CyberSecurity Part 1: Social Engineering

Lock
Lock
Source: https://www.youtube.com/watch?v=JsVtHqICeKE

By Tony DePrato | Follow Me on LinkedIn

I have noticed an uptick recently in schools moving resources, money and time, to address cybersecurity concerns. The motivation for addressing security issues is genuine, but the approach and implementations I am reading about are less than effective.

Over the next few weeks, I will be writing a series of posts to address what schools should do to improve cybersecurity. Nearly every suggestion will require a change in process or culture, but not any significant financial investment.

Social Engineering

Even if you’ve got all the bells and whistles when it comes to securing your data center, your cloud deployments, your building’s physical security, and you’ve invested in defensive technologies, have the right security policies and processes in place and measure their effectiveness and continuously improve, still a crafty social engineer can weasel his way right through (or around).

Social engineering is the art of exploiting human psychology, rather than technical hacking techniques, to gain access to buildings, systems or data. ~ https://www.csoonline.com/article/2124681/what-is-social-engineering.html

Physical access to any space is the holy grail. Hacking begins with collecting information, watching people, finding the weak links within the organization, and studying how systems and people work.

Having an open friendly campuses means exposing information systems to a variety of threats that exist outside the network controls.

Allowing students, teachers, and staff to freely move around campus with few limitations or consequences, creates multiple opportunities for data to be collected on areas of the campus that generally are part of the plant or backend operations. These areas are designed for small teams of workers to keep the campus running, and these areas allow access to systems that control things like water, gas, electricity, etc. The plans and operational guides for these areas are not public, but people taking a regular stroll through these spaces eventually collect enough information to execute an exploit.

Maybe the exploit is simply students finding a way to sneak off-campus, but when one group creates a loophole, another group has the opportunity to use it. Social engineering practitioners are looking for loopholes and they are looking to mix with trusted groups of people. Their access begins with a bad policy or the improper enforcement of a policy.

It is far easier to use social engineering tactics to attack a school’s data and assets than to try and exploit the network externally. Not only is it easier, it is less risky. Generally, school policy is granting a person physical access, and therefore they are not trespassing. Whereas any attempt to breach the network would be a crime.

Before worrying about the network, the cameras, and the technology as a whole, it is imperative to reduce physical access and to design policies that balance community with access.

Defending Against Social Engineering in a Friendly Manner

Schools are not banks or government facilities. They are generally friendly and trusting environments. Implementing security measures should not create a panic, and should not create a culture a fear. Every measure taken needs to connect to another logical reason that the community can understand. Here are some ways you can reduce the risk of threats through social engineering:

  1. Let everyone know, they are free to call security and report anyone or anything they see that seems “off.” This means, not punishing people if they misidentify someone. Make the process easy, and make certain security personnel follow through and keep records. Social engineering often requires a few visits to a campus, and studying reports could identify a pattern.
  2. Lunchtime is always important on a school campus. Set a simple policy for business and operational offices to either rotate their lunchtimes and /or lock their offices. Lunchtime rotation is an excellent countermeasure. It ensures that every day, a few people are always in an office, the offices are open so people can access services, and the schedule of activity is difficult to predict.

    An example would be the following: Four people work in accounting. On Mondays, Wednesdays, and Fridays, person 1 and 3 choose to do lunch at 11:30AM; On those days person 2 and 4 choose to do lunch at 12:30 PM.

    Locking offices for an hour is safe, but it is not going to be as popular as using a rotation.

  3. Any closet or room containing computer network equipment, phone system equipment, etc. should not be used for storage. Why is this important? Because the moment a room or closet is accessible for storage, the number of people who will be opening the door becomes unpredictable. The equipment in that space would allow easy access to all the data that flows through the school.

    A common mistake schools make, is to use these network/electrical closets to store cleaning supplies.  Cleaners are usually very friendly and trying to help people, as well as maintain safety. So, if I wanted to access the closet and exploit the network, I would create a spill of liquid and wait for the cleaner to get into the closet. I might even distract them long enough to slide a small piece of paper between the lock and door jamb.

    The cleaner is doing their job, and I have gained access to the space after the cleaner is finished.

  4. Guests/Parents should have their own network. It goes without saying that allowing anyone aside from students and employees on the academic network is risky. A guest network SSID is highly recommended if the public or parents are allowed to use the WiFi. The more I consider this, the more I believe that a better policy is to simply improve the mobile network reception, and direct people to use their own data.

    A school can invest in repeaters and other technology to make the mobile signals from various providers strong and robust.

    Schools can also use services like Kajeet to deploy better mobile access. In many cases, schools qualify for FREE mobile hotspots. Why spend time and resources giving the public and parents access to limited and/or filtered academic networks anyway? Using mobile reduces the chances of a data breach, and virtually eliminates the liability a school would incur.

  5. Encourage and incentivize teachers to work outside their offices, in higher traffic areas. Teachers know each other, they know parents, and they know students. Teachers also have good instincts for spotting odd behavior. These statements are from anecdotal evidence, but if you have worked at a school for a long enough time, then you realize teachers are truly on the pulse of the organization.

    Teachers working in school cafes, libraries, etc see and hear more than they would if they are isolated in offices.

    Setting up conference rooms with glass walls, or creating PD opportunities in more public venues would greatly improve the random and increased presence of teachers on-campus.

    Remember, the idea is to create unpredictable patterns and to make it more difficult for someone to find a weakness and the confidence to act. The mere presence of staff in public spaces is a deterrent.

  6. Assume a good Social Engineer can get on-campus with an ID check, and plan accordingly. The core group defending against social engineering would most likely be the security team, operations team, and technology team. They should work together to plan scenarios and action plans. School leadership needs to make certain that those teams are focusing on those individuals who have enough skills to get through the external layer of security.

    Making assumptions that the camera system, front gate ID check, etc., will somehow prevent access, is going to create a false sense of security. Good social engineering requires imagination and creative thinking. Good defense will require the same.

  7. Work with parents to test your security and access. Parents want what is best for the school and their children. Parents also have come from a variety of backgrounds. They are a trusted group that will be honest and help measure improvements.
  8. Educate yourself first, and seek outside advice second. There is a massive amount of information about social engineering. It is worth educating a core group of people on security topics so they can inform practice and direct consultants. Remember, consults will only be useful until they leave. Build your team, and give them the time they need to learn. Much of what people need to know is free, time is the only factor.

I hope this posts stirs the pot and creates some discussion on school campuses. I am placing some resources below, including some very informative and entertaining videos on the subject of social engineering and physical penetration testing.

I am happy to do a live debate on this subject or webinar for anyone interested. Please email me at tonydeprato@gmail.com

 

Resources

 

  1. DEFCON 19: Steal Everything, Kill Everyone, Cause Total Financial Ruin! (w speaker)- https://www.youtube.com/watch?v=JsVtHqICeKE
  2. I’ll Let Myself In: Tactics of Physical Pen Testers- https://www.youtube.com/watch?v=rnmcRTnTNC8

  3. What is Social Engineering: https://www.csoonline.com/article/2124681/what-is-social-engineering.html
  4. Passwords are Still a Problem: https://www.nextgov.com/cybersecurity/2019/01/why-computer-passwords-are-still-problem-2019/154086/
  5. Cybersecurity Stats: https://www.varonis.com/blog/cybersecurity-statistics/

 

 

 

It’s Time to Regulate Social Media in Schools

By: Tony DePrato | Follow me on Twitter @tdeprato

It is spring time, and once again I am planning a new network security plan for a school. The same issues as always, and the same questions.

All questions usually have answers with a price tag attached. Value in such planning is very subjective. After all, we spend money every year managing free apps on iPads, how does that make financial sense?

One question cannot be answered. Regardless of my due diligence and the school’s willingness to fund a comprehensive plan, students will still have phones. Those phones will have data plans. Those data plans circumvent all the work we do. Parents do not seem to care, because they are worried about having that device for logistics and emergencies.

These devices are addictive, and the applications are purely for entertainment and dopamine-driven feedback loops.

Yes, the network can manage the problem when students are on Wifi; but not when the students are on their own network.

Jamming signals is not legal in most countries, and localized jamming seems to cover very large spaces. Even if it was legal, it would impact other services.

I believe all problems can be solved, and I believe I have a solution for this one. Generically, I like to call it Social Media for Education.

Social Media for Education Explained

The core concept is simple. Facebook, Twitter, Instagram, etc., would offer an educational package. I firmly believe this should be a paid service for schools that can afford it, and free for schools that can demonstrate hardship. If you consider the cost of properly  blocking Apps on Wifi ($10-50 USD per student per year), this service would be viable if priced appropriately.

The social media companies would follow a Google Apps or O365 model for schools to join. They would require any person under the age of 18 to register as a student connected to a school.

For example, schools who sign-up would be given a school code, and could provide a student ID based roster for cross-referencing. Any person under 18 would be required to connect their profile to a school or education program of some sort(some students are home schooled or have other types of educational plans).

Unless they are connected to some type of educational plan, they simply cannot use social media until they are 18 years of age.

Schools who join would receive these benefits:

  1. Social media profiles are deactivated from 8:00 am – 3:00 pm everyday, in the timezone set by the school. This prevents VPN access from spoofing the clock.
  2. Schools could centralized a two steps homework system. Teachers would use Social media to circulate messages related to the school, and unless students confirmed all messages have been received (read), their profiles would not be activated. Although confirming a message has been seen does not equal work completed, it does mean the student acknowledged receiving the message. Blocking all other activities until all messages are cleared would prioritize the school’s notifications.
  3. Since all students can be identified and connected to a school or program, cyber-bullying would be easier to manage. Schools would need to make a request for data, but that data would connect to a student ID (most likely), and a verified location.

I have thought of more options, but, I would consider the above a tier one solution.

It Cannot Work Unless There is Regulation

It is clear from current practices, such as not enforcing the age restrictions for users, that social media companies will not offer services to schools that help disconnect students during their academic day.

In places like France, the government is physically banning phones from campuses. Other schools follow strict device confiscation policies. These measures only create a black market for phones, theft among students, and a burden on families who are victims of theft.

Trying to regulate property, and potentially facing liability issues related to property, is not the path to follow to solve this problem.

Governments need to simply require social media companies, or any company making a communications product, to provide the an identity and connection management system for those under the age of 18.

Those over 18 already have to use multiple methods to verify themselves when making new accounts. However, students seem to be able to join social media using devices and phone numbers that are not even legally in their own name. Think about that? I give my child a phone and number, they use it to join Facebook? How is that legal or even verified?

Not Enrolled in School = No Social Media

Compulsory Education around the world varies. Very few countries report having no compulsory education requirements.

No Requirement Based on Previous Data
Oman 0 2007
Solomon Islands 0 2002
Cambodia 0 2008
Holy See (Vatican City) 0 2007
Tokelau 0 2007
Bhutan 0 2008

The world-wide impact of adopting social media regulation of this caliber would equate to those under 18 not being allowed on social media, if they could not demonstrate they were enrolled in some type of educational program.

Likely, many countries would not participate in such regulation at all. However, it really only has to be country by country. As international as these platforms seem to be, connections students have are usually very local. Most students have their primary social network within the school they attend. That means their social media time is literally just interacting with people they could easily look at and speak with.

If Facebook in India were not participating, that would not impact a school in Korea. If students were to move from country to country (or school to school), they would have to re-register. The meta data from that behavior alone would help confirm drop-out rates, possible issues within school districts, etc. I believe the unknown benefits of the data would be substantial. Observer effect issues and data manipulation by school administration would be reduced.

I have been working with teenagers since 2005. I have worked with students from over 100 countries. I have been a technology disruptor, more times than I have supported the status quo. I believe in BYOD programs, and any students I have worked with will confirm I empower them to lead and make decisions. I know when I see a problem in the plan and the patterns. I know when students are not engaged, and when they are not learning. Mobile devices with addictive applications are a real problem. The design is an addictive design, and the effects are powerful. I hate regulation, but unfortunately, I think we are there.

 

Social Media Statistics and Facts 2012

wpid-oneword67-2012-11-7-13-32.png

Lately we’ve been talking a lot about social media and its growing importance and influence on schools. Here is a fantastic inforgraph made by Go-Globe that kind of breaks it down and gives you some interesting facts. You can view the infograph by clicking past the break. It’s pretty long but with each rotation of the scroll wheel it gets more and more interesting. I didn’t know that students were the #1 user of Google+ Did you?

Continue reading “Social Media Statistics and Facts 2012”

People are watching . . .

your online rep!

social-intelligence-santa.jpg

Gizmodo posted an interesting article today about the company Social Intelligence and how they performed a background check by looking at a person’s web footprint. This trend is easy, quick, and effective. I expect to see schools using this for prospective teachers, universities using it for prospective parents, and potentially over zealous parents checking out their child’s current educators (though I feel that last example will be very few and far between). Read the article written by Mat Honan here and let me know what you think. Personally, I’m for it. Whether you agree or disagree this type of background check is here and I don’t think it’s going anywhere, but would love to read your comments. All opinions welcomed!

Author’s note: I do not know Santa’s opinion of Omar. Santa’s evaluation of Omar’s behavior is between the North Pole Inc. and Omar. 🙂

Posterous.com – A quick how to

I’m going to take a tiny break in my timeline extravaganza to quickly add a how to guide for Posterous.com. This blogging platform is pretty sweet and perfect for the casual blogger who cares not for widgets and the like. You can very easily add people to the blog, and it is especially easy to add your own video and multimedia files. Me likes posterous.com very much. Check out the guide below.

HootCourse – YES

hootcourseyes1.jpg

Hopefully you’ve read my post on what HootCourse is, if not click here. My colleague and I Omar have discussed HootCourse and are torn on the matter. Omar doesn’t feel that HootCourse has any functional place in the classroom. You can read his well written and supported points here. This post is not to argue his points, I can see where he’s coming from. I am just going to layout how I think it can HELP teachers in the classrooms. Read on past the break to get all the Hootness you can handle.

Continue reading “HootCourse – YES”

Hootcourse is Absent in My Class!


Hoot. Ur kidding dud3, LOL!

At the risk of sounding lame, I wasn’t hooting and hollering when I saw Hootcourses. I followed a link Patrick sent me after he had set up a course. My interest was piqued and I assumed I was checking out a new online course system like Moodle or Learnable.com. Not even close. [Note: My original post was quite cynical and made me sound like a crotchety old man, so I have toned it down]

I was not impressed with what boiled down to be a new user interface for Twitter with a twist of education. I go into all the gory details,  Continue reading “Hootcourse is Absent in My Class!”

Hootcourse – Twitter educationalized

hootcourse-post13.jpg

That is definitely not a real word. Anyway, in this post I am going to share with you the online service HootCourse.com. This uses Twitter as a means to create a back channel chat, but it has some nice features that expand it beyond just the normal chat room experience. Basically you use your Twitter or Facebook account to log into HootCourse and it will create a Twitter feed specifically for you. Not sure what that is? Then click on past the break to get all the educationalized information.

Continue reading “Hootcourse – Twitter educationalized”