at picoctf.org
