CyberSecurity Part 3: Simple Penetration Testing for K12 Schools

By Tony DePrato | Follow Me on LinkedIn

I have been following a few online threads where schools are considering contracting penetration testers. For those who may not know, penetration testing (pentesting) is a security assessment, an analysis, and progression of simulated attacks on an application (web, mobile, or API) or network to check its security posture. The objective is to penetrate the application or network security defenses by looking for vulnerabilities. These are usually weaknesses or flaws that an attacker could exploit to impact confidentiality, integrity, or availability. This goal is the same whether performing application pentesting or network pentesting. ~ https://cobalt.io/pentest

As a consultant, I am not opposed to K12 schools using consultants. However, I have seen some red flags out there from pentesting consultants. I want to highlight those issues, and also provide a method for K12 schools to get started on this process in an easy and low-cost manner.

Finding a Good Pentester

The Conversation

School: We are looking for someone to help test our security.

Pentester: Great. I can do that (credentials and background presented).

School: What do you need?

Pentester: I need a list of (x,y,z). I need an office to work from. I need to interview…

What is wrong here?

Here is how this should go

School: We are looking for someone to help test our security.

Pentester: Great. I can do that (credentials and background presented).

School: What do you need?

Pentester: I need a contract protecting me if I break into one or more of your services. I need a contact person to send my findings to. I need a timeline.

A pentester’s job is to find the weaknesses and to find a way to access your organization. If you provide access, not only is the job easier, but they could simply report an issue that is unlikely to occur. I witnessed a similar scenario where a firm was asking for the keys to break into the car.

There may be a point where you want a pentester to become a student and see what a student can do with the access provided. There may be a point where you want them to test spaces used by the public during events. If you provide and manage laptops, a good pentester will need one of the school’s laptops.

These are reasonable requests. Asking the school to literally give them a roadmap and set of targets is not reasonable.

Doing Your Own Testing

I have a list of standards schools should work towards to be secure. Some of these do not always connect well to third-party services, public-facing websites, etc.

Over the last few months, I have developed a checklist for pentesting K12 school websites and resources.

Test / Definition

Subscription and Services Discovery: Can your subscriptions and services be easily discovered?
Files Exposed to the Public: Are there files publicly available that are supposed to be private?
Calendars Exposed to the Public: Is calendar data that should be private actually private?
Staff and/or Student Email Harvesting: Can your staff and/or student PII be used to build a database for phishing and spamming?
Portals and SIS: Are your portals and SIS properly secured and resistant to brute-force attacks?
Websites and Social Media: Are websites and social media properly secured; is the media being used legally and correctly?
Cloud Services: Have cloud services been properly secured?
Third-Party Sharing: Is anyone sharing your content, and do they have permission?
FTP, SSH, and Telnet: Are any of these protocols a threat to your school via publicly accessible information?
Email Blacklist: Is your email domain blacklisted?
Email Header Check: Is there any data in your email headers that could be anonymous or lead to blacklisting?
Email Catch-All for Nonexistent Emails: Is your email set up to catch any message sent to an address that does not exist and alert someone?
SMTP Relay: Is your email system running services that would allow an attacker to use your email for a criminal act, such as sending an email on someone’s behalf?
4xx and 5xx Error Check: Are the 4xx and 5xx pages on your public-facing services configured properly and supportive of trusted users?
HTML Forms: Are any HTML forms vulnerable to low-level URL-based attacks? (Will also review CAPTCHA.)
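The Email Header Check row is one of the easier tests to script. Below is an added example of my own, not code from the post or from any tool its author uses, that reads a constructed set of message headers and reports the three things a school would want to know for that row: whether the From and Return-Path domains line up, whether SPF, DKIM and DMARC passed at the receiving server, and whether any Received line exposes an internal address. Every domain, hostname and address in it is made up.

```python
import email
import email.utils
import ipaddress
import re

# Constructed sample (not from the page): mail claiming to come from example.org whose
# bounce address and authentication results disagree, and whose Received chain leaks a LAN address.
SAMPLE_HEADERS = """\
Return-Path: <bounce@mailer.example.net>
Received: from mail-gw.example.org (mail-gw.example.org [203.0.113.10]) by mx.example.com; Mon, 1 Jan 2024 10:00:00 +0000
Received: from sis-server.lan (sis-server.lan [10.0.5.21]) by mail-gw.example.org; Mon, 1 Jan 2024 09:59:58 +0000
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer.example.net;
 dkim=none; dmarc=fail header.from=example.org
From: Front Office <office@example.org>
Subject: Tuition reminder

"""

# Address ranges that should never show up in the Received chain of mail leaving the school.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def domain_of(header_value: str) -> str:
    """Lower-cased domain of an address such as 'Name <user@host>'."""
    _, addr = email.utils.parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_headers(raw: str) -> list:
    """Return a list of findings; an empty list means the headers look clean."""
    msg = email.message_from_string(raw)
    findings = []
    from_dom, path_dom = domain_of(msg.get("From", "")), domain_of(msg.get("Return-Path", ""))
    if from_dom and path_dom and from_dom != path_dom:
        findings.append(f"alignment: From domain {from_dom} differs from Return-Path domain {path_dom}")
    # Authentication-Results is stamped by the receiver; anything but "pass" is what gets a domain blacklisted.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    for mech in ("spf", "dkim", "dmarc"):
        if results.get(mech, "missing") != "pass":
            findings.append(f"{mech}: {results.get(mech, 'missing')}")
    # Bracketed IPs in Received headers: internal ones reveal the school's network layout.
    for received in msg.get_all("Received", []):
        for ip_text in re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received):
            try:
                ip = ipaddress.ip_address(ip_text)
            except ValueError:
                continue
            if any(ip in net for net in INTERNAL_NETS):
                findings.append(f"leak: internal address {ip_text} visible in Received header")
    return findings
```

Run it against the raw headers of a message your own domain sent to an outside mailbox; the sample above produces five findings, a clean message produces none.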

I score these on a scale of 1-5 and document the issues/results. The next level is researching the solutions to correct the problems. Keep in mind, many solutions are in policies and procedures. This means issues need to be articulated for school leaders, teachers, students, and parents.

In other words, avoid jargon and lingo.

Doing as much due diligence as possible before contracting someone will not only save time and money, but it will also help to further educate the community.

If you do not know what is actually dangerous, then everything could be sold as dangerous.

These recommended tests are not very difficult, but if you want to outsource this, email me at tony.deprato@gmail.com. I thoroughly enjoy doing this kind of work and have automated many of these processes with scripts and services.


Episode 174 – Law & Tech

Tony and Patrick have got law questions. This means that we had to go out and get a real, honest-to-God lawyer in the form of Keith Wurzbacher. Listen to a (mostly) serious conversation regarding schools, email addresses and much more. As always, be sure to subscribe to us on Apple Music or with your favorite podcasting app.

  1. World Series Predictions?
  2. Should or can schools give email to people who do not work (or have worked) or are associated with the school 
    1. Uses email for personal legal matters
    2. No expectation of privacy
    3. Email address is for school related purposes
    4. Representing the school
    5. Social media concerns
  3. Limited expectation of privacy
  4. School’s legal time in a problem
    1. Hiring PR firm
    2. Paying for lawyer/law firm
  5. Trunk-or-Treat – https://en.wikipedia.org/wiki/Trick-or-treating#Trunk-or-Treat

You can download the episode here!

Episode 126 – Fat websites


Tony, Tim and Patrick talk about the increasing sizes of web pages, learning management systems vs. class websites and some email etiquette. Check out the talking points below.

As always subscribe to us on iTunes, follow us on Podomatic or subscribe to us with your favorite podcasting app.

The average web page weight would equal that of the Doom install image in about 7 months’ time
a. Link: https://mobiforge.com/research-analysis/the-web-is-doom?r=1
b. Same thing is happening with programs.

Learning Management System or Class website
a. What is an LMS?
b. Pros?
c. Cons?
d. Verdict

Email etiquette
a. Should you have your own personalized signature?
b. Thoughts?

You can download the MP3 file HERE!

I don’t like email – but I like Slack!

I don’t like emails. As IT coordinator I get what I consider to be a lot of emails – around 60 a day right now. I’m often too busy during the day to go through them effectively and leave them till I get home. Then I spend around two hours mowing through them. I don’t like email not because I hate the volume I receive, but more due to its inefficiency.

Our school just had its first day of the school year today. Leading up to this week I received around 50–60 emails a day on top of trying to do my part to get the school in shape. I often spend my day running around, completing tasks, helping my colleagues however I can, and rarely have time to sit down and address those pesky emails. That leaves me with 50+ emails every night to mow through.

You might be thinking that the volume of email I receive is what bothers me, but that’s really not it. It’s how inefficient it is. Let me paint a picture for you. A teacher in a classroom is having trouble printing and so are five other teachers who have the same issue. Even though it’s one issue all five teachers will email me at different times to report it.

Instead of just dealing with all five issues at once, we end up dealing with them individually throughout the day – interrupting our tasks and thus making our time less effective. It’s not the teacher’s fault. How are they supposed to know that the issue is not confined to them? They’re just reporting an issue that is pressing and needs to be solved.

Another problem with this scenario is that only I see the message. I work with 5 other very talented and capable ICT engineers who are often as good as or better than me at solving issues. They will often miss out on these issues as they are only sent to me. Then if I do forward it on to a team member, they may be too busy working on another problem to help that teacher in a timely manner.

See – not too efficient.

Now let me give you another issue. A member of the IT team wants to let me know of an issue so they email me. Sounds OK, right? Not really. There may be other members of the team who need to know about this but are left in the dark. This leads me to do a lot of micromanaging and causes miscommunication. This often leaves the team going over the same old ground again and again. I don’t blame my team members – email is fast, reliable, and for a long time was the only means to reach out to someone. It just happens not to be a great tool for team communication.

Groups

To help combat this I created a Google group. You don’t need to have Google Apps for Education, but it helps if you do. Instead of emailing just me, they email the group. All of the IT team will receive the email as well as myself, thus keeping the whole team informed and in the loop. I have one person per grade level or subject email a list of problems their team has, so we can engage with multiple issues in one visit as opposed to stopping back again and again.

This helps a little bit, but we run into another problem: the rogue emailer. A person who decides that the protocol just doesn’t apply to them, or they simply forget to send it to the group. This person isn’t nefarious and they probably feel that one direct email is harmless. Now chain that together with 15–20 people in a day. Yep – that is a lot of busy work. Often, these emails can get buried in my inbox too, escaping the focus of the IT team and making the sender frustrated.

You see, I can’t control these people any more than I can control the weather. I would have better luck getting Omar to clean his desk. 🙂 They act independently and, to be honest, there aren’t any consequences they will suffer for doing this. I can’t dock their pay or place them in time out – are you kidding me? Also, for me to ignore their request is just irresponsible and not in my nature. The result is a bloated inbox that eats up my time.

So you see – I don’t like email, but I’m stuck with it. I deal with too many people to ignore it and there isn’t a better option out there for me – at least not yet. Yet, all hope is not lost.

Slack

Then I saw an article on The Verge about Slack. Slack is a way for groups or teams to communicate. Despite the link bait headline

Slack lets you create a small community focused on nothing but communication. Check out the screen shot below.

At a quick glance it may look like a simple chat program, and it certainly has that feature (even with emojis), but there is much more to it. In the far left-hand column there are some cool features.

As you can see there are channels. Slack creates a General and a Random channel (of course you can rename or delete these). I’ve also added Major Issues and Xerox to the mix as well. Below that is a list of all members in the team. Since I created the group, I have control over who is in the group. You can create as many channels as you want, and each channel requires a purpose so it is clear why it was created.

When they are online a green dot is next to their name so I know who on my team is watching and available for immediate action. When I send a message, they receive it in real time and can reply. I can even send direct messages if need be.

Another great feature is how you can add Integrations to your Slack team. You can add up to five for free and then you need to pay after that. For us, it works great because I can add Google Drive to it, making it easy to share files with my team.

In fact, there is an impressive number of integrations that you can add to Slack, making it much more than just a communication hub for your team. Another great feature is how Slack handles linked files and actual files. You can easily find them in a sidebar that you can hide or show at any time.

So for example, we were going to be setting up some new computers for about 60 staff members. We needed print drivers, ActivInspire, AirServer and a few other programs. As a team we all had them but no easy place to store them all. Slack stepped in and we were all able to upload our files and make them accessible for the entire team. This has already proved to be very, very nice.

This helps me and the rest of the team stay on the same page. We can update each other on ongoing projects, alert everyone to new issues, and ask for help. No worry about sending errant emails to the wrong person, or accidentally hitting Reply All. It’s closed, just for us, and gives us a clearer focus.

This isn’t to say that it is perfect, but it is certainly better than just email. My team and I still use email, especially dealing with vendors or administration to build an email chain, but when it comes to communication within the team Slack is the way to go for us.

It also has an iOS app, an Android app and desktop apps for Windows and Mac. They have all the bases covered here. If you’re like Tony, who is rocking Linux, you can still access the web version, and if you have a BlackBerry, get a new phone.

Not for everyone

Don’t get me wrong, Slack will not replace email. That would probably be a disaster – but it helps me keep in touch with the IT team. Could this work within a school? I think it could if used properly. You wouldn’t want a Slack for an entire division or even a grade level, but let’s say you have a curriculum team, Slack could work very well. Also, if you have a team of people in charge of reaccreditation or working on a grant – Slack may very well be the better route to helping you build something effective and meaningful in your school.

The fact that all messages are easily searchable, files are very easy to find, and you can make focused channels for various sections of your project makes Slack a real alternative to emailing when working within groups or on teams. Technology doesn’t always make our lives better or easier, but Slack is a product that seems to offer more focus and better efficiency for members of a team. Give it a try for you and your team. It’s free!

https://slack.com/

Patrick Cauley
The Tech Jonsey

Print Friendly – Print from the web the right way

Have you ever been to a website and wanted to print an article, tried, and found only way too many ads, junk on the side, or a page that just doesn’t print correctly? Well fear not, my friend, because Print Friendly is here to save you. Print Friendly will take that article and remove all that unwanted nonsense. Not only that, but you can email it or create a PDF. Heck, you can even remove parts of the article if you like. Print Friendly is easy, reliable, and free. Check out the video above to get all the friendly goodness. There are other services out there that offer similar features, but I find Print Friendly a little easier to use, and that can make your day a lot easier.